MicrosoftDocs
diff --git a/‎articles/mariadb/TOC.yml
Lines changed: 9 additions & 1 deletion b/‎articles/mariadb/TOC.yml
Lines changed: 9 additions & 1 deletion
diff --git a/‎articles/mariadb/concepts-data-access-security-private-link.md
Lines changed: 117 additions & 0 deletions b/‎articles/mariadb/concepts-data-access-security-private-link.md
Lines changed: 117 additions & 0 deletions
diff --git a/‎articles/mariadb/howto-configure-privatelink-cli.md
Lines changed: 185 additions & 0 deletions b/‎articles/mariadb/howto-configure-privatelink-cli.md
Lines changed: 185 additions & 0 deletions
@@ -59,8 +59,10 @@
       href: concepts-firewall-rules.md
     - name: Virtual Network
       href: concepts-data-access-security-vnet.md
+    - name: Private Link
+      href: concepts-data-access-security-private-link.md
     - name: Advanced Threat Protection
-      href: concepts-data-access-and-security-threat-protection.md
+      href: concepts-data-access-and-security-threat-protection.md      
   - name: Business continuity
     items:
     - name: Business continuity intro
@@ -176,6 +178,12 @@
       href: howto-manage-vnet-portal.md
     - name: Azure CLI
       href: howto-manage-vnet-cli.md
+  - name: Private Link
+    items:
+    - name: Azure portal
+      href: howto-configure-privatelink-portal.md
+    - name: Azure CLI
+      href: howto-configure-privatelink-cli.md
   - name: Restart server
     items:
     - name: Azure portal
 
@@ -0,0 +1,117 @@
+---
+title: Private Link for Azure Database for MariaDB (Preview)
+description: Learn how Private link works for Azure Database for MariaDB.
+author: kummanish
+ms.author: manishku
+ms.service: mariadb
+ms.topic: conceptual
+ms.date: 01/09/2020
+---
+
+# Private Link for Azure Database for MariaDB (Preview)
+
+Private Link allows you to connect to various PaaS services in Azure via a private endpoint. Azure Private Link essentially brings Azure services inside your private Virtual Network (VNet). The PaaS resources can be accessed using the private IP address just like any other resource in the VNet.
+
+For a list to PaaS services that support Private Link functionality, review the Private Link [documentation](https://docs.microsoft.com/azure/private-link/index). A private endpoint is a private IP address within a specific [VNet](https://docs.microsoft.com/azure/virtual-network/virtual-networks-overview) and Subnet.
+
+> [!NOTE]
+> This feature is available in all Azure regions where Azure Database for MariaDB supports General Purpose and Memory Optimized pricing tiers.
+
+## Data exfiltration prevention
+
+Data ex-filtration in Azure Database for MariaDB is when an authorized user, such as a database admin, is able to extract data from one system and move it to another location or system outside the organization. For example, the user moves the data to a storage account owned by a third party.
+
+Consider a scenario with a user running MariaDB workbench inside an Azure VM connecting to an Azure Database for MariaDB instance. This MariaDB instance is in the West US data center. The example below shows how to limit access with public endpoints on Azure Database for MariaDB using network access controls.
+
+* Disable all Azure service traffic to Azure Database for MariaDB via the public endpoint by setting Allow Azure Services to OFF. Ensure no IP addresses or ranges are allowed to access the server either via [firewall rules](https://docs.microsoft.com/azure/mariadb/concepts-firewall-rules) or [virtual network service endpoints](https://docs.microsoft.com/azure/mariadb/concepts-data-access-and-security-vnet).
+
+* Only allow traffic to the Azure Database for MariaDB using the Private IP address of the VM. For more information, see the articles on [Service Endpoint](concepts-data-access-security-vnet.md) and [VNet firewall rules](howto-manage-vnet-portal.md).
+
+* On the Azure VM, narrow down the scope of outgoing connection by using Network Security Groups (NSGs) and Service Tags as follows:
+
+    * Specify an NSG rule to allow traffic for Service Tag = SQL.WestUs - only allowing connection to Azure Database for MariaDB in West US
+    * Specify an NSG rule (with a higher priority) to deny traffic for Service Tag = SQL - denying connections to MariaDB Database in all regions</br></br>
+
+At the end of this setup, the Azure VM can connect only to Azure Database for MariaDB in the West US region. However, the connectivity isn't restricted to a single Azure Database for MariaDB. The VM can still connect to any Azure Database for MariaDB in the West US region, including the databases that aren't part of the subscription. While we've reduced the scope of data exfiltration in the above scenario to a specific region, we haven't eliminated it altogether.</br>
+
+With Private Link, you can now set up network access controls like NSGs to restrict access to the private endpoint. Individual Azure PaaS resources are then mapped to specific private endpoints. A malicious insider can only access the mapped PaaS resource (for example an Azure Database for MariaDB) and no other resource.
