Merge pull request #100783 from HeidiSteen/heidist-vnet

Jak-MS · web-flow · commit 9d30d34b66d7 · 2020-01-13T11:51:51.000-06:00
Azure Cognitive Search: private endpoint
diff --git a/articles/search/service-create-private-endpoint.md b/articles/search/service-create-private-endpoint.md
@@ -1,48 +1,50 @@
 ---
-title: Create a Private Endpoint for secure connections
+title: Create a Private Endpoint for a secure connection
 titleSuffix: Azure Cognitive Search
-description: Currently in preview, you can restrict access to a search service endpoint using Private Endpoint and a secure VNet connection.
+description: Set up a private endpoint in a virtual network for a secure connection to an Azure Cognitive Search service
 
 manager: nitinme
 author: mrcarter8
 ms.author: mcarter
 ms.service: cognitive-search
 ms.topic: conceptual
-ms.date: 01/09/2020
+ms.date: 01/13/2020
 ---
 
-# Restrict access to Azure Cognitive Search using Private Endpoint and a virtual network connection.
+# Create a Private Endpoint for a secure connection to Azure Cognitive Search (Preview)
 
-> [!IMPORTANT] 
-> Support for Private Endpoint is currently available as a limited-access preview. This preview is only available for search services on the **Basic tier**.
-> This preview version is provided without a service level agreement, and it's not recommended for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/). 
-> The [REST API version 2019-10-01-Preview](search-api-preview.md) provides this feature. There is no portal or .NET SDK support at this time.
+[Private Endpoints](../private-link/private-endpoint-overview.md) for Azure Cognitive Search allow a client on a virtual network to securely access data in a search index over a [Private Link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the [virtual network address space](../virtual-network/virtual-network-ip-addresses-overview-arm.md#private-ip-addresses) for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure from the public internet. For a list of other PaaS services that support Private Link, check the [availability section](../private-link/private-link-overview.md#availability) in the product documentation.
 
-In this article, learn how to create a new search service that is accessible over secure connections, with no access from public IP addresses. Client connections are allowed from Azure virtual machines deployed in the same virtual network as the service.
+> [!Important]
+> Private Endpoint support for Azure Cognitive Search is available as a limited-access preview and not currently intended for production use. Please fill out and submit the [access request form](https://aka.ms/SearchPrivateLinkRequestAccess) if you would like to access the preview. The form requests information about you, your company, and general application architecture. Once we review your request, you'll receive a confirmation email with additional instructions.
+>
+> Once you are granted access to the preview, you'll be able to configure Private Endpoints for your service using the Azure portal and REST API version [2019-10-06-Preview](search-api-preview.md).
+>   
 
-## About Private Endpoint support
+Private endpoints for your search service enables you to:
 
-[Private Endpoints](../private-link/private-endpoint-overview.md) for Azure Cognitive Search allow a client on a virtual network to securely access data over a [Private Link](../private-link/private-link-overview.md). The private endpoint uses an IP address from the [virtual network address space](../virtual-network/virtual-network-ip-addresses-overview-arm.md#private-ip-addresses) for your search service. Network traffic between the client and the search service traverses over the virtual network and a private link on the Microsoft backbone network, eliminating exposure to the public internet. For a list of PaaS services that support Private Link, check the [availability section](../private-link/private-link-overview.md#availability) in the product documentation.
-
-A private endpoint for your search service enables you to:
-
-+ Block all connections on the public endpoint for your search service.
-+ Increase security for the virtual network by enabling you to block exfiltration of data from the virtual network.
-+ Securely connect to your search service from on-premises networks that connect to the virtual network using [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../expressroute/expressroute-locations.md) with private-peering.
+- Block all connections on the public endpoint for your search service.
+- Increase security for the virtual network, by enabling you to block exfiltration of data from the virtual network.
+- Securely connect to your search service from on-premises networks that connect to the virtual network using [VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoutes](../expressroute/expressroute-locations.md) with private-peering.
 
