update

Author: msmbaldwin

articles/security/fundamentals/azure-domains.md

@@ -9,7 +9,7 @@ ms.author: mbaldwin
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 04/11/2025
+ms.date: 01/06/2026
 ---
 # Reference list of Azure domains (not comprehensive)
 
@@ -31,7 +31,8 @@ This page is a partial list of the Azure domains in use. Some of them are REST A
 |[Azure Cosmos DB](/azure/cosmos-db/)|*.cosmos.azure.com|
 |[Azure Cosmos DB](/azure/cosmos-db/)|*.documents.azure.com|
 |[Azure Files](../../storage/files/storage-files-introduction.md)|*.file.core.windows.net|
-|[Azure Front Door](https://azure.microsoft.com/services/frontdoor/)|*.azurefd.net|
+|[Azure Front Door](/azure/frontdoor/) (classic)|*.azurefd.net|
+|[Azure Front Door](/azure/frontdoor/) Standard/Premium|*.z01.azurefd.net|
 |[Azure Key Vault](/azure/key-vault/general/overview)| *.vault.azure.net|
 |[Azure Kubernetes Service](/azure/aks/)|*.azmk8s.io|
 |Azure Management Services|*.management.core.windows.net|
@@ -40,7 +41,7 @@ This page is a partial list of the Azure domains in use. Some of them are REST A
 |[Azure Queue Storage](https://azure.microsoft.com/services/storage/queues/)|*.queue.core.windows.net|
 |[Azure Service Bus](../../service-bus-messaging/service-bus-messaging-overview.md)|*.servicebus.windows.net|
 |[Azure SQL Database](https://azure.microsoft.com/services/sql-database/)|*.database.windows.net|
-|[Azure Stack Edge](https://azure.microsoft.com/products/azure-stack/edge/) and [Azure IoT Edge](https://azure.microsoft.com/services/iot-edge/)|*.azureedge.net|
+|[Azure CDN](/azure/cdn/) (migrated to [Azure Front Door](/azure/frontdoor/))|*.azureedge.net|
 |[Azure Table Storage](../../storage/tables/table-storage-overview.md)|*.table.core.windows.net|
 |[Azure Traffic Manager](../../traffic-manager/traffic-manager-overview.md)|*.trafficmanager.net|
 |Azure Websites|*.azurewebsites.net|

articles/security/fundamentals/isolation-choices.md

@@ -6,7 +6,7 @@ author: msmbaldwin
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 12/03/2025
+ms.date: 01/06/2026
 ms.author: mbaldwin
 
 ---
@@ -305,10 +305,10 @@ Azure deployment has multiple layers of network isolation. The following diagram
 
 **Traffic isolation:** A [virtual network](../../virtual-network/virtual-networks-overview.md) is the traffic isolation boundary on the Azure platform. Virtual machines (VMs) in one virtual network cannot communicate directly to VMs in a different virtual network, even if both virtual networks are created by the same customer. Isolation is a critical property that ensures customer VMs and communication remains private within a virtual network.
 
-[Subnet](../../virtual-network/virtual-networks-overview.md) offers an additional layer of isolation with in virtual network based on IP range. IP addresses in the virtual network, you can divide a virtual network into multiple subnets for organization and security. VMs and PaaS role instances deployed to subnets (same or different) within a VNet can communicate with each other without any extra configuration. You can also configure [network security group (NSGs)](../../virtual-network/virtual-networks-overview.md) to allow or deny network traffic to a VM instance based on rules configured in access control list (ACL) of NSG. NSGs can be associated with either subnets or individual VM instances within that subnet. When an NSG is associated with a subnet, the ACL rules apply to all the VM instances in that subnet.
+[Subnet](../../virtual-network/virtual-networks-overview.md) offers an additional layer of isolation with in virtual network based on IP range. IP addresses in the virtual network, you can divide a virtual network into multiple subnets for organization and security. VMs and PaaS role instances deployed to subnets (same or different) within a VNet can communicate with each other without any extra configuration. You can also configure [network security groups (NSGs)](../../virtual-network/network-security-groups-overview.md) to allow or deny network traffic to a VM instance based on security rules. NSGs can be associated with either subnets or individual network interfaces attached to VMs. When an NSG is associated with a subnet, the security rules apply to all the VM instances in that subnet.
 
 ## Next Steps
 
-- Learn about [Network Isolation Options for Machines in Windows Azure Virtual Networks](https://azure.microsoft.com/blog/network-isolation-options-for-machines-in-windows-azure-virtual-networks/). This includes the classic front-end and back-end scenario where machines in a particular back-end network or subnetwork may only allow certain clients or other computers to connect to a particular endpoint based on an allowlist of IP addresses.
+- Learn about [network security groups](/azure/virtual-network/network-security-groups-overview). Network security groups filter network traffic between Azure resources in a virtual network, allowing you to restrict traffic to subnets or virtual machines based on source, destination, port, and protocol using security rules.
 
 - Learn about [virtual machine isolation in Azure](/azure/virtual-machines/isolation). Azure Compute offers virtual machine sizes that are isolated to a specific hardware type and dedicated to a single customer.

articles/security/fundamentals/pen-testing.md

@@ -7,7 +7,7 @@ ms.assetid: 695d918c-a9ac-4eba-8692-af4526734ccc
 ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
-ms.date: 04/23/2025
+ms.date: 01/06/2026
 ms.author: mbaldwin
 ---
 
@@ -23,21 +23,36 @@ As of June 15, 2017, Microsoft no longer requires pre-approval to conduct a pene
 > [!IMPORTANT]
 > While notifying Microsoft of pen testing activities is no longer required customers must still comply with the [Microsoft Cloud Unified Penetration Testing Rules of Engagement](https://www.microsoft.com/msrc/pentest-rules-of-engagement).
 
