Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into topic-ddos

Author: halkazwini

articles/automation/delete-account.md

@@ -4,13 +4,13 @@ description: This article tells how to delete and your Automation account across
 services: automation
 ms.service: azure-automation
 ms.subservice: process-automation
-ms.date: 10/10/2024
+ms.date: 12/28/2024
 ms.topic: how-to 
 ---
 
 # Manage your Azure Automation account
 
-After you enable an Azure Automation account to help automate IT or business process, or enable its other features to support operations management of your Azure and non-Azure machines such as Update Management, you may decide to stop using the Automation account. If you have enabled features that depend on integration with an Azure Monitor Log Analytics workspace, there are more steps required to complete this action.
+After you enable an Azure Automation account to help automate IT or business process, or enable its other features to support operations management of your Azure and non-Azure machines, you may decide to stop using the Automation account. If you have enabled features that depend on integration with an Azure Monitor Log Analytics workspace, there are more steps required to complete this action.
 
 This article tells you how to completely remove your Automation account through the Azure portal, using Azure PowerShell, the Azure CLI, or the REST API and restore your deleted Azure Automation account.
 

articles/azure-resource-manager/bicep/frequently-asked-questions.yml

@@ -3,6 +3,7 @@ metadata:
   title: Bicep frequently asked questions
   description: Answers to common questions about using Bicep to deploy resources to Azure.
   ms.topic: faq
+  ms.date: 01/21/2022
 
 title: Frequently asked questions for Bicep
 summary: |

articles/azure-resource-manager/templates/create-visual-studio-deployment-project.md

@@ -11,7 +11,7 @@ ms.date: 10/24/2024
 > The Azure Resource Group project is now in extended support, meaning we will continue to support existing features and capabilities but won't prioritize adding new features.
 
 > [!NOTE]
-> For the best and most secure experience, we strongly recommend updating your Visual Studio installation to the [latest Long-Term Support (LTS) version](/visualstudio/install/update-visual-studio). Upgrading will improve both the reliability and overall performance of your Visual Studio environment. If you choose not to upgrade, you may encounter the issues documented in [Issues when creating and deploying Azure resource groups through Visual Studio](https://learn.microsoft.com/troubleshoot/developer/visualstudio/ide/troubleshoot-create-deploy-resource-group).
+> For the best and most secure experience, we strongly recommend updating your Visual Studio installation to the [latest Long-Term Support (LTS) version](/visualstudio/install/update-visual-studio). Upgrading will improve both the reliability and overall performance of your Visual Studio environment. If you choose not to upgrade, you may encounter the issues documented in [Issues when creating and deploying Azure resource groups through Visual Studio](/troubleshoot/developer/visualstudio/ide/troubleshoot-create-deploy-resource-group).
 
 With Visual Studio, you can create a project that deploys your infrastructure and code to Azure. For example, you can deploy the web host, website, and code for the website. Visual Studio provides many different starter templates for deploying common scenarios. In this article, you deploy a web app.
 

articles/azure-resource-manager/templates/update-visual-studio-deployment-script.md

@@ -11,7 +11,7 @@ ms.date: 10/24/2024
 > The Azure Resource Group project is now in extended support, meaning we will continue to support existing features and capabilities but won't prioritize adding new features.
 
 > [!NOTE]
-> For the best and most secure experience, we strongly recommend updating your Visual Studio installation to the [latest Long-Term Support (LTS) version](/visualstudio/install/update-visual-studio). Upgrading will improve both the reliability and overall performance of your Visual Studio environment. If you choose not to upgrade, you may encounter the issues documented in [Issues when creating and deploying Azure resource groups through Visual Studio](https://learn.microsoft.com/troubleshoot/developer/visualstudio/ide/troubleshoot-create-deploy-resource-group).
+> For the best and most secure experience, we strongly recommend updating your Visual Studio installation to the [latest Long-Term Support (LTS) version](/visualstudio/install/update-visual-studio). Upgrading will improve both the reliability and overall performance of your Visual Studio environment. If you choose not to upgrade, you may encounter the issues documented in [Issues when creating and deploying Azure resource groups through Visual Studio](/troubleshoot/developer/visualstudio/ide/troubleshoot-create-deploy-resource-group).
 
