Merge pull request #279485 from HeidiSteen/heidist-june24

denrea · web-flow · commit 7ba4f16f0ad5 · 2024-06-27T17:13:46.000-07:00
[azure search] Security doc sprint, promote network access article
diff --git a/articles/search/TOC.yml b/articles/search/TOC.yml
@@ -420,28 +420,28 @@
       href: index-add-scoring-profiles.md
   - name: Security
     items:
-    - name: Enable role-based access control
+    - name: Configure network access
+      href: service-configure-firewall.md
+    - name: Enable role-based access
       href: search-security-enable-roles.md
-    - name: Configure a managed identity
-      href: search-howto-managed-identities-data-sources.md
+    - name: Assign roles (users and groups)
+      href: search-security-rbac.md
     - name: Inbound connections
       items:
       - name: Connect using API keys
         href: search-security-api-keys.md
-      - name: Connect using Azure roles
-        href: search-security-rbac.md
       - name: Code without keys
         href: keyless-connections.md       
       - name: Configure apps for Microsoft Entra ID
         href: search-howto-aad.md
-      - name: Configure an IP firewall
-        href: service-configure-firewall.md
       - name: Create a private endpoint
         href: service-create-private-endpoint.md
       - name: Troubleshoot private connections
         href: troubleshoot-shared-private-link-resources.md
     - name: Outbound connections
       items:
+      - name: Configure a managed identity
+        href: search-howto-managed-identities-data-sources.md
       - name: Connect as a trusted service
         href: search-indexer-howto-access-trusted-service-exception.md
       - name: Connect using a managed identity
diff --git a/articles/search/search-security-enable-roles.md b/articles/search/search-security-enable-roles.md
@@ -14,7 +14,7 @@ ms.date: 06/18/2024
 
 # Enable or disable role-based access control in Azure AI Search
 
-If you want to use Azure role-based access control for connections into Azure AI Search, this article explains how to enable it for your search service.
+If you want to use Azure role assignments for authorized access to Azure AI Search, this article explains how to enable role-based access for your search service.
 
 Role-based access for data plane operations is optional, but recommended. The alternative is [key-based authentication](search-security-api-keys.md), which is the default. 
 
@@ -33,10 +33,10 @@ Roles for service administration (control plane) are built in and can't be enabl
 
 When you enable roles for the data plane, the change is effective immediately, but wait a few seconds before assigning roles.
 
-The default failure mode is `http401WithBearerChallenge`. Alternatively, you can set the failure mode to `http403`. 
-
 Once role-based access is enabled, the search service recognizes an **authorization** header on data plane requests that provide an OAuth2 access token.
 
+The default failure mode for unauthorized requests is `http401WithBearerChallenge`. Alternatively, you can set the failure mode to `http403`. 
+
 ### [**Azure portal**](#tab/config-svc-portal)
 
 1. Sign in to the [Azure portal](https://portal.azure.com) and open the search service page.
diff --git a/articles/search/service-configure-firewall.md b/articles/search/service-configure-firewall.md
@@ -10,30 +10,40 @@ ms.service: cognitive-search
 ms.custom:
   - ignite-2023
 ms.topic: how-to
-ms.date: 06/18/2024
+ms.date: 06/27/2024
 ---
 
 # Configure network access and firewall rules for Azure AI Search
 
-As soon as you install Azure AI Search, you can set up network access to limit access to an approved set of devices and cloud services. There are two mechanisms:
+By default, Azure AI Search is configured to allow connections over a public endpoint. Access to a search service *through* the public endpoint is protected by authentication and authorization protocols, but the endpoint itself is open to the internet at the network layer.
+
+If you aren't hosting a public web site, you might want to configure network access to automatically refuse requests unless they originate from an approved set of devices and cloud services. There are two mechanisms:
 
 + Inbound rules listing the IP addresses, ranges, or subnets from which requests are admitted
 + Exceptions to network rules, where requests are admitted with no checks, as long as the request originates from a [trusted service](#grant-access-to-trusted-azure-services)
 
-Network rules aren't required, but it's a security best practice to add them.
+Network rules aren't required, but it's a security best practice to add them if you use Azure AI Search for surfacing private or internal corporate content.
 
 Network rules are scoped to data plane operations against the search service's public endpoint. Data plane operations include creating or querying indexes, and all other actions described by the [Search REST APIs](/rest/api/searchservice/). Control plane operations target service administration. Those operations specify resource provider endpoints, which are subject to the [network protections supported by Azure Resource Manager](/security/benchmark/azure/baselines/azure-resource-manager-security-baseline).
 
 This article explains how to configure network access to a search service's public endpoint. To block *all* data plane access to the public endpoint, use [private endpoints](service-create-private-endpoint.md) and an Azure virtual network.
 
-This article assumes the Azure portal for network access configuration. You can also use the [Management REST API](/rest/api/searchmanagement/), [Azure PowerShell](/powershell/module/az.search), or the [Azure CLI](/cli/azure/search).
+This article assumes the Azure portal to explain network access options. You can also use the [Management REST API](/rest/api/searchmanagement/), [Azure PowerShell](/powershell/module/az.search), or the [Azure CLI](/cli/azure/search).
 
