
Commit f213384

2 parents 4032b9f + 682c259 commit f213384

3 files changed

+19
-19
lines changed

articles/app-service/networking/private-endpoint.md

Lines changed: 10 additions & 10 deletions
@@ -27,7 +27,7 @@ A private endpoint is a special network interface (NIC) for your App Service app
2727
When you create a private endpoint for your app, it provides secure connectivity between clients on your private network and your app. The private endpoint is assigned an IP Address from the IP address range of your virtual network.
2828
The connection between the private endpoint and the app uses a secure [Private Link](../../private-link/private-link-overview.md). Private endpoint is only used for incoming traffic to your app. Outgoing traffic won't use this private endpoint. You can inject outgoing traffic to your network in a different subnet through the [virtual network integration feature](../overview-vnet-integration.md).
2929

30-
Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots. The sub-resource name of a slot will be `sites-<slot-name>`.
30+
Each slot of an app is configured separately. You can plug up to 100 private endpoints per slot. You can't share a private endpoint between slots. The sub-resource name of a slot is `sites-<slot-name>`.
3131

3232
The subnet where you plug the private endpoint can have other resources in it, you don't need a dedicated empty subnet.
3333
You can also deploy the private endpoint in a different region than your app.
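Review bot: the "up to 100 private endpoints per slot" figure in the rewritten line conflicts with the Limitations section of this same file, which says "up to 100 private endpoints to a particular app"; pick one unit (per slot or per app) and use it in both places. The tense change itself ("will be" to "is") is fine and matches the rest of the commit.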
@@ -43,7 +43,7 @@ From a security perspective:
4343
- The access restrictions rules of your app aren't evaluated for traffic through the private endpoint.
4444
- You can eliminate the data exfiltration risk from the virtual network by removing all NSG rules where destination is tag Internet or Azure services.
4545

46-
In the Web HTTP logs of your app, you'll find the client source IP. This feature is implemented using the TCP Proxy protocol, forwarding the client IP property up to the app. For more information, see [Getting connection Information using TCP Proxy v2](../../private-link/private-link-service-overview.md#getting-connection-information-using-tcp-proxy-v2).
46+
In the Web HTTP logs of your app, you find the client source IP. This feature is implemented using the TCP Proxy protocol, forwarding the client IP property up to the app. For more information, see [Getting connection Information using TCP Proxy v2](../../private-link/private-link-service-overview.md#getting-connection-information-using-tcp-proxy-v2).
4747

4848

4949
> [!div class="mx-imgBorder"]
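Review bot: "you find the client source IP" reads awkwardly after the tense cleanup; "you can find the client source IP" keeps the intent of dropping the future tense without the abrupt phrasing. Since the surrounding bullets explain that access restriction rules are not evaluated for private endpoint traffic, it would also help readers to say that the source IP in the logs is informational only and is not used for filtering, if that is what the author intends.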
@@ -55,7 +55,7 @@ In the Web HTTP logs of your app, you'll find the client source IP. This feature
5555
When you use private endpoint for App Service apps, the requested URL must match the name of your app. By default mywebappname.azurewebsites.net.
5656

5757
By default, without private endpoint, the public name of your web app is a canonical name to the cluster.
58-
For example, the name resolution will be:
58+
For example, the name resolution is:
5959

6060
|Name |Type |Value |
6161
|-----|-----|------|
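Review bot: the first context line of this hunk, "By default mywebappname.azurewebsites.net.", is a sentence fragment; suggest "By default, this is mywebappname.azurewebsites.net." Only the tense change is in scope for this hunk, but the fragment sits directly above the changed line and is worth fixing in the same pass.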
@@ -65,18 +65,18 @@ For example, the name resolution will be:
6565

6666

6767
When you deploy a private endpoint, we update the DNS entry to point to the canonical name mywebapp.privatelink.azurewebsites.net.
68-
For example, the name resolution will be:
68+
For example, the name resolution is:
6969

7070
|Name |Type |Value |Remark |
7171
|-----|-----|------|-------|
7272
|mywebapp.azurewebsites.net|CNAME|mywebapp.privatelink.azurewebsites.net|
7373
|mywebapp.privatelink.azurewebsites.net|CNAME|clustername.azurewebsites.windows.net|
7474
|clustername.azurewebsites.windows.net|CNAME|cloudservicename.cloudapp.net|
75-
|cloudservicename.cloudapp.net|A|40.122.110.154|<--This public IP isn't your private endpoint, you'll receive a 403 error|
75+
|cloudservicename.cloudapp.net|A|40.122.110.154|<--This public IP isn't your private endpoint, you receive a 403 error|
7676

7777
You must set up a private DNS server or an Azure DNS private zone. For tests, you can modify the host entry of your test machine.
7878
The DNS zone that you need to create is: **privatelink.azurewebsites.net**. Register the record for your app with a A record and the private endpoint IP.
79-
For example, the name resolution will be:
79+
For example, the name resolution is:
8080

8181
|Name |Type |Value |Remark |
8282
|-----|-----|------|-------|
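Review bot: in the changed table row the Remark cell is the only one filled in, and the three CNAME rows above it have just three cells under a four-column header; add an empty trailing cell (`|`) to those rows so the table renders consistently, and consider dropping the `<--` arrow, which reads as an inline annotation rather than a table remark. In the same hunk, the unchanged context line "Register the record for your app with a A record" should read "an A record".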
@@ -86,8 +86,7 @@ For example, the name resolution will be:
8686
After this DNS configuration, you can reach your app privately with the default name mywebappname.azurewebsites.net. You must use this name, because the default certificate is issued for *.azurewebsites.net.
8787

8888

89-
If you need to use a custom DNS name, you must add the custom name in your app.
90-
The custom name must be validated like any custom name, using public DNS resolution.
89+
If you need to use a custom DNS name, you must add the custom name in your app and you must validate the custom name like any custom name, using public DNS resolution.
9190
For more information, see [custom DNS validation](../app-service-web-tutorial-custom-domain.md).
9291

9392
For the Kudu console, or Kudu REST API (deployment with Azure DevOps self-hosted agents for example), you must create two records pointing to the private endpoint IP in your Azure DNS private zone or your custom DNS server. The first is for your app, the second is for the SCM of your app.
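Review bot: the merged sentence is now a run-on with "you must" repeated: "you must add the custom name in your app and you must validate the custom name like any custom name". Suggest "you must add the custom name in your app and validate it like any other custom name, using public DNS resolution." Keeping the two requirements in one sentence is fine, but the repetition should go.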
@@ -109,7 +108,7 @@ az appservice ase update --name myasename --allow-new-private-endpoint-connectio
109108

110109
## Specific requirements
111110

112-
If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but it will also automatically be registered when creating the first web app in a subscription.
111+
If the virtual network is in a different subscription than the app, you must ensure that the subscription with the virtual network is registered for the `Microsoft.Web` resource provider. You can explicitly register the provider [by following this documentation](../../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider), but you also automatically register the provider when you create the first web app in a subscription.
113112

114113
## Pricing
115114
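Review bot: the active-voice rewrite changes who performs the action: "you also automatically register the provider when you create the first web app" implies a user step, whereas the original said the registration happens automatically. Suggest "but the provider is also registered automatically when you create the first web app in a subscription", which keeps the tense cleanup without implying the user does anything.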

@@ -118,11 +117,12 @@ For pricing details, see [Azure Private Link pricing](https://azure.microsoft.co
118117

119118
## Limitations
120119

121-
* When you use Azure Function in Elastic Premium plan with private endpoint, to run or execute the function in Azure portal, you must have direct network access or you'll receive an HTTP 403 error. In other words, your browser must be able to reach the private endpoint to execute the function from the Azure portal.
120+
* When you use Azure Function in Elastic Premium plan with private endpoint, to run or execute the function in Azure portal, you must have direct network access or you receive an HTTP 403 error. In other words, your browser must be able to reach the private endpoint to execute the function from the Azure portal.
122121
* You can connect up to 100 private endpoints to a particular app.
123122
* Remote Debugging functionality isn't available through the private endpoint. The recommendation is to deploy the code to a slot and remote debug it there.
124123
* FTP access is provided through the inbound public IP address. Private endpoint doesn't support FTP access to the app.
125124
* IP-Based SSL isn't supported with private endpoints.
125+
* Apps that you configure with private endpoints are only accessible through private endpoint from clients in subnets that are configured with the `Microsoft.Web` service endpoint.
126126

127127
We're improving Azure Private Link feature and private endpoint regularly, check [this article](../../private-link/private-endpoint-overview.md#limitations) for up-to-date information about limitations.
128128
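Review bot: the new limitation bullet is ambiguous. "Apps that you configure with private endpoints are only accessible through private endpoint from clients in subnets that are configured with the `Microsoft.Web` service endpoint" can be read either as "clients in service-endpoint subnets can reach the app only via the private endpoint" or as "only clients in service-endpoint subnets can use the private endpoint". The NOTE added to overview-access-restrictions.md in this same commit says service-endpoint-based access restriction rules are not supported on apps with a private endpoint, so if the first reading is the intended one, state it that way and cross-reference that note; the second reading would contradict the rest of this article, which never requires a service endpoint on the client subnet.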

articles/app-service/overview-access-restrictions.md

Lines changed: 8 additions & 8 deletions
@@ -9,19 +9,19 @@ ms.author: madsd
99

1010
# Azure App Service access restrictions
1111

12-
Access restrictions in App Service are equivalent to a firewall allowing you to block and filter traffic. Access restrictions apply to **inbound** access only. Most App Service pricing tiers also have the ability to add private endpoints to the app, which is an additional entry point to the app. Access restrictions don't apply to traffic entering through a private endpoint. For all apps hosted on App Service, the default entry point is publicly available. The only exception is apps hosted in ILB App Service Environment where the default entry point is internal to the virtual network.
12+
Access restrictions in App Service are equivalent to a firewall allowing you to block and filter traffic. Access restrictions apply to **inbound** access only. Most App Service pricing tiers also have the ability to add private endpoints to the app, which is another entry point to the app. Access restrictions don't apply to traffic entering through a private endpoint. For all apps hosted on App Service, the default entry point is publicly available. The only exception is apps hosted in ILB App Service Environment where the default entry point is internal to the virtual network.
1313

1414
## How it works
1515

16-
When traffic reaches App Service, it will first evaluate if the traffic originates from a private endpoint or is coming through the default endpoint. If the traffic is sent through a private endpoint, it will be sent directly to the site without any restrictions. Restrictions to private endpoints are configured using network security groups.
16+
When traffic reaches App Service, it first evaluates if the traffic originates from a private endpoint or is coming through the default endpoint. If the traffic is sent through a private endpoint, it will be sent directly to the site without any restrictions. Restrictions to private endpoints are configured using network security groups.
1717

18-
If the traffic is sent through the default endpoint (often a public endpoint), the traffic is first evaluated at the site access level. Here you can either enable or disable access. If site access is enabled, the traffic will be evaluated at the app access level. For any app, you'll have both the main site and the advanced tools site (also known as scm or kudu site). You have the option of configuring a set of access restriction rules for each site. You can also specify the behavior if no rules are matched. The following sections will go into details.
18+
If you send traffic through the default endpoint (often a public endpoint), the traffic is first evaluated at the site access level. Here you can either enable or disable access. If you enable site access, the traffic will be evaluated at the app access level. For any app, you have both the main site and the advanced tools site (also known as scm or kudu site). You have the option of configuring a set of access restriction rules for each site. You can also specify the behavior if no rules are matched. The following sections go into details.
1919

2020
:::image type="content" source="media/overview-access-restrictions/access-restriction-diagram.png" alt-text="Diagram of access restrictions high-level flow.":::
2121

2222
## App access
2323

24-
App access allows you to configure if access is available through the default (public) endpoint. If the setting has never been configured, the default behavior is to enable access unless a private endpoint exists after which it will be implicitly disabled. You have the ability to explicitly configure this behavior to either enabled or disabled even if private endpoints exist.
24+
App access allows you to configure if access is available through the default (public) endpoint. If you've never configured the setting, the default behavior is to enable access unless a private endpoint exists after which it will be implicitly disabled. You have the ability to explicitly configure this behavior to either enabled or disabled even if private endpoints exist.
2525

2626
:::image type="content" source="media/overview-access-restrictions/app-access-portal.png" alt-text="Screenshot of app access option in Azure portal.":::
2727
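Review bot: the tense cleanup in this hunk is incomplete: "it will be sent directly to the site without any restrictions", "the traffic will be evaluated at the app access level" and "after which it will be implicitly disabled" keep the future tense that the other edits remove. Suggest "it's sent directly", "the traffic is evaluated" and "after which it's implicitly disabled". The last of these is the security-relevant default (public access is implicitly disabled once a private endpoint exists), so it is worth phrasing it plainly.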

@@ -35,7 +35,7 @@ Site access restriction has several types of rules that you can apply:
3535

3636
### Unmatched rule
3737

38-
You can configure the behavior when no rules are matched (the default action). It's a special rule that will always appear as the last rule of the rules collection. If the setting has never been configured, the unmatched rule behavior is to allow all access unless one or more rules exists after which it will be implicitly changed to deny all access. You can explicitly configure this behavior to either allow or deny access regardless of defined rules.
38+
You can configure the behavior when no rules are matched (the default action). It's a special rule that always appears as the last rule of the rules collection. If the setting has never been configured, the unmatched rule behavior is to allow all access unless one or more rules exists after which it will be implicitly changed to deny all access. You can explicitly configure this behavior to either allow or deny access regardless of defined rules.
3939

4040
### IP-based access restriction rules
4141
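Review bot: same inconsistency as the earlier hunk: "after which it will be implicitly changed to deny all access" keeps the future tense the changed line removes; suggest "after which it's implicitly changed to deny all access". Also, the unchanged text "unless one or more rules exists" should read "exist".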

@@ -54,7 +54,7 @@ To learn how to enable this feature, see [Configuring access restrictions](./app
5454
Service endpoints allow you to lock down *inbound* access to your app so that the source address must come from a set of subnets that you select. This feature works together with IP access restrictions. Service endpoints aren't compatible with remote debugging. If you want to use remote debugging with your app, your client can't be in a subnet that has service endpoints enabled. The process for setting service endpoints is similar to the process for setting IP access restrictions. You can build an allow/deny list of access rules that includes public addresses and subnets in your virtual networks.
5555

5656
> [!NOTE]
57-
> Access restriction rules based on service endpoints are not supported on apps that use IP-based SSL ([App-assigned address](./networking-features.md#app-assigned-address)).
57+
> Access restriction rules based on service endpoints are not supported on apps that have private endpoint configured or apps that use IP-based SSL ([App-assigned address](./networking-features.md#app-assigned-address)).
5858
5959
To learn more about configuring service endpoints with your app, see [Azure App Service access restrictions](../virtual-network/virtual-network-service-endpoints-overview.md).
6060
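Review bot: the NOTE now adds a behavioural restriction (no service-endpoint-based rules on apps that have a private endpoint) rather than a wording fix, so it should be stated the same way in the Limitations list of private-endpoint.md in this commit, where the new bullet is phrased ambiguously. Minor: the rest of this article uses contractions ("aren't", "doesn't"), so "are not supported" could be "aren't supported". In the unchanged context below the note, the link text "Azure App Service access restrictions" points at the virtual network service endpoints overview; the link text should describe that target.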

@@ -104,15 +104,15 @@ The advanced tools site, which is also known as scm or kudu, has an individual r
104104

105105
### Deploy through a private endpoint
106106

107-
You might have a site that is publicly accessible, but your deployment system is in a virtual network. You can keep the deployment traffic private by adding a private endpoint. You then need to ensure that public app access is enabled. Finally you need to set the unmatched rule for the advanced tools site to deny, which will block all public traffic to that endpoint.
107+
You might have a site that is publicly accessible, but your deployment system is in a virtual network. You can keep the deployment traffic private by adding a private endpoint. You then need to ensure that public app access is enabled. Finally you need to set the unmatched rule for the advanced tools site to deny, which blocks all public traffic to that endpoint.
108108

109109
### Allow external partner access to private endpoint protected site
110110

111111
In this scenario, you're accessing your site through a private endpoint and are deploying through a private endpoint. You may want to temporarily invite an external partner to test the site. You can do that by enabling public app access. Add a rule (IP-based) to identify the client of the partner. Configure unmatched rules action to deny for both main and advanced tools site.
112112

113113
### Restrict access to a specific Azure Front Door instance
114114

115-
Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the AzureFrontDoor.Backend service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you'll need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal.
115+
Traffic from Azure Front Door to your application originates from a well known set of IP ranges defined in the `AzureFrontDoor.Backend` service tag. Using a service tag restriction rule, you can restrict traffic to only originate from Azure Front Door. To ensure traffic only originates from your specific instance, you need to further filter the incoming requests based on the unique http header that Azure Front Door sends called X-Azure-FDID. You can find the Front Door ID in the portal.
116116

117117
## Next steps
118118
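Review bot: the changed line puts `AzureFrontDoor.Backend` in backticks but leaves X-Azure-FDID in plain text; format the header name the same way (`X-Azure-FDID`), write "HTTP header" rather than "http header", and hyphenate "well-known". The substance is right: the service tag rule alone admits traffic from any Front Door instance, and only the header check narrows it to the reader's own instance, so it may be worth saying explicitly that the service tag rule is not sufficient on its own.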

articles/private-link/private-endpoint-dns.md

Lines changed: 1 addition & 1 deletion
@@ -103,7 +103,7 @@ For Azure services, use the recommended zone names as described in the following
103103
| Microsoft PowerBI (Microsoft.PowerBI/privateLinkServicesForPowerBI) | privatelink.analysis.windows.net </br> privatelink.pbidedicated.windows.net </br> privatelink.tip1.powerquery.microsoft.com | analysis.windows.net </br> pbidedicated.windows.net </br> tip1.powerquery.microsoft.com |
104104
| Azure Bot Service (Microsoft.BotService/botServices) / Bot | privatelink.directline.botframework.com | directline.botframework.com </br> europe.directline.botframework.com |
105105
| Azure Bot Service (Microsoft.BotService/botServices) / Token | privatelink.token.botframework.com | token.botframework.com </br> europe.token.botframework.com |
106-
| Azure Data Health Data Services (Microsoft.HealthcareApis/workspaces) / healthcareworkspace | workspace.privatelink.azurehealthcareapis.com </br> fhir.privatelink.azurehealthcareapis.com </br> dicom.privatelink.azurehealthcareapis.com | workspace.azurehealthcareapis.com </br> fhir.azurehealthcareapis.com </br> dicom.azurehealthcareapis.com |
106+
| Azure Health Data Services (Microsoft.HealthcareApis/workspaces) / healthcareworkspace | privatelink.workspace.azurehealthcareapis.com </br> privatelink.fhir.azurehealthcareapis.com </br> privatelink.dicom.azurehealthcareapis.com | workspace.azurehealthcareapis.com </br> fhir.azurehealthcareapis.com </br> dicom.azurehealthcareapis.com |
107107
| Azure Databricks (Microsoft.Databricks/workspaces) / databricks_ui_api, browser_authentication | privatelink.azuredatabricks.net | azuredatabricks.net
108108

109109
<sup>1</sup>To use with IoT Hub's built-in Event Hub compatible endpoint. To learn more, see [private link support for IoT Hub's built-in endpoint](../iot-hub/virtual-network-support.md#built-in-event-hubs-compatible-endpoint)
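Review bot: the zone-name correction (`privatelink.` as the leading label rather than inserted after the service label) now matches the pattern of every other row in this table, and the product name fix to Azure Health Data Services is consistent with the resource provider in the same cell. In the unchanged Databricks row directly below, the last cell has no closing `|`, which some renderers handle differently from the other rows; worth fixing while touching this table.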
