Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into tamram22-0509

Author: tamram

articles/application-gateway/media/private-link/private-link.png

@@ -25,6 +25,7 @@ The new v2 SKU includes the following enhancements:
 - **Key Vault Integration**: Application Gateway v2 supports integration with Key Vault for server certificates that are attached to HTTPS enabled listeners. For more information, see [TLS termination with Key Vault certificates](key-vault-certs.md).
 - **Mutual Authentication (mTLS)**: Application Gateway v2 supports authentication of client requests. For more information, see [Overview of mutual authentication with Application Gateway](mutual-authentication-overview.md).
 - **Azure Kubernetes Service Ingress Controller**: The Application Gateway v2 Ingress Controller allows the Azure Application Gateway to be used as the ingress for an Azure Kubernetes Service (AKS) known as AKS Cluster. For more information, see [What is Application Gateway Ingress Controller?](ingress-controller-overview.md).
+- **Private link**: The v2 SKU offers private connectivity from other virtual networks in other regions and subscriptions through the use of private endpoints.
 - **Performance enhancements**: The v2 SKU offers up to 5X better TLS offload performance as compared to the Standard/WAF SKU.
 - **Faster deployment and update time** The v2 SKU provides faster deployment and update time as compared to Standard/WAF SKU. This also includes WAF configuration changes.
 
@@ -72,6 +73,7 @@ The following table compares the features available with each SKU.
 | URL-based routing                                 | ✓ | ✓ |
 | Multiple-site hosting                             | ✓ | ✓ |
 | Mutual Authentication (mTLS)                      |          | ✓ |
+| Private Link support                              |          | ✓ |
 | Traffic redirection                               | ✓ | ✓ |
 | Web Application Firewall (WAF)                    | ✓ | ✓ |
 | WAF custom rules                                  |          | ✓ |