+## Permitted testing
+
+You can perform penetration testing on your own Azure-hosted applications and services without prior approval. This includes testing:
+
+* Your endpoints hosted on Azure Virtual Machines
+* Azure App Service applications (Web Apps, API Apps, Mobile Apps)
+* Azure Functions and API endpoints
+* Azure Websites
+* Any other Azure services where you own or have explicit authorization to test the deployed resources
+
 Standard tests you can perform include:
 
 * Tests on your endpoints to uncover the [Open Web Application Security Project (OWASP) top 10 vulnerabilities](https://owasp.org/www-project-top-ten/)
+* Dynamic Application Security Testing (DAST) of your web applications and APIs
 * [Fuzz testing](https://www.microsoft.com/research/blog/a-brief-introduction-to-fuzzing-and-why-its-an-important-tool-for-developers/) of your endpoints
 * [Port scanning](https://en.wikipedia.org/wiki/Port_scanner) of your endpoints
 
+## Prohibited testing
+
 One type of pen test that you can't perform is any kind of [Denial of Service (DoS)](https://en.wikipedia.org/wiki/Denial-of-service_attack) attack. This test includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate, or simulate any type of DoS attack.
 
-> [!Note]
-> You may only simulate attacks using Microsoft approved testing partners:
-> - [BreakingPoint Cloud](https://www.ixiacom.com/products/breakingpoint-cloud): A self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
-> - [Red Button](https://www.red-button.net/): Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
-> - [RedWolf](https://www.redwolfsecurity.com/services/#cloud-ddos) a self-service or guided DDoS testing provider with real-time control.
->
-> To learn more about these simulation partners, see [testing with simulation partners](../../ddos-protection/test-through-simulations.md).
+## DDoS simulation testing
+
+If you need to test your DDoS resilience, you can use Microsoft-approved simulation partners. These partners provide controlled DDoS simulation services that don't violate the penetration testing rules:
+
+- [BreakingPoint Cloud](https://www.ixiacom.com/products/breakingpoint-cloud): A self-service traffic generator where your customers can generate traffic against DDoS Protection-enabled public endpoints for simulations.
+- [Red Button](https://www.red-button.net/): Work with a dedicated team of experts to simulate real-world DDoS attack scenarios in a controlled environment.
+- [RedWolf](https://www.redwolfsecurity.com/services/#cloud-ddos): A self-service or guided DDoS testing provider with real-time control.
+
+To learn more about these simulation partners, see [testing with simulation partners](../../ddos-protection/test-through-simulations.md).
 
 ## Next steps
 

articles/security/fundamentals/ransomware-detect-respond.md

@@ -6,7 +6,7 @@ ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
 ms.author: mbaldwin
-ms.date: 04/16/2025
+ms.date: 01/06/2026
 
 ---
 
@@ -82,8 +82,6 @@ Our Rapid Ransomware Recovery services are treated as "Confidential" for the dur
 
 For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
 
-See the white paper: [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack).
-
 Other Azure ransomware articles:
 
 - [Ransomware protection in Azure](ransomware-protection.md)

articles/security/fundamentals/ransomware-features-resources.md

@@ -6,7 +6,7 @@ ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
 ms.author: mbaldwin
-ms.date: 04/16/2025
+ms.date: 01/06/2026
 ---
 
 # Azure features & resources that help you protect, detect, and respond to ransomware attacks
@@ -136,8 +136,6 @@ For detailed information on how Microsoft secures our cloud, visit the [service
 
 For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
 
-See the white paper: [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack).
-
 Other Azure ransomware articles:
 
 - [Ransomware protection in Azure](ransomware-protection.md)

articles/security/fundamentals/ransomware-prepare.md

@@ -6,7 +6,7 @@ ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
 ms.author: mbaldwin
-ms.date: 04/23/2025
+ms.date: 01/06/2026
 ---
 
 # Prepare for a ransomware attack
@@ -147,8 +147,6 @@ For detailed guidance, see [Backup and restore plan to protect against ransomwar
 
 For comprehensive ransomware protection guidance across all Microsoft platforms and services, see [Protect your organization against ransomware and extortion](/security/ransomware/protect-against-ransomware).
 
-See the white paper: [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack).
-
 Other Azure ransomware articles:
 
 - [Ransomware protection in Azure](ransomware-protection.md)

articles/security/fundamentals/ransomware-protection.md

@@ -6,7 +6,7 @@ ms.service: security
 ms.subservice: security-fundamentals
 ms.topic: article
 ms.author: mbaldwin
-ms.date: 05/01/2025
+ms.date: 01/06/2026
 
 ---
 
@@ -73,7 +73,6 @@ Azure-specific ransomware protection articles:
 - [Improve your security defenses for ransomware attacks with Azure Firewall Premium](ransomware-protection-with-azure-firewall.md)
 
 Additional resources:
-- [Azure defenses for ransomware attack whitepaper](https://azure.microsoft.com/resources/azure-defenses-for-ransomware-attack)
 - [What is ransomware?](/security/ransomware/human-operated-ransomware)