Merge pull request #54141 from staleycyn/patch-3

Content drift changes for the private access module

Author: JamesJBarnett

learn-pr/wwl-azure/design-implement-private-access-to-azure-services/includes/2-explain-virtual-network-service-endpoints.md

@@ -19,14 +19,17 @@ By default, Azure services are all designed for direct internet access. All Azur
 
 :::image type="content" source="../media/service-endpoint-e15a99ae.png" alt-text="Diagram showing web server, database server, and Service Endpoint within a VNet.":::
 
-Service Endpoints can connect certain services directly to your private address space in Azure. Azure Service Endpoints are available for many services, such as:
+Service Endpoints can connect certain services directly to your private address space in Azure. Azure Service Endpoints are available for many services, including:
 
 - Azure Storage
 - Azure SQL Database
 - Azure Cosmos DB
 - Azure Key Vault
 - Azure Service Bus
-- Azure Data Lake
+- Azure Event Hubs
+- Azure App Service
+- Azure Container Registry
+
 
 ## Service Endpoint optimization and security features
 

learn-pr/wwl-azure/design-implement-private-access-to-azure-services/includes/3-define-private-link-service-private-endpoint.md

@@ -32,19 +32,28 @@ Private Link provides secure access to Azure services. Private Link achieves tha
 
 [Azure private endpoint](/azure/private-link/private-endpoint-overview) is the key technology behind private link. Private endpoint is a network interface that enables a private and secure connection between your virtual network and an Azure service. In other words, private endpoint is the network interface that replaces the resource's public endpoint.
 
+Private Link provides secure access to Azure services. Private Link achieves that security by replacing a resource's public endpoint with a private network interface. Private Endpoint uses the private IP address for services into the virtual network.
 
+:::image type="content" source="../media/private-link-71e02d03.png" alt-text="Diagram showing private endpoint and private link zone.":::
 
+[Network policies](/azure/private-link/disable-private-endpoint-network-policy/) are disabled by default for private endpoint subnets. You can selectively enable support for:
 
-Private Link provides secure access to Azure services. Private Link achieves that security by replacing a resource's public endpoint with a private network interface. Private Endpoint uses the private IP address for services into the virtual network.
+- **Network Security Groups (NSG)**: Control inbound traffic to the private endpoint from specific sources.
 
-:::image type="content" source="../media/private-link-71e02d03.png" alt-text="Diagram showing private endpoint and private link zone.":::
+- **User Defined Routes (UDR)**: Override the default /32 route to redirect traffic through an NVA or firewall.
+
+- **Application Security Groups (ASG)**: Group private endpoints for policy application.
 
 
 ## How is Azure Private Endpoint different from a service endpoint?
 
-Private Endpoints grant network access to specific resources behind a given service providing granular segmentation. Traffic can reach the service resource from on premises without using public endpoints.
 
-A service endpoint remains a publicly routable IP address. A private endpoint is a private IP in the address space of the virtual network where the private endpoint is configured.
+
+Azure Private Endpoint lets you connect to an Azure service using a private IP address from your own virtual network. This process ensures all traffic on Microsoft's network and means you don't need the public internet to access the service.
+
+In contrast, Service Endpoints secure access to an Azure service’s public endpoint by allowing traffic from specific VNets or subnets, but the service itself still uses a public IP.
+
+Private Endpoints offer full isolation and higher security, while Service Endpoints are easier to set up but provide less isolation.
 
 
 > [!NOTE]

learn-pr/wwl-azure/design-implement-private-access-to-azure-services/includes/4-integrate-private-link-dns.md

@@ -6,7 +6,7 @@ Private Link gives you private access from your Azure virtual network to PaaS se
 
 Yes, by using [Azure Private Link Service](/azure/private-link/private-link-service-overview). This service lets you offer Private Link connections to your custom Azure services. Consumers of your custom services can then access those services privately—that is, without using the internet—from their own Azure virtual networks.
 
-Azure Private Link service is the reference to your own service that is powered by Azure Private Link. Your service that is running behind Azure standard load balancer can be enabled for Private Link access so that consumers to your service can access it privately from their own VNets. Your customers can create a private endpoint inside their VNet and map it to this service. A Private Link service receives connections from multiple private endpoints. A private endpoint connects to one Private Link service.
+Azure Private Link service is the reference to your own service that's powered by Azure Private Link. Your service that's running behind Azure standard load balancer can be enabled for Private Link access so that consumers to your service can access it privately from their own VNets. Your customers can create a private endpoint inside their VNet and map it to this service. A Private Link service receives connections from multiple private endpoints. A private endpoint connects to one Private Link service.
 
 :::image type="content" source="../media/consumer-provider-endpoint.png" alt-text="Diagram of the private link service workflow." lightbox="../media/consumer-provider-endpoint.png":::
 
@@ -18,10 +18,16 @@ The following diagram shows a typical [high-level architecture](/azure/architect
 
 In the previous diagram, it's important to highlight: 
 
-1. All Azure virtual networks use the DNS private resolver that is hosted in the hub virtual network.
+1. All Azure virtual networks use the DNS private resolver that's hosted in the hub virtual network.
+ 
 1. On-premises DNS servers have conditional forwarders configured for each private endpoint public DNS zone, pointing to the DNS private resolver hosted in the hub virtual network.
-1. The DNS private resolver hosted in the hub virtual network uses the Azure-provided DNS (168.63.129.16) as a forwarder. IP address 168.63.129.16 is a virtual public IP address that facilitates a communication channel to Azure platform resources. 
-1. The hub virtual network must be linked to the Private DNS zone names for Azure services, such as privatelink.blob.core.windows.net, as shown in the diagram.
+ 
+1. The DNS private resolver hosted in the hub virtual network uses the Azure-provided DNS (168.63.129.16) as a forwarder. IP address 168.63.129.16 is a virtual public IP address that facilitates a communication channel to Azure platform resources.
+
+1. The hub virtual network must be linked to the Private DNS zone names for Azure services, such as privatelink.blob.core.windows.net.
+
+> [!Note]
+> A DNS zone group is automatically created when integrating a private endpoint with a private DNS zone. The group links the endpoint to DNS zones and manages DNS records automatically. This automation reduces manual work and prevents configuration drift.
 
 ### What is Azure DNS Private Resolver
 

learn-pr/wwl-azure/design-implement-private-access-to-azure-services/index.yml

@@ -13,7 +13,7 @@ metadata:
   ms.custom:
   - N/A
   ms.service: azure
-  ai-usage: human-only
+  ai-usage: ai-assisted
 title: Design and implement private access to Azure Services
 summary: You learn to design and implement private access to Azure Services with Azure Private Link, and virtual network service endpoints.
 abstract: |