articles/application-gateway/overview-v2.md

@@ -0,0 +1,194 @@
+---
+title: Configure Azure Application Gateway Private Link
+description: This article shows you how to configure Application Gateway Private Link.
+services: application-gateway
+author: greglin
+ms.service: application-gateway
+ms.topic: how-to
+ms.date: 05/09/2022
+ms.author: greglin
+
+---
+
+# Configure Azure Application Gateway Private Link
+
+Application Gateway Private Link allows you to connect your workloads over a private connection spanning across VNets and subscriptions. For more information, see [Application Gateway Private Link](private-link.md).
+
+:::image type="content" source="media/private-link/private-link.png" alt-text="Diagram showing Application Gateway Private Link":::
+
+
+## Configuration options
+
+Application Gateway Private Link can be configured via multiple options, such as, but not limited to, the Azure portal, Azure PowerShell, and Azure CLI.
+
+# [Azure portal](#tab/portal)
+
+**Define a subnet for Private Link Configuration**
+
+To enable Private Link Configuration, a subnet, different from the Application Gateway subnet, is required for the private link IP configuration. Private Link must use a subnet that doesn't contain any Application Gateways. Subnet sizing can be determined by the number of connections required for your deployment. Each IP address allocated to this subnet ensures 64-K concurrent TCP connections that can be established via Private Link at single point in time. Allocate more IP addresses to allow more connections via Private Link.  For example: `n * 64K`; where `n` is the number of IP addresses being provisioned.
+
+> [!Note]
+> The maximum number of IP addresses per private link configuration is eight. Only dynamic allocation is supported.
+
+The following steps can be completed to create a new subnet:
+
+[Add, change, or delete a virtual network subnet](../virtual-network/virtual-network-manage-subnet.md#add-a-subnet)
+
+**Configure Private Link**
+
+The Private link configuration defines the infrastructure used by Application Gateway to enable connections from Private Endpoints. To create the Private link configuration, complete the following steps:
+
+1. Go to the [Azure portal](https://portal.azure.com)
+1. Search for and select **Application Gateways**.
+1. Select the name of the application gateway you want to enable private link.
+1. Select **Private link**
+1. Configure the following items:
+
+   - **Name**: The name of the private link configuration.
+   - **Private link subnet**: The subnet IP addresses should be consumed from.
+   - **Frontend IP Configuration**: The frontend IP address that private link should forward traffic to on Application Gateway.
+   - **Private IP address settings**: specify at least one IP address
+1. Select **Add**.
+
+**Configure Private Endpoint**
+
+A private endpoint is a network interface that uses a private IP address from the virtual network containing clients wishing to connect to your gateway. Each of the clients will use the private IP address of the Private Endpoint to tunnel traffic to the Application Gateway. To create a private endpoint, complete the following steps:
+
+1. Select the **Private endpoint connections** tab.
+1. Select **Create**.
+1. On the **Basics** tab, configure a resource group, name, and region for the Private Endpoint.  Select **Next**.
+1. On the **Resource** tab, select **Next**.
+1. On the **Virtual Network** tab, configure a virtual network and subnet where the private endpoint network interface should be provisioned to. Configure whether the private endpoint should have a dynamic or static IP address.  Last, configure if you want a new private link zone to be created to automatically manage IP addressing.  Select **Next**.
+1. On the **Tags** tab, optionally configure resource tags. Select **Next**.
+1. Select **Create**.
+
+> [!Note]
+> If the public or private IP configuration resource is missing when trying to select a _Target sub-resource_ on the _Resource_ tab of private endpoint creation, please ensure a listener is actively utilizing the respected frontend IP configuration. Frontend IP configurations without an associated listener will not be shown as a _Target sub-resource_.
+
+# [Azure PowerShell](#tab/powershell)
+
+To configure Private link on an existing Application Gateway via Azure PowerShell, the following commands can be referenced:
+
+```azurepowershell
+# Disable Private Link Service Network Policies
+# https://docs.microsoft.com/azure/private-link/disable-private-endpoint-network-policy
+$net =@{
+    Name = 'AppGW-PL-PSH'
+    ResourceGroupName = 'AppGW-PL-PSH-RG'
+}
+$vnet = Get-AzVirtualNetwork @net
+
+($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'AppGW-PL-Subnet'}).PrivateLinkServiceNetworkPolicies = "Disabled"
+
+$vnet | Set-AzVirtualNetwork
+
+# Get Application Gateway Frontend IP Name
+$agw = Get-AzApplicationGateway -Name AppGW-PL-PSH -ResourceGroupName AppGW-PL-PSH-RG
+# List the names
+$agw.FrontendIPConfigurations | Select Name
+
+# Add a new Private Link configuration and associate it with an existing Frontend IP
+$PrivateLinkIpConfiguration = New-AzApplicationGatewayPrivateLinkIpConfiguration `
+                            -Name "ipConfig01" `
+                            -Subnet ($vnet | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'AppGW-PL-Subnet'}) `