 Visual Studio 16.4 supports using the Az PowerShell module in the template deployment script. However, Visual Studio doesn't automatically install that module. To use the Az module, you need to take four steps:
 

articles/azure-signalr/howto-network-access-control.md

@@ -12,35 +12,95 @@ ms.author: lianwei
 
 # Configure network access control
 
-Azure SignalR Service enables you to secure and control the level of access to your service endpoint based on the request type and subset of networks. When network rules are configured, only applications requesting data over the specified set of networks can access your SignalR Service.
+Azure SignalR Service allows you to secure and manage access to your service endpoint based on request types and network subsets. When you configure network access control rules, only applications making requests from the specified networks can access your SignalR Service.
 
-SignalR Service has a public endpoint that is accessible through the internet. You can also create [private endpoints for your Azure SignalR Service](howto-private-endpoints.md). A private endpoint assigns a private IP address from your VNet to the SignalR Service, and secures all traffic between your VNet and the SignalR Service over a private link. The SignalR Service network access control provides access control for both public and private endpoints.
+   :::image type="content" alt-text="Screenshot showing network access control decision flow chart." source="media\howto-network-access-control\network-acl-decision-flow-chart.png" :::
 
-Optionally, you can choose to allow or deny certain types of requests for the public endpoint and each private endpoint. For example, you can block all [Server Connections](signalr-concept-internals.md#application-server-connections) from public endpoint and make sure they only originate from a specific VNet.
+> [!IMPORTANT]
+> An application that accesses a SignalR Service when network access control rules are in effect still requires proper authorization for the request.
 
-An application that accesses a SignalR Service when network access control rules are in effect still requires proper authorization for the request.
 
-## Scenario A - No public traffic
+## Public Network Access
 
-To completely deny all public traffic, first configure the public network rule to allow no request type. Then, you can configure rules that grant access to traffic from specific VNets. This configuration enables you to build a secure network boundary for your applications.
+We offer a single, unified switch to simplify the configuration of public network access. The switch has following options:
 
-## Scenario B - Only client connections from public network
+* Disabled: Completely blocks public network access. All other network access control rules are ignored for public networks.
+* Enabled: Allows public network access, which is further regulated by additional network access control rules.
 
-In this scenario, you can configure the public network rule to only allow [Client Connections](signalr-concept-internals.md#client-connections) from the public network. You can then configure private network rules to allow other types of requests originating from a specific VNet. This configuration hides your app servers from the public network and establishes secure connections between your app servers and SignalR Service.
+### [Configure Public Network Access via Portal](#tab/azure-portal)
 
-## Managing network access control
+1. Go to the SignalR Service instance you want to secure.
+1. Select **Networking** from the left side menu. Select **Public access** tab:
+
+   :::image type="content" alt-text="Screenshot showing how to configure public network access." source="media\howto-network-access-control\portal-public-network-access.png" :::
+
+1. Select **Disabled** or **Enabled**.
+
+1. Select **Save** to apply your changes.
+
+### [Configure Public Network Access via Bicep](#tab/bicep)
+
+The following template disables public network access:
+
+```bicep
+resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
+  name: 'foobar'
+  location: 'eastus'
+  properties: {
+    publicNetworkAccess: 'Disabled'
+  }
+}
+```
+
+-----
+
+
+## Default Action
+
+The default action is applied when no other rule matches.
 
-You can manage network access control for SignalR Service through the Azure portal.
+### [Configure Default Action via Portal](#tab/azure-portal)
 
 1. Go to the SignalR Service instance you want to secure.
 1. Select **Network access control** from the left side menu.
 
-    ![Network ACL on portal](media/howto-network-access-control/portal.png)
+    ![Default action on portal](media/howto-network-access-control/portal-default-action.png)
+
+1. To edit the default action, toggle the **Allow/Deny** button.
+1. Select **Save** to apply your changes.
+
+### [Configure Default Action via Bicep](#tab/bicep)
+
+The following template sets the default action to `Deny`.
+
+```bicep
+resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
+  name: 'foobar'
+  location: 'eastus'
+  properties: {
+    networkACLs: {
+        defaultAction: 'Deny'
+    }
+}
+```
+
+-----
 
-1. To edit default action, toggle the **Allow/Deny** button.
 
