Merge pull request #296486 from AbhishekMallick01/Mar-18-2025-PE

prmerger-automator[bot] · web-flow · commit 9c77dd599b0d · 2025-03-27T06:54:38.000Z
Private Endpoint updates
diff --git a/articles/backup/backup-azure-private-endpoints-concept.md b/articles/backup/backup-azure-private-endpoints-concept.md
@@ -3,7 +3,7 @@ title: Private endpoints for Azure Backup - Overview
 description: This article explains about the concept of private endpoints for Azure Backup that helps to perform backups while maintaining the security of your resources.
 ms.topic: overview
 ms.service: azure-backup
-ms.date: 11/20/2024
+ms.date: 03/27/2025
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -26,10 +26,12 @@ This article describes how the [enhanced capabilities of private endpoints](#key
 
 - While a Recovery Services vault is used by (both) Azure Backup and Azure Site Recovery, this article discusses the use of private endpoints for Azure Backup only.
 
+- CMK with network restricted key vault isn't supported with private endpoint enabled vault.
+
 - You can create private endpoints for new Recovery Services vaults that don't have any items registered/protected to the vault, only. However, private endpoints are currently not supported for Backup vaults.
 
   >[!Note]
-  >You can't create private endpoints using static IP.
+  >Private endpoints with static IPs are unsupported in the V2 experience due to dynamic IP expansion. While creation succeeds, registration might fail for vaults with existing protected items.
 
 - You can't upgrade vaults (that contains private endpoints) created using the classic experience to the new experience. You can delete all existing private endpoints, and then create new private endpoints with the v2 experience. 
 
@@ -91,6 +93,8 @@ When the workload extension or MARS agent is installed for Recovery Services vau
 >- [Germany](../germany/germany-developer-guide.md#endpoint-mapping)
 >- [US Gov](../azure-government/documentation-government-developer-guide.md)
 
+To auto-update the MARS Agent allow access to the `*.login.microsoft.com` domain.
+
 For a Recovery Services vault with private endpoint setup, the name resolution for the FQDNs (`privatelink.<geo>.backup.windowsazure.com`, `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net`) should return a private IP address. This can be achieved by using: 
 
 - Azure Private DNS zones
diff --git a/articles/backup/backup-azure-private-endpoints-configure-manage.md b/articles/backup/backup-azure-private-endpoints-configure-manage.md
@@ -3,7 +3,7 @@ title: How to create and manage private endpoints (with v2 experience) for Azure
 description: This article explains how to configure and manage private endpoints for Azure Backup.
 ms.topic: how-to
 ms.service: azure-backup
-ms.date: 12/20/2024
+ms.date: 03/27/2025
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -201,6 +201,8 @@ But if you remove private endpoints for the vault after a MARS agent has been re
 >- Private endpoints are supported with only DPM server 2022 (10.22.123.0) and later.
 >- Private endpoints are supported with only MABS V4 (14.0.30.0) and later.
 
+To auto-update the MARS Agent allow access to the `*.login.microsoft.com` domain.
+
 #### Cross Subscription Restore to a Private Endpoint enabled vault
 
 To perform Cross Subscription Restore to a Private Endpoint enabled vault:
diff --git a/articles/backup/private-endpoints-overview.md b/articles/backup/private-endpoints-overview.md
@@ -2,7 +2,7 @@
 title: Private endpoints overview
 description: Understand the use of private endpoints for Azure Backup and the scenarios where using private endpoints helps maintain the security of your resources.
 ms.topic: overview
-ms.date: 11/20/2024
+ms.date: 03/27/2025
 ms.custom:
 ms.service: azure-backup
 author: jyothisuri
@@ -21,6 +21,7 @@ This article will help you understand how private endpoints for Azure Backup wor
 ## Before you start
 
 - Private endpoints can be created for new Recovery Services vaults only (that doesn't have any items registered to the vault). So private endpoints must be created before you attempt to protect any items to the vault. However, private endpoints are currently not supported for Backup vaults.
+- CMK with network restricted key vault isn't supported with private endpoint enabled vault.
 - One virtual network can contain private endpoints for multiple Recovery Services vaults. Also, one Recovery Services vault can have private endpoints for it in multiple virtual networks. However, the maximum number of private endpoints that can be created for a vault is 12.
 - If the public network access for the vault is set to **Allow from all networks**, the vault allows backups and restores from any machine registered to the vault. If the public network access for the vault is set to **Deny**, the vault only allows backups and restores from the machines registered to the vault that are requesting backups/restores via private IPs allocated for the vault.
 - A private endpoint connection for Backup uses a total of 11 private IPs in your subnet, including those used by Azure Backup for storage. This number may be higher for certain Azure regions. So we suggest that you have enough private IPs (/26) available when you attempt to create private endpoints for Backup.
@@ -73,6 +74,8 @@ When the workload extension or MARS agent is installed for Recovery Services vau
 >- [Germany](../germany/germany-developer-guide.md#endpoint-mapping)
 >- [US Gov](../azure-government/documentation-government-developer-guide.md)
 
+To auto-update the MARS Agent allow access to the `*.login.microsoft.com` domain.
+
 For a Recovery Services vault with private endpoint setup, the name resolution for the FQDNs (`privatelink.<geo>.backup.windowsazure.com`, `*.blob.core.windows.net`, `*.queue.core.windows.net`, `*.blob.storage.azure.net`) should return a private IP address. This can be achieved by using:
 
 - Azure Private DNS zones
diff --git a/articles/backup/private-endpoints.md b/articles/backup/private-endpoints.md
@@ -2,7 +2,7 @@
 title: Create and use private endpoints for Azure Backup
 description: Understand the process to creating private endpoints for Azure Backup where using private endpoints helps maintain the security of your resources.
 ms.topic: how-to
-ms.date: 11/20/2024
+ms.date: 03/27/2025
 ms.custom: devx-track-azurepowershell
 ms.service: azure-backup
 author: jyothisuri
@@ -555,6 +555,8 @@ The following diagram shows a setup (while using the Azure Private DNS zones) wi
 
 :::image type="content" source="./media/private-endpoints/setup-with-proxy-server.png" alt-text="Diagram showing a setup with a proxy server." lightbox="./media/private-endpoints/setup-with-proxy-server.png":::
 
+3. To auto-update the MARS Agent allow access to the `*.login.microsoft.com` domain.
+
 ### Create DNS entries when the DNS server/DNS zone is present in another subscription
 
 In this section, we’ll discuss the cases where you’re using a DNS zone that’s present in a subscription, or a Resource Group that’s different from the one containing the private endpoint for the Recovery Services vault, such as a hub and spoke topology. As the managed identity used for creating private endpoints (and the DNS entries) has permissions only on the Resource Group in which the private endpoints are created, the required DNS entries are needed additionally. Use the following PowerShell scripts to create DNS entries.