+
+## On-premises connectivity over private peering
+
+When you connect to the public endpoint from on-premises machines, your IP address needs to be added to the IP-based firewall using a server-level firewall rule. While this model works well for allowing access to individual machines for dev or test workloads, it's difficult to manage in a production environment.
+
+With Private Link, you can enable cross-premises access to the private endpoint using [Express Route](https://azure.microsoft.com/services/expressroute/) (ER), private peering or [VPN tunnel](https://docs.microsoft.com/azure/vpn-gateway/). They can subsequently disable all access via public endpoint and not use the IP-based firewall.
+
+## Configure Private Link for Azure Database for MariaDB
+
+### Creation Process
+
+Private Endpoints are required to enable Private Link. This can be done using the following how-to guides.
+
+* [Azure portal](https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-portal)
+* [CLI](https://docs.microsoft.com/azure/mariadb/howto-configure-privatelink-cli)
+
+### Approval Process
+
+Once the network admin creates the Private Endpoint (PE), the admin can manage the Private Endpoint Connection (PEC) to Azure Database for MariaDB.
+
+> [!NOTE]
+> Currently, Azure Database for MariaDB only supports auto-approval for the private endpoint.
+
+* Navigate to the Azure Database for MariaDB server resource in the Azure portal. 
+    * Select the Private endpoint connections in the left pane
+    * Shows a list of all Private Endpoint Connections (PECs)
+    * Corresponding Private Endpoint (PE) created
+
+![select the Private endpoint portal](media/concepts-data-access-and-security-private-link/select-private-link-portal.png)
+
+* Select an individual PEC from the list by selecting it.
+
+![select the Private endpoint pending approval](media/concepts-data-access-and-security-private-link/select-private-link.png)
+
+* The MariaDB server admin can choose to approve or reject a PEC and optionally add a short text response.
+
+![select the Private endpoint message](media/concepts-data-access-and-security-private-link/select-private-link-message.png)
+
+* After approval or rejection, the list will reflect the appropriate state along with the response text
+
+![select the Private endpoint final state](media/concepts-data-access-and-security-private-link/show-private-link-approved-connection.png)
+
+## Use cases of Private Link for Azure Database for MariaDB
+
+Clients can connect to the Private endpoint from the same VNet, peered VNet in same region, or via VNet-to-VNet connection across regions. Additionally, clients can connect from on-premises using ExpressRoute, private peering, or VPN tunneling. Below is a simplified diagram showing the common use cases.
+
+![select the Private endpoint overview](media/concepts-data-access-and-security-private-link/show-private-link-overview.png)
+
+### Connecting from an Azure VM in Peered Virtual Network (VNet)
+Configure [VNet peering](https://docs.microsoft.com/azure/virtual-network/tutorial-connect-virtual-networks-powershell) to establish connectivity to the Azure Database for MariaDB from an Azure VM in a peered VNet.
+
+### Connecting from an Azure VM in VNet-to-VNet environment
+Configure [VNet-to-VNet VPN gateway connection](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal) to establish connectivity to a Azure Database for MariaDB from an Azure VM in a different region or subscription.
+
+### Connecting from an on-premises environment over VPN
+To establish connectivity from an on-premises environment to the Azure Database for MariaDB, choose and implement one of the options:
+
+* [Point-to-Site connection](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps)
+* [Site-to-Site VPN connection](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell)
+* [ExpressRoute circuit](https://docs.microsoft.com/azure/expressroute/expressroute-howto-linkvnet-portal-resource-manager)
+
+## Private Link combined with firewall rules
+
+The following situations and outcomes are possible when you use Private Link in combination with firewall rules:
+
+* If you don't configure any firewall rules, then by default, no traffic will be able to access the Azure Database for MariaDB.
+
+* If you configure public traffic or a service endpoint and you create private endpoints, then different types of incoming traffic are authorized by the corresponding type of firewall rule.
+
+* If you don't configure any public traffic or service endpoint and you create private endpoints, then the Azure Database for MariaDB is accessible only through the private endpoints. If you don't configure public traffic or a service endpoint, after all approved private endpoints are rejected or deleted, no traffic will be able to access the Azure Database for MariaDB.
