Merge pull request #223971 from zeinab-mk/zeinam-purview-fw

Zeinam purview firewall

Author: v-dirichards

articles/purview/catalog-firewall.md

@@ -0,0 +1,82 @@
+---
+title: Configure Microsoft Purview firewall
+description: This article describes how to configure firewall settings for your Microsoft Purview account
+author: zeinab-mk
+ms.author: zeinam
+ms.service: purview
+ms.subservice: purview-data-catalog
+ms.topic: how-to
+ms.date: 01/13/2023
+# Customer intent: As a Microsoft Purview admin, I want to set firewall settings for my Microsoft Purview account.
+---
+
+# Configure firewall settings for your Microsoft Purview account
+
+This article describes how to configure firewall settings for Microsoft Purview.
+
+## Prerequisites
+
+To configure Microsoft Purview account firewall settings, ensure you meet the following prerequisites:
+
+1. An Azure account with an active subscription. [Create an account for free.](https://azure.microsoft.com/free/?WT.mc_id=A261C142F)
+<br>
+2. An existing Microsoft Purview account.
+<br>
+
+## Microsoft Purview firewall deployment scenarios
+
+To configure Microsoft Purview firewall follow these steps:
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+
+2. Navigate to your Microsoft Purview account in the portal.
+
+3. Under **Settings*, choose **Networking**.
+
+4. In the **Firewall** tab, under **Public network access**, change the firewall settings to the option that suits your scenario:
+
+- **Enabled from all networks**
+
+  :::image type="content" source="media/catalog-private-link/purview-firewall-public.png" alt-text="Screenshot showing the purview account firewall page, selecting public network in the Azure portal.":::
+
+  By choosing this option:
+
+  - All public network access into your Microsoft Purview account is allowed. 
+  - Public network access is set to _Enabled from all networks_ on your Microsoft Purview account's Managed storage account. 
+  - Public network access is set to _All networks_ on your Microsoft Purview account's Managed Event Hubs, if it's used. 
+
+  > [!NOTE]
+  > Even though the network access is enaled through public internet, to gain access to Microsoft Purview governance portal, users must be first authenticated and authorized. 
+
+- **Disabled for ingestion only (Preview)**
+
+  :::image type="content" source="media/catalog-private-link/purview-firewall-ingestion.png" alt-text="Screenshot showing the purview account firewall page, selecting ingestion only in the Azure portal.":::
+
+  > [!NOTE]
+  > Currently, this option is available in public preview.
+  
+  By choosing this option:
+  - Public network access to your Microsoft Purview account through API and Microsoft Purview governance portal is allowed.
+  - All public network traffic for ingestion is disabled. In this case, you must configure a private endpoint for ingestion before setting up any scans. For more information, see [Use private endpoints for your Microsoft Purview account](catalog-private-link.md).
+  - Public network access is set to _Disabled_ on your Microsoft Purview account's Managed storage account. 
+  - Public network access is set to _Disabled_ on your Microsoft Purview account's Managed Event Hubs, if it's used. 
+  
+- **Disabled from all networks**
+
+  :::image type="content" source="media/catalog-private-link/purview-firewall-private.png" alt-text="Screenshot showing the purview account firewall page, selecting private network in the Azure portal.":::
+
+  By choosing this option:
+  
+  - All public network access into your Microsoft Purview account is disabled. 
+  - All network access to your Microsoft Purview account through APIs or Microsoft Purview governance portal including traffic to run scans is allowed only through private network using private endpoints. For more information, see [Connect to your Microsoft Purview and scan data sources privately and securely](catalog-private-link-end-to-end.md).
+  - Public network access is set to _Disabled_ on your Microsoft Purview account's Managed storage account. 
+  - Public network access is set to _Disabled_ on your Microsoft Purview account's Managed Event Hubs, if it's used. 
+
+5. Select **Save**.
+
+    :::image type="content" source="media/catalog-private-link/purview-firewall-save.png" alt-text="Screenshot showing the purview account firewall page, selecting save in the Azure portal.":::
+
+## Next steps
+
+- [Deploy end to end private networking](./catalog-private-link-end-to-end.md)
+- [Deploy private networking for the Microsoft Purview governance portal](./catalog-private-link-account-portal.md)

articles/purview/catalog-private-link-end-to-end.md

@@ -6,7 +6,7 @@ ms.author: zeinam
 ms.service: purview
 ms.subservice: purview-data-catalog
 ms.topic: how-to
-ms.date: 12/09/2022
+ms.date: 01/13/2023
 # Customer intent: As a Microsoft Purview admin, I want to set up private endpoints for my Microsoft Purview account to access purview account and scan data sources from restricted network.
 ---
 
@@ -16,7 +16,7 @@ In this guide, you will learn how to deploy _account_, _portal_ and _ingestion_
 
 The Microsoft Purview _account_ private endpoint is used to add another layer of security by enabling scenarios where only client calls that originate from within the virtual network are allowed to access the Microsoft Purview account. This private endpoint is also a prerequisite for the portal private endpoint.
 
