articles/search/search-indexer-securing-resources.md
Lines changed: 25 additions & 22 deletions
@@ -13,7 +13,7 @@ ms.date: 06/20/2022
13
13
14
14
# Indexer access to content protected by Azure network security
15
15
16
-
If your search application requirements include an Azure virtual network, this article explains how a search indexer can access content that's protected by network security. It describes supported scenarios and options. Because Azure Storage is used for both data access and persistent storage, this article also covers considerations that are specific to search and storage connectivity.
16
+
If your search application requirements include an Azure virtual network, this article explains how a search indexer can access content that's protected by network security. It describes the outbound traffic patterns and indexer execution environments. It also covers the network protections supported by Cognitive Search and factors that might influence feature adoption. Finally, because Azure Storage is used for both data access and persistent storage, this article also covers considerations that are specific to search and storage connectivity.
17
17
18
18
Looking for step-by-step instructions instead? See [How to configure firewall rules to allow indexer access](search-indexer-howto-access-ip-restricted.md) or [How to make outbound connections through a private endpoint](search-indexer-howto-access-private.md).
19
19
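Review bot: The rewritten intro (new line 16) now promises that the article "describes the outbound traffic patterns and indexer execution environments" and covers "factors that might influence feature adoption", but this change adds no sections with those names; the diff only shows "## Indexer execution environment" and the private-endpoint and storage material. Worth confirming the existing body actually has headings that match each item in that list, or trimming the list to what the article covers, since an intro that over-promises is the first thing a reader notices. Minor wording: "Finally, ... this article also covers" doubles up; drop "also".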
@@ -56,26 +56,6 @@ Your Azure resources could be protected using any number of the network isolatio
56
56
| SQL Managed Instance | Supported | N/A |
57
57
| Azure Functions | Supported | Supported, only for certain tiers of Azure functions |
58
58
59
-
## Access to a network-protected storage account
60
-
61
-
A search service stores indexes and synonym lists. For other features that require storage, Cognitive Search takes a dependency on Azure Storage. Enrichment caching, debug sessions, and knowledge stores fall into this category. The location of each service, and any network protections in place for storage, will determine your data access strategy.
62
-
63
-
### Same-region services
64
-
65
-
In Azure Storage, access through a firewall requires that the request originates from a different region. If Azure Storage and Azure Cognitive Search are in the same region, you can bypass the IP restrictions on the storage account by accessing data under the system identity of the search service.
66
-
67
-
There are two options for supporting data access using the system identity:
68
-
69
-
- Configure search to run as a [trusted service](search-indexer-howto-access-trusted-service-exception.md) and use the [trusted service exception](../storage/common/storage-network-security.md#trusted-access-based-on-a-managed-identity) in Azure Storage.
70
-
71
-
- Configure a [resource instance rule](../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances) in Azure Storage that admits inbound requests from an Azure resource.
72
-
73
-
The above options depend on Azure Active Directory for authentication, which means that the connection must be made with an Azure AD login. Currently, only a Cognitive Search [system-assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity) is supported for same-region connections through a firewall.
74
-
75
-
### Services in different regions
76
-
77
-
When search and storage are in different regions, you can use the previously mentioned options or set up IP rules that admit requests from your service. Depending on the workload, you might need to set up rules for multiple execution environments as described in the next section.
78
-
79
59
## Indexer execution environment
80
60
81
61
Azure Cognitive Search has the concept of an *indexer execution environment* that optimizes processing based on the characteristics of the job. There are two environments. If you're using an IP firewall to control access to Azure resources, knowing about execution environments will help you set up an IP range that is inclusive of both.
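Review bot: The deleted block (old lines 60-78) is a pure move; every paragraph reappears word for word in the later hunk, so no content is lost. The ordering consequence deserves a second look, though: the "Same-region services" text being removed here is where the article tells readers that IP rules don't work for same-region storage ("access through a firewall requires that the request originates from a different region") and that only the system-assigned managed identity is supported instead, and it used to sit directly before "## Indexer execution environment", which is where the IP-range guidance lives. After the move, a reader following the IP firewall path reaches the execution-environment IP ranges before seeing that caveat. If the new order is intended, consider adding a one-line pointer from the execution-environment section to the storage section so the same-region restriction isn't missed.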
@@ -180,6 +160,29 @@ Azure Cognitive Search will validate that callers of the private endpoint have a
180
160
181
161
If the private endpoint isn't approved, or if the indexer didn't use the private endpoint connection, you'll find a `transientFailure` error message in indexer execution history.
182
162
163
+
## Access to a network-protected storage account
164
+
165
+
A search service stores indexes and synonym lists. For other features that require storage, Cognitive Search takes a dependency on Azure Storage. Enrichment caching, debug sessions, and knowledge stores fall into this category. The location of each service, and any network protections in place for storage, will determine your data access strategy.
166
+
167
+
### Same-region services
168
+
169
+
In Azure Storage, access through a firewall requires that the request originates from a different region. If Azure Storage and Azure Cognitive Search are in the same region, you can bypass the IP restrictions on the storage account by accessing data under the system identity of the search service.
170
+
171
+
There are two options for supporting data access using the system identity:
172
+
173
+
- Configure search to run as a [trusted service](search-indexer-howto-access-trusted-service-exception.md) and use the [trusted service exception](../storage/common/storage-network-security.md#trusted-access-based-on-a-managed-identity) in Azure Storage.
174
+
175
+
- Configure a [resource instance rule](../storage/common/storage-network-security.md#grant-access-from-azure-resource-instances) in Azure Storage that admits inbound requests from an Azure resource.
176
+
177
+
The above options depend on Azure Active Directory for authentication, which means that the connection must be made with an Azure AD login. Currently, only a Cognitive Search [system-assigned managed identity](search-howto-managed-identities-data-sources.md#create-a-system-managed-identity) is supported for same-region connections through a firewall.
178
+
179
+
### Services in different regions
180
+
181
+
When search and storage are in different regions, you can use the previously mentioned options or set up IP rules that admit requests from your service. Depending on the workload, you might need to set up rules for multiple execution environments as described in the next section.
182
+
183
183
## Next steps
184
184
185
-
-[How to make indexer connections to a private endpoint](search-indexer-howto-access-private.md)
185
+
Now that you're familiar with indexer data access options for solutions deployed in an Azure virtual network, review either of the following how-to articles as your next step:
186
+
187
+
-[How to make indexer connections to a private endpoint](search-indexer-howto-access-private.md)
188
+
-[How to make indexer connections through an IP firewall](search-indexer-howto-access-ip-restricted.md)
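Review bot: The moved "Services in different regions" paragraph (new line 182) still ends with "as described in the next section", which pointed at "## Indexer execution environment" at the block's old position; after this move the next section is "## Next steps", so the cross-reference is now wrong. Replace it with an explicit link, for example "as described in [Indexer execution environment](#indexer-execution-environment)" (assuming the default heading anchor; the earlier hunk shows that heading now precedes this section). Separately, the two Next steps items at new lines 187-188 are written as "-[How to make indexer connections to a private endpoint](...)" with no space after the hyphen, so Markdown renders a literal "-" followed by the link instead of a bulleted list; change both to "- [How to make ...".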