Merge pull request #187382 from HeidiSteen/heidist-fresh2

[azure search] Firewall connection doc updates

Author: LJSpiller

articles/search/media/search-indexer-howto-secure-access/search-service-portal.png

@@ -1,5 +1,5 @@
 ---
-title: Allow access to indexer IP ranges
+title: Connect through firewalls
 titleSuffix: Azure Cognitive Search
 description: Configure IP firewall rules to allow data access by an Azure Cognitive Search indexer.
 
@@ -8,25 +8,25 @@ author: arv100kri
 ms.author: arjagann
 ms.service: cognitive-search
 ms.topic: how-to
-ms.date: 11/11/2021
+ms.date: 02/02/2022
 ---
 
-# Configure IP firewall rules to allow indexer connections in Azure Cognitive Search
+# Configure IP firewall rules to allow indexer connections from Azure Cognitive Search
 
 On behalf of an indexer, a search service will issue outbound calls to an external Azure resource to pull in data during indexing. If your Azure resource uses IP firewall rules to filter incoming calls, you'll need to create an inbound rule in your firewall that admits indexer requests.
 
-This article explains how to find the IP address of your search service, and then use Azure portal to configure an inbound IP rule on an Azure Storage account. While specific to Azure Storage, this approach also works for other Azure resources that use IP firewall rules for data access, such as Cosmos DB and Azure SQL.
+This article explains how to find the IP address of your search service and configure an inbound IP rule on an Azure Storage account. While specific to Azure Storage, this approach also works for other Azure resources that use IP firewall rules for data access, such as Cosmos DB and Azure SQL.
 
 > [!NOTE]
 > IP firewall rules for a storage account are only effective if the storage account and the search service are in different regions. If your setup does not permit this, we recommend utilizing the [trusted service exception option](search-indexer-howto-access-trusted-service-exception.md) as an alternative.
 
 ## Get a search service IP address
 
-1. Determine the fully qualified domain name (FQDN) of your search service. This will look like `<search-service-name>.search.windows.net`. You can find out the FQDN by looking up your search service on the Azure portal.
+1. Determine the fully qualified domain name (FQDN) of your search service. This will look like `<search-service-name>.search.windows.net`. You can find the FQDN by looking up your search service on the Azure portal.
 
-   ![Obtain service FQDN](media\search-indexer-howto-secure-access\search-service-portal.png "Obtain service FQDN")
+   :::image type="content" source="media\search-indexer-howto-secure-access\search-service-portal.png" alt-text="Screenshot of the search service Overview page." border="true":::
 
-1. Look up the IP address of the search service by performing a `nslookup` (or a `ping`) of the FQDN on a command prompt.
+1. Look up the IP address of the search service by performing a `nslookup` (or a `ping`) of the FQDN on a command prompt. Make sure you remove the "https://" prefix from the FQDN.
 
 1. Copy the IP address so that you can specify it on an inbound rule in the next step. In the example below, the IP address that you should copy is "150.0.0.1".
 
@@ -43,48 +43,55 @@ This article explains how to find the IP address of your search service, and the
 
 ## Get IP addresses for "AzureCognitiveSearch" service tag
 
-Depending on your search service configuration, you might also need to create an inbound rule that admits requests from a range of IP addresses. Specifically, additional IP addresses are used for requests that originate from the indexer's [multi-tenant execution environment](search-indexer-securing-resources.md#indexer-execution-environment). 
+If your search service workloads include skillset execution, create an inbound rule that allows requests from the [multi-tenant execution environment](search-indexer-securing-resources.md#indexer-execution-environment). This step explains how to get the range of IP addresses needed for this inbound rule.
 
-You can get this IP address range from the `AzureCognitiveSearch` service tag.
+An IP address range is defined for each region that supports Azure Cognitive Search. You can get this IP address range from the `AzureCognitiveSearch` service tag.
 
 1. Get the IP address ranges for the `AzureCognitiveSearch` service tag using either the [discovery API](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) or the [downloadable JSON file](../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files).
 
