Merge pull request #176352 from HeidiSteen/heidist-gh

[azure search] Addressing GH issue 80167 (IP firewall doc)

Author: Court72

articles/search/media/service-configure-firewall/azure-portal-firewall.png

@@ -85,7 +85,7 @@ You can find out the IP address range of `AzureCognitiveSearch` [service tag](..
 
 If you are using the Azure portal to create an indexer, you must grant the portal inbound access to your SQL Azure virtual machine. An inbound rule in the firewall requires that you provide the IP address of the portal.
 
-To get the portal IP address, ping `stamp2.ext.search.windows.net`, which is the domain of the traffic manager. The request will time out, but the IP address be visible in the status message. Fo example, in the message "Pinging azsyrie.northcentralus.cloudapp.azure.com [52.252.175.48]", the IP address is "52.252.175.48".
+To get the portal IP address, ping `stamp2.ext.search.windows.net`, which is the domain of the traffic manager. The request will time out, but the IP address be visible in the status message. For example, in the message "Pinging azsyrie.northcentralus.cloudapp.azure.com [52.252.175.48]", the IP address is "52.252.175.48".
 
 > [!NOTE]
 > Clusters in different regions connect to different traffic managers. Regardless of the domain name, the IP address returned from the ping is the correct one to use when defining an inbound firewall rule for the Azure portal in your region.

articles/search/search-howto-connecting-azure-sql-iaas-to-azure-search-using-indexers.md

@@ -1,57 +1,56 @@
 ---
-title: Configure an IP firewall for your Azure Cognitive Search service
+title: Configure an IP firewall
 titleSuffix: Azure Cognitive Search
-description: Configure IP control policies to restrict access to your Azure Cognitive Search service.
+description: Configure IP control policies to restrict access to your Azure Cognitive Search service to specific IP addresses.
 
 manager: nitinme
-author: markheff
-ms.author: maheff
+author: HeidiSteen
+ms.author: heidist
 ms.service: cognitive-search
 ms.topic: conceptual
-ms.date: 02/16/2021
+ms.date: 10/19/2021
 ---
 
-# Configure IP firewall for Azure Cognitive Search
+# Configure an IP firewall for Azure Cognitive Search
 
-Azure Cognitive Search supports IP rules for inbound firewall support. This model provides an additional layer of security for your search service similar to the IP rules you'll find in an Azure virtual network security group. With these IP rules, you can configure your search service to be accessible only from an approved set of machines and/or cloud services. Access to data stored in your search service from these approved sets of machines and services will still require the caller to present a valid authorization token.
+Azure Cognitive Search supports IP rules for inbound access through a firewall, similar to the IP rules you'll find in an Azure virtual network security group. By leveraging IP rules, you can restrict search service access to an approved set of machines and cloud services. Access to data stored in your search service from the approved sets of machines and services will still require the caller to present a valid authorization token.
 
-You can set IP rules in the Azure portal, as described in this article. Alternatively, you can use the [Management REST API version 2020-03-13](/rest/api/searchmanagement/), [Azure PowerShell](/powershell/module/az.search), or [Azure CLI](/cli/azure/search).
+You can set IP rules in the Azure portal, as described in this article, on search services provisioned at the Basic tier and above. Alternatively, you can use the [Management REST API version 2020-03-13](/rest/api/searchmanagement/), [Azure PowerShell](/powershell/module/az.search), or [Azure CLI](/cli/azure/search).
 
-## <a id="configure-ip-policy"></a> Configure an IP firewall using the Azure portal
+<a id="configure-ip-policy"></a> 
 
-To set the IP access control policy in the Azure portal, go to your Azure Cognitive Search service page and select **Networking** on the navigation menu. Endpoint networking connectivity must be **Public**. If your connectivity is set to **Private**, you can only access your search service via a Private Endpoint.
+## Configure an IP firewall using the Azure portal
 
-![Screenshot showing how to configure the IP firewall in the Azure portal](./media/service-configure-firewall/azure-portal-firewall.png)
+To set the IP access control policy in the Azure portal, go to your Azure Cognitive Search service page and select **Networking** on the left navigation pane. Endpoint networking connectivity must be **Public Access**. If your connectivity is set to **Private Access** or **Shared Private Access**, you can only access your search service via a Private Endpoint.
 
