Merge pull request #196582 from dominicbetts/central-export-vnet

IoT Central add secure VNet details

Author: v-ccolin

articles/iot-central/TOC.yml

@@ -233,8 +233,10 @@
           href: core/howto-manage-iot-central-from-cli.md
         - name: Manage from CSP portal
           href: core/howto-create-and-manage-applications-csp.md
-        - name: Create a private endpoint
+        - name: Create a private endpoint for devices
           href: core/howto-create-private-endpoint.md
+        - name: Export to a secure VNET
+          href: core/howto-connect-secure-vnet.md
 - name: Reference
   items:
   - name: Azure CLI

articles/iot-central/core/howto-connect-secure-vnet.md

@@ -0,0 +1,64 @@
+---
+title: Export IoT Central data to a secure VNet | Microsoft Docs
+description: Learn how to use IoT Central data export to send data to a destination in a secure VNet. Data export destinations include Azure Blob Storage, Azure Event Hubs, and Azure Service Bus Messaging.
+author: dominicbetts
+ms.author: dobett
+ms.date: 04/25/2022
+ms.topic: how-to
+ms.service: iot-central
+services: iot-central
+
+# Administrator
+---
+
+# Export data to a secure destination on an Azure Virtual Network
+
+Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging. You may choose to lock down these destinations by using an Azure Virtual Network (VNet) and private endpoints.
+
+Currently, it's not possible to connect an IoT Central application directly to VNet for data export. However, because IoT Central is a trusted Azure service, it's possible to configure an exception to the firewall rules and connect to a secure destination on a VNet. In this scenario, you typically use a managed identity to authenticate and authorize with the destination.
+
+## Prerequisites
+
+- An IoT Central application. To learn more, see [Create an IoT Central application](howto-create-iot-central-application.md).
+
+- Data export configured in your IoT Central application to send device data to a destination such as Azure Blob Storage, Azure Event Hubs, or Azure Service Bus. The destination is configured to use a managed identity. To learn more, see [Export IoT data to cloud destinations using data export](howto-export-data.md).
+
+## Configure the destination service
+
+To configure Azure Blob Storage to use a VNet and private endpoint see:
+
+- [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json)
+- [Private endpoints for your storage account](../../storage/common/storage-private-endpoints.md)
+
+To configure Azure Event Hubs to use a VNet and private endpoint see:
+
+- [Allow access to Azure Event Hubs namespaces from specific virtual networks](../../event-hubs/event-hubs-service-endpoints.md)
+- [Allow access to Azure Event Hubs namespaces via private endpoints](../../event-hubs/private-link-service.md)
+
+To configure Azure Service Bus Messaging to use a VNet and private endpoint see:
+
+- [Allow access to Azure Service Bus namespace from specific virtual networks](../../service-bus-messaging/service-bus-service-endpoints.md)
+- [Allow access to Azure Service Bus namespaces via private endpoints](../../service-bus-messaging/private-link-service.md)
+
+## Configure the firewall exception
+
+To allow IoT Central to connect to a destination on a VNet, enable a firewall exception on the VNet to allow connections from trusted Azure services.
+
+To configure the exception in the Azure portal for Azure Blob Storage, navigate to **Networking > Firewalls and virtual networks**. Then select **Allow Azure services on the trusted services list to access this storage account.**:
+
+:::image type="content" source="media/howto-connect-secure-vnet/blob-storage-exception.png" alt-text="Screenshot from Azure portal that shows firewall exception for Azure Blob Storage virtual network.":::
+
+To configure the exception in the Azure portal for Azure Event Hubs, navigate to **Networking > Public access**. Then select **Yes** to allow trusted Microsoft services to bypass this firewall:
+
+:::image type="content" source="media/howto-connect-secure-vnet/event-hubs-exception.png" alt-text="Screenshot from Azure portal that shows firewall exception for Azure Event Hubs virtual network.":::
+
+To configure the exception in the Azure portal for Azure Service Bus, navigate to **Networking > Public access**. Then select **Yes** to allow trusted Microsoft services to bypass this firewall:
+
+:::image type="content" source="media/howto-connect-secure-vnet/service-bus-queue-exception.png" alt-text="Screenshot from Azure portal that shows firewall exception for Azure Service Bus virtual network.":::
+
+## Next steps
+
+Now that you've learned how to export data to a destination locked down on a VNet, here's the suggested next step:
+
+> [!div class="nextstepaction"]
+> [Administer your application](howto-administer.md).