-1. If the search service is the Azure Public cloud, the [Azure Public JSON file](https://www.microsoft.com/download/details.aspx?id=56519) should be downloaded.
-
-   ![Download JSON file](media\search-indexer-howto-secure-access\service-tag.png "Download JSON file")
-
-1. From the JSON file, assuming the search service is in West Central US, the list of IP addresses for the multi-tenant indexer execution environment are listed below.
-
-```json
-{
-"name": "AzureCognitiveSearch.WestCentralUS",
-"id": "AzureCognitiveSearch.WestCentralUS",
-"properties": {
-   "changeNumber": 1,
-   "region": "westcentralus",
-   "platform": "Azure",
-   "systemService": "AzureCognitiveSearch",
-   "addressPrefixes": [
-      "52.150.139.0/26",
-      "52.253.133.74/32"
-   ]
-}
-}
-```
-
-For `/32` IP addresses, drop the "/32" (52.253.133.74/32 becomes 52.253.133.74 in the rule definition). All other IP addresses can be used verbatim.
+1. If the search service is the Azure Public cloud, download the [Azure Public JSON file](https://www.microsoft.com/download/details.aspx?id=56519).
+
+1. Open the JSON file and search for "AzureCognitiveSearch". For a search service in WestUS2, the IP addresses for the multi-tenant indexer execution environment are:
+
+    ```json
+    {
+    "name": "AzureCognitiveSearch.WestUS2",
+    "id": "AzureCognitiveSearch.WestUS2",
+    "properties": {
+       "changeNumber": 1,
+       "region": "westus2",
+       "regionId": 38,
+       "platform": "Azure",
+       "systemService": "AzureCognitiveSearch",
+       "addressPrefixes": [
+          "20.42.129.192/26",
+          "40.91.93.84/32",
+          "40.91.127.116/32",
+          "40.91.127.241/32",
+          "51.143.104.54/32",
+          "51.143.104.90/32",
+          "2603:1030:c06:1::180/121"
+       ],
+       "networkFeatures": null
+    }
+    },
+    ```
+
+1. For IP addresses have the "/32" suffix, drop the "/32" (40.91.93.84/32 becomes 40.91.93.84 in the rule definition). All other IP addresses can be used verbatim.
 
 ## Add IP addresses to IP firewall rules
 
-Once you have the IP addresses, you are ready to set up the rule. The easiest way to add IP address ranges to a storage account's firewall rule is via the Azure portal. 
+Now that you have the necessary IP addresses, you can set up the inbound rule. The easiest way to add IP address ranges to a storage account's firewall rule is through the Azure portal. 
+
+1. Locate the storage account on the portal and open **Networking** on the left navigation pane.
 
-1. Locate the storage account on the portal and navigate to the **Firewalls and virtual networks** tab.
+1. In the **Firewall and virtual networks** tab, choose **Selected networks**.
 
-   ![Firewall and virtual networks](media\search-indexer-howto-secure-access\storage-firewall.png "Firewall and virtual networks")
+   :::image type="content" source="media\search-indexer-howto-secure-access\storage-firewall.png" alt-text="Screenshot of Azure Storage Firewall and virtual networks page" border="true":::
 
-1. Add the three IP addresses obtained previously (one for the search service IP, two for the `AzureCognitiveSearch` service tag) in the address range and select **Save**.
+1. Add the IP addresses obtained previously (one for the search service IP, plus all of the IP ranges for the "AzureCognitiveSearch" service tag) in the address range and select **Save**.
 
-   ![Firewall IP rules](media\search-indexer-howto-secure-access\storage-firewall-ip.png "Firewall IP rules")
+   :::image type="content" source="media\search-indexer-howto-secure-access\storage-firewall-ip.png" alt-text="Screenshot of the IP address section of the page." border="true":::
 
 It can take five to ten minutes for the firewall rules to be updated, after which indexers should be able to access the data in the storage account.
 

articles/search/media/search-indexer-howto-secure-access/service-tag.png

@@ -1,13 +1,13 @@
 ---
-title: Indexer connections through a private endpoint
+title: Connect through a private endpoint
 titleSuffix: Azure Cognitive Search
 description: Configure indexer connections to access content from other Azure resources that are protected through a private endpoint.
 
 manager: nitinme
 author: arv100kri
 ms.author: arjagann
 ms.service: cognitive-search
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 08/13/2021
 ---
 

articles/search/media/search-indexer-howto-secure-access/storage-firewall-ip.png

@@ -1,17 +1,17 @@
 ---
-title: Indexer access to Azure Storage using trusted service exception
+title: Connect as trusted service
 titleSuffix: Azure Cognitive Search
 description: Enable data access by an indexer in Azure Cognitive Search to data stored securely in Azure Storage.
 
