Refresh articles 3 (#34570)

* Refresh articles 3

* add image

Author: VanMSFT

azure-sql/database/media/network-access-controls-overview/manage-server-firewall.png

@@ -4,19 +4,19 @@ titleSuffix: Azure SQL Database & Azure Synapse Analytics
 description: Overview of how to manage and control network access for Azure SQL Database and Azure Synapse Analytics.
 author: VanMSFT
 ms.author: vanto
-ms.reviewer: wiassaf, vanto, mathoma
-ms.date: 05/01/2024
+ms.reviewer: wiassaf, mathoma
+ms.date: 06/30/2025
 ms.service: azure-sql-database
 ms.subservice: security
-ms.topic: concept-article 
+ms.topic: concept-article
 ms.custom: sqldbrb=3
 ---
 
 # Azure SQL Database and Azure Synapse Analytics network access controls
 
-[!INCLUDE[appliesto-sqldb-asa](../includes/appliesto-sqldb-asa-formerly-sqldw.md)]
+[!INCLUDE [appliesto-sqldb-asa](../includes/appliesto-sqldb-asa-formerly-sqldw.md)]
 
-When you create a logical server from the [Azure portal](single-database-create-quickstart.md) for Azure SQL Database and Azure Synapse Analytics, the result is a public endpoint in the format: `yourservername.database.windows.net`.
+When you create a logical server from the [Quickstart: Create a single database - Azure SQL Database](single-database-create-quickstart.md) for Azure SQL Database and Azure Synapse Analytics, the result is a public endpoint in the format: `yourservername.database.windows.net`.
 
 By default, the logical server denies all connections to ensure security. You can use one or more of the following network access controls to selectively allow access to a database via the **public endpoint**
 
@@ -30,12 +30,12 @@ You can also allow **private access** to the database from [virtual networks](/a
 
 - **Private Link**: Use this feature to create a private endpoint for the [logical server in Azure](logical-servers.md) within a specific virtual network.
 
-> [!IMPORTANT]
+> [!IMPORTANT]  
 > This article does *not* apply to **SQL Managed Instance**. For more information about the networking configuration, see [connecting to Azure SQL Managed Instance](../managed-instance/connect-application-instance.md) .
 
 ## IP firewall rules
 
-IP based firewall rules is a feature of the logical server in Azure that prevents all access to your server until you explicitly [add IP addresses](firewall-create-server-level-portal-quickstart.md) of the client machines.
+IP based firewall rules are a feature of the logical server in Azure that prevents all access to your server until you explicitly [add IP addresses](firewall-create-server-level-portal-quickstart.md) of the client machines.
 
 There are two types of firewall rules:
 - **Server-level firewall rules**: These rules apply to all databases on the server. They can be configured through the Azure portal, PowerShell, or T-SQL commands like [sp_set_firewall_rule](/sql/relational-databases/system-stored-procedures/sp-set-firewall-rule-azure-sql-database).
@@ -46,31 +46,30 @@ The following are constraints for naming firewall rules:
 - The firewall rule name can't be empty.
 - It can't contain the following characters: `<, >, *, %, &, :, \\, /, ?.`
 - It can't end with a period (.).
-- The firewall rule name cannot exceed 128 characters.
-
-Any attempts to create firewall rules that do not meet these constraints fails with an error message. Any modifications made to existing IP based firewall rules can take up to 5 minutes to take effect.
+- The firewall rule name can't exceed 128 characters.
 
+Any attempts to create firewall rules that don't meet these constraints fails with an error message. Any modifications made to existing IP based firewall rules can take up to 5 minutes to take effect.
 
 ## Allow Azure services
 
 By default, during creation of a new logical server [from the Azure portal](single-database-create-quickstart.md), **Allow Azure services and resources to access this server** is unchecked and not enabled. This setting appears when connectivity is allowed via public endpoint.
 
 You can also change this setting via the **Networking** setting after the logical server is created as follows:
-  
-![Screenshot of manage server firewall][2]
+
+:::image type="content" source="./media/network-access-controls-overview/manage-server-firewall.png" alt-text="Screenshot of manage server firewall settings page.":::
 
 When **Allow Azure services and resources to access this server** is enabled, your server allows communications from all resources inside the Azure boundary, **regardless of whether they are part of your subscription**. Behind the scenes, a special server-level firewall rule is added that starts and ends with IP address of `0.0.0.0`.
 