 > [!NOTE]
-> When the service endpoint is private, some portal features are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
+> There are currently some limitations in the preview that you should be aware of:
+> * Available only for search services on the **Basic** tier. 
+> * Available in the West US 2, West Central US, East US, South Central US, Australia East, and Australia Southeast regions.
+> * When the service endpoint is private, some portal features are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons.
+> * When the service endpoint is private, you must use the search API to upload documents to the index.
+> * You must use the following link to see the private endpoint support option in the Azure portal: https://portal.azure.com/?feature.enablePrivateEndpoints=true
 
-## Request access 
+In this article, you'll learn how to use the portal to create a new Azure Cognitive Search service instance that can't be accessed via a public IP address, configure an Azure virtual machine in the same virtual network, and use it to access the search service via a private endpoint.
 
-Click [request access](https://aka.ms/SearchPrivateLinkRequestAccess) to sign up for this preview feature. The form requests information about you, your company, and  general network topology. Once we review your request, you'll receive a confirmation email with additional instructions.
 
 ## Create a VM
 In this section, you will create a virtual network and subnet to host the VM that will be used to access your search service's private endpoint.
 
-### Set up the virtual network
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. On the top left, select **Create a resource** > **Networking** > **Virtual network**.
+### Create the virtual network
+
+1. From the Azure portal home tab, select **Create a resource** > **Networking** > **Virtual network**.
+
 1. In **Create virtual network**, enter or select this information:
 
     | Setting | Value |
@@ -59,59 +61,11 @@ In this section, you will create a virtual network and subnet to host the VM tha
 1. Leave the rest as default and select **Create**.
 
 
-### Create a virtual machine
-
-1. On the top left of main portal page, select **Create a resource** > **Compute** > **Virtual machine**.
-
-1. In **Create a virtual machine - Basics**, enter or select this information:
-
-    | Setting | Value |
-    | ------- | ----- |
-    | **PROJECT DETAILS** | |
-    | Subscription | Select your subscription. |
-    | Resource group | Select **myResourceGroup**. You created this in the previous section.  |
-    | **INSTANCE DETAILS** |  |
-    | Virtual machine name | Enter *myVm*. |
-    | Region | Select **West US** or whatever region you are using. |
-    | Availability options | Leave the default **No infrastructure redundancy required**. |
-    | Image | Select **Windows Server 2019 Datacenter**. |
-    | Size | Leave the default **Standard DS1 v2**. |
-    | **ADMINISTRATOR ACCOUNT** |  |
-    | Username | Enter a username of your choosing. |
-    | Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.md?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm).|
-    | Confirm Password | Reenter password. |
-    | **INBOUND PORT RULES** |  |
-    | Public inbound ports | Leave the default **None**. |
-    | **SAVE MONEY** |  |
-    | Already have a Windows license? | Leave the default **No**. |
-    |||
-
-1. Select **Next: Disks**.
-
-1. In **Create a virtual machine - Disks**, leave the defaults and select **Next: Networking**.
-
-1. In **Create a virtual machine - Networking**, select this information:
-
-    | Setting | Value |
-    | ------- | ----- |
-    | Virtual network | Leave the default **MyVirtualNetwork**.  |
-    | Address space | Leave the default **10.1.0.0/24**.|
-    | Subnet | Leave the default **mySubnet (10.1.0.0/24)**.|
-    | Public IP | Leave the default **(new) myVm-ip**. |
-    | Public inbound ports | Select **Allow selected ports**. |
-    | Select inbound ports | Select **HTTP** and **RDP**.|
-    ||
-
-1. Select **Review + create**. You're taken to the **Review + create** page where Azure validates your configuration.
-
-1. When you see the **Validation passed** message, select **Create**.
-
-
 ## Create your search service with a private endpoint
 
 In this section, you will create a new Azure Cognitive Search service with a Private Endpoint. 
 