+
+## Next steps
+
+To learn more about Azure Database for MariaDB security features, see the following articles:
+
+* To configure a firewall for Azure Database for MariaDB, see [Firewall support](https://docs.microsoft.com/azure/mariadb/concepts-firewall-rules).
+
+* To learn how to configure a virtual network service endpoint for your Azure Database for MariaDB, see [Configure access from virtual networks](https://docs.microsoft.com/azure/mariadb/concepts-data-access-security-vnet).
+
+* For an overview of Azure Database for MariaDB connectivity, see [Azure Database for MariaDB Connectivity Architecture](https://docs.microsoft.com/azure/MariaDB/concepts-connectivity-architecture)
@@ -0,0 +1,185 @@
+---
+title: Private Link for Azure Database for MariaDB (Preview) CLI setup method
+description: Learn how to configure private link for Azure Database for MariaDB from Azure CLI
+author: kummanish
+ms.author: manishku
+ms.service: mariadb
+ms.topic: conceptual
+ms.date: 01/09/2020
+---
+
+# Create and manage Private Link for Azure Database for MariaDB (Preview) using CLI
+
+A Private Endpoint is the fundamental building block for private link in Azure. It enables Azure resources, like Virtual Machines (VMs), to communicate privately with private link resources. In this article, you will learn how to use the Azure CLI to create a VM in an Azure Virtual Network and an Azure Database for MariaDB server with an Azure private endpoint.
+
+> [!NOTE]
+> This feature is available in all Azure regions where Azure Database for MariaDB supports General Purpose and Memory Optimized pricing tiers.
+
+## Prerequisites
+
+To step through this how-to guide, you need:
+
+- An [Azure Database for MariaDB server](quickstart-create-mariadb-server-database-using-azure-cli.md).
+
+[!INCLUDE [cloud-shell-try-it.md](../../includes/cloud-shell-try-it.md)]
+
+If you decide to install and use Azure CLI locally instead, this quickstart requires you to use Azure CLI version 2.0.28 or later. To find your installed version, run `az --version`. See [Install Azure CLI](/cli/azure/install-azure-cli) for install or upgrade info.
+
+## Create a resource group
+
+Before you can create any resource, you have to create a resource group to host the Virtual Network. Create a resource group with [az group create](/cli/azure/group). This example creates a resource group named *myResourceGroup* in the *westeurope* location:
+
+```azurecli-interactive
+az group create --name myResourceGroup --location westeurope
+```
+
+## Create a Virtual Network
+Create a Virtual Network with [az network vnet create](/cli/azure/network/vnet). This example creates a default Virtual Network named *myVirtualNetwork* with one subnet named *mySubnet*:
+
+```azurecli-interactive
+az network vnet create \
+ --name myVirtualNetwork \
+ --resource-group myResourceGroup \
+ --subnet-name mySubnet
+```
+
+## Disable subnet private endpoint policies 
+Azure deploys resources to a subnet within a virtual network, so you need to create or update the subnet to disable private endpoint network policies. Update a subnet configuration named *mySubnet* with [az network vnet subnet update](https://docs.microsoft.com/cli/azure/network/vnet/subnet?view=azure-cli-latest#az-network-vnet-subnet-update):
+
+```azurecli-interactive
+az network vnet subnet update \
+ --name mySubnet \
+ --resource-group myResourceGroup \
+ --vnet-name myVirtualNetwork \
+ --disable-private-endpoint-network-policies true
+```
+## Create the VM 
+Create a VM with az vm create. When prompted, provide a password to be used as the sign-in credentials for the VM. This example creates a VM named *myVm*: 
+```azurecli-interactive
+az vm create \
+  --resource-group myResourceGroup \
+  --name myVm \
+  --image Win2019Datacenter
+```
+ Note the public IP address of the VM. You will use this address to connect to the VM from the internet in the next step.
+
+## Create an Azure Database for MariaDB server 
+Create a Azure Database for MariaDB with the az mariadb server create command. Remember that the name of your MariaDB Server must be unique across Azure, so replace the placeholder value in brackets with your own unique value: 
+
+```azurecli-interactive
+# Create a logical server in the resource group 
+az mariadb server create \
+--name mydemoserver \
+--resource-group myResourcegroup \
+--location westeurope \
+--admin-user mylogin \
+--admin-password <server_admin_password> \
+--sku-name GP_Gen5_2
+```
+
+Note the MariaDB Server ID is similar to ```/subscriptions/subscriptionId/resourceGroups/myResourceGroup/providers/Microsoft.DBforMariaDB/servers/servername.``` 
+You will use the MariaDB Server ID in the next step. 