articles/iot-central/core/howto-export-data.md

@@ -328,11 +328,7 @@ To configure the permissions:
 
 1. Select **Save**. The managed identity for your IoT Central application is now configured.
 
-To further secure your event hub and only allow access from trusted services with managed identities, see:
-
-- [Allow access to Azure Event Hubs namespaces using private endpoints](../../event-hubs/private-link-service.md)
-- [Trusted Microsoft services](../../event-hubs/private-link-service.md#trusted-microsoft-services)
-- [Allow access to Azure Event Hubs namespaces from specific virtual networks](../../event-hubs/event-hubs-service-endpoints.md)
+To further secure your event hub and only allow access from trusted services with managed identities, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).
 
 To create the Event Hubs destination in IoT Central on the **Data export** page:
 
@@ -403,11 +399,7 @@ To configure the permissions:
 
 1. Select **Save**. The managed identity for your IoT Central application is now configured.
 
-To further secure your queue or topic and only allow access from trusted services with managed identities, see:
-
-- [Allow access to Azure Service Bus namespaces using private endpoints](../../service-bus-messaging/private-link-service.md)
-- [Trusted Microsoft services](../../service-bus-messaging/private-link-service.md#trusted-microsoft-services)
-- [Allow access to Azure Service Bus namespace from specific virtual networks](../../service-bus-messaging/service-bus-service-endpoints.md)
+To further secure your queue or topic and only allow access from trusted services with managed identities, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).
 
 To create the Service Bus destination in IoT Central on the **Data export** page:
 
@@ -482,11 +474,7 @@ To configure the permissions:
     > [!TIP]
     > This role assignment isn't visible in the list on the **Azure role assignments** page.
 
-To further secure your blob container and only allow access from trusted services with managed identities, see:
-
-- [Use private endpoints for Azure Storage](../../storage/common/storage-private-endpoints.md)
-- [Authorize access to blob data with managed identities for Azure resources](../../storage/blobs/authorize-managed-identity.md)
-- [Configure Azure Storage firewalls and virtual networks](../../storage/common/storage-network-security.md?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json)
+To further secure your blob container and only allow access from trusted services with managed identities, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).
 
 To create the Blob Storage destination in IoT Central on the **Data export** page:
 

articles/iot-central/core/media/howto-connect-secure-vnet/blob-storage-exception.png

@@ -86,6 +86,10 @@ To learn more, see:
 - [Configure a managed identity in the Azure portal](howto-manage-iot-central-from-portal.md#configure-a-managed-identity)
 - [Configure a managed identity using the Azure CLI](howto-manage-iot-central-from-cli.md#configure-a-managed-identity)
 
+## Connect to a destination on a secure virtual network
+
+Data export in IoT Central lets you continuously stream device data to destinations such as Azure Blob Storage, Azure Event Hubs, Azure Service Bus Messaging. You may choose to lock down these destinations by using an Azure Virtual Network (VNet) and private endpoints. To enable IoT Central to connect to a destination on a secure VNet, configure a firewall exception. To learn more, see [Export data to a secure destination on an Azure Virtual Network](howto-connect-secure-vnet.md).
+
 ## Next steps
 
 Now that you've learned about security in your Azure IoT Central application, the suggested next step is to learn about [Manage users and roles](howto-manage-users-roles.md) in Azure IoT Central.