Merge pull request #96445 from rachel-msft/edits1118

Add security overview, reorder TOC

Author: v-albemi

articles/mariadb/TOC.yml

@@ -49,16 +49,18 @@
       href: concepts-limits.md
   - name: Data access & security
     items:
-    - name: Firewall rules
-      href: concepts-firewall-rules.md
+    - name: Security overview
+      href: concepts-security.md
     - name: Configuring SSL
       href: concepts-ssl-connection-security.md
-    - name: Advanced Threat Protection
-      href: concepts-data-access-and-security-threat-protection.md
-    - name: Virtual Network
-      href: concepts-data-access-security-vnet.md
     - name: Connectivity architecture
       href: concepts-connectivity-architecture.md
+    - name: Firewall rules
+      href: concepts-firewall-rules.md
+    - name: Virtual Network
+      href: concepts-data-access-security-vnet.md
+    - name: Advanced Threat Protection
+      href: concepts-data-access-and-security-threat-protection.md
   - name: Business continuity
     items:
     - name: Business continuity intro

articles/mariadb/concepts-security.md

@@ -0,0 +1,49 @@
+---
+title: Security in Azure Database for MariaDB - Single Server
+description: An overview of the security features in Azure Database for MariaDB - Single Server.
+author: ajlam
+ms.author: andrela
+ms.service: mariadb
+ms.topic: conceptual
+ms.date: 11/25/2019
+---
+
+# Security in Azure Database for MariaDB - Single Server
+
+There are multiple layers of security that are available to protect the data on your Azure Database for MariaDB server. This article outlines those security options.
+
+## Information protection and encryption
+
+### In-transit
+Azure Database for MariaDB secures your data by encrypting data in-transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.
+
+### At-rest
+The Azure Database for MariaDB service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, with the exception of temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
+
+
+## Network security
+Connections to an Azure Database for MariaDB server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, visit the [connectivity architecture article](concepts-connectivity-architecture.md).  
+
+A newly created Azure Database for MariaDB server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server. 
+
+### IP firewall rules
+IP firewall rules grant access to servers based on the originating IP address of each request. See the [firewall rules overview](concepts-firewall-rules.md) for more information.
+
+### Virtual network firewall rules
+Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules you can enable your Azure Database for MariaDB server to allow connections from selected subnets in a virtual network. For more information, see the [virtual network service endpoint overview](concepts-data-access-security-vnet.md).
+
+
+## Access management
+
+While creating the Azure Database for MariaDB server, you provide credentials for an administrator user. This administrator can be used to create additional MariaDB users.
+
+
+## Threat protection
+
+You can opt in to [Advanced Threat Protection](concepts-data-access-and-security-threat-protection.md) which detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit servers.
+
+[Audit logging](concepts-audit-logs.md) is available to track activity in your databases. 
+
+
+## Next steps
+- Enable firewall rules for [IPs](concepts-firewall-rules.md) or [virtual networks](concepts-data-access-security-vnet.md)

articles/mariadb/overview.md

@@ -6,7 +6,7 @@ ms.author: andrela
 ms.service: mariadb
 ms.topic: overview
 ms.custom: mvc
-ms.date: 08/13/2019
+ms.date: 11/25/2019
 ---
 
 # What is Azure Database for MariaDB?
@@ -48,11 +48,7 @@ Azure's industry-leading 99.99% availability SLA is powered by a global network
 
 ## Secure your data
 
-Azure database services have a tradition of data security that Azure Database for MariaDB upholds. Azure Database for MariaDB offers features that limit access, protect data at rest and in motion, and help you monitor activity. Visit the [Azure Trust Center](https://www.microsoft.com/en-us/trustcenter/security) for information about Azure's platform security.
-
-The Azure Database for MariaDB service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk with the exception of temporary files created while running queries. The service uses AES 256-bit cipher, which is included in Azure Storage encryption. The keys are system managed. Storage encryption is always on and can't be disabled.
-
-By default, the Azure Database for MariaDB service is configured to require [SSL connection security](./concepts-ssl-connection-security.md) for data in motion across the network. Enforcing SSL connections between your database server and your client applications helps protect against "man in the middle" attacks by encrypting the data stream between the server and your application. Optionally, you can disable the SSL requirement for connecting to your database service if your client application doesn't support SSL connectivity.
+Azure database services have a tradition of data security that Azure Database for MariaDB upholds. Azure Database for MariaDB offers features that limit access, protect data at rest and in motion, and help you monitor activity. Visit the [Azure Trust Center](https://www.microsoft.com/trustcenter/security) for information about Azure's platform security. For more information about Azure Database for MySQL security features, see the [security overview](concepts-security.md).
 
