Merge pull request #210516 from batamig/cloud-connections

Cloud connections

Author: v-regandowner

articles/defender-for-iot/organizations/architecture-connections.md

@@ -2,14 +2,14 @@
 title: OT sensor cloud connection methods - Microsoft Defender for IoT
 description: Learn about the architecture models available for connecting your sensors to Microsoft Defender for IoT.
 ms.topic: conceptual
-ms.date: 03/08/2022
+ms.date: 09/11/2022
 ---
 
 # OT sensor cloud connection methods
 
 This article describes the architectures and methods supported for connecting your Microsoft Defender for IoT OT sensors to the cloud.
 
-All supported cloud connection methods provide:
+The cloud connection methods described in this article are supported only for OT sensor version 22.x and later. All methods provide:
 
 - **Simple deployment**, requiring no extra installations in your private Azure environment, such as for an IoT Hub
 
@@ -64,7 +64,7 @@ With direct connections
 
 For more information, see [Connect directly](connect-sensors.md#connect-directly).
 
-## Multi-cloud connections
+## Multicloud connections
 
 You can connect your sensors to the Defender for IoT portal in Azure from other public clouds for OT/IoT management process monitoring.
 
@@ -76,7 +76,7 @@ Depending on your environment configuration, you might connect using one of the
 
 - A site-to-site VPN over the internet.
 
-For more information, see [Connect via multi-cloud vendors](connect-sensors.md#connect-via-multi-cloud-vendors).
+For more information, see [Connect via multicloud vendors](connect-sensors.md#connect-via-multicloud-vendors).
 
 ## Working with a mixture of sensor software versions
 

articles/defender-for-iot/organizations/connect-sensors.md

@@ -2,15 +2,20 @@
 title: Connect OT sensors to Microsoft Defender for IoT in the cloud
 description: Learn how to connect your Microsoft Defender for IoT OT sensors to the cloud
 ms.topic: how-to
-ms.date: 06/02/2022
+ms.date: 09/11/2022
 ---
 
 # Connect your OT sensors to the cloud
 
-This article describes how to connect your sensors to the Defender for IoT portal in Azure.
+This article describes how to connect your OT network sensors to the Defender for IoT portal in Azure, for OT sensor software versions 22.x and later.
 
 For more information about each connection method, see [Sensor connection methods](architecture-connections.md).
 
+## Prerequisites
+
+To use the connection methods described in this article, you must have an OT network sensor with software version 22.x or later.
+
+For more information, see [Update Defender for IoT OT monitoring software](update-ot-software.md).
 
 ## Choose a sensor connection method
 
@@ -21,7 +26,7 @@ Use this section to help determine which connection method is right for your org
 |- You require private connectivity between your sensor and Azure,  <br>- Your site is connected to Azure via ExpressRoute, or  <br>- Your site is connected to Azure over a VPN  | **[Connect via an Azure proxy](#connect-via-an-azure-proxy)**        |
 |- Your sensor needs a proxy to reach from the OT network to the cloud, or <br>- You want multiple sensors to connect to Azure through a single point    | **[Connect via proxy chaining](#connect-via-proxy-chaining)**        |
 |- You want to connect your sensor to Azure directly    | **[Connect directly](#connect-directly)**        |
-|- You have sensors hosted in multiple public clouds | **[Connect via multi-cloud vendors](#connect-via-multi-cloud-vendors)** |
+|- You have sensors hosted in multiple public clouds | **[Connect via multicloud vendors](#connect-via-multicloud-vendors)** |
 
 
 ## Connect via an Azure proxy
@@ -46,12 +51,7 @@ Before you start, make sure that you have:
 
 - A proxy server resource, with firewall permissions to access Microsoft cloud services. The procedure described in this article uses a Squid server hosted in Azure.
 
-- Outbound HTTPS traffic on port 443 to the following hostnames:
-
-    - **IoT Hub**: `*.azure-devices.net`
-    - **Blob storage**: `*.blob.core.windows.net`
-    - **EventHub**: `*.servicebus.windows.net`
-    - **Microsoft Download Center**: `download.microsoft.com`
+- Outbound HTTPS traffic on port 443 enabled to the required endpoints for Defender for IoT. Download the list of required endpoints from the **Sites and sensors** page: Select an OT sensor with a supported software version, or a site with one or more supported sensors. And then select **More actions** > **Download endpoint details**.
 