-The Microsoft Purview _portal_ private endpoint is required to enable connectivity to [Microsoft Purview governance portal](https://web.purview.azure.com/resource/) using a private network.
+The Microsoft Purview _compliance portal_ private endpoint is required to enable connectivity to [Microsoft Purview governance portal](https://web.purview.azure.com/resource/) using a private network.
 
 Microsoft Purview can scan data sources in Azure or an on-premises environment by using _ingestion_ private endpoints. Three private endpoint resources are required to be deployed and linked to Microsoft Purview managed or configured resources when ingestion private endpoint is deployed:
 
@@ -129,7 +129,7 @@ Using one of the deployment options explained further in this guide, you can dep
 ## Enable access to Azure Active Directory
 
 > [!NOTE]
-> If your VM, VPN gateway, or VNet Peering gateway has public internet access, it can access the Microsoft Purview portal and the Microsoft Purview account enabled with private endpoints. For this reason, you don't have to follow the rest of the instructions. If your private network has network security group rules set to deny all public internet traffic, you'll need to add some rules to enable Azure Active Directory (Azure AD) access. Follow the instructions to do so.
+> If your VM, VPN gateway, or VNet Peering gateway has public internet access, it can access the  Microsoft Purview governance portal and the Microsoft Purview account enabled with private endpoints. For this reason, you don't have to follow the rest of the instructions. If your private network has network security group rules set to deny all public internet traffic, you'll need to add some rules to enable Azure Active Directory (Azure AD) access. Follow the instructions to do so.
 
 These instructions are provided for accessing Microsoft Purview securely from an Azure VM. Similar steps must be followed if you're using VPN or other VNet Peering gateways.
 
@@ -161,11 +161,11 @@ These instructions are provided for accessing Microsoft Purview securely from an
 
    :::image type="content" source="media/catalog-private-link/aadcdn-rule.png" alt-text="Screenshot that shows the Azure A D Content Delivery Network rule.":::
 
-1. After the new rule is created, go back to the VM and try to sign in by using your Azure AD credentials again. If sign-in succeeds, then the Microsoft Purview portal is ready to use. But in some cases, Azure AD redirects to other domains to sign in based on a customer's account type. For example, for a live.com account, Azure AD redirects to live.com to sign in, and then those requests are blocked again. For Microsoft employee accounts, Azure AD accesses msft.sts.microsoft.com for sign-in information.
+1. After the new rule is created, go back to the VM and try to sign in by using your Azure AD credentials again. If sign-in succeeds, then the  Microsoft Purview governance portal is ready to use. But in some cases, Azure AD redirects to other domains to sign in based on a customer's account type. For example, for a live.com account, Azure AD redirects to live.com to sign in, and then those requests are blocked again. For Microsoft employee accounts, Azure AD accesses msft.sts.microsoft.com for sign-in information.
 
    Check the networking requests on the browser **Networking** tab to see which domain's requests are getting blocked, redo the previous step to get its IP, and add outbound port rules in the network security group to allow requests for that IP. If possible, add the URL and IP to the VM's host file to fix the DNS resolution. If you know the exact sign-in domain's IP ranges, you can also directly add them into networking rules.
 
-1. Now your Azure AD sign-in should be successful. The Microsoft Purview portal will load successfully, but listing all the Microsoft Purview accounts won't work because it can only access a specific Microsoft Purview account. Enter `web.purview.azure.com/resource/{PurviewAccountName}` to directly visit the Microsoft Purview account that you successfully set up a private endpoint for.
+1. Now your Azure AD sign-in should be successful. The  Microsoft Purview governance portal will load successfully, but listing all the Microsoft Purview accounts won't work because it can only access a specific Microsoft Purview account. Enter `web.purview.azure.com/resource/{PurviewAccountName}` to directly visit the Microsoft Purview account that you successfully set up a private endpoint for.
 
 ## Deploy self-hosted integration runtime (IR) and scan your data sources.
 Once you deploy ingestion private endpoints for your Microsoft Purview, you need to setup and register at least one self-hosted integration runtime (IR):
@@ -185,11 +185,11 @@ Follow the steps in [Create and manage a self-hosted integration runtime](manage
 
 To cut off access to the Microsoft Purview account completely from the public internet, follow these steps. This setting applies to both private endpoint and ingestion private endpoint connections.
 
-1. Go to the Microsoft Purview account from the Azure portal, and under **Settings** > **Networking**, select **Private endpoint connections**.
+1. From the [Azure portal](https://portal.azure.com), go to the Microsoft Purview account, and under **Settings**, select **Networking**.
 
-1. Go to the **Firewall** tab, and ensure that the toggle is set to **Deny**.
+1. Go to the **Firewall** tab, and ensure that the toggle is set to **Disable from all networks**.
 