+                            -Primary
+
+# Add the Private Link configuration to the gateway configuration
+Add-AzApplicationGatewayPrivateLinkConfiguration `
+                            -ApplicationGateway $agw `
+                            -Name "privateLinkConfig01" `
+                            -IpConfiguration $PrivateLinkIpConfiguration
+
+# Associate private link configuration to Frontend IP
+$agwPip = ($agw | Select -ExpandProperty FrontendIpConfigurations| Where-Object {$_.Name -eq 'appGwPublicFrontendIp'}).PublicIPAddress.Id
+$privateLinkConfiguration = ($agw | Select -ExpandProperty PrivateLinkConfigurations | Where-Object {$_.Name -eq 'privateLinkConfig01'}).Id
+Set-AzApplicationGatewayFrontendIPConfig -ApplicationGateway $agw -Name "appGwPublicFrontendIp" -PublicIPAddressId $agwPip -PrivateLinkConfigurationId $privateLinkConfiguration
+
+# Apply the change to the gateway
+Set-AzApplicationGateway -ApplicationGateway $agw
+
+# Disable Private Endpoint Network Policies
+# https://docs.microsoft.com/azure/private-link/disable-private-endpoint-network-policy
+$net =@{
+    Name = 'AppGW-PL-Endpoint-PSH-VNET'
+    ResourceGroupName = 'AppGW-PL-Endpoint-PSH-RG'
+}
+$vnet_plendpoint = Get-AzVirtualNetwork @net
+
+($vnet_plendpoint | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'MySubnet'}).PrivateEndpointNetworkPolicies = "Disabled"
+
+$vnet_plendpoint | Set-AzVirtualNetwork
+
+# Create Private Link Endpoint - Group ID is the same as the frontend IP configuration
+$privateEndpointConnection = New-AzPrivateLinkServiceConnection -Name "AppGW-PL-Connection" -PrivateLinkServiceId $agw.Id -GroupID "appGwPublicFrontendIp"
+
+## Create private endpoint
+New-AzPrivateEndpoint -Name "AppGWPrivateEndpoint" -ResourceGroupName $vnet_plendpoint.ResourceGroupName -Location $vnet_plendpoint.Location -Subnet ($vnet_plendpoint | Select -ExpandProperty subnets | Where-Object {$_.Name -eq 'MySubnet'}) -PrivateLinkServiceConnection $privateEndpointConnection
+```
+A list of all Azure PowerShell references for Private Link Configuration on Application Gateway can be found here:
+- [Get-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/get-azapplicationgatewayprivatelinkconfiguration)
+- [New-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/new-azapplicationgatewayprivatelinkconfiguration)
+- [New-AzApplicationGatewayPrivateLinkIpConfiguration](/powershell/module/az.network/new-azapplicationgatewayprivatelinkipconfiguration)
+- [Add-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/add-azapplicationgatewayprivatelinkconfiguration)
+- [Remove-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/remove-azapplicationgatewayprivatelinkconfiguration)
+- [Set-AzApplicationGatewayPrivateLinkConfiguration](/powershell/module/az.network/set-azapplicationgatewayprivatelinkconfiguration)
+
+# [Azure CLI](#tab/cli)
+
+To configure Private link on an existing Application Gateway via Azure CLI, the following commands can be referenced:
+
+```azurecli
+# Disable Private Link Service Network Policies
+# https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
+az network vnet subnet update \
+				--name AppGW-PL-Subnet \
+				--vnet-name AppGW-PL-CLI-VNET \
+				--resource-group AppGW-PL-CLI-RG \
+				--disable-private-link-service-network-policies true
+
+# Get Application Gateway Frontend IP Name
+az network application-gateway frontend-ip list \
+							--gateway-name AppGW-PL-CLI \
+							--resource-group AppGW-PL-CLI-RG
+
+# Add a new Private Link configuration and associate it with an existing Frontend IP
+az network application-gateway private-link add \
+							--frontend-ip appGwPublicFrontendIp \
+							--name privateLinkConfig01 \
+							--subnet /subscriptions/XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/AppGW-PL-CLI-RG/providers/Microsoft.Network/virtualNetworks/AppGW-PL-CLI-VNET/subnets/AppGW-PL-Subnet \
+							--gateway-name AppGW-PL-CLI \
+							--resource-group AppGW-PL-CLI-RG
+
+# Get Private Link resource ID
+az network application-gateway private-link list \
+				--gateway-name AppGW-PL-CLI \
+				--resource-group AppGW-PL-CLI-RG
+
+
+
+# Disable Private Endpoint Network Policies
+# https://docs.microsoft.com/en-us/azure/private-link/disable-private-endpoint-network-policy
+az network vnet subnet update \
+				--name MySubnet \
+				--vnet-name AppGW-PL-Endpoint-CLI-VNET \
+				--resource-group AppGW-PL-Endpoint-CLI-RG \
+				--disable-private-endpoint-network-policies true
+
+# Create Private Link Endpoint - Group ID is the same as the frontend IP configuration
+az network private-endpoint create \
+	--name AppGWPrivateEndpoint \
+	--resource-group AppGW-PL-Endpoint-CLI-RG \
+	--vnet-name AppGW-PL-Endpoint-CLI-VNET \
+	--subnet MySubnet \
+	--group-id appGwPublicFrontendIp \
+	--private-connection-resource-id /subscriptions/XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/resourceGroups/AppGW-PL-CLI-RG/providers/Microsoft.Network/applicationGateways/AppGW-PL-CLI \
+	--connection-name AppGW-PL-Connection
+```
+
+A list of all Azure CLI references for Private Link Configuration on Application Gateway can be found here: [Azure CLI CLI - Private Link](/cli/azure/network/application-gateway/private-link)
+
+---
+
+## Next steps
+
+- Learn about Azure Private Link: [What is Azure Private Link?](../private-link/private-link-overview.md)