 ## Prerequisites
 
 + A search service, any region, at the Basic tier or higher
 
 + Owner or Contributor permissions
 
+## Limitations
+
+There are a few drawbacks to locking down the public endpoint.
+
++ It takes time to fully identify IP ranges and set up firewalls, and if you're in early stages of proof-of-concept testing and investigation and using sample data, you might want to defer network access controls until you actually need them.
+
++ Some workflows require access to a public endpoint. Specifically, the [Import and vectorize data wizard](search-get-started-portal-import-vectors.md) in the Azure portal currently connects to embedding models over the public endpoint, and the response from the embedding model is returned over the public endpoint. You can switch to code or script to complete the same tasks, but if you want to try the wizard, the public endpoint must be available.
+
 <a id="configure-ip-policy"></a> 
 
 ## Configure network access in Azure portal
@@ -109,27 +119,37 @@ A banner informs you that IP rules affect the portal experience. This banner rem
 
 ## Grant access to trusted Azure services
 
-Did you select the trusted services exception? If yes, your Azure resource must have a managed identity (either system or user-assigned, but usually system), and you must use role-based access controls. 
+Did you select the trusted services exception? If yes, your search service admits requests and responses from a trusted Azure resource without checking for an IP address. A trusted resource must have a managed identity (either system or user-assigned, but usually system). A trusted resource must have a role assignment on Azure AI Search that gives it permission to data and operations. 
 
 The trusted service list for Azure AI Search includes:
 
 + `Microsoft.CognitiveServices` for Azure OpenAI and Azure AI services
 + `Microsoft.MachineLearningServices` for Azure Machine Learning
 
-Workflows for this network exception are requests originating *from* Azure AI Studio, Azure OpenAI Studio, or other AML features *to* Azure AI Search, typically in [Azure OpenAI On Your Data](/azure/ai-services/openai/concepts/use-your-data) scenarios for retrieval augmented generation (RAG) and playground environments. 
+Workflows for this network exception are requests originating *from* Azure AI Studio, Azure OpenAI Studio, or other AML features *to* Azure AI Search, typically in [Azure OpenAI On Your Data](/azure/ai-services/openai/concepts/use-your-data) scenarios for retrieval augmented generation (RAG) and playground environments.
 
-For managed identities on Azure OpenAI and Azure Machine Learning:
+### Trusted resources must have a managed identity
+
+To set up managed identities for Azure OpenAI and Azure Machine Learning:
 
 + [How to configure Azure OpenAI Service with managed identities](/azure/ai-services/openai/how-to/managed-identity)
 + [How to set up authentication between Azure Machine Learning and other services](/azure/machine-learning/how-to-identity-based-service-authentication).
 
-For managed identities on Azure AI services:
+To set up a managed identity for an Azure AI service:
 
 1. [Find your multiservice account](https://portal.azure.com/#blade/HubsExtension/BrowseResourceBlade/resourceType/microsoft.cognitiveServices%2Faccounts).
 1. On the leftmost pane, under **Resource management**, select **Identity**.
 1. Set **System-assigned** to **On**.
 
-Once your Azure resource has a managed identity, [assign roles on Azure AI Search](search-security-rbac.md) to grant permissions to data and operations. We recommend Search Index Data Reader.
+### Trusted resources must have a role assignment
+
+Once your Azure resource has a managed identity, [assign roles on Azure AI Search](keyless-connections.md) to grant permissions to data and operations. 
+
+The trusted services are used for vectorization workloads: generating vectors from text and image content, and sending payloads back to the search service for query execution or indexing. Connections from a trusted service are used to deliver payloads to Azure AI search.
+
++ To load a search index with vectors generated by an embedding model, assign **Search Index Data Contributor**.
+
++ To provide queries with a vector generated by an embedding model, assign **Search Index Data Reader**. The embedding used in a query isn't written to an index, so no write permissions are required.
 
 > [!NOTE]
 > This article covers the trusted exception for admitting requests to your search service, but Azure AI Search is itself on the trusted services list of other Azure resources. Specifically, you can use the trusted service exception for [connections from Azure AI Search to Azure Storage](search-indexer-howto-access-trusted-service-exception.md).
@@ -138,9 +158,9 @@ Once your Azure resource has a managed identity, [assign roles on Azure AI Searc
 
 Once a request is allowed through the firewall, it must be authenticated and authorized. You have two options:
 
-+ [Key-based authentication](search-security-api-keys.md), where an admin or query API key is provided on the request. This is the default.
++ [Key-based authentication](search-security-api-keys.md), where an admin or query API key is provided on the request. This option is the default.
 
-+ [Role-based access control (RBAC)](search-security-rbac.md) using Microsoft Entra ID, where the caller is a member of a security role on a search service. This is the most secure option. It uses Microsoft Entra ID for authentication and role assignments on Azure AI Search for permissions to data and operations.
++ [Role-based access control](search-security-rbac.md) using Microsoft Entra ID, where the caller is a member of a security role on a search service. This is the most secure option. It uses Microsoft Entra ID for authentication and role assignments on Azure AI Search for permissions to data and operations.
 
 > [!div class="nextstepaction"]
 > [Enable RBAC on your search service](search-security-enable-roles.md)
