Made GA changes for private endpoints

Thomas Weiss · Thomas Weiss · commit 82042e0eb42b · 2020-03-12T11:48:22.000-07:00
diff --git a/articles/cosmos-db/how-to-configure-private-endpoints.md b/articles/cosmos-db/how-to-configure-private-endpoints.md
@@ -8,7 +8,7 @@ ms.date: 11/04/2019
 ms.author: thweiss
 ---
 
-# Configure Azure Private Link for an Azure Cosmos account (preview)
+# Configure Azure Private Link for an Azure Cosmos account
 
 By using Azure Private Link, you can connect to an Azure Cosmos account via a private endpoint. The private endpoint is a set of private IP addresses in a subnet within your virtual network. You can then limit access to an Azure Cosmos account over private IP addresses. When Private Link is combined with restricted NSG policies, it helps reduce the risk of data exfiltration. To learn more about private endpoints, see the [Azure Private Link](../private-link/private-link-overview.md) article.
 
@@ -18,6 +18,9 @@ You can connect to an Azure Cosmos account configured with Private Link by using
 
 This article describes the steps to create a private endpoint. It assumes that you're using the automatic approval method.
 
+> [!NOTE]
+> Private endpoint support is currently generally available for gateway connection mode only. For direct mode, it is available as a preview feature.
+
 ## Create a private endpoint by using the Azure portal
 
 Use the following steps to create a private endpoint for an existing Azure Cosmos account by using the Azure portal:
@@ -28,7 +31,7 @@ Use the following steps to create a private endpoint for an existing Azure Cosmo
 
    ![Selections for create a private endpoint in the Azure portal](./media/how-to-configure-private-endpoints/create-private-endpoint-portal.png)
 
-1. In the **Create a private endpoint (Preview) - Basics** pane, enter or select the following details:
+1. In the **Create a private endpoint - Basics** pane, enter or select the following details:
 
     | Setting | Value |
     | ------- | ----- |
@@ -52,7 +55,7 @@ Use the following steps to create a private endpoint for an existing Azure Cosmo
     |||
 
 1. Select **Next: Configuration**.
-1. In **Create a private endpoint (Preview) - Configuration**, enter or select this information:
+1. In **Create a private endpoint - Configuration**, enter or select this information:
 
     | Setting | Value |
     | ------- | ----- |
@@ -306,13 +309,13 @@ $virtualNetwork | Set-AzVirtualNetwork
 ## Step 4: Create the private endpoint.
 Write-Output "Deploying private endpoint on $($resourceGroupName)"
 $deploymentOutput = New-AzResourceGroupDeployment -Name "PrivateCosmosDbEndpointDeployment" `
-	-ResourceGroupName $resourceGroupName `
-	-TemplateFile $PrivateEndpointTemplateFilePath `
-	-TemplateParameterFile $PrivateEndpointParametersFilePath `
-	-SubnetId $SubnetResourceId `
-	-ResourceId $CosmosDbResourceId `
-	-GroupId $CosmosDbApiType `
-	-PrivateEndpointName $PrivateEndpointName
+    -ResourceGroupName $resourceGroupName `
+    -TemplateFile $PrivateEndpointTemplateFilePath `
+    -TemplateParameterFile $PrivateEndpointParametersFilePath `
+    -SubnetId $SubnetResourceId `
+    -ResourceId $CosmosDbResourceId `
+    -GroupId $CosmosDbApiType `
+    -PrivateEndpointName $PrivateEndpointName
 
