Event Hubs security articles: steps & screenshots

spelluru · spelluru · commit 3e709df0968f · 2023-02-15T20:30:29.000-05:00
diff --git a/articles/event-hubs/event-hubs-ip-filtering.md b/articles/event-hubs/event-hubs-ip-filtering.md
@@ -2,7 +2,7 @@
 title: Azure Event Hubs Firewall Rules | Microsoft Docs
 description: Use Firewall Rules to allow connections from specific IP addresses to Azure Event Hubs. 
 ms.topic: article
-ms.date: 02/23/2022
+ms.date: 02/15/2023
 ---
 
 # Allow access to Azure Event Hubs namespaces from specific IP addresses or ranges
@@ -25,20 +25,16 @@ This section shows you how to use the Azure portal to create IP firewall rules f
 
 1. Navigate to your **Event Hubs namespace** in the [Azure portal](https://portal.azure.com).
 4. Select **Networking** under **Settings** on the left menu. 
-1. On the **Networking** page, for **Public network access**, you can set one of the three following options. Choose **Selected networks** option to allow access from only specified IP addresses. 
+1. On the **Networking** page, for **Public network access**, choose **Selected networks** option to allow access from only specified IP addresses. 
+
+    Here are more details about options available in the **Public network access** page:
     - **Disabled**. This option disables any public access to the namespace. The namespace will be accessible only through [private endpoints](private-link-service.md). 
-  
-        :::image type="content" source="./media/event-hubs-firewall/public-access-disabled.png" alt-text="Networking page - public access tab - public network access is disabled.":::
     - **Selected networks**. This option enables public access to the namespace using an access key from selected networks. 
 
         > [!IMPORTANT]
-        > If you choose **Selected networks**, add at least one IP firewall rule or a virtual network that will have access to the namespace. Choose **Disabled** if you want to restrict all traffic to this namespace over [private endpoints](private-link-service.md) only.   
-    
-        :::image type="content" source="./media/event-hubs-firewall/selected-networks.png" alt-text="Networking page with the selected networks option selected." lightbox="./media/event-hubs-firewall/selected-networks.png":::    
+        > If you choose **Selected networks**, add at least one IP firewall rule or a virtual network that will have access to the namespace. Choose **Disabled** if you want to restrict all traffic to this namespace over [private endpoints](private-link-service.md) only.
     - **All networks** (default). This option enables public access from all networks using an access key. If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range. 
-
-        :::image type="content" source="./media/event-hubs-firewall/firewall-all-networks-selected.png" lightbox="./media/event-hubs-firewall/firewall-all-networks-selected.png" alt-text="Screenshot that shows the Public access page with the All networks option selected.":::
-1. To restrict access to **specific IP addresses**, follow these steps: 
+1. To restrict access to **specific IP addresses**, select **Selected networks** option, and then follow these steps: 
     1. In the **Firewall** section, select **Add your client IP address** option to give your current client IP the access to the namespace. 
     3. For **address range**, enter a specific IPv4 address or a range of IPv4 address in CIDR notation.
         
