security overview outbound traffic clean up

Author: HeidiSteen

articles/search/search-security-overview.md

@@ -10,7 +10,7 @@ ms.service: cognitive-search
 ms.custom:
   - ignite-2023
 ms.topic: conceptual
-ms.date: 11/10/2023
+ms.date: 03/25/2024
 ---
 
 # Security overview for Azure AI Search
@@ -29,32 +29,41 @@ Azure AI Search has three basic network traffic patterns:
 
 ### Inbound traffic
 
-Inbound requests that target a search service endpoint can be characterized as:
+Inbound requests that target a search service endpoint include:
 
-+ Create or manage indexes, indexers, data sources, skillsets, and synonym maps
++ Create or manage objects on the search service (indexes, indexers, data sources, skillsets, synonym maps)
 + Trigger indexer or skillset execution
-+ Load or query an index
++ Load an index
++ Query an index
 
 You can review the [REST APIs](/rest/api/searchservice/) to understand the full range of inbound requests that are handled by a search service.
 
-At a minimum, all inbound requests must be authenticated:
+At a minimum, all inbound requests must be authenticated using either of these options:
 
-+ Key-based authentication is the default. Inbound requests that include a valid API key are accepted by the search service as originating from a trusted party.
-+ Microsoft Entra ID and role-based access control are also widely used for data plane operations. 
++ Key-based authentication (default). Inbound requests provide a valid API key.
++ Role-based access control. Microsoft Entra identities and role assignments authorize access.
 
 Additionally, you can add [network security features](#service-access-and-authentication) to further restrict access to the endpoint. You can create either inbound rules in an IP firewall, or create private endpoints that fully shield your search service from the public internet. 
 
 ### Outbound traffic
 
 Outbound requests from a search service to other applications are typically made by indexers for text-based indexing, skills-based AI enrichment, and vectorization. Outbound requests include both read and write operations.
 
-The following list is a full enumeration of the outbound requests that can be made by a search service. A search service makes requests on its own behalf, and on the behalf of an indexer or custom skill:
+The following list is a full enumeration of the outbound requests that can be made by a search service. A search service makes requests on its own behalf, and on the behalf of an indexer or custom skill.
 
-+ Indexers [read from external data sources](search-indexer-securing-resources.md).
+| Operation | Scenario |
+| ----------| -------- |
+| Indexers | Connect to external data sources to retrieve data. For more information, see [Indexer access to content protected by Azure network security](search-indexer-securing-resources.md). |
+| Indexers | Connect to Azure Storage to persist [knowledge stores](knowledge-store-concept-intro.md), [cached enrichments](cognitive-search-incremental-indexing-conceptual.md), [debug sessions](cognitive-search-debug-session.md). |
+| Custom skills | Connect to Azure functions, Azure web apps, or other apps running external code that's hosted off-service. The request for external processing is sent during skillset execution. |
+| Indexers and [integrated vectorization](vector-search-integrated-vectorization.md) | Connect to Azure OpenAI and a deployed embedding model, or it goes through a custom skill to connect to an embedding model that you provide. The search service sends text to embedding models for vectorization during indexing or query execution. |
+| Search service | Connect to Azure Key Vault for customer-managed keys, used to encrypt and decrypt sensitive data. |
+
+<!-- + Indexers connect to external data sources. For more information, see [Indexer access to content protected by Azure network security](search-indexer-securing-resources.md).
 + Indexers write to Azure Storage when creating knowledge stores, persisting cached enrichments, and persisting debug sessions.
-+ If you're using custom skills, custom skills connect to an external Azure function or app to run external code that's hosted off-service. The request for external processing is sent during skillset execution.
-+ If you're using [integrated vectorization](vector-search-integrated-vectorization.md), the search service connects to Azure OpenAI and a deployed embedding model, or it goes through a custom skill to connect to an embedding model that you provide. The search service sends text to embedding models for vectorization during indexing or query execution.
-+ If you're using customer-managed keys, the service connects to an external Azure Key Vault for a customer-managed key used to encrypt and decrypt sensitive data.
++ Custom skills connect to an external Azure function or app to run external code that's hosted off-service. The request for external processing is sent during skillset execution.
++ During [integrated vectorization](vector-search-integrated-vectorization.md), the search service connects to Azure OpenAI and a deployed embedding model, or it goes through a custom skill to connect to an embedding model that you provide. The search service sends text to embedding models for vectorization during indexing or query execution.
++ Search services connect to Azure Key Vault for customer-managed keys, used to encrypt and decrypt sensitive data. -->
 
 Outbound connections can be made using a resource's full access connection string that includes a key or a database login, or [a managed identity](search-howto-managed-identities-data-sources.md) if you're using Microsoft Entra ID and role-based access.
 
@@ -123,7 +132,7 @@ Azure AI Search provides authorization models for service management and content
 
 ### Authorize service management
 
-Resource management is authorized through [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). Azure RBAC is the authorization system for [Azure Resource Manager](../azure-resource-manager/management/overview.md). 
+Resource management is authorized through [role-based access control](../role-based-access-control/overview.md) in your Microsoft Entra tenant. 
 
 In Azure AI Search, Resource Manager is used to create or delete the service, manage API keys, scale the service, and configure security. As such, Azure role assignments will determine who can perform those tasks, regardless of whether they're using the [portal](search-manage.md), [PowerShell](search-manage-powershell.md), or the [Management REST APIs](/rest/api/searchmanagement).
 
@@ -163,7 +172,7 @@ If you require permissioned access over content in search results, there's a tec
 
 When you set up a search service, you choose a location or region that determines where customer data is stored and processed. Azure AI Search won't store customer data outside of your specified region unless you configure a feature that has a dependency on another Azure resource, and that resource is provisioned in a different region.
 
-Currently, the only external resource that a search service writes customer data to is Azure Storage. The storage account is one that you provide, and it could be in any region. A search service will write to Azure Storage if you use any of the following features: [enrichment cache](cognitive-search-incremental-indexing-conceptual.md), [debug session](cognitive-search-debug-session.md), [knowledge store](knowledge-store-concept-intro.md). 
+Currently, the only external resource that a search service writes to is Azure Storage. The storage account is one that you provide, and it could be in any region. A search service will write to Azure Storage if you use any of the following features: [enrichment cache](cognitive-search-incremental-indexing-conceptual.md), [debug session](cognitive-search-debug-session.md), [knowledge store](knowledge-store-concept-intro.md). 
 
 ### Exceptions to data residency commitments