MicrosoftDocs
diff --git a/‎articles/mysql/concepts-data-encryption-mysql.md
Lines changed: 3 additions & 1 deletion b/‎articles/mysql/concepts-data-encryption-mysql.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/mysql/media/concepts-data-access-and-security-data-encryption/keyvault-trusted-service.png
115 KB b/‎articles/mysql/media/concepts-data-access-and-security-data-encryption/keyvault-trusted-service.png
115 KB
diff --git a/‎articles/postgresql/concepts-data-encryption-postgresql.md
Lines changed: 3 additions & 1 deletion b/‎articles/postgresql/concepts-data-encryption-postgresql.md
Lines changed: 3 additions & 1 deletion
diff --git a/‎articles/postgresql/media/concepts-data-access-and-security-data-encryption/keyvault-trusted-service.png
115 KB b/‎articles/postgresql/media/concepts-data-access-and-security-data-encryption/keyvault-trusted-service.png
115 KB
@@ -77,8 +77,10 @@ When you're using data encryption by using a customer-managed key, here are reco
 
 * Set a resource lock on Key Vault to control who can delete this critical resource and prevent accidental or unauthorized deletion.
 * Enable auditing and reporting on all encryption keys. Key Vault provides logs that are easy to inject into other security information and event management tools. Azure Monitor Log Analytics is one example of a service that's already integrated.
-
 * Ensure that Key Vault and Azure Database for MySQL reside in the same region, to ensure a faster access for DEK wrap, and unwrap operations.
+* Lock down the Azure KeyVault to only **private endpoint and selected networks** and allow only *trusted Microsoft* services to secure the resources.
+
+    ![trusted-service-with-AKV](media/concepts-data-access-and-security-data-encryption/keyvault-trusted-service.png)
 
 Here are recommendations for configuring a customer-managed key:
 
 
@@ -76,8 +76,10 @@ When you're using data encryption by using a customer-managed key, here are reco
 
 * Set a resource lock on Key Vault to control who can delete this critical resource and prevent accidental or unauthorized deletion.
 * Enable auditing and reporting on all encryption keys. Key Vault provides logs that are easy to inject into other security information and event management tools. Azure Monitor Log Analytics is one example of a service that's already integrated.
-
 * Ensure that Key Vault and Azure Database for PostgreSQL Single server reside in the same region, to ensure a faster access for DEK wrap, and unwrap operations.
+* Lock down the Azure KeyVault to only **private endpoint and selected networks** and allow only *trusted Microsoft* services to secure the resources.
+
+    ![trusted-service-with-AKV](media/concepts-data-access-and-security-data-encryption/keyvault-trusted-service.png)
 
 Here are recommendations for configuring a customer-managed key: