Merge pull request #115767 from jlian/master

New experience for private link and MSI

Author: PMEds28

articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md

@@ -119,6 +119,16 @@ Refer to the following list to configure managed identity for Azure Functions (i
 - [Azure PowerShell](/azure/app-service/overview-managed-identity#using-azure-powershell)
 - [Azure Resource Manager template](/azure/app-service/overview-managed-identity#using-an-azure-resource-manager-template)
 
+### Azure IoT Hub
+
+Managed identity type | All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
+| --- | :-: | :-: | :-: | :-: |
+| System assigned | ![Available][check] | ![Available][check] | Not available | ![Available][check] |
+| User assigned | Not available | Not available | Not available | Not available |
+
+Refer to the following list to configure managed identity for Azure Data Factory V2 (in regions where available):
+
+- [Azure portal](../../iot-hub/virtual-network-support.md#turn-on-managed-identity-for-iot-hub)
 
 ### Azure Kubernetes Service (AKS)
 

articles/iot-hub/iot-hub-ip-filtering.md

@@ -5,7 +5,7 @@ author: robinsh
 ms.service: iot-hub
 services: iot-hub
 ms.topic: conceptual
-ms.date: 05/12/2020
+ms.date: 05/25/2020
 ms.author: robinsh
 ---
 
@@ -34,17 +34,19 @@ Any connection attempt from an IP address that matches a rejecting IP rule in yo
 
 By default, the **IP Filter** grid in the portal for an IoT hub is empty. This default setting means that your hub accepts connections from any IP address. This default setting is equivalent to a rule that accepts the 0.0.0.0/0 IP address range.
 
-![IoT Hub default IP filter settings](./media/iot-hub-ip-filtering/ip-filter-default.png)
+To get to the IP Filter settings page, select **Networking**, **Public access**, then choose **Selected IP Ranges**:
+
+:::image type="content" source="media/iot-hub-ip-filtering/ip-filter-default.png" alt-text="IoT Hub default IP filter settings":::
 
 ## Add or edit an IP filter rule
 
 To add an IP filter rule, select **+ Add IP Filter Rule**.
 
-![Add an IP filter rule to an IoT hub](./media/iot-hub-ip-filtering/ip-filter-add-rule.png)
+:::image type="content" source="./media/iot-hub-ip-filtering/ip-filter-add-rule.png" alt-text="Add an IP filter rule to an IoT hub":::
 
 After selecting **Add IP Filter Rule**, fill in the fields.
 
-![After selecting Add an IP Filter rule](./media/iot-hub-ip-filtering/ip-filter-after-selecting-add.png)
+:::image type="content" source="./media/iot-hub-ip-filtering/ip-filter-after-selecting-add.png" alt-text="After selecting Add an IP Filter rule":::
 
 * Provide a **name** for the IP Filter rule. This must be a unique, case-insensitive, alphanumeric string up to 128 characters long. Only the ASCII 7-bit alphanumeric characters plus `{'-', ':', '/', '\', '.', '+', '%', '_', '#', '*', '?', '!', '(', ')', ',', '=', '@', ';', '''}` are accepted.
 
@@ -54,7 +56,7 @@ After selecting **Add IP Filter Rule**, fill in the fields.
 
 After filling in the fields, select **Save** to save the rule. You see an alert notifying you that the update is in progress.
 
-![Notification about saving an IP filter rule](./media/iot-hub-ip-filtering/ip-filter-save-new-rule.png)
+:::image type="content" source="./media/iot-hub-ip-filtering/ip-filter-save-new-rule.png" alt-text="Notification about saving an IP filter rule":::
 
 The **Add** option is disabled when you reach the maximum of 10 IP filter rules.
 
@@ -64,7 +66,7 @@ To edit an existing rule, select the data you want to change, make the change, t
 
 To delete an IP filter rule, select the trash can icon on that row and then select **Save**. The rule is removed and the change is saved.
 
-![Delete an IoT Hub IP filter rule](./media/iot-hub-ip-filtering/ip-filter-delete-rule.png)
+:::image type="content" source="./media/iot-hub-ip-filtering/ip-filter-delete-rule.png" alt-text="Delete an IoT Hub IP filter rule":::
 
 ## Retrieve and update IP filters using Azure CLI
 
@@ -154,11 +156,10 @@ You can change the order of your IP filter rules in the grid by clicking the thr
 
 To save your new IP filter rule order, click **Save**.
 
-![Change the order of your IoT Hub IP filter rules](./media/iot-hub-ip-filtering/ip-filter-rule-order.png)
+:::image type="content" source="media/iot-hub-ip-filtering/ip-filter-rule-order.png" alt-text="Change the order of your IoT HUb IP filter rules":::
 
 ## Next steps
 
 To further explore the capabilities of IoT Hub, see:
 
-* [Operations monitoring](iot-hub-operations-monitoring.md)
 * [IoT Hub metrics](iot-hub-metrics.md)

articles/iot-hub/iot-hub-tls-deprecating-1-0-and-1-1.md

@@ -17,15 +17,26 @@ To provide best-in-class encryption, IoT Hub is moving to Transport Layer Securi
 
 IoT Hub will continue to support TLS 1.0/1.1 until further notice. However, we recommend that all customers migrate to TLS 1.2 as soon as possible.
 
