Merged
23 changes: 21 additions & 2 deletions data-explorer/.openpublishing.redirection.json
Expand Up @@ -459,8 +459,7 @@
"source_path": "query-exported-azure-monitor-data.md",
"redirect_url": "/azure/data-explorer/query-monitor-data",
"redirect_document_id": false
},
{
}, {
"source_path": "using-metrics.md",
"redirect_url": "/azure/data-explorer/monitor-data-explorer",
"redirect_document_id": true
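Review bot: the collapsed `}, {` written in front of the `using-metrics.md` entry breaks the one-object-per-line layout used by every other entry in this file (the second hunk of this same file keeps `},` and `{` on separate lines); suggest restoring the two-line form so the file stays consistent and future additions produce minimal diffs.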
Expand All @@ -469,6 +468,26 @@
"source_path": "using-diagnostic-logs.md",
"redirect_url": "/azure/data-explorer/monitor-data-explorer",
"redirect_document_id": false
},
{
"source_path": "vnet-create-cluster-portal.md",
"redirect_url": "/azure/data-explorer/security-network-private-endpoint-create",
"redirect_document_id": false
},
{
"source_path": "vnet-deploy-troubleshoot.md",
"redirect_url": "/azure/data-explorer/security-network-private-endpoint-troubleshoot",
"redirect_document_id": false
},
{
"source_path": "vnet-deployment.md",
"redirect_url": "/azure/data-explorer/security-network-overview",
"redirect_document_id": false
},
{
"source_path": "vnet-endpoint-storage-event-hub.md",
"redirect_url": "/azure/data-explorer/security-network-managed-private-endpoint-create",
"redirect_document_id": false
}
]
}
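Review bot: the four new redirects assume the source pages no longer exist, but only the deletion of vnet-create-cluster-portal.md is visible in this diff; please confirm vnet-deployment.md, vnet-deploy-troubleshoot.md and vnet-endpoint-storage-event-hub.md are removed in the same change, otherwise the redirect entry and the live page conflict. Also reconsider the target for vnet-deployment.md: a reader who bookmarked the injection guide most likely still runs an injected cluster and needs security-network-migrate-vnet-to-private-endpoint.md (kept in the TOC by this PR), whereas security-network-overview.md as changed here no longer mentions injection at all.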
5 changes: 0 additions & 5 deletions data-explorer/azure-advisor.md
Expand Up @@ -138,7 +138,6 @@ Reliability recommendations include the following:

* [Cluster uses subnet without delegation](#cluster-uses-subnet-without-delegation)
* [Cluster uses subnet with invalid IP configuration](#cluster-uses-subnet-with-invalid-ip-configuration)
* [Cluster failed to install or resume due to virtual network issues](#cluster-failed-to-install-or-resume-due-to-virtual-network-issues)

#### Cluster uses subnet without delegation

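Review bot: the two bullets that remain, "Cluster uses subnet without delegation" and "Cluster uses subnet with invalid IP configuration", are both virtual-network-injection conditions, so after this removal the list still describes a configuration that customers can no longer create; either remove those two entries as well or add a sentence stating they apply only to clusters not yet migrated to private endpoints.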
Expand All @@ -148,10 +147,6 @@ The strong recommendation is given to a virtual network cluster that uses a subn

The recommendation is given to a virtual network cluster where the subnet is also used by other services. The recommendation is to remove all other services from the subnet and only use it for your cluster.

#### Cluster failed to install or resume due to virtual network issues

The recommendation is given to a cluster that failed to install or resume due to virtual network issues. The recommendation is to use the [virtual network troubleshooting guide](vnet-deploy-troubleshoot.md) to resolve the issue.

## Related content

* [Manage cluster horizontal scaling (scale out) in Azure Data Explorer to accommodate changing demand](manage-cluster-horizontal-scaling.md)
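Review bot: removing the heading together with its paragraph is the right scope, since the paragraph's only action was a link to vnet-deploy-troubleshoot.md, which this PR redirects to the private-endpoint troubleshooting page; please search the docset for the anchor `#cluster-failed-to-install-or-resume-due-to-virtual-network-issues` so that no other article still deep-links to it.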
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file removed data-explorer/media/vnet-deployment/vnet-diagram.png
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
1 change: 0 additions & 1 deletion data-explorer/policy-reference.md
Expand Up @@ -22,7 +22,6 @@ the link in the **Version** column to view the source on the
|[Azure Data Explorer encryption at rest should use a customer-managed key](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F81e74cea-30fd-40d5-802f-d72103c2aaaa) |Enabling encryption at rest using a customer-managed key on your Azure Data Explorer cluster provides additional control over the key being used by the encryption at rest. This feature is oftentimes applicable to customers with special compliance requirements and requires a Key Vault to managing the keys. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_CMK.json) |
|[Disk encryption should be enabled on Azure Data Explorer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff4b53539-8df9-40e4-86c6-6b607703bd4e) |Enabling disk encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_disk_encrypted.json) |
|[Double encryption should be enabled on Azure Data Explorer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fec068d99-e9c7-401f-8cef-5bdde4e6ccf1) |Enabling double encryption helps protect and safeguard your data to meet your organizational security and compliance commitments. When double encryption has been enabled, data in the storage account is encrypted twice, once at the service level and once at the infrastructure level, using two different encryption algorithms and two different keys. |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_doubleEncryption.json) |
|[Virtual network injection should be enabled for Azure Data Explorer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9ad2fd1f-b25f-47a2-aa01-1a5a779e6413) |Secure your network perimeter with virtual network injection which allows you to enforce network security group rules, connect on-premises and secure your data connection sources with service endpoints. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_VNET_configured.json) |
|[Azure Data Explorer should use a SKU that supports private link](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1fec9658-933f-4b3e-bc95-913ed22d012b) |With supported SKUs, Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The Private Link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to apps, you can reduce data leakage risks. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_PrivateEndpoint_NonPeSku_Deny.json) |
|[Public network access should be disabled on Azure Data Explorer](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F43bc7be6-5e69-4b0d-a2bb-e815557ca673) |Disabling the public network access property improves security by ensuring Azure Data Explorer can only be accessed from a private endpoint. This configuration denies the creation of Azure Data Explorer clusters with public network access enabled. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_PublicAccess_Deny.json) |
|[Configure Azure Data Explorer to disable public network access](https://ms.portal.azure.com/#view/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7b32f193-cb28-4e15-9a98-b9556db0bafa) |Disabling the public network access property shuts down public connectivity such that Azure Data Explorer can only be accessed from a private endpoint. This configuration disables the public network access for all Azure Data Explorer clusters. |Modify, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Azure%20Data%20Explorer/ADX_DisablePublicAccess_Modify.json) |
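Review bot: dropping the row does not retire the built-in definition itself (9ad2fd1f-b25f-47a2-aa01-1a5a779e6413 in the removed link); a customer who still has it assigned with the Deny effect listed in the row will keep having non-injected cluster creations blocked, now with no documentation explaining why. Consider replacing the row with a one-line deprecation note that points at the private-link and public-network-access policies that remain in the table. Unrelated to this change but in the touched hunk: the customer-managed-key context line reads "requires a Key Vault to managing the keys", which should be "to manage".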
Expand Up @@ -8,7 +8,10 @@ ms.date: 10/07/2024

# Migrate a Virtual Network injected cluster to private endpoints

This article describes the migration of a Microsoft Azure Virtual Network injected Azure Data Explorer cluster to an Azure Private Endpoints network security model. For a detailed comparison, see [Private endpoint vs. virtual network injection](security-network-overview.md#private-endpoint-vs-virtual-network-injection).
> [!WARNING]
> Virtual Network Injection was retired for Azure Data Explorer by 1 February 2025.

This article describes the migration of a Microsoft Azure Virtual Network injected Azure Data Explorer cluster to an Azure Private Endpoints network security model.

The process of the migration takes several minutes. The migration creates a new cluster for the engine and data management services, which reside in a virtual network managed by Microsoft. The connection is switched to the newly created services for you. This process results in a minimal downtime for querying the cluster.

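Review bot: the metadata context line still reads `ms.date: 10/07/2024` while the new warning states the February 2025 retirement as a past event; bump ms.date as security-network-overview.md does in this PR (06/02/2025) so the freshness stamp matches the content. Also, "was retired ... by 1 February 2025" reads as a deadline; if 1 February 2025 is the retirement date, "on" is clearer. Removing the link to the comparison section is consistent with that section being deleted from security-network-overview.md.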
Expand Up @@ -3,19 +3,16 @@ title: Network security for Azure Data Explorer cluster
description: 'Learn about the different options to secure your Azure Data Explorer cluster applying network security measures.'
ms.reviewer: basaba
ms.topic: reference
ms.date: 07/23/2024
ms.date: 06/02/2025
---

# Network security for Azure Data Explorer

Azure Data Explorer clusters are designed to be accessible using public URLs. Anyone with valid identity on a cluster can access it from any location. As an organization, securing data may be one your highest priority tasks. As such, you may want to limit and secure access to your cluster, or even only allow access to your cluster through your private virtual network. You can use one of the following options to achieve this goal:
Azure Data Explorer clusters are designed to be accessible using public URLs. Anyone with valid identity on a cluster can access it from any location. As an organization, securing data may be one your highest priority tasks. As such, you may want to limit and secure access to your cluster, or even only allow access to your cluster through your private virtual network. To achieve this goal, use:

* [Private endpoint](#private-endpoint) (recommended)
* [Virtual network (VNet) injection](#virtual-network-injection)
* [Private endpoint](#private-endpoint)

We highly recommended using *private endpoints* to secure network access to your cluster. This option has many advantages over *virtual network injection* that results in lower maintenance overhead, including a simpler deployment process and being more robust to virtual network changes.

The following section explains how to secure your cluster using private endpoints and virtual network injection.
The following section explains how to secure your cluster using private endpoints.

## Private endpoint

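Review bot: "To achieve this goal, use:" followed by a single-item bullet list reads awkwardly now that the second option is gone; suggest a plain sentence such as "To achieve this goal, use a [private endpoint](#private-endpoint)." and drop the list. Dropping "(recommended)" is correct since there is no alternative left to recommend against. While this paragraph is being edited, the unchanged text still has "Anyone with valid identity" and "one your highest priority tasks" ("a valid identity", "one of your").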
Expand All @@ -25,38 +22,16 @@ A private endpoint is a network interface that uses private IP addresses from yo

To successfully deploy your cluster into a private endpoint, you only require a set of private IP addresses.

> [!NOTE]
> Private endpoints aren't supported for a cluster that's injected into a virtual network.

## Virtual network injection

> [!WARNING]
> Virtual Network Injection will be retired for Azure Data Explorer by 1 February 2025. For more information on the deprecation, see [Deprecation of Virtual Network Injection for Azure Data Explorer](https://aka.ms/adx.security.vnet.deprecation).

Virtual network injection allows you to directly deploy your cluster into a virtual network. The cluster can be privately accessed from within the virtual network and over a VPN gateway, or Azure ExpressRoute from on-premises networks. Injecting a cluster into a virtual network enables you to manage all of its traffic. This includes the traffic to access the cluster and all of its data ingestion or exports. Additionally, you're responsible to allow Microsoft to access the cluster for management and health monitoring.

:::image type="content" source="media/vnet-deployment/vnet-diagram.png" alt-text="Diagram showing the schema of the virtual network injection architecture.":::

To successfully inject your cluster into a virtual network, you must configure your virtual network to meet the following requirements:

* You must delegate the subnet to *Microsoft.Kusto/clusters* to enable the service and to define its preconditions for deployment in the form of *network intent policies*
* The subnet needs to be well scaled to support future growth of the cluster's usage
* Two public IP addresses are required to manage the cluster and ensure that it's healthy
* Optionally, if you're using an additional firewall appliance to secure your network, you must allow your cluster to connect to a set of Fully Qualified Domain Names (FQDNs) for outgoing traffic

## Private endpoint vs. virtual network injection

Virtual network injection can lead to a high maintenance overhead, as a result of implementation details such as maintaining FQDN lists in firewalls or deploying public IP addresses in a restricted environment. Therefore, we recommend using a private endpoint to connect to your cluster.
## Network security features with private endpoints

The following table shows how network security related features could be implemented based on a cluster injected into a virtual network or secured using a private endpoint.
The following table shows how network security related features can be implemented using a private endpoint:

| Feature | Private endpoint | Virtual network injection |
|--- |--- |--- |
| Inbound IP address filtering | [Manage public access](security-network-restrict-public-access.md) | [Create an inbound Network Security Group rule](/azure/virtual-network/network-security-groups-overview) |
| Transitive access to other services (Storage, Event Hubs, etc.) | [Create a managed private endpoint](security-network-managed-private-endpoint-create.md) | [Create a private endpoint to the resource](vnet-endpoint-storage-event-hub.md) |
| Restricting outbound access | Use [Callout policies or the AllowedFQDNList](security-network-restrict-outbound-access.md) | Use a [virtual appliance](/azure/firewall/tutorial-firewall-deploy-portal) to the subnet's filter outgoing traffic |
| Feature | Private endpoint |
|--- |--- |
| Inbound IP address filtering | [Manage public access](security-network-restrict-public-access.md) |
| Transitive access to other services (Storage, Event Hubs, etc.) | [Create a managed private endpoint](security-network-managed-private-endpoint-create.md) |
| Restricting outbound access | Use [Callout policies or the AllowedFQDNList](security-network-restrict-outbound-access.md) |

## Related content

* [Private Endpoints for Azure Data Explorer](security-network-private-endpoint.md)
* [Deploy Azure Data Explorer into your Virtual Network](vnet-deployment.md)
* [Private Endpoints for Azure Data Explorer](security-network-private-endpoint.md)
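Review bot: deleting the note "Private endpoints aren't supported for a cluster that's injected into a virtual network" removes the only hint on this page for customers who still run an injected cluster, and the deleted comparison section was where they were previously pointed toward migration; since security-network-migrate-vnet-to-private-endpoint.md stays in the TOC, add it to Related content. The single-column feature table carries the same three links a list would; either is fine, but a list needs less markup.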
7 changes: 3 additions & 4 deletions data-explorer/security.md
Expand Up @@ -14,12 +14,11 @@ For more resources regarding compliance for your business or organization, see t

## Network security

Network security is a requirement shared by many of our security-conscious enterprise customers. The intent is to isolate the network traffic and limit the attack surface for Azure Data Explorer and corresponding communications. You can therefore block traffic originating from non-Azure Data Explorer network segments and assure that only traffic from known sources reach Azure Data Explorer end points. This includes traffic originating on-premises or outside of Azure, with an Azure destination and vice versa. Azure Data Explorer supports the following features to achieve this goal:
Network security is a requirement shared by many of our security-conscious enterprise customers. The intent is to isolate the network traffic and limit the attack surface for Azure Data Explorer and corresponding communications. You can therefore block traffic originating from non-Azure Data Explorer network segments and assure that only traffic from known sources reach Azure Data Explorer end points. This includes traffic originating on-premises or outside of Azure, with an Azure destination and vice versa.

* [Private endpoint](security-network-overview.md#private-endpoint) (recommended)
* [Virtual network (VNet) injection](security-network-overview.md#virtual-network-injection)
Azure Data Explorer supports private endpoints to achieve network isolation and security. Private endpoints provide a secure way to connect to your Azure Data Explorer cluster by using a private IP address from your virtual network, effectively bringing the service into your VNet. This ensures that traffic between your VNet and the service travels over the Microsoft backbone network, eliminating exposure from the public internet.

We highly recommended using private endpoints to secure network access to your cluster. This option has many advantages over virtual network injection that results in lower maintenance overhead, including a simpler deployment process and being more robust to virtual network changes.
For more information about configuring private endpoints for your cluster, see [Private endpoint](security-network-overview.md#private-endpoint).

## Identity and access control

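Review bot: "eliminating exposure from the public internet" overstates what a private endpoint alone does; the cluster's public endpoint stays reachable unless public network access is also disabled, which is exactly what the "Public network access should be disabled on Azure Data Explorer" policy kept in policy-reference.md enforces. Suggest "...travels over the Microsoft backbone network and, combined with disabling public network access, removes the public internet path." Pre-existing grammar in the context line: "assure that only traffic from known sources reach Azure Data Explorer end points" should read "ensure that only traffic from known sources reaches Azure Data Explorer endpoints".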
Expand Up @@ -79,7 +79,7 @@ items:
href: cross-tenant-query-and-commands.md
- name: Isolated compute
href: isolated-compute.md
- name: Network isolation (VNet)
- name: Network security
items:
- name: Network security overview
href: security-network-overview.md
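Review bot: renaming the node from "Network isolation (VNet)" to "Network security" matches the overview article's title, and the search keywords "VNET, virtual network" are still present on the restrict-public-access entry's displayName in the next hunk, so readers searching for the old term still land in this node; no further change needed here.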
Expand All @@ -96,19 +96,8 @@ items:
displayName: restrict, prevent, limit, IP addresses, allowlist, whitelist, VNET, private endpoint, virtual network
- name: Troubleshoot private endpoints
href: security-network-private-endpoint-troubleshoot.md
- name: Virtual network injection
items:
- name: Migrate VNet injected cluster to private endpoints
href: security-network-migrate-vnet-to-private-endpoint.md
- name: Create a cluster in your VNet - Portal
href: vnet-create-cluster-portal.md
- name: Deploy your cluster to your VNet
href: vnet-deployment.md
- name: Create a private or service endpoint to resources used by data connections
displayName: VNet, private endpoint, Azure Storage, event hub
href: vnet-endpoint-storage-event-hub.md
- name: Troubleshoot VNet cluster creation, connectivity, and operation
href: vnet-deploy-troubleshoot.md
- name: Migrate VNet injected cluster to private endpoints
href: security-network-migrate-vnet-to-private-endpoint.md
- name: Restrict outbound requests
href: security-network-restrict-outbound-access.md
- name: Encryption
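Review bot: the promoted "Migrate VNet injected cluster to private endpoints" entry now sits between "Troubleshoot private endpoints" and "Restrict outbound requests", which reads as a step in the private-endpoint flow rather than the one-time transition article it is; placing it directly after the overview entry or at the end of the node makes its purpose clearer. The moved entry keeps the same name/href indentation as its siblings, which is correct.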
21 changes: 0 additions & 21 deletions data-explorer/vnet-create-cluster-portal.md

This file was deleted.