connectivity A2A

Author: mayurigupta13

articles/site-recovery/azure-to-azure-about-networking.md

@@ -6,7 +6,7 @@ author: sujayt
 manager: rochakm
 ms.service: site-recovery
 ms.topic: article
-ms.date: 1/8/2020
+ms.date: 1/23/2020
 ms.author: sutalasi
 
 ---
@@ -45,77 +45,21 @@ If you are using a URL-based firewall proxy to control outbound connectivity, al
 --- | ---
 *.blob.core.windows.net | Required so that data can be written to the cache storage account in the source region from the VM. If you know all the cache storage accounts for your VMs, you can allow access to the specific storage account URLs (Ex: cache1.blob.core.windows.net and cache2.blob.core.windows.net) instead of *.blob.core.windows.net
 login.microsoftonline.com | Required for authorization and authentication to the Site Recovery service URLs.
-*.hypervrecoverymanager.windowsazure.com | Required so that the Site Recovery service communication can occur from the VM. You can use the corresponding 'Site Recovery IP' if your firewall proxy supports IPs.
-*.servicebus.windows.net | Required so that the Site Recovery monitoring and diagnostics data can be written from the VM. You can use the corresponding 'Site Recovery Monitoring IP' if your firewall proxy supports IPs.
+*.hypervrecoverymanager.windowsazure.com | Required so that the Site Recovery service communication can occur from the VM.
+*.servicebus.windows.net | Required so that the Site Recovery monitoring and diagnostics data can be written from the VM.
 
 ## Outbound connectivity for IP address ranges
 
-If you are using an IP-based firewall proxy, or NSG to control outbound connectivity, these IP ranges need to be allowed.
+If you are using an NSG to control outbound connectivity, these service tags need to be allowed.
 
 - All IP address ranges that correspond to the storage accounts in source region
     - Create a [Storage service tag](../virtual-network/security-overview.md#service-tags) based NSG rule for the source region.
     - Allow these addresses so that data can be written to the cache storage account, from the VM.
 - Create a [Azure Active Directory (AAD) service tag](../virtual-network/security-overview.md#service-tags) based NSG rule for allowing access to all IP addresses corresponding to AAD
-    - If new addresses are added to the Azure Active Directory (AAD) in the future, you need to create new NSG rules.
 - Create an EventsHub service tag based NSG rule for the target region, allowing access to Site Recovery monitoring.
 - Create an AzureSiteRecovery service tag based NSG rule for allowing access to Site Recovery service in any region.
 - We recommend that you create the required NSG rules on a test NSG, and verify that there are no problems before you create the rules on a production NSG.
 
-
-If you prefer using Site Recovery IP address ranges (not recommended), please refer the below table:
-
-   **Target** | **Site Recovery IP** |  **Site Recovery monitoring IP**
-   --- | --- | ---
-   East Asia | 52.175.17.132 | 13.94.47.61
-   Southeast Asia | 52.187.58.193 | 13.76.179.223
-   Central India | 52.172.187.37 | 104.211.98.185
-   South India | 52.172.46.220 | 104.211.224.190
-   North Central US | 23.96.195.247 | 168.62.249.226
-   North Europe | 40.69.212.238 | 52.169.18.8
-   West Europe | 52.166.13.64 | 40.68.93.145
-   East US | 13.82.88.226 | 104.45.147.24
-   West US | 40.83.179.48 | 104.40.26.199
-   South Central US | 13.84.148.14 | 104.210.146.250
-   Central US | 40.69.144.231 | 52.165.34.144
-   East US 2 | 52.184.158.163 | 40.79.44.59
-   Japan East | 52.185.150.140 | 138.91.1.105
-   Japan West | 52.175.146.69 | 138.91.17.38
-   Brazil South | 191.234.185.172 | 23.97.97.36
-   Australia East | 104.210.113.114 | 191.239.64.144
-   Australia Southeast | 13.70.159.158 | 191.239.160.45
-   Canada Central | 52.228.36.192 | 40.85.226.62
-   Canada East | 52.229.125.98 | 40.86.225.142
-   West Central US | 52.161.20.168 | 13.78.149.209
-   West US 2 | 52.183.45.166 | 13.66.228.204
-   UK West | 51.141.3.203 | 51.141.14.113
-   UK South | 51.140.43.158 | 51.140.189.52
-   UK South 2 | 13.87.37.4| 13.87.34.139
-   UK North | 51.142.209.167 | 13.87.102.68
-   Korea Central | 52.231.28.253 | 52.231.32.85
-   Korea South | 52.231.198.185 | 52.231.200.144
-   France Central | 52.143.138.106 | 52.143.136.55
-   France South | 52.136.139.227 |52.136.136.62
-   Australia central| 20.36.34.70 | 20.36.46.142
-   Australia Central 2| 20.36.69.62 | 20.36.74.130
-   South Africa West | 102.133.72.51 | 102.133.26.128
-   South Africa North | 102.133.160.44 | 102.133.154.128
-   US Gov Virginia | 52.227.178.114 | 23.97.0.197
-   US Gov Iowa | 13.72.184.23 | 23.97.16.186
-   US Gov Arizona | 52.244.205.45 | 52.244.48.85
-   US Gov Texas | 52.238.119.218 | 52.238.116.60
-   US DoD East | 52.181.164.103 | 52.181.162.129
-   US DoD Central | 52.182.95.237 | 52.182.90.133
-   China North | 40.125.202.254 | 42.159.4.151
-   China North 2 | 40.73.35.193 | 40.73.33.230
-   China East | 42.159.205.45 | 42.159.132.40
-   China East 2 | 40.73.118.52| 40.73.100.125
-   Germany North| 51.116.208.58| 51.116.58.128
-   Germany West Central | 51.116.156.176 | 51.116.154.192
-   Switzerland West | 51.107.231.223| 51.107.154.128
-   Switzerland North | 51.107.68.31| 51.107.58.128
-   Norway East | 51.120.100.64| 51.120.98.128
-   Norway West | 51.120.220.65| 51.120.218.160
-
 ## Example NSG configuration
 