 > [!IMPORTANT]
 > Microsoft Defender for IoT does not offer support for Squid or any other proxy services. It is the customer's responsibility to set up and maintain the proxy service.
@@ -335,12 +335,11 @@ This procedure describes how to install and configure a connection between your
         sudo systemctl enable squid
         ```
 
-1. Connect your proxy to Defender for IoT. Enable outbound HTTP traffic on port 443 from the sensor to the following Azure hostnames:
+1. Connect your proxy to Defender for IoT:
+
+    1. Download the list of required endpoints from the **Sites and sensors** page: Select an OT sensor with a supported software version, or a site with one or more supported sensors. And then select **More actions** > **Download endpoint details**.
+    1. Enable outbound HTTPS traffic on port 443 from the sensor to each of the required endpoints for Defender for IoT.
 
-    - **IoT Hub**: `*.azure-devices.net`
-    - **Threat Intelligence**: `*.blob.core.windows.net`
-    - **Eventhub**: `*.servicebus.windows.net`
-    - **Microsoft download site**: `download.microsoft.com`
 
 > [!IMPORTANT]
 > Some organizations must define firewall rules by IP addresses. If this is true for your organization, it's important to know that the Azure public IP ranges are updated weekly.
@@ -352,30 +351,27 @@ This procedure describes how to install and configure a connection between your
 
 This section describes what you need to configure a direct sensor connection to Defender for IoT in Azure. For more information, see [Direct connections](architecture-connections.md#direct-connections).
 
-1. Ensure that your sensor can access the cloud using HTTP on port 443 to the following Microsoft domains:
+1. Download the list of required endpoints from the **Sites and sensors** page on the Azure portal. Select an OT sensor with a supported software version, or a site with one or more supported sensors. And then select **More actions** > **Download endpoint details**.
 
-    - **IoT Hub**: `*.azure-devices.net`
-    - **Threat Intelligence**: `*.blob.core.windows.net`
-    - **Eventhub**: `*.servicebus.windows.net`
-    - **Microsoft Download Center**: `download.microsoft.com`
+1. Ensure that your sensor can access the cloud using HTTPS on port 443 to each of the listed endpoints in the downloaded list.
 
 1. Azure public IP addresses are updated weekly. If you must define firewall rules based on IP addresses, make sure to download the new JSON file each week and make the required changes on your site to correctly identify services running in Azure. You'll need the updated IP ranges for **AzureIoTHub**, **Storage**, and **EventHub**. See the [latest IP ranges](https://www.microsoft.com/en-us/download/details.aspx?id=56519).
 
-## Connect via multi-cloud vendors
+## Connect via multicloud vendors
 
-This section describes how to connect your sensor to Defender for IoT in Azure from sensors deployed in one or more public clouds. For more information, see [Multi-cloud connections](architecture-connections.md#multi-cloud-connections).
+This section describes how to connect your sensor to Defender for IoT in Azure from sensors deployed in one or more public clouds. For more information, see [Multicloud connections](architecture-connections.md#multicloud-connections).
 
 ### Prerequisites
 
 Before you start: 
 
 - Make sure that you have a sensor deployed in a public cloud, such as AWS or Google Cloud, and configured to monitor SPAN traffic.
 
-- Choose the multi-cloud connectivity method that's right for your organization:
+- Choose the multicloud connectivity method that's right for your organization:
 
     Use the following flow chart to determine which connectivity method to use:
 
-    :::image type="content" source="media/architecture-connections/multi-cloud-flow-chart.png" alt-text="Flow chart to determine which connectivity method to use.":::
+    :::image type="content" source="media/architecture-connections/multicloud-flow-chart.png" alt-text="Flow chart to determine which connectivity method to use.":::
 
     - **Use public IP addresses over the internet** if you don't need to exchange data using private IP addresses
 
@@ -429,12 +425,9 @@ If you're an existing customer with a production deployment and sensors connecte
 
     - Check the active resources in your account and make sure there are no other services connected to your IoT Hub.
 
-    - If you're running a hybrid environment with multiple sensor versions, make sure any sensors with software version 22.1.x can connect to Azure. Use firewall rules that allow outbound HTTPS traffic on port 443 to the following hostnames:
+    - If you're running a hybrid environment with multiple sensor versions, make sure any sensors with software version 22.1.x can connect to Azure. Use firewall rules that allow outbound HTTPS traffic on port 443 to each of the required endpoints.
 