articles/application-gateway/private-link-configure.md

@@ -0,0 +1,68 @@
+---
+title: Azure Application Gateway Private Link
+description: This article is an overview of Application Gateway Private Link.
+services: application-gateway
+author: greglin
+ms.service: application-gateway
+ms.topic: conceptual
+ms.date: 05/09/2022
+ms.author: greglin
+
+---
+
+# Application Gateway Private Link
+
+Today, you can deploy your critical workloads securely behind Application Gateway, gaining the flexibility of Layer 7 load balancing features. Access to the backend workloads is possible in two ways:
+
+- Public IP address - your workloads are accessible over the Internet. 
+- Private IP address- your workloads are accessible via a private IP address, but within the same VNet as the Application Gateway.
+
+Private Link for Application Gateway allows you to connect workloads over a private connection spanning across VNets and subscriptions. When configured, a private endpoint will be placed into a defined virtual network's subnet, providing a private IP address for clients looking to communicate to the gateway. For a list of other PaaS services that support Private Link functionality, see [What is Azure Private Link?](../private-link/private-link-overview.md).
+
+:::image type="content" source="media/private-link/private-link.png" alt-text="Diagram showing Application Gateway Private Link":::
+
+
+## Features and capabilities
+
+Private Link allows you to extend private connectivity to Application Gateway via a Private Endpoint in the following scenarios:
+-	VNet in the same or different region from Application Gateway
+-	VNet in the same or different subscription from Application Gateway
+-	VNet in the same or different subscription and the same or different Azure AD tenant from Application Gateway
+
+You may also choose to block inbound public (Internet) access to Application Gateway and allow access only via private endpoints. Inbound management traffic still needs to be allowed to application gateway. For more information, see [Application Gateway infrastructure configuration](configuration-infrastructure.md#network-security-groups)
+
+All features supported by Application Gateway are supported when accessed through a private endpoint, including support for AGIC.
+
+## Private Link components
+
+Four components are required to implement Private Link with Application Gateway:
+
+- Application Gateway Private Link Configuration
+
+   A Private link configuration can be associated with an Application Gateway Frontend IP address, which can then be used to establish a connection using a Private Endpoint. If there's no association to an Application Gateway frontend IP address, then the Private Link feature won't be enabled.
+
+- Application Gateway Frontend IP address
+
+   The public or private IP address where the Application Gateway Private Link Configuration needs to be associated to enable the Private Link Capabilities.
+
+- Private Endpoint
+
+   An Azure network resource that allocates a private IP address in your VNet address space. It's used to connect to the Application Gateway via the private IP address similar to many other Azure Services like Storage, KeyVault, etc., that provide private link access.
+
+- Private Endpoint Connection
+
+   A connection on Application Gateway originated by Private Endpoints. You can auto-approve, manually approve, or reject connections to grant or deny access.
+
+## Limitations
+- API version 2020-03-01 or later should be used to configure Private Link configurations.
+- Static IP allocation method in the Private Link Configuration object isn't supported.
+- The subnet used for PrivateLinkConfiguration cannot be same as the Application Gateway subnet.
+- Private link configuration for Application Gateway does not expose the "Alias" property and must be referenced via resource URI.
+- Private Endpoint creation does not create a \*.privatelink DNS record/zone. All DNS records should be entered in existing zones used for your Application Gateway.
+- Azure Front Door and Application Gateway do not support chaining via Private Link.
+- Source IP address and x-forwarded-for headers will contain the Private link IP addresses
+
+## Next steps
+
+- [Configure Azure Application Gateway Private Link](private-link-configure.md)
+- [What is Azure Private Link?](../private-link/private-link-overview.md)

articles/application-gateway/private-link.md

@@ -93,6 +93,8 @@
     items:
     - name: Security baseline
       href: /security/benchmark/azure/baselines/application-gateway-security-baseline?toc=/azure/application-gateway/toc.json
+    - name: Private Link
+      href: private-link.md
   - name: SSL
     items:
     - name: SSL termination and end to end SSL
@@ -298,7 +300,9 @@
   - name: Configure alerts
     href: configure-alerts-with-templates.md
   - name: Classic to Resource Manager
-    href: classic-to-resource-manager.md  
+    href: classic-to-resource-manager.md
+  - name: Configure Private Link
+    href: private-link-configure.md
 - name: Reference
   items:
   - name: Monitoring data

articles/application-gateway/toc.yml

@@ -182,7 +182,7 @@
     - name: Monitor in Azure portal
       href: cache-how-to-monitor.md
     - name: Set alerts for exceptions
-      href: cache-how-to-monitor.md#operations-and-alerts
+      href: cache-how-to-monitor.md#alerts
     - name: Monitor with diagnostic logs
       href: cache-monitor-diagnostic-settings.md
   - name: Scale