-In many cases, enabling the setting is more permissive than what most customers want. You might want to uncheck this setting and replace it with more restrictive IP firewall rules or use one the options for private access. 
+In many cases, enabling the setting is more permissive than what most customers want. You might want to uncheck this setting and replace it with more restrictive IP firewall rules or use one the options for private access.
 
-> [!IMPORTANT]
+> [!IMPORTANT]  
 > Checking *Allow Azure services and resources to access this server* adds an IP based firewall rule with start and end IP address of 0.0.0.0
 
 However, doing so affects the following features that run on virtual machines in Azure that aren't part of your virtual network and hence connect to the database via an Azure IP address:
 
 ### Import Export Service
 
-Import Export Service doesn't work when **Allow Azure services and resources to access this server** isn't enabled. However you can work around the problem [by manually running SqlPackage from an Azure VM or performing the export](./database-import-export-azure-services-off.md) directly in your code by using the DACFx API.
+Import Export Service doesn't work when **Allow Azure services and resources to access this server** isn't enabled. However you can work around the problem [by manually running SqlPackage from an Azure VM or performing the export](database-import-export-azure-services-off.md) directly in your code by using the DACFx API.
 
 ### Data Sync
 
@@ -92,7 +91,7 @@ PS C:\> $sql.Properties.AddressPrefixes
 13.86.217.192/27
 ```
 
-> [!TIP]
+> [!TIP]  
 > Get-AzNetworkServiceTag returns the global range for SQL Service Tag despite specifying the Location parameter. Be sure to filter it to the region that hosts the Hub database used by your sync group
 
 The output of the PowerShell script is in Classless Inter-Domain Routing (CIDR) notation. This needs to be converted to a format of Start and End IP address using [Get-IPrangeStartEnd.ps1](https://www.sqltechnet.com/2020/12/powershell-set-azure-sql-firewall-for.html) like this:
@@ -119,46 +118,37 @@ You can now add these as distinct firewall rules and then disable the setting **
 
 ## Sql Service Tag
 
-[Service tags](/azure/virtual-network/service-tags-overview) can be used in security rules and routes from clients to SQL Database. Service tags can be used in network security groups, Azure Firewall, and user-defined routes by specifying them in the source or destination field of a security rule. 
+[Service tags](/azure/virtual-network/service-tags-overview) can be used in security rules and routes from clients to SQL Database. Service tags can be used in network security groups, Azure Firewall, and user-defined routes by specifying them in the source or destination field of a security rule.  
 The **Sql** service tag consists of all IP addresses that are being used by SQL Database. The tag is further segmented by regions. For example **Sql.WestUS** lists all the IP addresses used by SQL Database in West US.
 
 The **Sql** service tag consists of IP addresses that are required to establish connectivity to SQL Database as documented in [Gateway IP addresses](connectivity-architecture.md#gateway-ip-addresses). Additionally, a service tag will also be associated with any outbound traffic from SQL Database used in features such as:
 
-- [Auditing](auditing-overview.md)
+- [Auditing for Azure SQL Database and Azure Synapse Analytics](auditing-overview.md)
 - [Vulnerability assessment](/azure/defender-for-cloud/sql-azure-vulnerability-assessment-overview)
-- [Import/Export service](database-import-export-azure-services-off.md)
+- [Import or export an Azure SQL Database without allowing Azure services to access the server](database-import-export-azure-services-off.md)
 - [OPENROWSET](/sql/t-sql/functions/openrowset-transact-sql)
 - [Bulk Insert](/sql/t-sql/statements/bulk-insert-transact-sql)
 - [sp_invoke_external_rest_endpoint](/sql/relational-databases/system-stored-procedures/sp-invoke-external-rest-endpoint-transact-sql)
-- [Ledger](/sql/relational-databases/security/ledger/ledger-digest-management) 
-- [Azure SQL transparent data encryption with customer-managed key](transparent-data-encryption-byok-configure.md)
+- [Ledger](/sql/relational-databases/security/ledger/ledger-digest-management)
+- [PowerShell and Azure CLI: Enable Transparent Data Encryption with customer-managed key from Azure Key Vault](transparent-data-encryption-byok-configure.md)
 
