Update concepts-connectivity-architecture.md

GennadNY · GennadNY · commit 9933c7ddced1 · 2023-03-09T16:11:52.000-08:00
diff --git a/articles/postgresql/single-server/concepts-connectivity-architecture.md b/articles/postgresql/single-server/concepts-connectivity-architecture.md
@@ -4,9 +4,9 @@ description: Describes the connectivity architecture of your Azure Database for
 ms.service: postgresql
 ms.subservice: single-server
 ms.topic: conceptual
-ms.author: sisawant 
+ms.author: gennadyk 
 author: code-sidd
-ms.date: 06/24/2022
+ms.date: 03/09/2023
 ---
 
 # Connectivity architecture in Azure Database for PostgreSQL
@@ -27,66 +27,65 @@ As client connects to the database, the connection string to the server resolves
 
 The gateway service is hosted on group of stateless compute nodes sitting behind an IP address, which your client would reach first when trying to connect to an Azure Database for PostgreSQL server.
 
-As part of ongoing service maintenance, we'll periodically refresh compute hardware hosting the gateways to ensure we provide the most secure and performant connectivity experience. When the gateway hardware is refreshed, a new ring of the compute nodes is built out first. This new ring serves the traffic for all the newly created Azure Database for PostgreSQL servers and it will have a different IP address from older gateway rings in the same region to differentiate the traffic. The older gateway hardware continues serving existing servers but are planned for decommissioning in future. Before decommissioning a gateway hardware, customers running their servers and connecting to older gateway rings will be notified via email and in the Azure portal, three months in advance before decommissioning. The decommissioning of gateways can impact the connectivity to your servers if
+**As part of ongoing service maintenance, we'll periodically refresh compute hardware hosting the gateways to ensure we provide the most secure and performant connectivity experience.**  When the gateway hardware is refreshed, a new ring of the compute nodes is built out first. This new ring serves the traffic for all the newly created Azure Database for PostgreSQL servers and it will have a different IP address from older gateway rings in the same region to differentiate the traffic. The older gateway hardware continues serving existing servers but are planned for decommissioning in future. Before decommissioning a gateway hardware, customers running their servers and connecting to older gateway rings will be notified via email and in the Azure portal, three months in advance before decommissioning. The decommissioning of gateways can impact the connectivity to your servers if
 
 * You hard code the gateway IP addresses in the connection string of your application. It is **not recommended**.You should use fully qualified domain name (FQDN) of your server in the format `<servername>.postgres.database.azure.com`, in the connection string for your application. 
-* You do not update the newer gateway IP addresses in the client-side firewall to allow outbound traffic to be able to reach our new gateway rings.
+* You do not update the newer gateway IP addresses in the client-side firewall to allow outbound traffic to be able to reach our new gateway rings. 
+
+> [!IMPORTANT]
+> We strongly encourage customers to use the Gateway IP address **subnets** in order to not be impacted by this activity in a region.
 
 The following table lists the gateway IP addresses of the Azure Database for PostgreSQL gateway for all data regions. The most up-to-date information of the gateway IP addresses for each region is maintained in the table below. In the table below, the columns represent following:
 