-1. On the top left of main portal page, select **Create a resource** > **Web** > **Azure Cognitive Search**.
+1. On the upper-left side of the screen in the Azure portal, select **Create a resource** > **Web** > **Azure Cognitive Search**.
 
 1. In **New Search Service - Basics**, enter or select this information:
 
@@ -156,11 +110,62 @@ In this section, you will create a new Azure Cognitive Search service with a Pri
 1. Select **Review + create**. You're taken to the **Review + create** page where Azure validates your configuration. 
 
 1. When you see the **Validation passed** message, select **Create**. 
-1. Once the service is created, browse to the resource that you just created.
+
+1. Once provisioning of your new service is complete, browse to the resource that you just created.
+
 1. Select **Keys** from the left content menu.
-1. Copy the **Primary admin key** for use in the next step.
 
- 
+1. Copy the **Primary admin key** for later.
+
+### Create a virtual machine
+
+1. On the upper-left side of the screen in the Azure portal, select **Create a resource** > **Compute** > **Virtual machine**.
+
+1. In **Create a virtual machine - Basics**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | **PROJECT DETAILS** | |
+    | Subscription | Select your subscription. |
+    | Resource group | Select **myResourceGroup**. You created this in the previous section.  |
+    | **INSTANCE DETAILS** |  |
+    | Virtual machine name | Enter *myVm*. |
+    | Region | Select **West US** or whatever region you are using. |
+    | Availability options | Leave the default **No infrastructure redundancy required**. |
+    | Image | Select **Windows Server 2019 Datacenter**. |
+    | Size | Leave the default **Standard DS1 v2**. |
+    | **ADMINISTRATOR ACCOUNT** |  |
+    | Username | Enter a username of your choosing. |
+    | Password | Enter a password of your choosing. The password must be at least 12 characters long and meet the [defined complexity requirements](../virtual-machines/windows/faq.md?toc=%2fazure%2fvirtual-network%2ftoc.json#what-are-the-password-requirements-when-creating-a-vm).|
+    | Confirm Password | Reenter password. |
+    | **INBOUND PORT RULES** |  |
+    | Public inbound ports | Leave the default **Allow selected ports**. |
+    | Select inbound ports | Leave the default **RDP (3389)**. |
+    | **SAVE MONEY** |  |
+    | Already have a Windows license? | Leave the default **No**. |
+    |||
+
+1. Select **Next: Disks**.
+
+1. In **Create a virtual machine - Disks**, leave the defaults and select **Next: Networking**.
+
+1. In **Create a virtual machine - Networking**, select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Virtual network | Leave the default **MyVirtualNetwork**.  |
+    | Address space | Leave the default **10.1.0.0/24**.|
+    | Subnet | Leave the default **mySubnet (10.1.0.0/24)**.|
+    | Public IP | Leave the default **(new) myVm-ip**. |
+    | Public inbound ports | Select **Allow selected ports**. |
+    | Select inbound ports | Select **HTTP** and **RDP**.|
+    ||
+
+1. Select **Review + create**. You're taken to the **Review + create** page where Azure validates your configuration.
+
+1. When you see the **Validation passed** message, select **Create**. 
+
+
 ## Connect to a VM from the internet
 
 Connect to the VM *myVm* from the internet as follows:
@@ -182,14 +187,14 @@ Connect to the VM *myVm* from the internet as follows:
 
 1. Select **OK**.
 
-1. You may receive a certificate warning when signing in. If you receive a certificate warning, select **Yes** or **Continue**.
+1. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select **Yes** or **Continue**.
 
 1. Once the VM desktop appears, minimize it to go back to your local desktop.  
 
 
 ## Access the search service privately from the VM
 
-In this section, you will verify private network access to the search service and connect privately to the storage account using the Private Endpoint.
+In this section, you will verify private network access to the search service and connect privately to the using the Private Endpoint.
 