 $deploymentOutput
 ```
@@ -342,20 +345,20 @@ Use the following code to create a Resource Manager template named "PrivateZone_
         "privateZoneName": {
             "type": "string"
         },
-		"VNetId": {
+        "VNetId": {
             "type": "string"
-        }		
+        }        
     },
-	"resources": [
-		{
+    "resources": [
+        {
             "name": "[parameters('privateZoneName')]",
             "type": "Microsoft.Network/privateDnsZones",
             "apiVersion": "2018-09-01",
             "location": "global",
-			"properties": {                
+            "properties": {                
             }
         },
-		{
+        {
             "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks",
             "apiVersion": "2018-09-01",
             "name": "[concat(parameters('privateZoneName'), '/myvnetlink')]",
@@ -369,7 +372,7 @@ Use the following code to create a Resource Manager template named "PrivateZone_
                     "id": "[parameters('VNetId')]"
                 }
             }
-        }		
+        }        
     ]
 }
 ```
@@ -384,12 +387,12 @@ Use the following code to create a Resource Manager template named "PrivateZoneR
         "DNSRecordName": {
             "type": "string"
         },
-		"IPAddress": {
-			"type":"string"
-		}		
+        "IPAddress": {
+            "type":"string"
+        }        
     },
-	"resources": [
-		 {
+    "resources": [
+         {
             "type": "Microsoft.Network/privateDnsZones/A",
             "apiVersion": "2018-09-01",
             "name": "[parameters('DNSRecordName')]",
@@ -401,7 +404,7 @@ Use the following code to create a Resource Manager template named "PrivateZoneR
                     }
                 ]
             }
-        }	
+        }    
     ]
 }
 ```
@@ -418,8 +421,8 @@ Create the following two parameters file for the template. Create the "PrivateZo
         "privateZoneName": {
             "value": ""
         },
-		"VNetId": {
-			"value": ""
+        "VNetId": {
+            "value": ""
         }
     }
 }
@@ -435,9 +438,9 @@ Create the "PrivateZoneRecords_parameters.json." with the following code:
         "DNSRecordName": {
             "value": ""
         },
-		"IPAddress": {
-			"type":"object"
-		}
+        "IPAddress": {
+            "type":"object"
+        }
     }
 }
 ```
@@ -490,38 +493,38 @@ $virtualNetwork | Set-AzVirtualNetwork
 
 ## Step 4: Create the private zone
 New-AzResourceGroupDeployment -Name "PrivateZoneDeployment" `
-	-ResourceGroupName $ResourceGroupName `
-	-TemplateFile $PrivateZoneTemplateFilePath `
-	-TemplateParameterFile $PrivateZoneParametersFilePath `
-	-PrivateZoneName $PrivateZoneName `
-	-VNetId $VNetResourceId
+    -ResourceGroupName $ResourceGroupName `
+    -TemplateFile $PrivateZoneTemplateFilePath `
+    -TemplateParameterFile $PrivateZoneParametersFilePath `
+    -PrivateZoneName $PrivateZoneName `
+    -VNetId $VNetResourceId
 
 ## Step 5: Create the private endpoint
 Write-Output "Deploying private endpoint on $($resourceGroupName)"
 $deploymentOutput = New-AzResourceGroupDeployment -Name "PrivateCosmosDbEndpointDeployment" `
-	-ResourceGroupName $resourceGroupName `
-	-TemplateFile $PrivateEndpointTemplateFilePath `
-	-TemplateParameterFile $PrivateEndpointParametersFilePath `
-	-SubnetId $SubnetResourceId `
-	-ResourceId $CosmosDbResourceId `
-	-GroupId $CosmosDbApiType `
-	-PrivateEndpointName $PrivateEndpointName
+    -ResourceGroupName $resourceGroupName `
+    -TemplateFile $PrivateEndpointTemplateFilePath `
+    -TemplateParameterFile $PrivateEndpointParametersFilePath `
+    -SubnetId $SubnetResourceId `
+    -ResourceId $CosmosDbResourceId `
+    -GroupId $CosmosDbApiType `
+    -PrivateEndpointName $PrivateEndpointName
 $deploymentOutput
 