 ## Contacts
 

articles/mysql/TOC.yml

@@ -79,16 +79,18 @@
       href: concepts-limits.md
   - name: Data access & security
     items:
-    - name: Firewall rules
-      href: concepts-firewall-rules.md
+    - name: Security overview
+      href: concepts-security.md
     - name: Configuring SSL
       href: concepts-ssl-connection-security.md
-    - name: Advanced Threat Protection
-      href: concepts-data-access-and-security-threat-protection.md
+    - name: Connectivity architecture
+      href: concepts-connectivity-architecture.md
+    - name: Firewall rules
+      href: concepts-firewall-rules.md
     - name: Virtual Network
       href: concepts-data-access-and-security-vnet.md
-    - name: Connectivity architecture
-      href: concepts-connectivity-architecture.md      
+    - name: Advanced Threat Protection
+      href: concepts-data-access-and-security-threat-protection.md   
   - name: Business continuity
     items:
     - name: Business continuity intro

articles/mysql/concepts-security.md

@@ -0,0 +1,49 @@
+---
+title: Security in Azure Database for MySQL - Single Server
+description: An overview of the security features in Azure Database for MySQL - Single Server.
+author: ajlam
+ms.author: andrela
+ms.service: mysql
+ms.topic: conceptual
+ms.date: 11/25/2019
+---
+
+# Security in Azure Database for MySQL - Single Server
+
+There are multiple layers of security that are available to protect the data on your Azure Database for MySQL server. This article outlines those security options.
+
+## Information protection and encryption
+
+### In-transit
+Azure Database for MySQL secures your data by encrypting data in-transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.
+
+### At-rest
+The Azure Database for MySQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, with the exception of temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
+
+
+## Network security
+Connections to an Azure Database for MySQL server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, visit the [connectivity architecture article](concepts-connectivity-architecture.md).  
+
+A newly created Azure Database for MySQL server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server. 
+
+### IP firewall rules
+IP firewall rules grant access to servers based on the originating IP address of each request. See the [firewall rules overview](concepts-firewall-rules.md) for more information.
+
+### Virtual network firewall rules
+Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules you can enable your Azure Database for MySQL server to allow connections from selected subnets in a virtual network. For more information, see the [virtual network service endpoint overview](concepts-data-access-and-security-vnet.md).
+
+
+## Access management
+
+While creating the Azure Database for MySQL server, you provide credentials for an administrator user. This administrator can be used to create additional MySQL users.
+
+
+## Threat protection
+
+You can opt in to [Advanced Threat Protection](concepts-data-access-and-security-threat-protection.md) which detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit servers.
+
+[Audit logging](concepts-audit-logs.md) is available to track activity in your databases. 
+
+
+## Next steps
+- Enable firewall rules for [IPs](concepts-firewall-rules.md) or [virtual networks](concepts-data-access-and-security-vnet.md)

articles/mysql/overview.md

@@ -6,7 +6,7 @@ ms.service: mysql
 ms.author: andrela
 ms.custom: mvc
 ms.topic: overview
-ms.date: 08/13/2019
+ms.date: 11/25/2019
 ---
 
 # What is Azure Database for MySQL?
@@ -43,11 +43,7 @@ How do you decide when to dial up and down? You use the built-in performance mon
 Azure's industry leading 99.99% availability service level agreement (SLA), powered by a global network of Microsoft-managed datacenters, helps keep your app running 24/7. With every Azure Database for MySQL server, you take advantage of built-in security, fault tolerance, and data protection that you would otherwise have to buy or design, build, and manage. With Azure Database for MySQL, you can use point-in-time restore to recover a server to an earlier state, as far back as 35 days.
 
 ## Secure your data
-Azure database services have a tradition of data security that Azure Database for MySQL upholds, with features that limit access, protect data at-rest and in-motion, and help you monitor activity. Visit the [Azure Trust Center](https://www.microsoft.com/en-us/trustcenter/security) for information about Azure's platform security.
-
-The Azure Database for MySQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk with the exception of temporary files created while running queries. The service uses AES 256-bit cipher that is included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and cannot be disabled.
-
-By default, the Azure Database for MySQL service is configured to require [SSL connection security](./concepts-ssl-connection-security.md) for data in-motion across the network. Enforcing SSL connections between your database server and your client applications helps to protect against "man in the middle" attacks by encrypting the data stream between the server and your application. Optionally, you can disable requiring SSL for connecting to your database service if your client application does not support SSL connectivity.
+Azure database services have a tradition of data security that Azure Database for MySQL upholds, with features that limit access, protect data at-rest and in-motion, and help you monitor activity. Visit the [Azure Trust Center](https://www.microsoft.com/trustcenter/security) for information about Azure's platform security. For more information about Azure Database for MySQL security features, see the [security overview](concepts-security.md).
 
