Merge pull request #107506 from ThomasWeiss/thweiss-cosmosdb-pe-ga

v-albemi · web-flow · commit 7b53d3575db9 · 2020-03-12T14:30:58.000-07:00
Made GA changes for private endpoints
diff --git a/articles/cosmos-db/how-to-configure-private-endpoints.md b/articles/cosmos-db/how-to-configure-private-endpoints.md
@@ -8,7 +8,7 @@ ms.date: 11/04/2019
 ms.author: thweiss
 ---
 
-# Configure Azure Private Link for an Azure Cosmos account (preview)
+# Configure Azure Private Link for an Azure Cosmos account
 
 By using Azure Private Link, you can connect to an Azure Cosmos account via a private endpoint. The private endpoint is a set of private IP addresses in a subnet within your virtual network. You can then limit access to an Azure Cosmos account over private IP addresses. When Private Link is combined with restricted NSG policies, it helps reduce the risk of data exfiltration. To learn more about private endpoints, see the [Azure Private Link](../private-link/private-link-overview.md) article.
 
@@ -18,6 +18,9 @@ You can connect to an Azure Cosmos account configured with Private Link by using
 
 This article describes the steps to create a private endpoint. It assumes that you're using the automatic approval method.
 
+> [!NOTE]
+> Private endpoint support is currently generally available in supported regions for gateway connection mode only. For direct mode, it is available as a preview feature.
+
 ## Create a private endpoint by using the Azure portal
 
 Use the following steps to create a private endpoint for an existing Azure Cosmos account by using the Azure portal:
@@ -28,7 +31,7 @@ Use the following steps to create a private endpoint for an existing Azure Cosmo
 
    ![Selections for create a private endpoint in the Azure portal](./media/how-to-configure-private-endpoints/create-private-endpoint-portal.png)
 
-1. In the **Create a private endpoint (Preview) - Basics** pane, enter or select the following details:
+1. In the **Create a private endpoint - Basics** pane, enter or select the following details:
 
     | Setting | Value |
     | ------- | ----- |
@@ -52,7 +55,7 @@ Use the following steps to create a private endpoint for an existing Azure Cosmo
     |||
 
 1. Select **Next: Configuration**.
-1. In **Create a private endpoint (Preview) - Configuration**, enter or select this information:
+1. In **Create a private endpoint - Configuration**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |
@@ -306,13 +309,13 @@ $virtualNetwork | Set-AzVirtualNetwork
 ## Step 4: Create the private endpoint.
 Write-Output "Deploying private endpoint on $($resourceGroupName)"
 $deploymentOutput = New-AzResourceGroupDeployment -Name "PrivateCosmosDbEndpointDeployment" `
-	-ResourceGroupName $resourceGroupName `
-	-TemplateFile $PrivateEndpointTemplateFilePath `
-	-TemplateParameterFile $PrivateEndpointParametersFilePath `
-	-SubnetId $SubnetResourceId `
-	-ResourceId $CosmosDbResourceId `
-	-GroupId $CosmosDbApiType `
-	-PrivateEndpointName $PrivateEndpointName
+    -ResourceGroupName $resourceGroupName `
+    -TemplateFile $PrivateEndpointTemplateFilePath `
+    -TemplateParameterFile $PrivateEndpointParametersFilePath `
+    -SubnetId $SubnetResourceId `
+    -ResourceId $CosmosDbResourceId `
+    -GroupId $CosmosDbApiType `
+    -PrivateEndpointName $PrivateEndpointName
 
 $deploymentOutput
 ```
@@ -342,20 +345,20 @@ Use the following code to create a Resource Manager template named "PrivateZone_
         "privateZoneName": {
             "type": "string"
         },
-		"VNetId": {
+        "VNetId": {
             "type": "string"
-        }		
+        }        
     },
-	"resources": [
-		{
+    "resources": [
+        {
             "name": "[parameters('privateZoneName')]",
             "type": "Microsoft.Network/privateDnsZones",
             "apiVersion": "2018-09-01",
             "location": "global",
-			"properties": {                
+            "properties": {                
             }
         },
-		{
+        {
             "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
             "apiVersion": "2018-09-01",
             "name": "[concat(parameters('privateZoneName'), '/myvnetlink')]",
@@ -369,7 +372,7 @@ Use the following code to create a Resource Manager template named "PrivateZone_
                     "id": "[parameters('VNetId')]"
                 }
             }
-        }		
+        }        
     ]
 }
 ```
@@ -384,12 +387,12 @@ Use the following code to create a Resource Manager template named "PrivateZoneR
         "DNSRecordName": {
             "type": "string"
         },
-		"IPAddress": {
-			"type":"string"
-		}		
+        "IPAddress": {
+            "type":"string"
+        }        
     },
-	"resources": [
-		 {
+    "resources": [
+         {
             "type": "Microsoft.Network/privateDnsZones/A",
             "apiVersion": "2018-09-01",
             "name": "[parameters('DNSRecordName')]",
@@ -401,7 +404,7 @@ Use the following code to create a Resource Manager template named "PrivateZoneR
                     }
                 ]
             }
-        }	
+        }    
     ]
 }
 ```
@@ -418,8 +421,8 @@ Create the following two parameters file for the template. Create the "PrivateZo
         "privateZoneName": {
             "value": ""
         },
-		"VNetId": {
-			"value": ""
+        "VNetId": {
+            "value": ""
         }
     }
 }
@@ -435,9 +438,9 @@ Create the "PrivateZoneRecords_parameters.json." with the following code:
         "DNSRecordName": {
             "value": ""
         },
-		"IPAddress": {
-			"type":"object"
-		}
+        "IPAddress": {
+            "type":"object"
+        }
     }
 }
 ```
@@ -490,38 +493,38 @@ $virtualNetwork | Set-AzVirtualNetwork
 