-## Supported ciphers
+## Deprecating TLS 1.1 ciphers
 
-The timeline for availability of various ciphers used in TLS handshake is as follows:
+* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SH`
+* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
+* `TLS_RSA_WITH_AES_256_CBC_SHA`
+* `TLS_RSA_WITH_AES_128_CBC_SHA`
+* `TLS_RSA_WITH_3DES_EDE_CBC_SHA`
 
-* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (currently supported)
-* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (will be supported in second half of 2020)
-* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (will be supported in second half of 2020)
-* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (will be supported in second half of 2020)
+## Deprecating TLS 1.0 ciphers
 
+* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
+* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
+* `TLS_RSA_WITH_AES_256_CBC_SHA`
+* `TLS_RSA_WITH_AES_128_CBC_SHA`
+* `TLS_RSA_WITH_3DES_EDE_CBC_SHA`
+
+## TLS 1.2 ciphers
+
+See [IoT Hub TLS 1.2 recommended ciphers](iot-hub-tls-support.md#recommended-ciphers).
+ 
 ## Customer feedback
 
 While the TLS 1.2 enforcement is an industry-wide best-in-class encryption choice and will be enabled as planned, we still would like to hear from customers regarding their specific deployments and difficulties adopting TLS 1.2. For this purpose, you can send your comments to [[email protected]](mailto:[email protected]).

articles/iot-hub/iot-hub-tls-support.md

@@ -49,7 +49,7 @@ The created IoT Hub resource using this configuration will refuse device and ser
 > [!NOTE]
 > The `minTlsVersion` property is read-only and cannot be changed once your IoT Hub resource is created. It is therefore essential that you properly test and validate that *all* your IoT devices and services are compatible with TLS 1.2 and the [recommended ciphers](#recommended-ciphers) in advance.
 
-### Supported regions
+## Supported regions
 
 IoT Hubs that require the use of TLS 1.2 can be created in the following regions:
 
@@ -62,7 +62,7 @@ IoT Hubs that require the use of TLS 1.2 can be created in the following regions
 > [!NOTE]
 > Upon failovers, the `minTlsVersion` property of your IoT Hub will remain effective in the geo-paired region post-failover.
 
-### Recommended ciphers
+## Recommended ciphers
 
 IoT Hubs that are configured to accept only TLS 1.2 will also enforce the use of the following recommended ciphers:
 
@@ -71,7 +71,22 @@ IoT Hubs that are configured to accept only TLS 1.2 will also enforce the use of
 * `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
 * `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`
 
-### Use TLS 1.2 in your IoT Hub SDKs
+For IoT Hubs not configured for TLS 1.2 enforcement, TLS 1.2 still works with the following ciphers:
+
+* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`
+* `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`
+* `TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`
+* `TLS_RSA_WITH_AES_256_GCM_SHA384`
+* `TLS_RSA_WITH_AES_128_GCM_SHA256`
+* `TLS_RSA_WITH_AES_256_CBC_SHA256`
+* `TLS_RSA_WITH_AES_128_CBC_SHA256`
+* `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`
+* `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`
+* `TLS_RSA_WITH_AES_256_CBC_SHA`
+* `TLS_RSA_WITH_AES_128_CBC_SHA`
+* `TLS_RSA_WITH_3DES_EDE_CBC_SHA`
+
+## Use TLS 1.2 in your IoT Hub SDKs
 
 Use the links below to configure TLS 1.2 and allowed ciphers in IoT Hub client SDKs.
 
@@ -84,6 +99,6 @@ Use the links below to configure TLS 1.2 and allowed ciphers in IoT Hub client S
 | NodeJS   | Version 1.12.2 or newer            | [Link](https://aka.ms/Tls_Node_SDK_IoT) |
 
 
-### Use TLS 1.2 in your IoT Edge setup
+## Use TLS 1.2 in your IoT Edge setup
 
 IoT Edge devices can be configured to use TLS 1.2 when communicating with IoT Hub. For this purpose, use the [IoT Edge documentation page](https://github.com/Azure/iotedge/blob/master/edge-modules/edgehub-proxy/README.md).

articles/iot-hub/iot-hub-understand-ip-address.md

@@ -15,7 +15,7 @@ ms.date: 11/21/2019
 The IP address prefixes of IoT Hub public endpoints are published periodically under the _AzureIoTHub_ [service tag](../virtual-network/service-tags-overview.md).
 
 > [!NOTE]
-> For devices that are deployed inside of on-premises networks, Azure IoT Hub supports VNET  connectivity integration with private endpoints. See [IoT Hub support for VNET's](./virtual-network-support.md#ingress-connectivity-to-iot-hub-using-private-endpoints) for more information.
+> For devices that are deployed inside of on-premises networks, Azure IoT Hub supports VNET  connectivity integration with private endpoints. See [IoT Hub support for VNet](./virtual-network-support.md) for more information.
 
 
 You may use these IP address prefixes to control connectivity between IoT Hub and your devices or network assets in order to implement a variety of network isolation goals: