
Commit 7ddee9e

Merge pull request #202367 from tamram/tamram22-0607
client-side encryption updates for CBC vulnerability
2 parents 49139db + 89f845e commit 7ddee9e

15 files changed: +418 −1362 lines

.openpublishing.redirection.json

Lines changed: 40 additions & 20 deletions
@@ -6311,6 +6311,46 @@
63116311
"redirect_url": "/azure/azure-cache-for-redis/scripts/create-manage-cache",
63126312
"redirect_document_id": false
63136313
},
6314+
{
6315+
"source_path_from_root": "/articles/storage/storage-client-side-encryption.md",
6316+
"redirect_url": "/azure/storage/common/storage-client-side-encryption",
6317+
"redirect_document_id": true
6318+
},
6319+
{
6320+
"source_path_from_root": "/articles/storage/common/storage-client-side-encryption.md",
6321+
"redirect_url": "/azure/storage/blobs/client-side-encryption",
6322+
"redirect_document_id": true
6323+
},
6324+
{
6325+
"source_path_from_root": "/articles/storage/storage-client-side-encryption-java.md",
6326+
"redirect_url": "/azure/storage/common/storage-client-side-encryption-java",
6327+
"redirect_document_id": true
6328+
},
6329+
{
6330+
"source_path_from_root": "/articles/storage/common/storage-client-side-encryption-java.md",
6331+
"redirect_url": "/azure/storage/blobs/client-side-encryption",
6332+
"redirect_document_id": false
6333+
},
6334+
{
6335+
"source_path_from_root": "/articles/storage/storage-client-side-encryption-python.md",
6336+
"redirect_url": "/azure/storage/common/storage-client-side-encryption-python",
6337+
"redirect_document_id": true
6338+
},
6339+
{
6340+
"source_path_from_root": "/articles/storage/common/storage-client-side-encryption-python.md",
6341+
"redirect_url": "/azure/storage/blobs/client-side-encryption",
6342+
"redirect_document_id": false
6343+
},
6344+
{
6345+
"source_path_from_root": "/articles/storage/storage-encrypt-decrypt-blobs-key-vault.md",
6346+
"redirect_url": "/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault",
6347+
"redirect_document_id": false
6348+
},
6349+
{
6350+
"source_path_from_root": "/articles/storage/blobs/storage-encrypt-decrypt-blobs-key-vault.md",
6351+
"redirect_url": "/azure/storage/blobs/client-side-encryption",
6352+
"redirect_document_id": false
6353+
},
63146354
{
63156355
"source_path_from_root": "/articles/storage/blobs/Storage-blob-performance-tiers.md",
63166356
"redirect_url": "/azure/storage/common/storage-account-overview",
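Review bot: the added entries form two-hop redirect chains: `/articles/storage/storage-client-side-encryption.md` is sent to `/azure/storage/common/storage-client-side-encryption`, whose own source file is redirected in the next entry to `/azure/storage/blobs/client-side-encryption`, and the same pattern repeats for the Java and Python pages and for `storage-encrypt-decrypt-blobs-key-vault.md`. Point each retired source at the final URL `/azure/storage/blobs/client-side-encryption` directly so old bookmarks resolve in one hop, and keep `redirect_document_id` true on only one of the entries that target that URL (currently only the `/articles/storage/common/storage-client-side-encryption.md` entry does, which is correct).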
@@ -22866,11 +22906,6 @@
2286622906
"redirect_url": "/azure/storage/blobs/storage-dotnet-shared-access-signature-part-2",
2286722907
"redirect_document_id": true
2286822908
},
22869-
{
22870-
"source_path_from_root": "/articles/storage/storage-encrypt-decrypt-blobs-key-vault.md",
22871-
"redirect_url": "/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault",
22872-
"redirect_document_id": true
22873-
},
2287422909
{
2287522910
"source_path_from_root": "/articles/storage/storage-https-custom-domain-cdn.md",
2287622911
"redirect_url": "/azure/storage/blobs/storage-https-custom-domain-cdn",
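Review bot: the entry removed here carried `"redirect_document_id": true` for `/articles/storage/storage-encrypt-decrypt-blobs-key-vault.md`, but the copy re-added earlier in the file sets it to `false`, and its target `/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault` is now itself redirected on to `/azure/storage/blobs/client-side-encryption`. If the old document id is meant to follow the content into the consolidated page, set `true` on the entry whose target is the final URL; if the flip to `false` is intentional, say so in the PR description.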
@@ -23267,21 +23302,6 @@
2326723302
"redirect_url": "/azure/storage/common/storage-choose-data-transfer-solution",
2326823303
"redirect_document_id": true
2326923304
},
23270-
{
23271-
"source_path_from_root": "/articles/storage/storage-client-side-encryption.md",
23272-
"redirect_url": "/azure/storage/common/storage-client-side-encryption",
23273-
"redirect_document_id": true
23274-
},
23275-
{
23276-
"source_path_from_root": "/articles/storage/storage-client-side-encryption-java.md",
23277-
"redirect_url": "/azure/storage/common/storage-client-side-encryption-java",
23278-
"redirect_document_id": true
23279-
},
23280-
{
23281-
"source_path_from_root": "/articles/storage/storage-client-side-encryption-python.md",
23282-
"redirect_url": "/azure/storage/common/storage-client-side-encryption-python",
23283-
"redirect_document_id": true
23284-
},
2328523305
{
2328623306
"source_path_from_root": "/articles/storage/storage-concurrency.md",
2328723307
"redirect_url": "/azure/storage/common/storage-concurrency",
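Review bot: the three entries removed here are reinserted verbatim earlier in the file (same source path, same target, same `"redirect_document_id": true`), so this hunk is a pure relocation that changes no behavior but adds diff churn. Either drop the move, or mention in the commit message that the entries were grouped next to the new `client-side-encryption` redirects on purpose.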

articles/azure-government/azure-secure-isolation-guidance.md

Lines changed: 2 additions & 2 deletions
@@ -37,7 +37,7 @@ A brief summary of isolation approaches is provided below.
3737

3838
In addition to robust logical compute isolation available by design to all Azure tenants, if you desire physical compute isolation, you can use Azure Dedicated Host or isolated Virtual Machines, which are deployed on server hardware dedicated to a single customer.
3939
- **Networking isolation** – Azure Virtual Network (VNet) helps ensure that your private network traffic is logically isolated from traffic belonging to other customers. Services can communicate using public IPs or private (VNet) IPs. Communication between your VMs remains private within a VNet. You can connect your VNets via [VNet peering](../virtual-network/virtual-network-peering-overview.md) or [VPN gateways](../vpn-gateway/vpn-gateway-about-vpngateways.md), depending on your connectivity options, including bandwidth, latency, and encryption requirements. You can use [network security groups](../virtual-network/network-security-groups-overview.md) (NSGs) to achieve network isolation and protect your Azure resources from the Internet while accessing Azure services that have public endpoints. You can use Virtual Network [service tags](../virtual-network/service-tags-overview.md) to define network access controls on [network security groups](../virtual-network/network-security-groups-overview.md#security-rules) or [Azure Firewall](../firewall/service-tags.md). A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, thereby reducing the complexity of frequent updates to network security rules. Moreover, you can use [Private Link](../private-link/private-link-overview.md) to access Azure PaaS services over a private endpoint in your VNet, ensuring that traffic between your VNet and the service travels across the Microsoft global backbone network, which eliminates the need to expose the service to the public Internet. 
Finally, Azure provides you with options to encrypt data in transit, including [Transport Layer Security (TLS) end-to-end encryption](../application-gateway/ssl-overview.md) of network traffic with [TLS termination using Key Vault certificates](../application-gateway/key-vault-certs.md), [VPN encryption](../vpn-gateway/vpn-gateway-about-compliance-crypto.md) using IPsec, and Azure ExpressRoute encryption using [MACsec with customer-managed keys (CMK) support](../expressroute/expressroute-about-encryption.md#point-to-point-encryption-by-macsec-faq).
40-
- **Storage isolation** – To ensure cryptographic certainty of logical data isolation, Azure Storage relies on data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure AD to ensure secure key access and centralized key management. Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is [encrypted through FIPS 140 validated 256-bit AES encryption](../storage/common/storage-service-encryption.md#about-azure-storage-encryption) and you can use Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes managed disks.
40+
- **Storage isolation** – To ensure cryptographic certainty of logical data isolation, Azure Storage relies on data encryption at rest using advanced algorithms with multiple ciphers. This process relies on multiple encryption keys and services such as Azure Key Vault and Azure AD to ensure secure key access and centralized key management. Azure Storage service encryption ensures that data is automatically encrypted before persisting it to Azure Storage and decrypted before retrieval. All data written to Azure Storage is [encrypted through FIPS 140 validated 256-bit AES encryption](../storage/common/storage-service-encryption.md#about-azure-storage-service-side-encryption) and you can use Key Vault for customer-managed keys (CMK). Azure Storage service encryption encrypts the page blobs that store Azure Virtual Machine disks. Moreover, Azure Disk encryption may optionally be used to encrypt Azure Windows and Linux IaaS Virtual Machine disks to increase storage isolation and assure cryptographic certainty of your data stored in Azure. This encryption includes managed disks.
4141
- **Security assurance processes and practices** – Azure isolation assurance is further enforced by Microsoft’s internal use of the [Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl/) (SDL) and other strong security assurance processes to protect attack surfaces and mitigate threats. Microsoft has established industry-leading processes and tooling that provides high confidence in the Azure isolation guarantee.
4242

4343
In line with the [shared responsibility](../security/fundamentals/shared-responsibility.md) model in cloud computing, as you migrate workloads from your on-premises datacenter to the cloud, the delineation of responsibility between you and cloud service provider varies depending on the cloud service model. For example, with the Infrastructure as a Service (IaaS) model, Microsoft’s responsibility ends at the Hypervisor layer, and you're responsible for all layers above the virtualization layer, including maintaining the base operating system in guest VMs. You can use Azure isolation technologies to achieve the desired level of isolation for your applications and data deployed in the cloud.
@@ -729,7 +729,7 @@ However, you can also choose to manage encryption with your own keys by specifyi
729729
> [!NOTE]
730730
> You can configure customer-managed keys (CMK) with Azure Key Vault using the **[Azure portal, Azure PowerShell, or Azure CLI](../storage/common/customer-managed-keys-configure-key-vault.md)**. You can **[use .NET to specify a customer-provided key](../storage/blobs/storage-blob-customer-provided-key.md)** on a request to Blob storage.
731731
732-
Storage service encryption is enabled by default for all new and existing storage accounts and it [can't be disabled](../storage/common/storage-service-encryption.md#about-azure-storage-encryption). As shown in Figure 17, the encryption process uses the following keys to help ensure cryptographic certainty of data isolation at rest:
732+
Storage service encryption is enabled by default for all new and existing storage accounts and it [can't be disabled](../storage/common/storage-service-encryption.md#about-azure-storage-service-side-encryption). As shown in Figure 17, the encryption process uses the following keys to help ensure cryptographic certainty of data isolation at rest:
733733

734734
- *Data Encryption Key (DEK)* is a symmetric AES-256 key that is used for bulk encryption, and it's unique per storage account in Azure Storage. It's generated by the Azure Storage service as part of the storage account creation. This key is encrypted by the Key Encryption Key (KEK) and is never stored unencrypted.
735735
- *Key Encryption Key (KEK)* is an asymmetric RSA-2048 key that is used to encrypt the Data Encryption Key (DEK) using Azure Key Vault and exists only in Azure Key Vault. It's never exposed directly to the Azure Storage service or other services. You must use Azure Key Vault to store your customer-managed keys for Storage service encryption.
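Review bot: the unchanged note directly above this hunk mixes two different features: it starts with customer-managed keys (CMK) in Key Vault and then says you can "use .NET to specify a customer-provided key", which is the per-request customer-provided key (CPK) feature, not CMK. Since this PR is already editing the surrounding encryption text and link, consider splitting that sentence so readers do not take CPK for a .NET way of configuring CMK, and run a link check on both renamed `#about-azure-storage-service-side-encryption` bookmarks in this file together.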