 ## Contacts
 For any questions or suggestions you might have about working with Azure Database for MySQL, send an email to the Azure Database for MySQL Team ([@Ask Azure DB for MySQL](mailto:[email protected])). This email address is not a technical support alias.

articles/postgresql/TOC.yml

@@ -84,16 +84,18 @@
         href: concepts-limits.md
     - name: Data access and security
       items:
-      - name: Firewall rules
-        href: concepts-firewall-rules.md
+      - name: Security overview
+        href: concepts-security.md
       - name: Configure SSL
         href: concepts-ssl-connection-security.md
-      - name: Advanced Threat Protection
-        href: concepts-data-access-and-security-threat-protection.md
-      - name: Virtual network
-        href: concepts-data-access-and-security-vnet.md
       - name: Connectivity architecture
         href: concepts-connectivity-architecture.md
+      - name: Firewall rules
+        href: concepts-firewall-rules.md
+      - name: Virtual network
+        href: concepts-data-access-and-security-vnet.md
+      - name: Advanced Threat Protection
+        href: concepts-data-access-and-security-threat-protection.md
       - name: Azure AD authentication
         href: concepts-aad-authentication.md
     - name: Business continuity

articles/postgresql/concepts-security.md

@@ -0,0 +1,52 @@
+---
+title: Security in Azure Database for PostgreSQL - Single Server
+description: An overview of the security features in Azure Database for PostgreSQL - Single Server.
+author: rachel-msft
+ms.author: raagyema
+ms.service: postgresql
+ms.topic: conceptual
+ms.date: 11/22/2019
+---
+
+# Security in Azure Database for PostgreSQL - Single Server
+
+There are multiple layers of security that are available to protect the data on your Azure Database for PostgreSQL server. This article outlines those security options.
+
+## Information protection and encryption
+
+### In-transit
+Azure Database for PostgreSQL secures your data by encrypting data in-transit with Transport Layer Security. Encryption (SSL/TLS) is enforced by default.
+
+### At-rest
+The Azure Database for PostgreSQL service uses the FIPS 140-2 validated cryptographic module for storage encryption of data at-rest. Data, including backups, are encrypted on disk, with the exception of temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
+
+
+## Network security
+Connections to an Azure Database for PostgreSQL server are first routed through a regional gateway. The gateway has a publicly accessible IP, while the server IP addresses are protected. For more information about the gateway, visit the [connectivity architecture article](concepts-connectivity-architecture.md).  
+
+A newly created Azure Database for PostgreSQL server has a firewall that blocks all external connections. Though they reach the gateway, they are not allowed to connect to the server. 
+
+### IP firewall rules
+IP firewall rules grant access to servers based on the originating IP address of each request. See the [firewall rules overview](concepts-firewall-rules.md) for more information.
+
+### Virtual network firewall rules
+Virtual network service endpoints extend your virtual network connectivity over the Azure backbone. Using virtual network rules you can enable your Azure Database for PostgreSQL server to allow connections from selected subnets in a virtual network. For more information, see the [virtual network service endpoint overview](concepts-data-access-and-security-vnet.md).
+
+
+## Access management
+
+While creating the Azure Database for PostgreSQL server, you provide credentials for an administrator role. This administrator role can be used to create additional [PostgreSQL roles](https://www.postgresql.org/docs/current/user-manag.html).
+
+You can also connect to the server using [Azure Active Directory (AAD) authentication](concepts-aad-authentication.md).
+
+
+## Threat protection
+
+You can opt in to [Advanced Threat Protection](concepts-data-access-and-security-threat-protection.md) which detects anomalous activities indicating unusual and potentially harmful attempts to access or exploit servers.
+
+[Audit logging](concepts-audit.md) is available to track activity in your databases. 
+
+
+## Next steps
+- Enable firewall rules for [IPs](concepts-firewall-rules.md) or [virtual networks](concepts-data-access-and-security-vnet.md)
+- Learn about [Azure Active Directory authentication](concepts-aad-authentication.md) in Azure Database for PostgreSQL