-        - **IoT Hub**: `*.azure-devices.net`
-        - **Threat Intelligence**: `*.blob.core.windows.net`
-        - **EventHub**: `*.servicebus.windows.net`
-        - **Microsoft Download Center**: `download.microsoft.com`
+        Find the list of required endpoints for Defender for IoT from the **Sites and sensors** page on the Azure portal. Select an OT sensor with a supported software version, or a site with one or more supported sensors. And then select **More actions** > **Download endpoint details**.
 
 While you'll need to migrate your connections before the [legacy version reaches end of support](release-notes.md#versioning-and-support-for-on-premises-software-versions), you can currently deploy a hybrid network of sensors, including legacy software versions with their IoT Hub connections, and sensors with the connection methods described in this article.
 

articles/defender-for-iot/organizations/how-to-manage-individual-sensors.md

@@ -69,7 +69,9 @@ You'll receive an error message if the activation file couldn't be uploaded. The
 
 - **For locally connected sensors**: The activation file isn't valid. If the file isn't valid, go to [Defender for IoT in the Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started). On the **Sensor Management** page, select the sensor with the invalid file, and download a new activation file.
 
-- **For cloud-connected sensors**: The sensor can't connect to the internet. Check the sensor's network configuration. If your sensor needs to connect through a web proxy to access the internet, verify that your proxy server is configured correctly on the **Sensor Network Configuration** screen. Verify that \*.azure-devices.net:443 is allowed in the firewall and/or proxy. If wildcards are not supported or you want more control, the FQDN for your specific endpoint (either a sensor, or for legacy connections, an IoT hub) should be opened in your firewall and/or proxy. For more information, see [Reference - IoT Hub endpoints](../../iot-hub/iot-hub-devguide-endpoints.md).
+- **For cloud-connected sensors**: The sensor can't connect to the internet. Check the sensor's network configuration. If your sensor needs to connect through a web proxy to access the internet, verify that your proxy server is configured correctly on the **Sensor Network Configuration** screen. Verify that the required endpoints are allowed in the firewall and/or proxy.
+
+    For OT sensors version 22.x, download the list of required endpoints from the  **Sites and sensors** page on the Azure portal. Select an OT sensor with a supported software version, or a site with one or more supported sensors. And then select **More actions** > **Download endpoint details**. For sensors with earlier versions, see [Sensor access to Azure portal](how-to-set-up-your-network.md#sensor-access-to-azure-portal).
 
 - **For cloud-connected sensors**: The activation file is valid but Defender for IoT rejected it. If you can't resolve this problem, you can download another activation from the **Sites and Sensors** page in the [Azure portal](https://portal.azure.com/#blade/Microsoft_Azure_IoT_Defender/IoTDefenderDashboard/Getting_Started). If this doesn't work, contact Microsoft Support.
 

articles/defender-for-iot/organizations/how-to-manage-sensors-on-the-cloud.md

@@ -1,7 +1,7 @@
 ---
 title: Manage sensors with Defender for IoT in the Azure portal
 description: Learn how to onboard, view, and manage sensors with Defender for IoT in the Azure portal.
-ms.date: 08/08/2022
+ms.date: 09/08/2022
 ms.topic: how-to
 ---
 
@@ -14,7 +14,7 @@ This article describes how to view and manage sensors with [Defender for IoT in
 This procedure describes how to use the Azure portal to contact vendors for pre-configured appliances, or how to download software for you to install on your own appliances.
 