+
+## Create the Private Endpoint 
+Create a private endpoint for the MariaDB server in your Virtual Network: 
+```azurecli-interactive
+az network private-endpoint create \  
+    --name myPrivateEndpoint \  
+    --resource-group myResourceGroup \  
+    --vnet-name myVirtualNetwork  \  
+    --subnet mySubnet \  
+    --private-connection-resource-id "<MariaDB Server ID>" \  
+    --group-ids mariadbServer \  
+    --connection-name myConnection  
+ ```
+
+## Configure the Private DNS Zone 
+Create a Private DNS Zone for MariDB server domain and create an association link with the Virtual Network. 
+```azurecli-interactive
+az network private-dns zone create --resource-group myResourceGroup \ 
+   --name  "privatelink.database.azure.com" 
+az network private-dns link vnet create --resource-group myResourceGroup \ 
+   --zone-name  "privatelink.database.azure.com"\ 
+   --name MyDNSLink \ 
+   --virtual-network myVirtualNetwork \ 
+   --registration-enabled false 
+
+#Query for the network interface ID  
+networkInterfaceId=$(az network private-endpoint show --name myPrivateEndpoint --resource-group myResourceGroup --query 'networkInterfaces[0].id' -o tsv)
+ 
+ 
+az resource show --ids $networkInterfaceId --api-version 2019-04-01 -o json 
+# Copy the content for privateIPAddress and FQDN matching the Azure database for MariaDB name 
+ 
+ 
+#Create DNS records 
+az network private-dns record-set a create --name mydemoserver --zone-name privatelink.database.azure.com --resource-group myResourceGroup  
+az network private-dns record-set a add-record --record-set-name mydemoserver --zone-name privatelink.database.windows.net --resource-group myResourceGroup -a <Private IP Address>
+```
+
+## Connect to a VM from the internet
+
+Connect to the VM *myVm* from the internet as follows:
+
+1. In the portal's search bar, enter *myVm*.
+
+1. Select the **Connect** button. After selecting the **Connect** button, **Connect to virtual machine** opens.
+
+1. Select **Download RDP File**. Azure creates a Remote Desktop Protocol (*.rdp*) file and downloads it to your computer.
+
+1. Open the downloaded.rdp* file.
+
+    1. If prompted, select **Connect**.
+
+    1. Enter the username and password you specified when creating the VM.
+
+        > [!NOTE]
+        > You may need to select **More choices** > **Use a different account**, to specify the credentials you entered when you created the VM.
+
+1. Select **OK**.
+
+1. You may receive a certificate warning during the sign-in process. If you receive a certificate warning, select **Yes** or **Continue**.
+
+1. Once the VM desktop appears, minimize it to go back to your local desktop.  
+
+## Access the MariaDB server privately from the VM
+
+1. In the Remote Desktop of *myVM*, open PowerShell.
+
+2. Enter  `nslookup mydemoserver.mariadb.privatelink.database.azure.com`. 
+
+    You'll receive a message similar to this:
+    ```azurepowershell
+    Server:  UnKnown
+    Address:  168.63.129.16
+    Non-authoritative answer:
+    Name:    mydemoserver.mariadb.privatelink.database.azure.com
+    Address:  10.1.3.4
+
+3. Test the private link connection for the MariaDB server using any available client. In the example below I have used [MySQL Workbench](https://dev.mysql.com/doc/workbench/wb-installing-windows.html) to do the operation.
+
+4. In **New connection**, enter or select this information:
+
+    | Setting | Value |
+    | ------- | ----- |
+    | Connection Name| Select the connection name of your choice.|
+    | Hostname | Select *mydemoserver.mariadb.privatelink.database.azure.com* |
+    | Username | Enter username as *username@servername* which is provided during the MariaDB server creation. |
+    | Password | Enter a password provided during the MariaDB server creation. |
+    ||
+
+5. Select **Test Connection** or **OK**.
+
+6. (Optionally) Browse databases from left menu and Create or query information from the MariaDB database
+
+8. Close the remote desktop connection to myVm.
+
+## Clean up resources 
+When no longer needed, you can use az group delete to remove the resource group and all the resources it has: 
+
+```azurecli-interactive
+az group delete --name myResourceGroup --yes 
+```
+
+## Next steps
+Learn more about [What is Azure private endpoint](https://docs.microsoft.com/azure/private-link/private-endpoint-overview)