-* **Gateway IP addresses:** This column lists the current IP addresses of the gateways hosted on the latest generation of hardware. If you are provisioning a new server, we recommend that you open the client-side firewall to allow outbound traffic for the IP addresses listed in this column.
-* **Gateway IP addresses (decommissioning):** This column lists the IP addresses of the gateways hosted on an older generation of hardware that is being decommissioned right now. If you are provisioning a new server, you can ignore these IP addresses. If you have an existing server, continue to retain the outbound rule for the firewall for these IP addresses as we have not decommissioned it yet. If you drop the firewall rules for these IP addresses, you may get connectivity errors. Instead, you are expected to proactively add the new IP addresses listed in Gateway IP addresses column to the outbound firewall rule as soon as you receive the notification for decommissioning. This will ensure when your server is migrated to latest gateway hardware, there is no interruptions in connectivity to your server.
-* **Gateway IP addresses (decommissioned):** This column lists the IP addresses of the gateway rings, which are decommissioned and are no longer in operations. You can safely remove these IP addresses from your outbound firewall rule.
-
-| **Region name** | **Gateway IP addresses** |**Gateway IP addresses (decommissioning)** | **Gateway IP addresses (decommissioned)** |
-|:----------------|:-------------------------|:-------------------------------------------|:------------------------------------------|
-| Australia Central| 20.36.105.0  | | |
-| Australia Central2     | 20.36.113.0  | | |
-| Australia East | 13.75.149.87, 40.79.161.1     |  | |
-| Australia South East |13.77.48.10, 13.77.49.32, 13.73.109.251     |  | |
-| Brazil South |191.233.201.8, 191.233.200.16     |  | 104.41.11.5|
-| Canada Central |40.85.224.249, 52.228.35.221     | | |
-| Canada East | 40.86.226.166, 52.242.30.154     | | |
-| Central US | 23.99.160.139, 52.182.136.37, 52.182.136.38 | 13.67.215.62 | |
-| China East            |  139.219.130.35            |      |    |
-| China East 2          |  40.73.82.1, 52.130.120.89     | 
-| China East 3          |  52.131.155.192        | 
-| China North | 139.219.15.17     | | |
-| China North 2 | 40.73.50.0     | | |
-| China North 3 | 52.131.27.192     | | |
-| East Asia | 13.75.33.20, 52.175.33.150, 13.75.33.20, 13.75.33.21     | | |
-| East US |40.71.8.203, 40.71.83.113 |40.121.158.30|191.238.6.43 |
-| East US 2 | 40.70.144.38, 52.167.105.38  | 52.177.185.181 | |
-| France Central | 40.79.137.0, 40.79.129.1     | | |
-| France South | 40.79.177.0     | | |
-| Germany Central | 51.4.144.100     | | |
-| Germany North | 51.116.56.0 | |
-| Germany North East | 51.5.144.179     | | |
-| Germany West Central | 51.116.152.0 | |
-| India Central | 104.211.96.159     | | |
-| India South | 104.211.224.146     | | |
-| India West | 104.211.160.80     | | |
-| Japan East | 40.79.192.23, 40.79.184.8 | 13.78.61.196 | |
-| Japan West | 104.214.148.156, 40.74.96.6, 40.74.96.7     | 104.214.148.156 | |
-| Korea Central | 52.231.17.13     | 52.231.32.42 | |
-| Korea South | 52.231.145.3     | 52.231.151.97 | |
-| North Central US | 52.162.104.35, 52.162.104.36     | 23.96.178.199 | |
-| North Europe | 52.138.224.6, 52.138.224.7     | 40.113.93.91 |191.235.193.75 |
-| South Africa North  | 102.133.152.0     | | |
-| South Africa West    | 102.133.24.0     | | |
-| South Central US |104.214.16.39, 20.45.120.0  |13.66.62.124  |23.98.162.75 |
-| South East Asia | 40.78.233.2, 23.98.80.12     | 104.43.15.0 | |
-| Switzerland North | 51.107.56.0 ||
-| Switzerland West | 51.107.152.0| ||
-| UAE Central | 20.37.72.64     | | |
-| UAE North | 65.52.248.0     | | |
-| UK South | 51.140.184.11, 51.140.144.32, 51.105.64.0     | | |
-| UK West | 51.141.8.11     | |  |
-| West Central US | 13.78.145.25, 52.161.100.158     | | |
-| West Europe |13.69.105.208, 104.40.169.187 | 40.68.37.158 | 191.237.232.75 |
-| West US |13.86.216.212, 13.86.217.212 |104.42.238.205  | 23.99.34.75|
-| West US 2 | 13.66.226.202, 13.66.136.192,13.66.136.195     | | |
-| West US 3 | 20.150.184.2     | | |
+* **Gateway IP addresses:** This column lists the current IP addresses of the gateways, As hardware is refreshed we will remove these and  recommend that  you open the client-side firewall to allow outbound traffic for the IP address subnets listed in the next column.
+* **Gateway IP address subnets:** This column lists the IP address subnets of the gateway rings located in the particular region. As we retire older gateway hardware we recommend that  you open the client-side firewall to allow outbound traffic for the IP address subnets in the region you are operating. 
+
+| **Region name** | **Gateway IP addresses**  | **Gateway IP address subnets** |
+|:----------------|:-------------------------|:------------------------------------------|
+| Australia Central| 20.36.105.0  | 20.36.105.32/29 |
+| Australia Central2     | 20.36.113.0  | 20.36.113.32/29 |