-The Azure portal provides the ability to specify IP addresses and IP address ranges in the CIDR format. An example of CIDR notation is 8.8.8.0/24, which represents the IPs that range from 8.8.8.0 to 8.8.8.255.
-
-> [!NOTE]
-> After you enable the IP access control policy for your Azure Cognitive Search service, all requests to the data plane from machines outside the allowed list of IP address ranges are rejected. When IP rules are configured, some features of the Azure portal are disabled. You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons. As an alternative to the portal, you can use the [VS Code Extension](https://aka.ms/vscode-search) to interact with the various components in the service.
+:::image type="content" source="media/service-configure-firewall/azure-portal-firewall.png" alt-text="Screenshot showing how to configure the IP firewall in the Azure portal" border="true":::
 
-### Requests from your current IP
+The Azure portal provides the ability to specify IP addresses and IP address ranges in the CIDR format. An example of CIDR notation is 8.8.8.0/24, which represents the IPs that range from 8.8.8.0 to 8.8.8.255.
 
-To simplify development, the Azure portal helps you identify and add the IP of your client machine to the allowed list. Apps running on your machine can then access your Azure Cognitive Search service.
+After you enable the IP access control policy for your Azure Cognitive Search service, all requests to the data plane from machines outside the allowed list of IP address ranges are rejected. 
 
-The portal automatically detects your client IP address. It might be the client IP address of your machine or network gateway. Make sure to remove this IP address before you take your workload to production.
+## Allow access from Azure portal
 
-To add your current IP to the list of IPs, check **Add your client IP address**. Then select **Save**.
+By default, when IP rules are configured, some features of the Azure portal are disabled. You'll be able to view and manage service level information, but portal access to indexes, indexers, and other top-level resources is restricted.
 
-![Screenshot showing a how to configure IP firewall settings to allow the current IP](./media/service-configure-firewall/enable-current-ip.png)
+To retain service administration through the portal, select the "Allow access" option under **Exceptions**. Alternatively, use the [VS Code Extension](https://aka.ms/vscode-search) to manage content.
 
-## <a id="troubleshoot-ip-firewall"></a>Troubleshoot issues with an IP access control policy
+## Allow access from your client
 
-You can troubleshoot issues with an IP access control policy by using the following options:
+Client applications that push indexing and query requests to the search service must be represented in an IP range. On Azure, you can generally determine the IP address by pinging the FQDN of a service (for example, `ping <your-search-service-name>.search.windows.net` will return the IP address of a search service). 
 
-### Azure portal
+Providing IP addresses for clients ensures that the request is not rejected outright, but for successful access to content and operations, authorization is also necessary. Use one of the following methodologies to authenticate your request:
 
-Enabling an IP access control policy for your Azure Cognitive Search service blocks all requests from machines outside the allowed list of IP address ranges, including the Azure portal.  You'll be able to view and manage service level information, but portal access to index data and the various components in the service, such as the index, indexer, and skillset definitions, is restricted for security reasons. 
++ [Key-based authentication](search-security-api-keys.md), where an admin or query API key is provided on the request
++ [Role-based authorization](search-security-rbac.md), where the caller is a member of a security role on a search service, and the [registered app presents an OAuth token](search-howto-aad.md) from Azure Active Directory.
 
-### SDKs
+### Rejected requests
 
-When you access Azure Cognitive Search service using the SDK from machines that are not in the allowed list, a generic **403 Forbidden** response is returned with no additional details. Verify the allowed IP list for your account, and make sure that the correct configuration updated for your search service.
+When requests originate from IP addresses that are not in the allowed list, a generic **403 Forbidden** response is returned with no additional details.
 
 ## Next steps
 
-For more information on accessing your search service via Private Link, see the following article:
+If your client application is a static Web app on Azure, learn how to determine its IP range for inclusion in a search service IP firewall rule.
 
-* [Create a Private Endpoint for a secure connection to Azure Cognitive Search](service-create-private-endpoint.md)
+> [!div class="nextstepaction"]
+> [Inbound and outbound IP addresses in Azure App Service](../app-service/overview-inbound-outbound-ips.md)