 manager: nitinme
 author: arv100kri
 ms.author: arjagann
 ms.service: cognitive-search
-ms.topic: conceptual
+ms.topic: how-to
 ms.date: 05/11/2021
 ---
 
-# Indexer access to Azure Storage using the trusted service exception (Azure Cognitive Search)
+# Make indexer connections to Azure Storage as a trusted service
 
 Indexers in an Azure Cognitive Search service that access data in Azure Storage accounts can make use of the [trusted service exception](../storage/common/storage-network-security.md#exceptions) capability to securely access data. This mechanism offers customers who are unable to grant [indexer access using IP firewall rules](search-indexer-howto-access-ip-restricted.md) a simple, secure, and free alternative for accessing data in storage accounts.
 

articles/search/media/search-indexer-howto-secure-access/storage-firewall.png

@@ -73,9 +73,9 @@ For any given indexer run, Azure Cognitive Search determines the best environmen
 
 ## Granting access to indexer IP ranges
 
-If the resource that your indexer pulls data from exists behind a firewall, make sure that the IP ranges in inbound rules include all of the IPs from which an indexer request can originate. As stated above, there are two possible environments in which indexers run and from which access requests can originate. You will need to add the IP addresses of **both** environments for indexer access to work.
+If the resource that your indexer pulls data from exists behind a firewall, you'll need [inbound rules that admit indexer connections](search-indexer-howto-access-ip-restricted.md). Make sure that the IP ranges in inbound rules include all of the IPs from which an indexer request can originate. As stated above, there are two possible environments in which indexers run and from which access requests can originate. You will need to add the IP addresses of **both** environments for indexer access to work.
 
-- To obtain the IP address of the search service specific private environment, use `nslookup` (or `ping`) the fully qualified domain name (FQDN) of your search service. For example, the FQDN of a search service in the public cloud would be `<service-name>.search.windows.net`. This information is available on the Azure portal.
+- To obtain the IP address of the search service private environment, use `nslookup` (or `ping`) the fully qualified domain name (FQDN) of your search service. The FQDN of a search service in the public cloud would be `<service-name>.search.windows.net`.
 
 - To obtain the IP addresses of the multi-tenant environments within which an indexer might run, use the `AzureCognitiveSearch` service tag. [Azure service tags](../virtual-network/service-tags-overview.md) have a published range of IP addresses for each service. You can find these IPs using the [discovery API](../virtual-network/service-tags-overview.md#use-the-service-tag-discovery-api) or a [downloadable JSON file](../virtual-network/service-tags-overview.md#discover-service-tags-by-using-downloadable-json-files). In either case, IP ranges are broken down by region. You should specify only those IP ranges assigned to the region in which your search service is provisioned.
 
@@ -85,8 +85,6 @@ For certain data sources, the service tag itself can be used directly instead of
 
 - [SQL Managed Instances](./search-howto-connecting-azure-sql-mi-to-azure-search-using-indexers.md#verify-nsg-rules)
 
-For more information about this connectivity option, see [Indexer connections through an IP firewall](search-indexer-howto-access-ip-restricted.md).
-
 ## Granting access via private endpoints
 
 Indexers can use [private endpoints](../private-link/private-endpoint-overview.md) on connections to resources that are locked down (running on a protected virtual network, or just not available over a public connection).
@@ -97,7 +95,7 @@ This functionality is only available in billable search services (Basic and abov
 
 Customers should call the search management operation, [CreateOrUpdate API](/rest/api/searchmanagement/2021-04-01-preview/shared-private-link-resources/create-or-update) on a **shared private link resource**,  in order to create a private endpoint connection to their secure resource (for example, a storage account). Traffic that goes over this (outbound) private endpoint connection will originate only from the virtual network that's in the search service specific "private" indexer execution environment.
 
-Azure Cognitive Search will validate that callers of this API have Azure RBAC permissions to approve private endpoint connection requests to the secure resource. For example, if you request a private endpoint connection to a storage account with read-only permissions, this call will be rejected.
+Azure Cognitive Search will validate that callers of this API have Azure RBAC role permissions to approve private endpoint connection requests to the secure resource. For example, if you request a private endpoint connection to a storage account with read-only permissions, this call will be rejected.
 
 ### Step 2: Approve the private endpoint connection