Merge pull request #115079 from jlian/master

ShannonLeavitt · web-flow · commit 835d02f61806 · 2020-05-19T08:06:58.000-06:00
Clarify access for built-in endpoint
diff --git a/articles/iot-hub/iot-hub-ip-filtering.md b/articles/iot-hub/iot-hub-ip-filtering.md
@@ -5,7 +5,7 @@ author: robinsh
 ms.service: iot-hub
 services: iot-hub
 ms.topic: conceptual
-ms.date: 07/22/2017
+ms.date: 05/12/2020
 ms.author: robinsh
 ---
 
@@ -23,9 +23,12 @@ There are two specific use-cases when it is useful to block the IoT Hub endpoint
 
 ## How filter rules are applied
 
-The IP filter rules are applied at the IoT Hub service level. Therefore the IP filter rules apply to all connections from devices and back-end apps using any supported protocol.
+The IP filter rules are applied at the IoT Hub service level. Therefore, the IP filter rules apply to all connections from devices and back-end apps using any supported protocol. However,  clients reading directly from the [built-in Event Hub compatible endpoint](iot-hub-devguide-messages-read-builtin.md) (not via the IoT Hub connection string) are not bound to the IP filter rules. 
 
-Any connection attempt from an IP address that matches a rejecting IP rule in your IoT hub receives an unauthorized 401 status code and description. The response message does not mention the IP rule.
+Any connection attempt from an IP address that matches a rejecting IP rule in your IoT hub receives an unauthorized 401 status code and description. The response message does not mention the IP rule. Rejecting IP addresses can prevent other Azure services such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in Azure portal from interacting with the IoT hub.
+
+> [!NOTE]
+> If you must use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filter enabled, use the event hub-compatible name and endpoint of your IoT hub to manually add an [Event Hubs stream input](../stream-analytics/stream-analytics-define-inputs.md#stream-data-from-event-hubs) in the ASA.
 
 ## Default setting
 
@@ -57,12 +60,6 @@ The **Add** option is disabled when you reach the maximum of 10 IP filter rules.
 
 To edit an existing rule, select the data you want to change, make the change, then select **Save** to save your edit.
 
-> [!NOTE]
-> Rejecting IP addresses can prevent other Azure Services (such as Azure Stream Analytics, Azure Virtual Machines, or the Device Explorer in the portal) from interacting with the IoT hub.
-
-> [!WARNING]
-> If you use Azure Stream Analytics (ASA) to read messages from an IoT hub with IP filtering enabled, use the event hub-compatible name and endpoint of your IoT hub to manually add an [Event Hubs stream input](https://docs.microsoft.com/azure/stream-analytics/stream-analytics-define-inputs#stream-data-from-event-hubs) in the ASA.
-
 ## Delete an IP filter rule
 
 To delete an IP filter rule, select the trash can icon on that row and then select **Save**. The rule is removed and the change is saved.
diff --git a/articles/iot-hub/virtual-network-support.md b/articles/iot-hub/virtual-network-support.md
@@ -5,7 +5,7 @@
  author: jlian
  ms.service: iot-fundamentals
  ms.topic: conceptual
- ms.date: 04/28/2020
+ ms.date: 05/12/2020
  ms.author: jlian
 ---
 
@@ -42,10 +42,7 @@ This article describes how to achieve these goals using [private endpoints](../p
 
 ## Ingress connectivity to IoT Hub using private endpoints
 
-A private endpoint is a private IP address allocated inside a customer-owned VNET via which an Azure resource is reachable. By having a private endpoint for your IoT hub, you will be able to allow services operating inside your VNET to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, devices that operate in your on-premises can use [Virtual Private Network (VPN)](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) Private Peering to gain connectivity to your VNET in Azure and subsequently to your IoT Hub (via its private endpoint). As a result, customers who wish to restrict connectivity to their IoT hub's public endpoints (or possibly completely block it off) can achieve this goal by using [IoT Hub firewall rules](./iot-hub-ip-filtering.md) while retaining connectivity to their Hub using the private endpoint.
-
-> [!NOTE]
-> The main focus of this setup is for devices inside an on-premises network. This setup is not advised for devices deployed in a wide-area network.
+A private endpoint is a private IP address allocated inside a customer-owned VNET via which an Azure resource is reachable. By having a private endpoint for your IoT hub, you will be able to allow services operating inside your VNET to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, devices that operate in your on-premises can use [Virtual Private Network (VPN)](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-about-vpngateways) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) Private Peering to gain connectivity to your VNET in Azure and subsequently to your IoT Hub (via its private endpoint). As a result, customers who wish to restrict connectivity to their IoT hub's public endpoints (or possibly completely block it off) can achieve this goal by using [IoT Hub IP filter](./iot-hub-ip-filtering.md) and [configuring routing to not send any data to the built-in endpoint](#built-in-event-hub-compatible-endpoint-doesnt-support-access-over-private-endpoint). This approach retains connectivity to their Hub using the private endpoint for devices. The main focus of this setup is for devices inside an on-premises network. This setup is not advised for devices deployed in a wide-area network.
 
 ![IoT Hub public endpoint](./media/virtual-network-support/virtual-network-ingress.png)
 
@@ -91,8 +88,19 @@ To set up a private endpoint, follow these steps:
 
 6. Click **Next: Tags**, and optionally provide any tags for your resource.
 
-7. Click **Review + create** to create your private endpoint resource.
+7. Click **Review + create** to create your private link resource.
+
+### Built-in Event Hub compatible endpoint doesn't support access over private endpoint
+
+The [built-in Event Hub compatible endpoint](iot-hub-devguide-messages-read-builtin.md) doesn't support access over private endpoint. When configured, an IoT hub's private endpoint is for ingress connectivity only. Consuming data from built-in Event Hub compatible endpoint can only be done over the public internet. 
+
+IoT Hub's [IP filter](iot-hub-ip-filtering.md) also doesn't control public access to the built-in endpoint. To completely block public network access to your IoT hub, you must: 
 
+1. Configure private endpoint access for IoT Hub
+1. Turn off public network access by using IP filter to block all IP
+1. Turn off the built-in Event Hub endpoint by [setting up routing to not send data to it](iot-hub-devguide-messages-d2c.md)
+1. Turn off the [fallback route](iot-hub-devguide-messages-d2c.md#fallback-route)
+1. Configure egress to other Azure resources using [Azure first party trusted services](#egress-connectivity-from-iot-hub-to-other-azure-resources)
 
 ### Pricing (private endpoints)
 