 1. In the Azure portal, go to **Defender for IoT** > **Getting started** > **Sensor**.
- 
+
 1. Do one of the following:
 
     - To buy a pre-configured appliance, select **Contact** under **Buy preconfigured appliance**. This opens an email to [[email protected]](mailto:[email protected]) with a template request for Defender for IoT appliances. For more information, see [Pre-configured physical appliances for OT monitoring](ot-pre-configured-appliances.md).
@@ -135,9 +135,10 @@ Use the options on the **Sites and sensor** page and a sensor details page to do
 |:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-edit.png" border="false":::  **Create an activation command**     | Individual, Enterprise IoT sensors only. <br><br>Available from the **...** options menu or a sensor details page.  Select **Edit** and   then select **Create activation command**. <br><br>For more information, see [Install an Enterprise IoT sensor](tutorial-getting-started-eiot-sensor.md#install-the-sensor-software).        |
 |:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-edit.png" border="false":::  **Edit automatic threat intelligence updates**     | Individual, OT sensors only. <br><br>Available from the **...** options menu or a sensor details page.  <br><br>Select **Edit** and then toggle the **Automatic Threat Intelligence Updates (Preview)** option on or off as needed. Select **Submit** to save your changes. |
 |:::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-delete.png" border="false"::: **Delete a sensor**    |   For individual sensors only, from the **...** options menu or a sensor details page.      |
+| :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-diagnostics.png" border="false"::: **Send diagnostic files to support** | Individual, locally managed OT sensors only. <br><br>Available from the **...** options menu. <br><br>For more information, see [Upload a diagnostics log for support (Public preview)](#upload-a-diagnostics-log-for-support-public-preview).|
 | **Download SNMP MIB file** | Available from the **Sites and sensors** toolbar **More actions** menu. <br><br>For more information, see [Set up SNMP MIB monitoring](how-to-set-up-snmp-mib-monitoring.md).|
 | **Recover an on-premises management console password** | Available from the **Sites and sensors** toolbar **More actions** menu. <br><br>For more information, see [Manage the on-premises management console](how-to-manage-the-on-premises-management-console.md). |
-| :::image type="icon" source="media/how-to-manage-sensors-on-the-cloud/icon-diagnostics.png" border="false"::: **Send diagnostic files to support** | Individual, locally managed OT sensors only. <br><br>Available from the **...** options menu. <br><br>For more information, see [Upload a diagnostics log for support (Public preview)](#upload-a-diagnostics-log-for-support-public-preview).|
+| **Download endpoint details** | Available from the **Sites and sensors** toolbar **More actions** menu, for OT sensor versions 22.x only. <br><br>Download the list of endpoints that must be enabled as secure endpoints from OT network sensors. Make sure that HTTPS traffic is enabled over port 443 to the listed endpoints for your sensor to connect to Azure. Outbound allow rules are defined once for all OT sensors onboarded to the same subscription.<br><br>To enable this option, select a sensor with a supported software version, or a site with one or more sensors with supported versions. |
 
 ## Reactivate an OT sensor
 

articles/defender-for-iot/organizations/how-to-set-up-your-network.md

@@ -132,8 +132,9 @@ Use the following tables to ensure that required firewalls are open on your work
 
 | Protocol | Transport | In/Out | Port | Purpose | Source | Destination |
 |--|--|--|--|--|--|--|
-| HTTPS | TCP | Out | 443 | Access to Azure | Sensor |  `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net`|
-| HTTPS | TCP | Out | 443 | Remote sensor upgrades from the Azure portal  | Sensor| `download.microsoft.com`|
+| HTTPS | TCP | Out | 443 | Access to Azure | Sensor |**For OT sensor versions 22.x**: Download the list from the **Sites and sensors** page in the Azure portal. Select an OT sensor with software versions 22.x or higher, or a site with one or more supported sensor versions. Then, select **More options > Download endpoint details**. For more information, see [Sensor management options from the Azure portal](how-to-manage-sensors-on-the-cloud.md#sensor-management-options-from-the-azure-portal).<br><br>**For OT sensor versions 10.x**:  `*.azure-devices.net`<br> `*.blob.core.windows.net`<br> `*.servicebus.windows.net`|
+| HTTPS | TCP | Out | 443 | Remote sensor updates from the Azure portal  | Sensor| `download.microsoft.com`|
+
 
 ### Sensor access to the on-premises management console
 

articles/defender-for-iot/organizations/integrate-with-active-directory.md

@@ -46,7 +46,7 @@ You can associate Active Directory groups defined here with specific permission
    | Domain controller port | Define the port on which your LDAP is configured. |
    | Primary domain | Set the domain name (for example, `subdomain.domain.com`) and the connection type according to your LDAP configuration. |
    | Active Directory groups | Enter the group names that are defined in your Active Directory configuration on the LDAP server. You can enter a group name that you'll associate with Admin, Security Analyst and Read-only permission levels. Use these groups when creating new sensor users.|
-   | Trusted domains | To add a trusted domain, add the domain name and the connection type of a trusted domain. <br />You can configure trusted domains only for users who were defined under users. |
+   | Trusted endpoints | To add a trusted domain, add the domain name and the connection type of a trusted domain. <br />You can configure trusted endpoints only for users who were defined under users. |
 
     ### Active Directory groups for the on-premises management console