+| Australia East | 13.75.149.87, 40.79.161.1     |  13.70.112.32/29, 40.79.160.32/29, 40.79.168.32/29 |
+| Australia South East |13.77.48.10, 13.77.49.32, 13.73.109.251     |13.77.49.32/29  |
+| Brazil South |191.233.201.8, 191.233.200.16     | 191.233.200.32/29, 191.234.144.32/29|
+| Canada Central |40.85.224.249, 52.228.35.221     | 	13.71.168.32/29, 20.38.144.32/29, 52.246.152.32/29|
+| Canada East | 40.86.226.166, 52.242.30.154     | 40.69.105.32/29 |
+| Central US | 23.99.160.139, 52.182.136.37, 52.182.136.38 | 104.208.21.192/29, 13.89.168.192/29, 52.182.136.192/29|
+| China East            |  139.219.130.35            |      52.130.112.136/29  |
+| China East 2          |  40.73.82.1, 52.130.120.89     | 52.130.120.88/29|
+| China East 3          |  52.131.155.192        | 52.130.128.88/29|
+| China North | 139.219.15.17     | 52.130.128.88/29 |
+| China North 2 | 40.73.50.0     | 	52.130.40.64/29|
+| China North 3 | 52.131.27.192     | 13.75.32.192/29, 13.75.33.192/29 |
+| East Asia | 13.75.33.20, 52.175.33.150, 13.75.33.20, 13.75.33.21     | 13.75.32.192/29, 13.75.33.192/29|
+| East US |40.71.8.203, 40.71.83.113 |20.42.65.64/29, 20.42.73.0/29, 52.168.116.64/29|
+| East US 2 | 40.70.144.38, 52.167.105.38  |104.208.150.192/29, 40.70.144.192/29, 52.167.104.192/29|
+| France Central | 40.79.137.0, 40.79.129.1     | 40.79.136.32/29, 40.79.144.32/29 |
+| France South | 40.79.177.0     | 	40.79.176.40/29, 40.79.177.32/29|
+| Germany West Central | 51.116.152.0 | 51.116.152.32/29, 51.116.240.32/29, 51.116.248.32/29|
+| India Central | 104.211.96.159     | 104.211.86.32/29, 20.192.96.32/29|
+| India South | 104.211.224.146     | 40.78.192.32/29, 40.78.193.32/29|
+| India West | 104.211.160.80     | 	104.211.144.32/29, 104.211.145.32/29 |
+| Japan East | 40.79.192.23, 40.79.184.8 | 13.78.104.32/29, 40.79.184.32/29, 40.79.192.32/29 |
+| Japan West | 104.214.148.156, 40.74.96.6, 40.74.96.7     | 40.74.96.32/29 |
+| Korea Central | 52.231.17.13     | 20.194.64.32/29,20.44.24.32/29, 52.231.16.32/29 |
+| Korea South | 52.231.145.3     |  |
+| North Central US | 52.162.104.35, 52.162.104.36     | 52.162.105.192/29|
+| North Europe | 52.138.224.6, 52.138.224.7    |13.69.233.136/29, 13.74.105.192/29, 52.138.229.72/29 |
+| South Africa North  | 102.133.152.0     | 102.133.120.32/29, 102.133.152.32/29, 102.133.248.32/29 |
+| South Africa West    | 102.133.24.0     | 102.133.25.32/29|
+| South Central US |104.214.16.39, 20.45.120.0  |20.45.121.32/29, 20.49.88.32/29, 20.49.89.32/29, 40.124.64.136/29|
+| South East Asia | 40.78.233.2, 23.98.80.12     | 13.67.16.192/29, 23.98.80.192/29, 40.78.232.192/29 |
+| Switzerland North | 51.107.56.0 |51.107.56.32/29, 51.103.203.192/29, 20.208.19.192/29, 51.107.242.32/27|
+| Switzerland West | 51.107.152.0| 51.107.153.32/29|
+| UAE Central | 20.37.72.64     | 20.37.72.96/29, 20.37.73.96/29 |
+| UAE North | 65.52.248.0     | 40.120.72.32/29, 65.52.248.32/29 |
+| UK South | 51.140.184.11, 51.140.144.32, 51.105.64.0     |51.105.64.32/29, 51.105.72.32/29, 51.140.144.32/29 |
+| UK West | 51.141.8.11     | 51.140.208.96/29, 51.140.209.32/29 |
+| West Central US | 13.78.145.25, 52.161.100.158     | 13.71.193.32/29 |
+| West Europe |13.69.105.208, 104.40.169.187 | 104.40.169.32/29, 13.69.112.168/29, 52.236.184.32/29|
+| West US |13.86.216.212, 13.86.217.212 |13.86.217.224/29|
+| West US 2 | 13.66.226.202, 13.66.136.192,13.66.136.195     | 13.66.136.192/29, 40.78.240.192/29, 40.78.248.192/29|
+| West US 3 | 20.150.184.2     | 20.150.168.32/29, 20.150.176.32/29, 20.150.184.32/29 |
 
 ## Frequently asked questions
 
@@ -114,7 +113,7 @@ This indicates that your applications connect to server using static IP address
 
 ### Is there any impact for my application connections?
 
-This maintenance is just a DNS change, so it is transparent to the client. Once the DNS cache is refreshed in the client (automatically done by operation system), all the new connections will connect to the new IP address and all the existing connections will still be working fine until the old IP address gets fully decommissioned, which is usually several weeks later. And the retry logic is not required for this case, but it is good to see the application have retry logic configured. Please either use FQDN to connect to the database server or enable list the new 'Gateway IP addresses' in your application connection string.
+This maintenance is just a DNS change, so it is transparent to the client. Once the DNS cache is refreshed in the client (automatically done by operation system), all the new connections will connect to the new IP address and all the existing connections will still be working fine until the old IP address gets fully decommissioned, which is usually several weeks later. And the retry logic is not required for this case, but it is good to see the application have retry logic configured. Please either use FQDN to connect to the database server  in your application connection string.
 This maintenance operation will not drop the existing connections. It only makes the new connection requests go to new gateway ring.
 
 ### Can I request for a specific time window for the maintenance? 
