CSS doc ask #15996126

AbhishekMallick01 · AbhishekMallick01 · commit fff45ac39762 · 2023-04-05T21:00:02.000+05:30
diff --git a/articles/backup/backup-azure-private-endpoints-concept.md b/articles/backup/backup-azure-private-endpoints-concept.md
@@ -3,7 +3,7 @@ title: Private endpoints for Azure Backup - Overview
 description: This article explains about the concept of private endpoints for Azure Backup that helps to perform backups while maintaining the security of your resources.
 ms.topic: conceptual
 ms.service: backup
-ms.date: 03/08/2023
+ms.date: 04/06/2023
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -148,8 +148,6 @@ The workload extension running on Azure VM requires connection to at least two s
 For a private endpoint enabled vault, the Azure Backup service creates private endpoint for these storage accounts. This prevents any network traffic related to Azure Backup (control plane traffic to service and backup data to storage blob) from leaving the virtual network.
 In addition to the Azure Backup cloud services, the workload extension and agent require connectivity to the Azure Storage accounts and Azure Active Directory (Azure AD).
 
-As a pre-requisite, Recovery Services vault requires permissions for creating additional private endpoints in the same Resource Group. We also recommend providing the Recovery Services vault the permissions to create DNS entries in the private DNS zones (`privatelink.blob.core.windows.net`, `privatelink.queue.core.windows.net`). Recovery Services vault searches for private DNS zones in the resource groups where VNet and private endpoint are created. If it has the permissions to add DNS entries in these zones, they’ll be created by the vault; otherwise, you must create them manually.
-
 The following diagram shows how the name resolution works for storage accounts using a private DNS zone.
 
 :::image type="content" source="./media/private-endpoints-overview/name-resolution-works-for-storage-accounts-using-private-dns-zone-inline.png" alt-text="Diagram showing how the name resolution works for storage accounts using a private DNS zone." lightbox="./media/private-endpoints-overview/name-resolution-works-for-storage-accounts-using-private-dns-zone-expanded.png":::
diff --git a/articles/backup/backup-azure-private-endpoints-configure-manage.md b/articles/backup/backup-azure-private-endpoints-configure-manage.md
@@ -3,7 +3,7 @@ title: How to create and manage private endpoints (with v2 experience) for Azure
 description: This article explains how to configure and manage private endpoints for Azure Backup.
 ms.topic: how-to
 ms.service: backup
-ms.date: 03/08/2023
+ms.date: 04/06/2023
 author: jyothisuri
 ms.author: jsuri
 ---
@@ -108,9 +108,10 @@ You'll see an entry for the virtual network for which you've created the private
 
   |Zone |Service |
   |--- |--- |
-  |`privatelink.<geo>.backup.windowsazure.com` |Backup  |
-  |`privatelink.blob.core.windows.net`         |Blob    |
-  |`privatelink.queue.core.windows.net`        |Queue   |
+  |`*.privatelink.<geo>.backup.windowsazure.com` |Backup  |
+  |`*.blob.core.windows.net`                     |Blob    |
+  |`*.queue.core.windows.net`                    |Queue   |
+  |`*.storage.azure.net`                         |Blob    |
 
   >[!NOTE]
   > In the above text, `<geo>` refers to the region code (for example *eus* and *ne* for East US and North Europe respectively). Refer to the following lists for regions codes:
diff --git a/articles/backup/private-endpoints.md b/articles/backup/private-endpoints.md
@@ -2,7 +2,7 @@
 title: Create and use private endpoints for Azure Backup
 description: Understand the process to creating private endpoints for Azure Backup where using private endpoints helps maintain the security of your resources.
 ms.topic: how-to
-ms.date: 02/20/2023
+ms.date: 04/06/2023
 ms.custom: devx-track-azurepowershell
 ms.service: backup
 author: jyothisuri
@@ -165,67 +165,6 @@ For **each private DNS** zone listed above (for Backup, Blobs and Queues), do th
 
     ![Add virtual network link](./media/private-endpoints/add-virtual-network-link.png)
 
-### When using custom DNS server or host files
-
-If you're using your custom DNS servers, you'll need to add the DNS records needed by the private endpoints to your DNS servers. You can also use conditional forwarders and redirect the DNS request for the FQDN to Azure DNS. Azure DNS redirects the DNS requests to private DNS zone and resolve them.
-
-#### For the Backup service
-
-1. In your DNS server, create a DNS zone for Backup according to the following naming convention:
-
-    |Zone |Service |
-    |---------|---------|
-    |`privatelink.<geo>.backup.windowsazure.com`   |  Backup        |
-
-    >[!NOTE]
-    > In the above text, `<geo>` refers to the region code (for example *eus* and *ne* for East US and North Europe respectively). Refer to the following lists for regions codes:
-    >
-    > - [All public clouds](https://download.microsoft.com/download/1/2/6/126a410b-0e06-45ed-b2df-84f353034fa1/AzureRegionCodesList.docx)
-    > - [China](/azure/china/resources-developer-guide#check-endpoints-in-azure)
-    > - [Germany](../germany/germany-developer-guide.md#endpoint-mapping)
-    > - [US Gov](../azure-government/documentation-government-developer-guide.md)
-    > - [Geo-code list - sample XML](scripts/geo-code-list.md)
-
-1. Next, we need to add the required DNS records. To view the records that need to be added to the Backup DNS zone, navigate to the private endpoint you created above, and go to the **DNS configuration** option under the left navigation bar.
-
-    ![DNS configuration for custom DNS server](./media/private-endpoints/custom-dns-configuration.png)
-
-1. Add one entry for each FQDN and IP displayed as A type records in your DNS zone for Backup. If you're using a host file for name resolution, make corresponding entries in the host file for each IP and FQDN according to the following format:
-
-    `<private ip><space><backup service privatelink FQDN>`
-
->[!NOTE]
->As shown in the screenshot above, the FQDNs depict `xxxxxxxx.<geo>.backup.windowsazure.com` and not `xxxxxxxx.privatelink.<geo>.backup.windowsazure.com`. In such cases, ensure you include (and if required, add) the `.privatelink.` according to the stated format.
-
-#### For Blob and Queue services
-
-For blobs and queues, you can either use conditional forwarders or create DNS zones in your DNS server.
-
-##### If using conditional forwarders
-
-If you're using conditional forwarders, add forwarders for blob and queue FQDNs as follows:
-
-|FQDN  |IP  |
-|---------|---------|
-|`privatelink.blob.core.windows.net`     |  168.63.129.16       |
-|`privatelink.queue.core.windows.net`     | 168.63.129.16       |
-
-##### If using private DNS zones
-
-If you're using DNS zones for blobs and queues, you'll need to first create these DNS zones and later add the required A records.
-
-|Zone |Service  |
-|---------|---------|
-|`privatelink.blob.core.windows.net`     |  Blob     |
-|`privatelink.queue.core.windows.net`     | Queue        |
-
-At this moment, we'll only create the zones for blobs and queues when using custom DNS servers. Adding DNS records will be done later in two steps:
-
-1. When you register the first backup instance, that is, when you configure backup for the first time
-1. When you run the first backup
-
-We'll perform these steps in the following sections.
-
 ## When using custom DNS server or host files
 
 - If you're using a custom DNS server, you can use conditional forwarder for backup service, blob, and queue FQDNs to redirect the DNS requests to Azure DNS (168.63.129.16). Azure DNS redirects it to Azure Private DNS zone. In such setup, ensure that a virtual network link for Azure Private DNS zone exists as mentioned in [this section](#when-using-custom-dns-server-or-host-files).