@@ -71,56 +67,79 @@ The following Resource Manager template enables adding an IP filter rule to an e
     "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
     "contentVersion": "1.0.0.0",
     "parameters": {
-        "eventhubNamespaceName": {
+        "namespace_name": {
+            "defaultValue": "contosoehub1333",
             "type": "String"
         }
     },
+    "variables": {},
     "resources": [
         {
             "type": "Microsoft.EventHub/namespaces",
-            "apiVersion": "2021-11-01",
-            "name": "[parameters('eventhubNamespaceName')]",
+            "apiVersion": "2022-01-01-preview",
+            "name": "[parameters('namespace_name')]",
             "location": "East US",
             "sku": {
                 "name": "Standard",
                 "tier": "Standard",
                 "capacity": 1
             },
             "properties": {
+                "minimumTlsVersion": "1.2",
+                "publicNetworkAccess": "Enabled",
                 "disableLocalAuth": false,
                 "zoneRedundant": true,
                 "isAutoInflateEnabled": false,
                 "maximumThroughputUnits": 0,
                 "kafkaEnabled": true
             }
         },
+        {
+            "type": "Microsoft.EventHub/namespaces/authorizationrules",
+            "apiVersion": "2022-01-01-preview",
+            "name": "[concat(parameters('namespaces_spehubns0215_name'), '/RootManageSharedAccessKey')]",
+            "location": "eastus",
+            "dependsOn": [
+                "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_spehubns0215_name'))]"
+            ],
+            "properties": {
+                "rights": [
+                    "Listen",
+                    "Manage",
+                    "Send"
+                ]
+            }
+        },
         {
             "type": "Microsoft.EventHub/namespaces/networkRuleSets",
-            "apiVersion": "2021-11-01",
-            "name": "[concat(parameters('eventhubNamespaceName'), '/default')]",
+            "apiVersion": "2022-01-01-preview",
+            "name": "[concat(parameters('namespaces_spehubns0215_name'), '/default')]",
             "location": "East US",
             "dependsOn": [
-                "[resourceId('Microsoft.EventHub/namespaces', parameters('eventhubNamespaceName'))]"
+                "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_spehubns0215_name'))]"
             ],
             "properties": {
                 "publicNetworkAccess": "Enabled",
                 "defaultAction": "Deny",
                 "virtualNetworkRules": [],
                 "ipRules": [
                     {
-                        "ipMask":"10.1.1.1",
-                        "action":"Allow"
+                        "ipMask": "10.1.1.1",
+                        "action": "Allow"
                     },
                     {
-                        "ipMask":"11.0.0.0/24",
-                        "action":"Allow"
-                    }                
+                        "ipMask": "11.0.0.0/24",
+                        "action": "Allow"
+                    },
+                    {
+                        "ipMask": "172.72.157.204",
+                        "action": "Allow"
+                    }
                 ]
             }
         }
     ]
 }
-
 ```
 
 To deploy the template, follow the instructions for [Azure Resource Manager][lnk-deploy].
diff --git a/articles/event-hubs/event-hubs-service-endpoints.md b/articles/event-hubs/event-hubs-service-endpoints.md
@@ -2,7 +2,7 @@
 title: Virtual Network service endpoints - Azure Event Hubs | Microsoft Docs
 description: This article provides information on how to add a Microsoft.EventHub service endpoint to a virtual network. 
 ms.topic: article
-ms.date: 02/23/2021
+ms.date: 02/15/2023
 ---
 
 # Allow access to Azure Event Hubs namespaces from specific virtual networks 
@@ -40,18 +40,14 @@ This section shows you how to use Azure portal to add a virtual network service
 1. Navigate to your **Event Hubs namespace** in the [Azure portal](https://portal.azure.com).
 4. Select **Networking** under **Settings** on the left menu. 
 1. On the **Networking** page, for **Public network access**, you can set one of the three following options. Choose **Selected networks** option to allow access only from specific virtual networks.
+
+    Here are more details about options available in the **Public network access** page:
     - **Disabled**. This option disables any public access to the namespace. The namespace will be accessible only through [private endpoints](private-link-service.md). 
-  
-        :::image type="content" source="./media/event-hubs-firewall/public-access-disabled.png" alt-text="Networking page - public access tab - public network access is disabled.":::
     - **Selected networks**. This option enables public access to the namespace using an access key from selected networks. 
 
         > [!IMPORTANT]
-        > If you choose **Selected networks**, add at least one IP firewall rule or a virtual network that will have access to the namespace. Choose **Disabled** if you want to restrict all traffic to this namespace over [private endpoints](private-link-service.md) only.   
-    
-        :::image type="content" source="./media/event-hubs-firewall/selected-networks.png" alt-text="Networking page with the selected networks option selected." lightbox="./media/event-hubs-firewall/selected-networks.png":::    
+        > If you choose **Selected networks**, add at least one IP firewall rule or a virtual network that will have access to the namespace. Choose **Disabled** if you want to restrict all traffic to this namespace over [private endpoints](private-link-service.md) only.
     - **All networks** (default). This option enables public access from all networks using an access key. If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range. 
-
-        :::image type="content" source="./media/event-hubs-firewall/firewall-all-networks-selected.png" lightbox="./media/event-hubs-firewall/firewall-all-networks-selected.png" alt-text="Screenshot that shows the Public access page with the All networks option selected.":::
 1. To restrict access to specific networks, choose the **Selected Networks** option at the top of the page if it isn't already selected.
 2. In the **Virtual networks** section of the page, select **+Add existing virtual network***. Select **+ Create new virtual network** if you want to create a new VNet. 
 
diff --git a/articles/event-hubs/media/event-hubs-firewall/firewall-selected-networks-trusted-access-disabled.png b/articles/event-hubs/media/event-hubs-firewall/firewall-selected-networks-trusted-access-disabled.png
diff --git a/articles/event-hubs/private-link-service.md b/articles/event-hubs/private-link-service.md
@@ -1,7 +1,7 @@
 ---
 title: Integrate Azure Event Hubs with Azure Private Link Service
 description: Learn how to integrate Azure Event Hubs with Azure Private Link Service
-ms.date: 08/26/2022
+ms.date: 02/15/2023
 ms.topic: article 
 ms.custom: devx-track-azurepowershell
 ---
@@ -40,18 +40,14 @@ If you already have an Event Hubs namespace, you can create a private link conne
 2. In the search bar, type in **event hubs**.
 3. Select the **namespace** from the list to which you want to add a private endpoint.
 1. On the **Networking** page, for **Public network access**, you can set one of the three following options. Select **Disabled** if you want the namespace to be accessed only via private endpoints. 
+
+    Here are more details about options available in the **Public network access** page:
     - **Disabled**. This option disables any public access to the namespace. The namespace will be accessible only through [private endpoints](private-link-service.md). 
-  
-        :::image type="content" source="./media/event-hubs-firewall/public-access-disabled.png" alt-text="Networking page - public access tab - public network access is disabled.":::
     - **Selected networks**. This option enables public access to the namespace using an access key from selected networks. 
 
         > [!IMPORTANT]
-        > If you choose **Selected networks**, add at least one IP firewall rule or a virtual network that will have access to the namespace. Choose **Disabled** if you want to restrict all traffic to this namespace over [private endpoints](private-link-service.md) only.   
-    
-        :::image type="content" source="./media/event-hubs-firewall/selected-networks.png" alt-text="Networking page with the selected networks option selected." lightbox="./media/event-hubs-firewall/selected-networks.png":::    
+        > If you choose **Selected networks**, add at least one IP firewall rule or a virtual network that will have access to the namespace. Choose **Disabled** if you want to restrict all traffic to this namespace over [private endpoints](private-link-service.md) only.
     - **All networks** (default). This option enables public access from all networks using an access key. If you select the **All networks** option, the event hub accepts connections from any IP address (using the access key). This setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range. 
-
-        :::image type="content" source="./media/event-hubs-firewall/firewall-all-networks-selected.png" lightbox="./media/event-hubs-firewall/firewall-all-networks-selected.png" alt-text="Screenshot that shows the Public access page with the All networks option selected.":::
 1. Switch to the **Private endpoint connections** tab. 
 1. Select the **+ Private Endpoint** button at the top of the page.
 