 1. In the Remote Desktop of *myVM*, open PowerShell.
 
@@ -204,25 +209,20 @@ In this section, you will verify private network access to the search service an
     Address:  10.0.0.5
     Aliases:  [search service name].search.windows.net
     ```
-1. Follow this [Quickstart](search-get-started-postman.md) from the VM to create a new search index in your service in Postman using the REST API.
+1. Follow this [Quickstart](search-get-started-postman.md) from the VM to create a new search index in your service in Postman using the REST API.  Use the key you copied in a previous step to authenticate to the service.
 
 1. Try several of these same requests in Postman on your local workstation.
 
 1. If you are able to complete the Quickstart from the VM, but receive an error that the remote server does not exist on your local workstation, you have successfully configured a private endpoint for your search service.
 
 1. Close the remote desktop connection to *myVM*. 
 
-## Clean up resources 
-
-When you're done using the Private Endpoint, search service account, and the VM, delete the resource group and all of the resources it contains: 
 
+## Clean up resources 
+When you're done using the Private Endpoint, search service, and the VM, delete the resource group and all of the resources it contains:
 1. Enter *myResourceGroup* in the **Search** box at the top of the portal and select *myResourceGroup* from the search results. 
 1. Select **Delete resource group**. 
 1. Enter *myResourceGroup* for **TYPE THE RESOURCE GROUP NAME** and select **Delete**.
 
 ## Next steps
-
-In this article, you created a VM on a virtual network and a search service with a Private Endpoint. You connected to the VM from the internet and securely communicated to the search service using Private Link. 
-
-> [!div class="nextstepaction"]
-> [What is Azure Private Endpoint?](../private-link/private-endpoint-overview.md).
+In this article, you created a VM on a virtual network and a search service with a Private Endpoint. You connected to the VM from the internet and securely communicated to the search service using Private Link. To learn more about Private Endpoint, see [What is Azure Private Endpoint?](../private-link/private-endpoint-overview.md).
diff --git a/articles/search/whats-new.md b/articles/search/whats-new.md
@@ -8,7 +8,7 @@ author: HeidiSteen
 ms.author: heidist
 ms.service: cognitive-search
 ms.topic: conceptual
-ms.date: 01/07/2020
+ms.date: 01/13/2020
 ---
 # What's new in Azure Cognitive Search
 
@@ -28,7 +28,11 @@ API versions, Nuget packages, namespaces, and endpoints are unchanged. Your exis
 
 + [Customer-managed encryption keys](search-security-manage-encryption-keys.md) is now generally available. If you are using REST, you can access the feature using `api-version=2019-05-06`. For managed code, the correct package is still [.NET SDK version 8.0-preview](search-dotnet-sdk-migration-version-9.md) even though the feature is out of preview. 
 
-+ *Restricted IP access and private endpoint (preview)* on a search service endpoint is now available in **api-version=2019-10-01-Preview**. You can set up a secure endpoint using the new **IpRule** and **NetworkRuleSet** properties in the [Create or Update](https://docs.microsoft.com/rest/api/searchmanagement/services/createorupdate) Management REST API. For more information about API versions and regional availability, see [How to use the Management REST API](https://docs.microsoft.com/rest/api/searchmanagement/search-howto-management-rest-api).
++ Private access to a search service is available through two mechanisms:
+
+  + You can restrict access to specific IP addresses by using the Management REST API  `api-version=2019-10-01-Preview` to create the service. The preview API has new **IpRule** and **NetworkRuleSet** properties in [CreateOrUpdate API](https://docs.microsoft.com/rest/api/searchmanagement/services/createorupdate). This preview feature is available in selected regions. For more information, see [How to use the Management REST API](https://docs.microsoft.com/rest/api/searchmanagement/search-howto-management-rest-api).
+
+  + Currently available through a limited-access preview, you can provision an Azure Search service that supports Azure Private Endpoint for connections from clients on the same virtual network. For more information, see [Create a Private Endpoint for a secure connection](service-create-private-endpoint.md).
 
 ### December 2019
 