-   :::image type="content" source="media/catalog-private-link/private-endpoint-firewall.png" alt-text="Screenshot that shows private endpoint firewall settings.":::
+   :::image type="content" source="media/catalog-private-link/purview-firewall-private.png" alt-text="Screenshot that shows private endpoint firewall settings.":::
 
 ## Next steps
 

articles/purview/concept-best-practices-network.md

@@ -6,7 +6,7 @@ ms.author: zeinam
 ms.service: purview
 ms.subservice: purview-data-catalog
 ms.topic: conceptual
-ms.date: 12/09/2022
+ms.date: 01/13/2023
 ms.custom: fasttrack-edit
 ---
 
@@ -28,6 +28,7 @@ This guide covers the following network options:
 - Use [Azure public endpoints](#option-1-use-public-endpoints). 
 - Use [private endpoints](#option-2-use-private-endpoints). 
 - Use [private endpoints and allow public access on the same Microsoft Purview account](#option-3-use-both-private-and-public-endpoints). 
+- Use Azure [public endpoints to access Microsoft Purview governance portal and private endpoints for ingestion](#option-4-use-private-endpoints-for-ingestion-only).
 
 This guide describes a few of the most common network architecture scenarios for Microsoft Purview. Though you're not limited to those scenarios, keep in mind the [limitations](#current-limitations) of the service when you're planning networking for your Microsoft Purview accounts. 
 
@@ -229,7 +230,7 @@ You might choose an option in which a subset of your data sources uses private e
 If you need to scan some data sources by using an ingestion private endpoint and some data sources by using public endpoints or a service endpoint, you can:
 
 1. Use private endpoints for your Microsoft Purview account.
-1. Set **Public network access** to **allow** on your Microsoft Purview account.
+1. Set **Public network access** to **Enabled from all networks** on your Microsoft Purview account.
 
 ### Integration runtime options 
 
@@ -255,6 +256,27 @@ If you need to scan some data sources by using an ingestion private endpoint and
 
   - You must create a credential in Microsoft Purview based on each secret that you create in Azure Key Vault. At minimum, assign _get_ and _list_ access for secrets for Microsoft Purview on the Key Vault resource in Azure. Otherwise, the credentials won't work in the Microsoft Purview account. 
 
+## Option 4: Use private endpoints for ingestion only
+
+You might choose this option if you need to:
+
+- Scan all data sources using ingestion private endpoint. 
+- Managed resources must be configured to disable public network.
+- Enable access to Microsoft Purview governance portal through public network.  
+
+To enable this option:
+
+1. Configure ingestion private endpoint for your Microsoft Purview account.
+1. Set **Public network access** to **Disabled for ingestion only (Preview)** on your [Microsoft Purview account](catalog-firewall.md).
+
+### Integration runtime options 
+
+Follow recommendation for option 2.
+
+### Authentication options  
+
+Follow recommendation for option 2.
+
 ## Self-hosted integration runtime network and proxy recommendations
 
 For scanning data sources across your on-premises and Azure networks, you may need to deploy and use one or multiple [self-hosted integration runtime virtual machines](manage-integration-runtimes.md) inside an Azure VNet or an on-premises network, for any of the scenarios mentioned earlier in this document. 

articles/purview/create-microsoft-purview-portal.md

@@ -3,7 +3,7 @@ title: 'Quickstart: Create a Microsoft Purview (formerly Azure Purview) account'
 description: This Quickstart describes how to create a Microsoft Purview (formerly Azure Purview) account and configure permissions to begin using it.
 author: nayenama
 ms.author: nayenama
-ms.date: 12/09/2022
+ms.date: 01/13/2023
 ms.topic: quickstart
 ms.service: purview
 ms.custom: mode-ui
@@ -54,7 +54,7 @@ For more information about the governance capabilities of Microsoft Purview, for
 
 1. You can choose a name for your managed resource group. Microsoft Purview will create a managed storage account in this group that it will use during its processes.
 
-1. On  the **Networking** tab you can choose to connect to all networks, or to use private endpoints. For more information and configuration options, see our [private endpoints for Microsoft Purview articles.](catalog-private-link.md)
+1. On the **Networking** tab you can choose to connect to all networks, or to use private endpoints. For more information and configuration options, see [Configure firewall settings for your Microsoft Purview account](catalog-firewall.md) and [private endpoints for Microsoft Purview articles.](catalog-private-link.md)
 
 1. On **Configuration** tab you can choose to configure Event Hubs namespaces to programmatically monitor your Microsoft Purview account using Event Hubs and Atlas Kafka.
     - [Steps to configure Event Hubs namespaces](configure-event-hubs-for-kafka.md)

articles/purview/media/catalog-private-link/purview-firewall-ingestion.png

@@ -341,6 +341,8 @@ items:
       items:
       - name: Private endpoints overview
         href: catalog-private-link.md
+      - name: Network firewall settings
+        href: catalog-firewall.md        
       - name: End-to-end network isolation
         href: catalog-private-link-end-to-end.md
       - name: Isolate network for account and portal