
Commit 76d46ad

Merge pull request #192394 from JimacoMS4/update-portal-access-with-network-options
Clarify behavior of portal with VNETs and IP filtering enabled
2 parents 016a2b7 + 4084d80 commit 76d46ad

File tree

4 files changed

+22
-8
lines changed


articles/iot-dps/how-to-manage-enrollments.md

Lines changed: 4 additions & 1 deletion
@@ -3,7 +3,7 @@ title: Manage device enrollments for Azure IoT Hub Device Provisioning Service i
33
description: How to manage device enrollments for your Device Provisioning Service (DPS) in the Azure portal
44
author: kgremban
55
ms.author: kgremban
6-
ms.date: 10/25/2021
6+
ms.date: 03/21/2022
77
ms.topic: how-to
88
ms.service: iot-dps
99
services: iot-dps
@@ -19,6 +19,9 @@ The Azure IoT Device Provisioning Service supports two types of enrollments:
1919
* [Enrollment groups](concepts-service.md#enrollment-group): Used to enroll multiple related devices.
2020
* [Individual enrollments](concepts-service.md#individual-enrollment): Used to enroll a single device.
2121

22+
> [!IMPORTANT]
23+
> If you have trouble accessing enrollments from the Azure portal, it may be because you have public network access disabled or IP filtering rules configured that block access for the Azure portal. To learn more, see [Disable public network access limitations](public-network-access.md#disable-public-network-access-limitations) and [IP filter rules limitations](iot-dps-ip-filtering.md#ip-filter-rules-limitations).
24+
2225
## Create an enrollment group
2326

2427
An enrollment group is an entry for a group of devices that share a common attestation mechanism. We recommend that you use an enrollment group for a large number of devices that share an initial configuration, or for devices that go to the same tenant. Devices that use either [symmetric key](concepts-symmetric-key-attestation.md) or [X.509 certificates](concepts-x509-attestation.md) attestation are supported.
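Review bot: The two anchors in the new IMPORTANT note point at headings that are themselves introduced elsewhere in this PR (`## Disable public network access limitations` in public-network-access.md and `## IP filter rules limitations` in iot-dps-ip-filtering.md); the slugs match as written, but the links only resolve if all four files merge together, so don't split or partially revert this change set. Wording: "it may be because you have public network access disabled or IP filtering rules configured that block access for the Azure portal" reads more directly as "it may be because public network access is disabled or IP filter rules are blocking the Azure portal".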

articles/iot-dps/iot-dps-ip-filtering.md

Lines changed: 7 additions & 2 deletions
@@ -21,8 +21,13 @@ There are two specific use-cases where it is useful to block connections to a DP
2121

2222
* You need to reject traffic from IP addresses that have been identified as suspicious by the DPS administrator.
2323

24-
>[!Note]
25-
>If IP filtering is enabled, you'll no longer be able use the Azure portal to perform service operations (i.e. managing enrollments). To perform service operations using the portal, you'll have to temporarily deactivate IP filtering, complete your work, and then re-enable the IP filtering feature. If you want to use your own clients and avoid the deactivation of the IP filter, you can choose to add your machine's IP address to the `ipFilterRules` and manage the enrollments in the DPS through CLI.
24+
## IP filter rules limitations
25+
26+
Note the following limitations if IP filtering is enabled:
27+
28+
* You might not be able to use the Azure portal to manage enrollments. If this occurs, you can add the IP address of one or more machines to the `ipFilterRules` and manage enrollments in the DPS instance from those machines with Azure CLI, PowerShell, or service APIs.
29+
30+
This scenario is most likely to happen when you want to use IP filtering to allow access only to selected IP addresses. In this case, you configure rules to enable certain addresses or address ranges and a default rule that blocks all other addresses (0.0.0.0/0). This default rule will block Azure portal from performing operations like managing enrollments on the DPS instance. For more information, see [IP filter rule evaluation](iot-dps-ip-filtering.md#ip-filter-rule-evaluation) later in this article.
2631

2732
## How filter rules are applied
2833

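Review bot: The replaced note offered two recovery paths (temporarily deactivate IP filtering, or allow-list your own machine's address) and the new bullet keeps only the second. That is the safer guidance, because switching filtering off re-exposes the service endpoint to every address for as long as you work, but the change should be stated explicitly so readers of the old text don't assume temporary deactivation is still the recommended procedure. Minor: "This default rule will block Azure portal from performing operations" is missing the article ("the Azure portal"), and the self-link `iot-dps-ip-filtering.md#ip-filter-rule-evaluation` inside its own article can be just `#ip-filter-rule-evaluation`.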
articles/iot-dps/public-network-access.md

Lines changed: 7 additions & 3 deletions
@@ -6,7 +6,7 @@ author: kgremban
66
ms.service: iot-dps
77
services: iot-dps
88
ms.topic: conceptual
9-
ms.date: 10/18/2021
9+
ms.date: 03/21/2022
1010
---
1111

1212
# Manage public network access for your IoT Device Provisioning Service
@@ -31,9 +31,13 @@ To turn on public network access:
3131
1. Select **All networks**.
3232
2. Select **Save**.
3333

34-
## Access the DPS after disabling the public network access
34+
## Disable public network access limitations
3535

36-
After public network access is disabled, the DPS instance is accessible only through [its VNet private endpoint using Azure private link](virtual-network-support.md). This restriction includes accessing through the Azure portal.
36+
Note the following limitations when public network access is disabled:
37+
38+
- The DPS instance is accessible only through [its VNET private endpoint using Azure private link](virtual-network-support.md).
39+
40+
- You can no longer use the Azure portal to manage enrollments for the DPS instance. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the virtual network(s) configured on the DPS instance. To learn more, see [Private endpoint limitations](virtual-network-support.md#private-endpoint-limitations).
3741

3842
## DPS endpoint, IP address, and ports after disabling public network access
3943

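Review bot: Renaming the heading from "Access the DPS after disabling the public network access" to "Disable public network access limitations" changes the generated anchor, so any inbound link to `#access-the-dps-after-disabling-the-public-network-access` (in this repo or externally) now breaks; grep for it before merging. The new heading also reads as an instruction ("Disable ..."), whereas "Limitations when public network access is disabled" says what the section actually contains. Minor: the first bullet now writes "VNET" where the removed line used "VNet"; keep one spelling.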
articles/iot-dps/virtual-network-support.md

Lines changed: 4 additions & 2 deletions
@@ -6,7 +6,7 @@
66
ms.service: iot-dps
77
manager: lizross
88
ms.topic: conceptual
9-
ms.date: 10/06/2021
9+
ms.date: 03/21/2022
1010
ms.author: kgremban
1111
---
1212

@@ -57,7 +57,9 @@ Note the following current limitations for DPS when using private endpoints:
5757

5858
* Current DPS VNET support is for data ingress into DPS only. Data egress, which is the traffic from DPS to IoT Hub, uses an internal service-to-service mechanism rather than a dedicated VNET. Support for full VNET-based egress lockdown between DPS and IoT Hub is not currently available.
5959

60-
* The lowest latency allocation policy is used to assign a device to the IoT hub with the lowest latency. This allocation policy is not reliable in a virtual network environment.
60+
* The lowest latency allocation policy is used to assign a device to the IoT hub with the lowest latency. This allocation policy is not reliable in a virtual network environment.
61+
62+
* Enabling one or more private endpoints typically involves [disabling public access](public-network-access.md) to your DPS instance. This means that you can no longer use the Azure portal to manage enrollments. Instead you can manage enrollments using the Azure CLI, PowerShell, or service APIs from machines inside the VNET(s)/private endpoint(s) configured on the DPS instance.
6163

6264
>[!NOTE]
6365
>**Data residency consideration:**
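Review bot: Line 60 shows up as both removed and re-added with identical visible text, so this is a whitespace-only change (probably trailing whitespace); if it wasn't intentional, drop it to keep the diff focused. In the new bullet, the first sentence hedges ("typically involves disabling public access") while the second states the consequence as certain ("you can no longer use the Azure portal"); qualify the second to match, since portal management is lost only once public access is actually disabled. Also, public-network-access.md in this same PR links to `#private-endpoint-limitations` in this file, but the heading above this list is outside the hunk; confirm it is literally "Private endpoint limitations" so the new cross-reference resolves.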