 This example shows how to configure NSG rules for a VM to replicate.

articles/site-recovery/azure-to-azure-architecture.md

@@ -6,7 +6,7 @@ author: rayne-wiselman
 manager: carmonm
 ms.service: site-recovery
 ms.topic: conceptual
-ms.date: 1/08/2020
+ms.date: 1/23/2020
 ms.author: raynew
 ---
 
@@ -142,7 +142,7 @@ Please note that details of network connectivity requirements can be found in  [
 **Rule** |  **Details** | **Service tag**
 --- | --- | --- 
 Allow HTTPS outbound: port 443 | Allow ranges that correspond to storage accounts in the source region | Storage.\<region-name>
-Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Active Directory (Azure AD).<br/><br/> If Azure AD addresses are added in future you need to create new Network Security Group (NSG) rules.  | AzureActiveDirectory
+Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Active Directory (Azure AD)  | AzureActiveDirectory
 Allow HTTPS outbound: port 443 | Allow ranges that correspond to Events Hub in the target region. | EventsHub.\<region-name>
 Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Site Recovery  | AzureSiteRecovery
 
@@ -151,7 +151,7 @@ Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Site Reco
 **Rule** |  **Details** | **Service tag**
 --- | --- | --- 
 Allow HTTPS outbound: port 443 | Allow ranges that correspond to storage accounts in the target region | Storage.\<region-name>
-Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure AD.<br/><br/> If Azure AD addresses are added in future you need to create new NSG rules.  | AzureActiveDirectory
+Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure AD  | AzureActiveDirectory
 Allow HTTPS outbound: port 443 | Allow ranges that correspond to Events Hub in the source region. | EventsHub.\<region-name>
 Allow HTTPS outbound: port 443 | Allow ranges that correspond to Azure Site Recovery  | AzureSiteRecovery
 

articles/site-recovery/azure-to-azure-tutorial-enable-replication.md

@@ -5,7 +5,7 @@ author: rayne-wiselman
 manager: carmonm
 ms.service: site-recovery
 ms.topic: tutorial
-ms.date: 1/8/2020
+ms.date: 1/24/2020
 ms.author: raynew
 ms.custom: mvc
 ---
@@ -77,17 +77,6 @@ If you're using a URL-based firewall proxy to control outbound connectivity, all
 
 If you're using NSG, create service tag based NSG rules for access to Azure Storage, Azure Active Directory, Site Recovery service and Site Recovery monitoring. [Learn more](azure-to-azure-about-networking.md#outbound-connectivity-for-ip-address-ranges).
 
-If you want to control outbound connectivity using IP addresses instead of NSG rules, allow these addresses for IP-based firewalls, proxy, or NSG rules.
-
->[!NOTE]
->It is recommended to always configure NSG rules with service tags for outbound access.
-
-  - [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=41653)
-  - [Windows Azure Datacenter IP Ranges in Germany](https://www.microsoft.com/download/details.aspx?id=54770)
-  - [Windows Azure Datacenter IP Ranges in China](https://www.microsoft.com/download/details.aspx?id=42064)
-  - [Office 365 URLs and IP address ranges](https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_identity)
-  - [Site Recovery service endpoint IP addresses](https://aka.ms/site-recovery-public-ips)
-
 ## Verify Azure VM certificates
 
 Check that the VMs you want to replicate have the latest root certificates. If they don't the VM can't registered to Site Recovery, due to security constraints.

articles/site-recovery/site-recovery-faq.md

@@ -2,7 +2,7 @@
 title: General questions about the Azure Site Recovery service
 description: This article discusses popular general questions about Azure Site Recovery.
 ms.topic: conceptual
-ms.date: 1/10/2020
+ms.date: 1/24/2020
 ms.author: raynew
 
 ---
@@ -142,7 +142,7 @@ Azure Site Recovery replicates data to an Azure storage account or managed disks
 
 ### Why can't I replicate over VPN?
 
-When you replicate to Azure, replication traffic reaches the public endpoints of an Azure Storage. Thus you can only replicate over the public internet with ExpressRoute (Microsoft peering or an existing public peering), and VPN doesn't work.
+When you replicate to Azure, replication traffic reaches the public endpoints of an Azure Storage. Thus you can only replicate over the public internet or via ExpressRoute (Microsoft peering or an existing public peering).
 
 ### Can I use Riverbed SteelHeads for replication?