 ## SqlManagement Service Tag
 
 SqlManagement service tag is used for control plane operations against SQL Database.
 
 ## Virtual network firewall rules
 
-[Virtual network firewall rules](vnet-service-endpoint-rule-overview.md) are easier alternatives to establish and manage access from a specific subnet that contains your VMs.
+[Use virtual network service endpoints and rules for servers in Azure SQL Database](vnet-service-endpoint-rule-overview.md) are easier alternatives to establish and manage access from a specific subnet that contains your VMs.
 
 ## Private Link
 
 Private Link allows you to connect to a server via a **private endpoint**. A [private endpoint](private-endpoint-overview.md) is a private IP address within a specific [virtual network](/azure/virtual-network/virtual-networks-overview) and subnet.
 
 ## Related content
 
-- For a quickstart on creating a server-level IP firewall rule, see [Create a database in SQL Database](single-database-create-quickstart.md).
-
-- For a quickstart on creating a server-level virtual network firewall rule, see [Virtual Network service endpoints and rules for Azure SQL Database](vnet-service-endpoint-rule-overview.md).
-
-- For help with connecting to a database in SQL Database from open source or partner applications, see [Client quickstart code samples to SQL Database](/previous-versions/azure/ee336282(v=azure.100)).
-
-- For information on other ports that you might need to open, see the **SQL Database: Outside vs inside** section of [Ports beyond 1433 for ADO.NET 4.5 and SQL Database](adonet-v12-develop-direct-route-ports.md)
-
-- For an overview of Azure SQL Database Connectivity, see [Azure SQL Connectivity Architecture](connectivity-architecture.md)
-
-- For an overview of Azure SQL Database security, see [Securing your database](security-overview.md)
-
-<!--Image references-->
-[1]: media/quickstart-create-single-database/new-server2.png
-[2]: media/quickstart-create-single-database/manage-server-firewall.png
+- [Quickstart: Create a single database - Azure SQL Database](single-database-create-quickstart.md)
+- [Use virtual network service endpoints and rules for servers in Azure SQL Database](vnet-service-endpoint-rule-overview.md)
+- [Client quickstart code samples to SQL Database](/previous-versions/azure/ee336282(v=azure.100))
+- [Ports beyond 1433 for ADO.NET 4.5](adonet-v12-develop-direct-route-ports.md)
+- [Connectivity architecture](connectivity-architecture.md)
+- [An overview of Azure SQL Database and SQL Managed Instance security capabilities](security-overview.md)

azure-sql/database/network-access-controls-overview.md

@@ -1,14 +1,14 @@
 ---
-title: Server roles
+title: Server Roles
 titleSuffix: Azure SQL Database
 description: This article provides an overview of server roles for the logical server of Azure SQL Database.
 author: VanMSFT
 ms.author: vanto
-ms.reviewer: wiassaf, vanto, mathoma, randolphwest
-ms.date: 05/09/2024
+ms.reviewer: wiassaf, mathoma, randolphwest
+ms.date: 06/30/2025
 ms.service: azure-sql-database
 ms.subservice: security
-ms.topic: concept-article 
+ms.topic: concept-article
 ---
 
 # Azure SQL Database server roles for permission management
@@ -34,7 +34,7 @@ Like SQL Server on-premises, server permissions are organized hierarchically. Th
 For example, the server-level role `##MS_ServerStateReader##` holds the permission `VIEW SERVER STATE`. If a login who is member of this role has a user account in the databases `master` and `WideWorldImporters`, this user has the permission `VIEW DATABASE STATE` in those two databases.
 
 > [!NOTE]  
-> Any permission can be denied within user databases, in effect, overriding the server-wide grant via role membership. However, in the system database *master*, permissions can't be granted or denied.
+> Any permission can be denied within user databases, in effect, overriding the server-wide grant via role membership. However, in the system database `master`, permissions can't be granted or denied.
 
 Azure SQL Database currently provides seven fixed server roles. The permissions that are granted to the fixed server roles can't be changed and these roles can't have other fixed roles as members. You can add server-level logins as members to server-level roles.
 
@@ -163,7 +163,7 @@ GO
 
 #### Part 2: Testing role membership
 
-Log in as login `Jiao` and connect to the user database used in the example.
+Sign in as login `Jiao` and connect to the user database used in the example.
 
 ```sql
 -- retrieve server-level permissions of currently logged on User