Merge pull request #176973 from cephalin/msikeyvault

secure networking tutorials

Author: PMEds28

.openpublishing.redirection.json

@@ -4358,6 +4358,11 @@
       "redirect_url": "/azure/app-service/tutorial-auth-aad",
       "redirect_document_id": false
     },
+    {
+      "source_path_from_root": "/articles/app-service/app-service-web-tutorial-connect-msi.md",
+      "redirect_url": "/azure/app-service/tutorial-connect-msi-sql-database",
+      "redirect_document_id": false
+    },
     {
       "source_path_from_root": "/articles/app-service/containers/tutorial-auth-aad.md",
       "redirect_url": "/azure/app-service/tutorial-auth-aad?pivots=platform-linux",

articles/app-service/app-service-key-vault-references.md

@@ -85,7 +85,7 @@ Alternatively:
 
 ## Rotation
 
-If a version is not specified in the reference, then the app will use the latest version that exists in Key Vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within one day. Any configuration changes made to the app will cause an immediate update to the latest versions of all referenced secrets.
+If a version is not specified in the reference, then the app will use the latest version that exists in the key vault. When newer versions become available, such as with a rotation event, the app will automatically update and begin using the latest version within 24 hours. The delay is because App Service caches the values of the key vault references and refetches it every 24 hours. Any configuration changes to the app causes an immediate refetch of all referenced secrets.
 
 ## Source Application Settings from Key Vault
 

articles/app-service/app-service-web-tutorial-dotnet-sqldatabase.md

@@ -428,7 +428,7 @@ In this tutorial, you learned how to:
 Advance to the next tutorial to learn how to easily improve the security of your connection Azure SQL Database.
 
 > [!div class="nextstepaction"]
-> [Access SQL Database securely using managed identities for Azure resources](app-service-web-tutorial-connect-msi.md)
+> [Access SQL Database securely using managed identities for Azure resources](tutorial-connect-msi-sql-database.md)
 
 More resources:
 

articles/app-service/index.yml

@@ -55,8 +55,6 @@ landingContent:
             url: configure-ssl-bindings.md
           - text: Run app in staged environments
             url: deploy-staging-slots.md
-          - text: Securely access storage and Microsoft Graph
-            url: scenario-secure-app-overview.md
       - linkListType: how-to-guide
         links:
           - text: Connect to Linux container via SSH
@@ -103,6 +101,25 @@ landingContent:
           - text: Ruby (Rails) app with PostgreSQL
             url: tutorial-ruby-postgres-app.md
 
+  - title: Secure
+    linkLists:
+      - linkListType: concept
+        links:
+          - text: Security in Azure App Service
+            url: overview-security.md
+      - linkListType: tutorial
+        links:
+          - text: Secretless SQL Database access with managed identities
+            url: tutorial-connect-msi-sql-database.md
+          - text: Secretless access of storage and Microsoft Graph with managed identities
+            url: scenario-secure-app-overview.md
+          - text: Connect securely to services with Key Vault secrets
+            url: tutorial-connect-msi-key-vault.md
+          - text: Isolate network traffic for back-end connectivity
+            url: tutorial-networking-isolate-vnet.md
+          - text: Authenticate users
+            url: tutorial-auth-aad.md
+
   - title: Manage and integrate
     linkLists:
       - linkListType: concept
@@ -111,10 +128,6 @@ landingContent:
             url: app-service-plan-manage.md
       - linkListType: tutorial
         links:
-          - text: Secure resource access with managed identities
-            url: app-service-web-tutorial-connect-msi.md
-          - text: Authenticate users
-            url: tutorial-auth-aad.md
           - text: Host RESTful API with CORS
             url: app-service-web-tutorial-rest-api.md
           - text: Add a CDN to your application

articles/app-service/media/tutorial-connect-msi-key-vault/architecture.png

@@ -522,8 +522,9 @@ Update-AzFunctionApp -Name $functionAppName -ResourceGroupName $resourceGroupNam
 
 ## Next steps
 
-- [Access SQL Database securely using a managed identity](app-service-web-tutorial-connect-msi.md)
+- [Access SQL Database securely using a managed identity](tutorial-connect-msi-sql-database.md)
 - [Access Azure Storage securely using a managed identity](scenario-secure-app-access-storage.md)
 - [Call Microsoft Graph securely using a managed identity](scenario-secure-app-access-microsoft-graph-as-app.md)
+- [Connect securely to services with Key Vault secrets](tutorial-connect-msi-key-vault.md)
 
 [Microsoft.Azure.Services.AppAuthentication reference]: /dotnet/api/overview/azure/service-to-service-authentication

articles/app-service/media/tutorial-connect-msi-key-vault/deployed-app.png

@@ -50,7 +50,7 @@ App Service authentication and authorization support multiple authentication pro
 
 When authenticating against a back-end service, App Service provides two different mechanisms depending on your need:
 
-- **Service identity** - Sign in to the remote resource using the identity of the app itself. App Service lets you easily create a [managed identity](overview-managed-identity.md), which you can use to authenticate with other services, such as [Azure SQL Database](/azure/sql-database/) or [Azure Key Vault](../key-vault/index.yml). For an end-to-end tutorial of this approach, see [Secure Azure SQL Database connection from App Service using a managed identity](app-service-web-tutorial-connect-msi.md).
+- **Service identity** - Sign in to the remote resource using the identity of the app itself. App Service lets you easily create a [managed identity](overview-managed-identity.md), which you can use to authenticate with other services, such as [Azure SQL Database](/azure/sql-database/) or [Azure Key Vault](../key-vault/index.yml). For an end-to-end tutorial of this approach, see [Secure Azure SQL Database connection from App Service using a managed identity](tutorial-connect-msi-sql-database.md).
 - **On-behalf-of (OBO)** - Make delegated access to remote resources on behalf of the user. With Azure Active Directory as the authentication provider, your App Service app can perform delegated sign-in to a remote service, such as [Microsoft Graph API](../active-directory/develop/microsoft-graph-intro.md) or a remote API app in App Service. For an end-to-end tutorial of this approach, see [Authenticate and authorize users end-to-end in Azure App Service](tutorial-auth-aad.md).
 
 ## Connectivity to remote resources