 ## Step 6: Map the private endpoint to the private zone
 $networkInterface = Get-AzResource -ResourceId $deploymentOutput.Outputs.privateEndpointNetworkInterface.Value -ApiVersion "2019-04-01"
 foreach ($ipconfig in $networkInterface.properties.ipConfigurations) {
-	foreach ($fqdn in $ipconfig.properties.privateLinkConnectionProperties.fqdns) {
-		$recordName = $fqdn.split('.',2)[0]
-		$dnsZone = $fqdn.split('.',2)[1]
-		Write-Output "Deploying PrivateEndpoint DNS Record $($PrivateZoneName)/$($recordName) Template on $($resourceGroupName)"
-		New-AzResourceGroupDeployment -Name "PrivateEndpointDNSDeployment" `
-			-ResourceGroupName $ResourceGroupName `
-			-TemplateFile $PrivateZoneRecordsTemplateFilePath `
-			-TemplateParameterFile $PrivateZoneRecordsParametersFilePath `
-			-DNSRecordName "$($PrivateZoneName)/$($RecordName)" `
-			-IPAddress $ipconfig.properties.privateIPAddress
-	}
+    foreach ($fqdn in $ipconfig.properties.privateLinkConnectionProperties.fqdns) {
+        $recordName = $fqdn.split('.',2)[0]
+        $dnsZone = $fqdn.split('.',2)[1]
+        Write-Output "Deploying PrivateEndpoint DNS Record $($PrivateZoneName)/$($recordName) Template on $($resourceGroupName)"
+        New-AzResourceGroupDeployment -Name "PrivateEndpointDNSDeployment" `
+            -ResourceGroupName $ResourceGroupName `
+            -TemplateFile $PrivateZoneRecordsTemplateFilePath `
+            -TemplateParameterFile $PrivateZoneRecordsParametersFilePath `
+            -DNSRecordName "$($PrivateZoneName)/$($RecordName)" `
+            -IPAddress $ipconfig.properties.privateIPAddress
+    }
 }
 ```
 
@@ -543,11 +546,7 @@ The following situations and outcomes are possible when you use Private Link in
 
 ## Update a private endpoint when you add or remove a region
 
-Adding or removing regions to an Azure Cosmos account requires you to add or remove DNS entries for that account. Update these changes accordingly in the private endpoint by using the following steps:
-
-1. When the Azure Cosmos DB administrator adds or removes regions, the network administrator gets a notification about the pending changes. For the private endpoint mapped to an Azure Cosmos account, the value of the `ActionsRequired` property changes from `None` to `Recreate`. Then the network administrator updates the private endpoint by issuing a PUT request with the same Resource Manager payload that was used to create it.
-
-1. After the private endpoint is updated, you can update the subnet's private DNS zone to reflect the added or removed DNS entries and their corresponding private IP addresses.
+Adding or removing regions to an Azure Cosmos account requires you to add or remove DNS entries for that account. After regions have been added or removed, you can update the subnet's private DNS zone to reflect the added or removed DNS entries and their corresponding private IP addresses.
 
 For example, imagine that you deploy an Azure Cosmos account in three regions: "West US," "Central US," and "West Europe." When you create a private endpoint for your account, four private IPs are reserved in the subnet. There's one IP for each of the three regions, and there's one IP for the global/region-agnostic endpoint.
 
@@ -578,6 +577,8 @@ The following limitations apply when you're using Private Link with an Azure Cos
 
 * When you're using Private Link with an Azure Cosmos account by using a direct mode connection, you can use only the TCP protocol. The HTTP protocol is not yet supported.
 
+* Private endpoint support is currently generally available for gateway connection mode only. For direct mode, it is available as a preview feature.
+
 * When you're using Azure Cosmos DB's API for MongoDB accounts, a private endpoint is supported for accounts on server version 3.6 only (that is, accounts using the endpoint in the format `*.mongo.cosmos.azure.com`). Private Link is not supported for accounts on server version 3.2 (that is, accounts using the endpoint in the format `*.documents.azure.com`). To use Private Link, you should migrate old accounts to the new version.
 
 * When you're using the Azure Cosmos DB's API for MongoDB accounts that have Private Link, you can't use tools such as Robo 3T, Studio 3T, and Mongoose. The endpoint can have Private Link support only if the `appName=<account name>` parameter is specified. An example is `replicaSet=globaldb&appName=mydbaccountname`. Because these tools don't pass the app name in the connection string to the service, you can't use Private Link. But you can still access these accounts by using SDK drivers with the 3.6 version.