 ## Step 4: Create the private zone
 New-AzResourceGroupDeployment -Name "PrivateZoneDeployment" `
-	-ResourceGroupName $ResourceGroupName `
-	-TemplateFile $PrivateZoneTemplateFilePath `
-	-TemplateParameterFile $PrivateZoneParametersFilePath `
-	-PrivateZoneName $PrivateZoneName `
-	-VNetId $VNetResourceId
+    -ResourceGroupName $ResourceGroupName `
+    -TemplateFile $PrivateZoneTemplateFilePath `
+    -TemplateParameterFile $PrivateZoneParametersFilePath `
+    -PrivateZoneName $PrivateZoneName `
+    -VNetId $VNetResourceId
 
 ## Step 5: Create the private endpoint
 Write-Output "Deploying private endpoint on $($resourceGroupName)"
 $deploymentOutput = New-AzResourceGroupDeployment -Name "PrivateCosmosDbEndpointDeployment" `
-	-ResourceGroupName $resourceGroupName `
-	-TemplateFile $PrivateEndpointTemplateFilePath `
-	-TemplateParameterFile $PrivateEndpointParametersFilePath `
-	-SubnetId $SubnetResourceId `
-	-ResourceId $CosmosDbResourceId `
-	-GroupId $CosmosDbApiType `
-	-PrivateEndpointName $PrivateEndpointName
+    -ResourceGroupName $resourceGroupName `
+    -TemplateFile $PrivateEndpointTemplateFilePath `
+    -TemplateParameterFile $PrivateEndpointParametersFilePath `
+    -SubnetId $SubnetResourceId `
+    -ResourceId $CosmosDbResourceId `
+    -GroupId $CosmosDbApiType `
+    -PrivateEndpointName $PrivateEndpointName
 $deploymentOutput
 
