
Commit a26776a

Merge pull request #269474 from iriaosara/updatevpn
vpn doc update
2 parents 32f1346 + 36245dd commit a26776a


4 files changed

+34
-9
lines changed


articles/managed-instance-apache-cassandra/create-cluster-portal.md

Lines changed: 3 additions & 0 deletions
@@ -47,6 +47,9 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
4747

4848
:::image type="content" source="./media/create-cluster-portal/create-cluster-page.png" alt-text="Fill out the create cluster form." lightbox="./media/create-cluster-portal/create-cluster-page.png" border="true":::
4949

50+
> [!TIP]
51+
> If you use [VPN](use-vpn.md) then you don't need to open any other connection.
52+
5053
> [!NOTE]
5154
> The Deployment of a Azure Managed Instance for Apache Cassandra requires internet access. Deployment fails in environments where internet access is restricted. Make sure you aren't blocking access within your VNet to the following vital Azure services that are necessary for Managed Cassandra to work properly. See [Required outbound network rules](network-rules.md) for more detailed information.
5255
> - Azure Storage
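Review bot: the new TIP at line 50 ("you don't need to open any other connection") doesn't say which connections it means, and it sits directly above a NOTE that says deployment requires internet access, so a reader can't tell which statement applies. Since use-vpn.md marks the VPN option as public preview in this same PR, suggest something like `> If you use [VPN](use-vpn.md) (public preview), the data nodes communicate only with the VPN endpoint and you don't need to open the outbound rules listed below from your virtual network.`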

articles/managed-instance-apache-cassandra/network-rules.md

Lines changed: 12 additions & 8 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Required outbound network rules for Azure Managed Instance for Apache Cassandra
3-
description: Learn what are the required outbound network rules and FQDNs for Azure Managed Instance for Apache Cassandra
3+
description: Learn what are the required outbound network rules and FQDNs for Azure Managed Instance for Apache Cassandra.
44
author: rothja
55
ms.service: managed-instance-apache-cassandra
66
ms.topic: how-to
@@ -17,7 +17,10 @@ The Azure Managed Instance for Apache Cassandra service requires certain network
1717
1818
## Virtual network service tags
1919

20-
If you're using Azure Firewall to restrict outbound access, we highly recommend using [virtual network service tags](../virtual-network/service-tags-overview.md). Below are the tags required to make Azure SQL Managed Instance for Apache Cassandra function properly.
20+
> [!TIP]
21+
> If you use [VPN](use-vpn.md) then you don't need to open any other connection.
22+
23+
If you're using Azure Firewall to restrict outbound access, we highly recommend using [virtual network service tags](../virtual-network/service-tags-overview.md). The tags in the table are required to make Azure SQL Managed Instance for Apache Cassandra function properly.
2124

2225
| Destination Service Tag | Protocol | Port | Use |
2326
|----------------------------------------------------------------------------------|----------|---------|------|
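Review bot: the rewritten line 23 still says "Azure SQL Managed Instance for Apache Cassandra", while this same PR corrects that product name to "Azure Managed Instance for Apache Cassandra" in the related-articles list at the end of this file; fix it here too. The TIP duplicated at lines 20-21 has the same ambiguity as in create-cluster-portal.md (which connections?); because this section is specifically about Azure Firewall service tags, "the service tags and address prefixes below aren't needed when you use VPN (public preview)" would be more precise.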
@@ -32,14 +35,14 @@ If you're using Azure Firewall to restrict outbound access, we highly recommend
3235
| ApiManagement | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot) |
3336

3437
> [!NOTE]
35-
> In addition to the above, you will also need to add the following address prefixes, as a service tag does not exist for the relevant service:
38+
> In addition to the tags table, you will also need to add the following address prefixes, as a service tag does not exist for the relevant service:
3639
> 104.40.0.0/13
3740
> 13.104.0.0/14
3841
> 40.64.0.0/10
3942
4043
## User-defined routes
4144

42-
If you're using a third-party Firewall to restrict outbound access, we highly recommend configuring [user-defined routes (UDRs)](../virtual-network/virtual-networks-udr-overview.md#user-defined) for Microsoft address prefixes, rather than attempting to allow connectivity through your own Firewall. See sample [bash script](https://github.com/Azure-Samples/cassandra-managed-instance-tools/blob/main/configureUDR.sh) to add the required address prefixes in user-defined routes.
45+
If you're using a non-Microsoft Firewall to restrict outbound access, we highly recommend configuring [user-defined routes (UDRs)](../virtual-network/virtual-networks-udr-overview.md#user-defined) for Microsoft address prefixes, rather than attempting to allow connectivity through your own Firewall. See sample [bash script](https://github.com/Azure-Samples/cassandra-managed-instance-tools/blob/main/configureUDR.sh) to add the required address prefixes in user-defined routes.
4346

4447
## Azure Global required network rules
4548

@@ -49,7 +52,7 @@ The required network rules and IP address dependencies are:
4952
|----------------------------------------------------------------------------------|----------|---------|------|
5053
|snovap\<region\>.blob.core.windows.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration.|
5154
|\*.store.core.windows.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage for Control Plane communication and configuration.|
52-
|\*.blob.core.windows.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage to store backups. *Backup feature is being revised and storage name will follow a pattern by GA*|
55+
|\*.blob.core.windows.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Storage | HTTPS | 443 | Required for secure communication between the nodes and Azure Storage to store backups. *Backup feature is being revised and a pattern for storage name follows by GA*|
5356
|vmc-p-\<region\>.vault.azure.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure KeyVault | HTTPS | 443 | Required for secure communication between the nodes and Azure Key Vault. Certificates and keys are used to secure communication inside the cluster.|
5457
|management.azure.com:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure Virtual Machine Scale Sets/Azure Management API | HTTPS | 443 | Required to gather information about and manage Cassandra nodes (for example, reboot)|
5558
|\*.servicebus.windows.net:443</br> Or</br> [ServiceTag](../virtual-network/service-tags-overview.md#available-service-tags) - Azure EventHub | HTTPS | 443 | Required to forward logs to Azure|
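Review bot: the rewritten note on line 55 ("a pattern for storage name follows by GA") is harder to parse than the original it replaces; suggest "*The backup feature is being revised; by GA, the storage account name will follow a fixed pattern.*" It is also worth saying in the text that `\*.blob.core.windows.net` is a wildcard covering every Azure Storage account, so customers who restrict egress by FQDN allow far more for backups than the `snovap\<region\>` control-plane row does; once the naming pattern is fixed, this row should be narrowed to it.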
@@ -70,7 +73,7 @@ The system uses DNS names to reach the Azure services described in this article
7073

7174
## Internal port usage
7275

73-
The following ports are only accessible within the VNET (or peered vnets./express routes). SQL Managed Instance for Apache Cassandra instances do not have a public IP and should not be made accessible on the Internet.
76+
The following ports are only accessible within the virtual network (or peered vnets./express routes). Azure Managed Instances for Apache Cassandra don't have a public IP and shouldn't be made accessible on the Internet.
7477

7578
| Port | Use |
7679
| ---- | --- |
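Review bot: line 76 keeps the stray "vnets./express routes" from the original; suggest "(or peered virtual networks and ExpressRoute connections)", which also matches the "virtual network" expansion made earlier in the same sentence.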
@@ -84,5 +87,6 @@ The following ports are only accessible within the VNET (or peered vnets./expres
8487

8588
In this article, you learned about network rules to properly manage the service. Learn more about Azure SQL Managed Instance for Apache Cassandra with the following articles:
8689

87-
* [Overview of Azure SQL Managed Instance for Apache Cassandra](introduction.md)
88-
* [Manage Azure SQL Managed Instance for Apache Cassandra resources using Azure CLI](manage-resources-cli.md)
90+
* [Overview of Azure Managed Instance for Apache Cassandra](introduction.md)
91+
* [Manage Azure Managed Instance for Apache Cassandra resources using Azure CLI](manage-resources-cli.md)
92+
* [Use a VPN with Azure Managed Instance for Apache Cassandra](use-vpn.md)
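Review bot: the unchanged context line 88 ("Learn more about Azure SQL Managed Instance for Apache Cassandra") still carries the "SQL" product name that lines 90 and 91 remove from the bullets below it; fix it in the same commit so the section is consistent.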

articles/managed-instance-apache-cassandra/use-vpn.md

Lines changed: 19 additions & 1 deletion
@@ -11,13 +11,31 @@ ms.devlang: azurecli
1111
---
1212
# Use a VPN with Azure Managed Instance for Apache Cassandra
1313

14-
Azure Managed Instance for Apache Cassandra nodes require access to many other Azure services when they're injected into your virtual network. Normally, you enable this access by ensuring that your virtual network has outbound access to the internet. If your security policy prohibits outbound access, you can configure firewall rules or user-defined routes for the appropriate access. For more information, see [Required outbound network rules](network-rules.md).
14+
Azure Managed Instance for Apache Cassandra nodes requires access to many other Azure services when they're injected into your virtual network. Normally, access is enabled by ensuring that your virtual network has outbound access to the internet. If your security policy prohibits outbound access, you can configure firewall rules or user-defined routes for the appropriate access. For more information, see [Required outbound network rules](network-rules.md).
1515

1616
However, if you have internal security concerns about data exfiltration, your security policy might prohibit direct access to these services from your virtual network. By using a virtual private network (VPN) with Azure Managed Instance for Apache Cassandra, you can ensure that data nodes in the virtual network communicate with only a single VPN endpoint, with no direct access to any other services.
1717

1818
> [!IMPORTANT]
1919
> The ability to use a VPN with Azure Managed Instance for Apache Cassandra is in public preview. This feature is provided without a service-level agreement, and we don't recommend it for production workloads. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
2020
21+
## How it works
22+
23+
A virtual machine called the operator is part of each Azure Managed Instance for Apache Cassandra. It helps manage the cluster, by default, the operator is in the same virtual network as the cluster. Which means that the operator and data VMs have the same Network Security Group (NSG) rules. Which isn't ideal for security reasons, and it also lets customers prevent the operator from reaching necessary Azure services when they set up NSG rules for their subnet.
24+
25+
Using VPN as your connection method for an Azure Managed Instance for Apache Cassandra lets the operator be in a different virtual network than the cluster by using the private link service. Meaning that the operator can be in a virtual network that has access to the necessary Azure services and the cluster can be in a virtual network that you control.
26+
27+
:::image type="content" source="./media/use-vpn/vpn-design.png" alt-text="Screenshot of a vpn design." lightbox="./media/use-vpn/vpn-design.png" border="true":::
28+
29+
With the VPN, the operator can now connect to a private IP address inside the address range of your virtual network called a private endpoint. The private link routes the data between the operator and the private endpoint through the Azure backbone network, avoiding exposure to the public internet.
30+
31+
## Security Benefits
32+
33+
We want to prevent attackers from accessing the virtual network where the operator is deployed and trying to steal data. So, we have security measures in place to make sure that the Operator can only reach necessary Azure services.
34+
35+
* Service Endpoint Policies: These policies offer granular control over egress traffic within the virtual network, particularly to Azure services. By using service endpoints, they establish restrictions, permitting data access exclusively to specified Azure services like Azure Monitoring, Azure Storage, and Azure KeyVault. Notably, these policies ensure that data egress is limited solely to predetermined Azure Storage accounts, enhancing security and data management within the network infrastructure.
36+
37+
* Network Security Groups: These groups are used to filter network traffic to and from the resources in an Azure virtual network. We block all traffic from the Operator to the internet, and only allow traffic to certain Azure services through a set of NSG rules.
38+
2139
## How to use a VPN with Azure Managed Instance for Apache Cassandra
2240

2341
1. Create an Azure Managed Instance for Apache Cassandra cluster by using `"VPN"` as the value for the `--azure-connection-method` option:
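Review bot: line 14 introduces a subject-verb agreement error ("nodes requires"); the original "nodes require" was correct, so keep it. In the new "How it works" section, line 23 is a comma splice followed by two sentence fragments beginning "Which", and its last clause reads as if blocking the operator were a feature rather than an unintended effect of customer NSG rules. Suggest: "A virtual machine called the operator is part of each Azure Managed Instance for Apache Cassandra and helps manage the cluster. By default, the operator is in the same virtual network as the cluster, so the operator and data VMs share the same Network Security Group (NSG) rules. That isn't ideal for security, and NSG rules that customers set up for their subnet can unintentionally stop the operator from reaching the Azure services it needs." Also, the heading on line 31 ("Security Benefits") should be sentence case ("Security benefits") like the file's other headings.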
