Commit d19682e

Merge pull request #223937 from kgremban/jan13-managedidentities
Update virtual network support
2 parents 149104f + 9ab4785 commit d19682e

2 files changed: +31 −28 lines changed


articles/iot-hub/virtual-network-support.md

Lines changed: 29 additions & 26 deletions
@@ -5,36 +5,35 @@
55
author: kgremban
66
ms.service: iot-hub
77
ms.topic: conceptual
8-
ms.date: 10/20/2021
8+
ms.date: 01/13/2023
99
ms.author: kgremban
1010
---
1111

12-
# IoT Hub support for virtual networks with Private Link and Managed Identity
12+
# IoT Hub support for virtual networks with Azure Private Link
1313

14-
By default, IoT Hub's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this IoT Hub public endpoint, and IoT devices in over wide-area networks and on-premises networks can all access it.
14+
By default, IoT Hub's hostnames map to a public endpoint with a publicly routable IP address over the internet. Different customers share this IoT Hub public endpoint, and IoT devices in wide-area networks and on-premises networks can all access it.
1515

16-
![IoT Hub public endpoint](./media/virtual-network-support/public-endpoint.png)
16+
![Diagram of IoT Hub public endpoint.](./media/virtual-network-support/public-endpoint.png)
1717

18-
IoT Hub features including [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md) also require connectivity from IoT Hub to a customer-owned Azure resource over its public endpoint. These connectivity paths collectively make up the egress traffic from IoT Hub to customer resources.
18+
Some IoT Hub features, including [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md), also require connectivity from IoT Hub to a customer-owned Azure resource over its public endpoint. These connectivity paths make up the egress traffic from IoT Hub to customer resources.
1919

20-
You might want to restrict connectivity to your Azure resources (including IoT Hub) through a VNet that you own and operate. These reasons include:
20+
You might want to restrict connectivity to your Azure resources (including IoT Hub) through a VNet that you own and operate for several reasons, including:
2121

2222
* Introducing network isolation for your IoT hub by preventing connectivity exposure to the public internet.
2323

24-
* Enabling a private connectivity experience from your on-premises network assets ensuring that your data and traffic
25-
is transmitted directly to Azure backbone network.
24+
* Enabling a private connectivity experience from your on-premises network assets, which ensures that your data and traffic is transmitted directly to Azure backbone network.
2625

27-
* Preventing exfiltration attacks from sensitive on-premises networks.
26+
* Preventing exfiltration attacks from sensitive on-premises networks.
2827

2928
* Following established Azure-wide connectivity patterns using [private endpoints](../private-link/private-endpoint-overview.md).
3029

3130
This article describes how to achieve these goals using [Azure Private Link](../private-link/private-link-overview.md) for ingress connectivity to IoT Hub and using trusted Microsoft services exception for egress connectivity from IoT Hub to other Azure resources.
3231

3332
## Ingress connectivity to IoT Hub using Azure Private Link
3433

35-
A private endpoint is a private IP address allocated inside a customer-owned VNet via which an Azure resource is reachable. Through Azure Private Link, you can set up a private endpoint for your IoT hub to allow services inside your VNet to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, your on-premises devices can use [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) peering to gain connectivity to your VNet and your IoT Hub (via its private endpoint). As a result, you can restrict or completely block off connectivity to your IoT hub's public endpoints by using [IoT Hub IP filter](./iot-hub-ip-filtering.md) or [the public network access toggle](iot-hub-public-network-access.md). This approach keeps connectivity to your Hub using the private endpoint for devices. The main focus of this setup is for devices inside an on-premises network. This setup isn't advised for devices deployed in a wide-area network.
34+
A private endpoint is a private IP address allocated inside a customer-owned VNet through which an Azure resource is reachable. With Azure Private Link, you can set up a private endpoint for your IoT hub to allow services inside your VNet to reach IoT Hub without requiring traffic to be sent to IoT Hub's public endpoint. Similarly, your on-premises devices can use [Virtual Private Network (VPN)](../vpn-gateway/vpn-gateway-about-vpngateways.md) or [ExpressRoute](https://azure.microsoft.com/services/expressroute/) peering to gain connectivity to your VNet and your IoT hub (via its private endpoint). As a result, you can restrict or completely block off connectivity to your IoT hub's public endpoints by using [IoT Hub IP filter](./iot-hub-ip-filtering.md) or [the public network access toggle](iot-hub-public-network-access.md). This approach keeps connectivity to your hub using the private endpoint for devices. The main focus of this setup is for devices inside an on-premises network. This setup isn't advised for devices deployed in a wide-area network.
3635

37-
![IoT Hub virtual network engress](./media/virtual-network-support/virtual-network-ingress.png)
36+
![Diagram of IoT Hub virtual network ingress.](./media/virtual-network-support/virtual-network-ingress.png)
3837

3938
Before proceeding ensure that the following prerequisites are met:
4039
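Review bot: in new line 24, "ensures that your data and traffic is transmitted directly to Azure backbone network" has a subject-verb mismatch and a missing article; suggest "ensures that your data and traffic are transmitted directly to the Azure backbone network". Also, the H1 drops "Managed Identity" while the egress section below still depends on the hub's managed identity, so check any TOC entries or inbound links that reference the old title.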

@@ -44,29 +43,31 @@ Before proceeding ensure that the following prerequisites are met:
4443

4544
### Set up a private endpoint for IoT Hub ingress
4645

47-
Private endpoint works for IoT Hub device APIs (like device-to-cloud messages) as well as service APIs (like creating and updating devices).
46+
Private endpoint works for IoT Hub device APIs (like device-to-cloud messages) and service APIs (like creating and updating devices).
4847

49-
1. In Azure portal, select **Networking**, **Private access**, and click the **+ Create a private endpoint** option.
48+
1. In the [Azure portal](https://portal.azure.com), navigate to your IoT hub.
5049

51-
:::image type="content" source="media/virtual-network-support/private-link.png" alt-text="Screenshot showing where to add private endpoint for IoT Hub" border="true":::
50+
1. Select **Networking** > **Private access**, and then select **Create a private endpoint**.
5251

53-
1. Provide the subscription, resource group, name, and region to create the new private endpoint in. Ideally, private endpoint should be created in the same region as your hub.
52+
:::image type="content" source="media/virtual-network-support/private-link.png" alt-text="Screenshot showing where to add private endpoint for IoT Hub." border="true":::
5453

55-
1. Click **Next: Resource**, and provide the subscription for your IoT Hub resource, and select **"Microsoft.Devices/IotHubs"** as resource type, your IoT Hub name as **resource**, and **iotHub** as target subresource.
54+
1. Provide the subscription, resource group, name, and region to create the new private endpoint. Ideally, a private endpoint should be created in the same region as your hub.
5655

57-
1. Click **Next: Configuration** and provide your virtual network and subnet to create the private endpoint in. Select the option to integrate with Azure private DNS zone, if desired.
56+
1. Select **Next: Resource**, and provide the subscription for your IoT Hub resource, and select **"Microsoft.Devices/IotHubs"** as resource type, your IoT hub name as **resource**, and **iotHub** as target subresource.
5857

59-
1. Click **Next: Tags**, and optionally provide any tags for your resource.
58+
1. Select **Next: Configuration** and provide your virtual network and subnet to create the private endpoint in. Select the option to integrate with Azure private DNS zone, if desired.
6059

61-
1. Click **Review + create** to create your private link resource.
60+
1. Select **Next: Tags**, and optionally provide any tags for your resource.
6261

63-
### Built-in Event Hub compatible endpoint
62+
1. Select **Review + create** to create your private link resource.
6463

65-
The [built-in Event Hub compatible endpoint](iot-hub-devguide-messages-read-builtin.md) can also be accessed over private endpoint. When private link is configured, you should see an additional private endpoint connection for the built-in endpoint. It's the one with `servicebus.windows.net` in the FQDN.
64+
### Built-in Event Hubs compatible endpoint
6665

67-
:::image type="content" source="media/virtual-network-support/private-built-in-endpoint.png" alt-text="Image showing two private endpoints given each IoT Hub private link":::
66+
The [built-in Event Hubs compatible endpoint](iot-hub-devguide-messages-read-builtin.md) can also be accessed over private endpoint. When private link is configured, you should see another private endpoint connection for the built-in endpoint. It's the one with `servicebus.windows.net` in the FQDN.
6867

69-
IoT Hub's [IP filter](iot-hub-ip-filtering.md) can optionally control public access to the built-in endpoint.
68+
:::image type="content" source="media/virtual-network-support/private-built-in-endpoint.png" alt-text="Screenshot showing two private endpoints given each IoT Hub private link":::
69+
70+
IoT Hub's [IP filter](iot-hub-ip-filtering.md) can optionally control public access to the built-in endpoint.
7071

7172
To completely block public network access to your IoT hub, [turn off public network access](iot-hub-public-network-access.md) or use IP filter to block all IP and select the option to apply rules to the built-in endpoint.
7273
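Review bot: the `:::image` block at new line 52 is not indented under step 2, so Markdown closes the numbered list there and the `1.` items that follow restart at 1; indent the image by four spaces so the procedure renders as one continuous list. Minor: new line 56 reads "Select **Next: Resource**, and provide ..., and select ..." with a doubled "and"; drop the first one. Since the heading at new line 64 changes from "Event Hub" to "Event Hubs", its anchor becomes `#built-in-event-hubs-compatible-endpoint`; the two links in private-endpoint-dns.md are updated in this PR, but any other in-repo links to the old anchor should be searched for as well.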

@@ -76,15 +77,17 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
7677

7778
## Egress connectivity from IoT Hub to other Azure resources
7879

79-
IoT Hub can connect to your Azure blob storage, event hub, service bus resources for [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md) over the resources' public endpoint. Binding your resource to a VNet blocks connectivity to the resource by default. As a result, this configuration prevents IoT Hub's from working sending data to your resources. To fix this issue, enable connectivity from your IoT Hub resource to your storage account, event hub, or service bus resources via the **trusted Microsoft service** option.
80+
IoT Hub can connect to your Azure blob storage, event hub, service bus resources for [message routing](./iot-hub-devguide-messages-d2c.md), [file upload](./iot-hub-devguide-file-upload.md), and [bulk device import/export](./iot-hub-bulk-identity-mgmt.md) over the resources' public endpoint. Binding your resource to a VNet blocks connectivity to the resource by default. As a result, this configuration prevents IoT hubs from sending data to your resources. To fix this issue, enable connectivity from your IoT Hub resource to your storage account, event hub, or service bus resources via the **trusted Microsoft service** option.
8081

81-
To allow other services to find your IoT hub as a trusted Microsoft service, your hub must use the managed identity. Once a managed identity is provisioned, you need to grant the Azure RBAC permission to your hub's managed identity to access your custom endpoint. Follow the article [Managed identities support in IoT Hub](./iot-hub-managed-identity.md) to provision a managed identity with Azure RBAC permission, and add the custom endpoint to your IoT Hub. Make sure you turn on the trusted Microsoft first party exception to allow your IoT Hub's access to the custom endpoint if you have the firewall configurations in place.
82+
To allow other services to find your IoT hub as a trusted Microsoft service, your hub must use a managed identity. Once a managed identity is provisioned, grant permission to your hub's managed identity to access your custom endpoint. Follow the article [Managed identities support in IoT Hub](./iot-hub-managed-identity.md) to provision a managed identity with Azure role-based access control (RBAC) permission, and add the custom endpoint to your IoT hub. Make sure you turn on the trusted Microsoft first party exception to allow your IoT hubs access to the custom endpoint if you have the firewall configurations in place.
8283

8384
### Pricing for trusted Microsoft service option
85+
8486
Trusted Microsoft first party services exception feature is free of charge. Charges for the provisioned storage accounts, event hubs, or service bus resources apply separately.
87+
8588
## Next steps
8689

87-
Use the links below to learn more about IoT Hub features:
90+
Use the following links to learn more about IoT Hub features:
8891

8992
* [Message routing](./iot-hub-devguide-messages-d2c.md)
9093
* [File upload](./iot-hub-devguide-file-upload.md)
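Review bot: new line 82 changes "your IoT Hub's access" to "your IoT hubs access", which drops the possessive; it should read "your IoT hub's access to the custom endpoint". The first sentence of new line 80 still lists "Azure blob storage, event hub, service bus resources" with no conjunction; suggest "Azure Blob Storage, Event Hubs, or Service Bus resources".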

articles/private-link/private-endpoint-dns.md

Lines changed: 2 additions & 2 deletions
@@ -105,7 +105,7 @@ For Azure services, use the recommended zone names as described in the following
105105
| Azure Bot Service (Microsoft.BotService/botServices) / Token | privatelink.token.botframework.com | token.botframework.com </br> europe.token.botframework.com |
106106
| Azure Data Health Data Services (Microsoft.HealthcareApis/workspaces) / healthcareworkspace | workspace.privatelink.azurehealthcareapis.com </br> fhir.privatelink.azurehealthcareapis.com </br> dicom.privatelink.azurehealthcareapis.com | workspace.azurehealthcareapis.com </br> fhir.azurehealthcareapis.com </br> dicom.azurehealthcareapis.com |
107107

108-
<sup>1</sup>To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see [private link support for IoT Hub's built-in endpoint](../iot-hub/virtual-network-support.md#built-in-event-hub-compatible-endpoint)
108+
<sup>1</sup>To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see [private link support for IoT Hub's built-in endpoint](../iot-hub/virtual-network-support.md#built-in-event-hubs-compatible-endpoint)
109109

110110
>[!Note]
111111
>In the above text, `{region}` refers to the region code (for example, **eus** for East US and **ne** for North Europe). Refer to the following lists for regions codes:
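Review bot: the anchor update at new line 108 matches the renamed heading, but the footnote text still says "built-in Event Hub compatible endpoint"; rename it to "Event Hubs" to match the heading it links to, and end the sentence with a period.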
@@ -189,7 +189,7 @@ For Azure services, use the recommended zone names as described in the following
189189
| Azure HDInsight (Microsoft.HDInsight) | privatelink.azurehdinsight.cn | azurehdinsight.cn |
190190
| Azure Data Explorer (Microsoft.Kusto) | privatelink.{region}.kusto.windows.cn | {region}.kusto.windows.cn |
191191

192-
<sup>1</sup>To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see [private link support for IoT Hub's built-in endpoint](../iot-hub/virtual-network-support.md#built-in-event-hub-compatible-endpoint)
192+
<sup>1</sup>To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see [private link support for IoT Hub's built-in endpoint](../iot-hub/virtual-network-support.md#built-in-event-hubs-compatible-endpoint)
193193

194194
## DNS configuration scenarios
195195
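Review bot: new line 192 repeats the footnote from line 108 verbatim, which is why the heading rename had to be patched in two places; consider moving the footnote into a shared include, or at least apply the same "Event Hubs" wording fix to both copies so they stay consistent.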