 ## Step 6: Map the private endpoint to the private zone
 $networkInterface = Get-AzResource -ResourceId $deploymentOutput.Outputs.privateEndpointNetworkInterface.Value -ApiVersion "2019-04-01"
 foreach ($ipconfig in $networkInterface.properties.ipConfigurations) {
-	foreach ($fqdn in $ipconfig.properties.privateLinkConnectionProperties.fqdns) {
-		$recordName = $fqdn.split('.',2)[0]
-		$dnsZone = $fqdn.split('.',2)[1]
-		Write-Output "Deploying PrivateEndpoint DNS Record $($PrivateZoneName)/$($recordName) Template on $($resourceGroupName)"
-		New-AzResourceGroupDeployment -Name "PrivateEndpointDNSDeployment" `
-			-ResourceGroupName $ResourceGroupName `
-			-TemplateFile $PrivateZoneRecordsTemplateFilePath `
-			-TemplateParameterFile $PrivateZoneRecordsParametersFilePath `
-			-DNSRecordName "$($PrivateZoneName)/$($RecordName)" `
-			-IPAddress $ipconfig.properties.privateIPAddress
-	}
+    foreach ($fqdn in $ipconfig.properties.privateLinkConnectionProperties.fqdns) {
+        $recordName = $fqdn.split('.',2)[0]
+        $dnsZone = $fqdn.split('.',2)[1]
+        Write-Output "Deploying PrivateEndpoint DNS Record $($PrivateZoneName)/$($recordName) Template on $($resourceGroupName)"
+        New-AzResourceGroupDeployment -Name "PrivateEndpointDNSDeployment" `
+            -ResourceGroupName $ResourceGroupName `
+            -TemplateFile $PrivateZoneRecordsTemplateFilePath `
+            -TemplateParameterFile $PrivateZoneRecordsParametersFilePath `
+            -DNSRecordName "$($PrivateZoneName)/$($RecordName)" `
+            -IPAddress $ipconfig.properties.privateIPAddress
+    }
 }
 ```
 
@@ -543,29 +546,13 @@ The following situations and outcomes are possible when you use Private Link in
 
 ## Update a private endpoint when you add or remove a region
 
-Adding or removing regions to an Azure Cosmos account requires you to add or remove DNS entries for that account. Update these changes accordingly in the private endpoint by using the following steps:
-
-1. When the Azure Cosmos DB administrator adds or removes regions, the network administrator gets a notification about the pending changes. For the private endpoint mapped to an Azure Cosmos account, the value of the `ActionsRequired` property changes from `None` to `Recreate`. Then the network administrator updates the private endpoint by issuing a PUT request with the same Resource Manager payload that was used to create it.
-
-1. After the private endpoint is updated, you can update the subnet's private DNS zone to reflect the added or removed DNS entries and their corresponding private IP addresses.
+Adding or removing regions to an Azure Cosmos account requires you to add or remove DNS entries for that account. After regions have been added or removed, you can update the subnet's private DNS zone to reflect the added or removed DNS entries and their corresponding private IP addresses.
 
 For example, imagine that you deploy an Azure Cosmos account in three regions: "West US," "Central US," and "West Europe." When you create a private endpoint for your account, four private IPs are reserved in the subnet. There's one IP for each of the three regions, and there's one IP for the global/region-agnostic endpoint.
 
-Later, you might add a new region (for example, "East US") to the Azure Cosmos account. By default, the new region is not accessible from the existing private endpoint. The Azure Cosmos account administrator should refresh the private endpoint connection before accessing it from the new region. 
-
-When you run the ` Get-AzPrivateEndpoint -Name <your private endpoint name> -ResourceGroupName <your resource group name>` command, the output of the command contains the `actionsRequired` parameter. This parameter is set to `Recreate`. This value indicates that the private endpoint should be refreshed. Next, the Azure Cosmos account administrator runs the `Set-AzPrivateEndpoint` command to trigger the private endpoint refresh.
-
-```powershell
-$pe = Get-AzPrivateEndpoint -Name <your private endpoint name> -ResourceGroupName <your resource group name>
-
-Set-AzPrivateEndpoint -PrivateEndpoint $pe
-```
-
-A new private IP is automatically reserved in the subnet under this private endpoint. The value for `actionsRequired` becomes `None`. If you don't have any private DNZ zone integration (in other words, if you're using a custom private DNS zone), you have to configure your private DNS zone to add a new DNS record for the private IP that corresponds to the new region.
+Later, you might add a new region (for example, "East US") to the Azure Cosmos account. After adding the new region, you need to add a corresponding DNS record to either your private DNS zone or your custom DNS.
 
-You can use the same steps when you remove a region. The private IP of the removed region is automatically reclaimed, and the `actionsRequired` flag becomes `None`. If you don't have any private DNZ zone integration, you must configure your private DNS zone to remove the DNS record for the removed region.
-
-DNS records in the private DNS zone are not removed automatically when a private endpoint is deleted or a region from the Azure Cosmos account is removed. You must manually remove the DNS records.
+You can use the same steps when you remove a region. After removing the region, you need to remove the corresponding DNS record from either your private DNS zone or your custom DNS.
 
 ## Current limitations
 
@@ -578,6 +565,8 @@ The following limitations apply when you're using Private Link with an Azure Cos
 
 * When you're using Private Link with an Azure Cosmos account by using a direct mode connection, you can use only the TCP protocol. The HTTP protocol is not yet supported.
 
+* Private endpoint support is currently generally available in supported regions for gateway connection mode only. For direct mode, it is available as a preview feature.
+
 * When you're using Azure Cosmos DB's API for MongoDB accounts, a private endpoint is supported for accounts on server version 3.6 only (that is, accounts using the endpoint in the format `*.mongo.cosmos.azure.com`). Private Link is not supported for accounts on server version 3.2 (that is, accounts using the endpoint in the format `*.documents.azure.com`). To use Private Link, you should migrate old accounts to the new version.
 
 * When you're using the Azure Cosmos DB's API for MongoDB accounts that have Private Link, you can't use tools such as Robo 3T, Studio 3T, and Mongoose. The endpoint can have Private Link support only if the `appName=<account name>` parameter is specified. An example is `replicaSet=globaldb&appName=mydbaccountname`. Because these tools don't pass the app name in the connection string to the service, you can't use Private Link. But you can still access these accounts by using SDK drivers with the 3.6 version.