-    > [!TIP]
-    > The default action is the action the service takes when no access control rule matches a request. For example, if the default action is **Deny**, then the request types that are not explicitly approved will be denied.
+## Request Type Rules
+
+You can configure rules to allow or deny specified request types for both the public network and each [private endpoint](howto-private-endpoints.md).
+
+For example, [Server Connections](signalr-concept-internals.md#application-server-connections) are typically high-privileged. To enhance security, you may want to restrict their origin. You can configure rules to block all Server Connections from public network, and only allow they originate from a specifiec virtual network.
+
+If no rule matches, the default action is applied.
+
+### [Configure Request Type Rules via Portal](#tab/azure-portal)
+
+1. Go to the SignalR Service instance you want to secure.
+1. Select **Network access control** from the left side menu.
+
+    ![Request type rules on portal](media/howto-network-access-control/portal-request-type-rules.png)
 
 1. To edit public network rule, select allowed types of requests under **Public network**.
 
@@ -52,6 +112,97 @@ You can manage network access control for SignalR Service through the Azure port
 
 1. Select **Save** to apply your changes.
 
+### [Configure Request Type Rules via Bicep](#tab/bicep)
+
+The following template denies all requests from the public network except client connections. Additionally, it allows only Server Connections, REST API calls, and Trace calls from a specific private endpoint.
+
+The name of the private endpoint connection can be inspected in the `privateEndpointConnections` sub-resource. It's automatically generated by the system.
+
+```bicep
+resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
+  name: 'foobar'
+  location: 'eastus'
+  properties: {
+    networkACLs: {
+        defaultAction: 'Deny'
+        publicNetwork: {
+            allow: ['ClientConnection']
+        }
+        privateEndpoints: [
+            {
+                name: 'foo.8e4d6671-8d62-4bb7-8c41-827dde9c1a05'
+                allow: ['ServerConnection', 'ClientConnection', 'RESTAPI', 'Trace']
+            }
+        ]
+    }
+}
+```
+
+-----
+
+
+## IP Rules
+
+IP rules allow you to grant or deny access to specific public internet IP address ranges. These rules can be used to permit access for certain internet-based services and on-premises networks or to block general internet traffic.
+
+The following restrictions apply:
+
+* You can configure up to 30 rules.
+* Address ranges must be specified using [CIDR notation](https://tools.ietf.org/html/rfc4632), such as `16.17.18.0/24`. Both IPv4 and IPv6 addresses are supported.
+* IP rules are evaluated in the order they are defined. If no rule matches, the default action is applied.
+* IP rules apply only to public traffic and cannot block traffic from private endpoints.
+
+### [Configure IP Rules via Portal](#tab/azure-portal)
+
+1. Go to the SignalR Service instance you want to secure.
+1. Select **Networking** from the left side menu. Select **Access control rules** tab:
+
+   :::image type="content" alt-text="Screenshot showing how to configure IP rules." source="media\howto-network-access-control\portal-ip-rules.png" :::
+
+1. Edit the list under **IP rules** section.
+
+1. Select **Save** to apply your changes.
+
+### [Configure IP Rules via Bicep](#tab/bicep)
+
+The following template has these effects:
+
+* Requests from `123.0.0.0/8` and `2603::/8` are allowed.
+* Requests from all other IP ranges are denied.
+
+```bicep
+resource signalr 'Microsoft.SignalRService/SignalR@2024-08-01-preview' = {
+  name: 'foobar'
+  location: 'eastus'
+  properties: {
+    networkACLs: {
+      defaultAction: 'Deny'
+      ipRules: [
+        {
+          value: '123.0.0.0/8'
+          action: 'Allow'
+        }
+        {
+          value: '2603::/8'
+          action: 'Allow'
+        }
+        {
+          value: '0.0.0.0/0'
+          action: 'Deny'
+        }
+        {
+          value: '::/0'
+          action: 'Deny'
+        }
+      ]
+    }
+  }
+}
+```
+
+-----
+
+
 ## Next steps
 
 Learn more about [Azure Private Link](../private-link/private-link-overview.md).

articles/azure-signalr/howto-private-endpoints.md

@@ -37,7 +37,7 @@ When you create a private endpoint for an Azure SignalR Service in your VNet, a
 Azure SignalR Service owners can manage consent requests and the private endpoints, through the '*Private endpoints*' tab for the Azure SignalR Service in the [Azure portal](https://portal.azure.com).
 
 > [!TIP]
-> If you want to restrict access to your Azure SignalR Service through the private endpoint only, [configure the Network Access Control](howto-network-access-control.md#managing-network-access-control) to deny or control access through the public endpoint.
+> If you want to restrict access to your Azure SignalR Service through the private endpoint only, [configure the Network Access Control](howto-network-access-control.md) to deny or control access through the public endpoint.
 
 ### Connecting to private endpoints