This how-to guide outlines the steps to create a [logical server](logical-servers.md) for Azure SQL Database with a [user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types). For more information on the benefits of using a user-assigned managed identity for the server identity in Azure SQL Database, see [User-assigned managed identity in Azure AD for Azure SQL](authentication-azure-ad-user-assigned-managed-identity.md).
19
23
20
24
To retrieve the system-assigned managed identity (SMI) or user-assigned managed identity or identities (UMI) of an Azure SQL Database, see [Get or set a managed identity for a logical server or managed instance](authentication-azure-ad-user-assigned-managed-identity.md#get-or-set-a-managed-identity-for-a-logical-server-or-managed-instance).
21
25
22
-
> [!NOTE]
23
-
> If you're looking for a guide on Azure SQL Managed Instance, see [Create an Azure SQL Managed Instance with a user-assigned managed identity](../managed-instance/authentication-azure-ad-user-assigned-managed-identity-create-managed-instance.md).
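Review bot: the two `-` lines at old 22-23 delete the `[!NOTE]` block that sends Azure SQL Managed Instance readers to the managed-instance guide, and no replacement `+` lines for it are visible in this hunk. The managed-instance article in this same commit still carries the reciprocal pointer (`> If you are looking for a guide on Azure SQL Database, see ...create-server.md`), so removing it only on the database side leaves the cross-linking one-directional. If the note was moved higher in the file, fine; otherwise restore it.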
azure-sql/managed-instance/authentication-azure-ad-user-assigned-managed-identity-create-managed-instance.md (5 additions & 4 deletions)
@@ -1,4 +1,4 @@
1
-
x---
1
+
---
2
2
title: Create an Azure SQL Managed Instance using a user-assigned managed identity
3
3
titleSuffix: Azure SQL Managed Instance
4
4
description: This article guides you through creating an Azure SQL Managed Instance using a user-assigned managed identity
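Review bot: good catch on the front-matter delimiter. With `x---` on line 1 the file did not start with `---`, so the YAML metadata block (`title`, `ms.topic`, and so on) would be rendered as body text instead of being parsed. Nothing else needed in this hunk.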
@@ -8,15 +8,16 @@ ms.reviewer: vanto
8
8
ms.date: 06/30/2022
9
9
ms.service: sql-managed-instance
10
10
ms.subservice: security
11
-
ms.topic: conceptual
11
+
ms.topic: how-to
12
12
---
13
13
14
14
# Create an Azure SQL Managed Instance with a user-assigned managed identity
> If you are looking for a guide on Azure SQL Database, see [Create an Azure SQL logical server using a user-assigned managed identity](../database/authentication-azure-ad-user-assigned-managed-identity-create-server.md)
This how-to guide outlines the steps to create an [Azure SQL Managed Instance](sql-managed-instance-paas-overview.md) with a [user-assigned managed identity](/azure/active-directory/managed-identities-azure-resources/overview#managed-identity-types). For more information on the benefits of using a user-assigned managed identity for the server identity in Azure SQL Database, see [User-assigned managed identity in Azure AD for Azure SQL](../database/authentication-azure-ad-user-assigned-managed-identity.md).
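Review bot: `ms.topic: how-to` matches the article's opening sentence ("This how-to guide outlines...") and the imperative title, so the metadata change is correct. Two things in the surrounding context are worth fixing while the file is open: `ms.date: 06/30/2022` is left untouched even though the page type changes, and the unchanged line `For more information on the benefits of using a user-assigned managed identity for the server identity in Azure SQL Database` still says Azure SQL Database in the Managed Instance article. Since that sentence links to the shared `../database/authentication-azure-ad-user-assigned-managed-identity.md`, `for Azure SQL` would avoid telling readers the wrong service.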
Today you have multiple choices when deciding how and where you host your application.
19
+
This article describes how to connect your application to Azure SQL Managed Instance in a number of different application scenarios inside or between Azure virtual networks.
20
20
21
-
You may choose to host an application in the cloud by using Azure App Service or some of Azure's virtual network integrated options, like Azure App Service Environment, Azure Virtual Machines, and Virtual Machine Scale Sets. You could also take the hybrid ("mixed") cloud approach and keep your applications on-premises.
22
-
23
-
Whatever choice you make, your application can connect to Azure SQL Managed Instance. This article describes how to do so in a number of different application scenarios inside or between Azure virtual networks.
21
+
Today you have multiple choices when deciding how and where you host your application. You may choose to host an application in the cloud by using Azure App Service or some of Azure's virtual network integrated options, like Azure App Service Environment, Azure Virtual Machines, and Virtual Machine Scale Sets. You could also take the hybrid ("mixed") cloud approach and keep your applications on-premises. Whatever choice you make, your application can connect to Azure SQL Managed Instance in a number of different application scenarios inside or between Azure virtual networks.
24
22
25
23
You can also enable data access to your managed instance from outside a virtual network – for example, from multi-tenant Azure services like Power BI and Azure App Service, or from an on-premises network not connected to your virtual networks via VPN. To accomplish these and similar scenarios, please refer to [Configure public endpoint in Azure SQL Managed Instance](./public-endpoint-configure.md).
26
24
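Review bot: new line 21 merges the three old paragraphs into one and repeats the phrase `in a number of different application scenarios inside or between Azure virtual networks` that new line 19 already uses, so the introduction now says the same thing twice within three lines. Suggest ending line 21 at `...your application can connect to Azure SQL Managed Instance.` and keeping the scenario wording in line 19 only. (The file header and `@@` header for this hunk are missing from the rendered page, so the file it belongs to is not shown here.)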
@@ -40,32 +38,39 @@ There are three options to connect to a SQL Managed Instance in a different virt
Of the three, private endpoints are the most secure and resource-economical option because they expose only the SQL Managed Instance from its virtual network, allow for one-way connectivity only, and require just one IP address in the application's virtual network. If private endpoints can't fully meet the requirements of your scenario, consider virtual network peering. Peering uses Azure backbone network, so there is no noticeable latency penalty for communication across virtual network boundaries. Virtual network peering is supported between networks across all regions (global virtual network peering), while [instances hosted in subnets created before September 22, 2020](frequently-asked-questions-faq.yml#does-sql-managed-instance-support-global-vnet-peering) only support peering within their region.
41
+
Of the three, private endpoints are the most secure and resource-economical option because they:
42
+
- only expose the SQL Managed Instance from its virtual network
43
+
- only allow one-way connectivity only
44
+
- require just one IP address in the application's virtual network.
45
+
46
+
If private endpoints can't fully meet the requirements of your scenario, consider virtual network peering instead. Peering uses the backbone Azure network, so there's no noticeable latency penalty for communication across virtual network boundaries. Virtual network peering is supported between networks across all regions (global virtual network peering), while [instances hosted in subnets created before September 22, 2020](frequently-asked-questions-faq.yml#does-sql-managed-instance-support-global-vnet-peering) only support peering within their region.
44
47
45
48
## Connect from on-premises
46
49
47
-
You can connect your on-premises application to the [VNet-local endpoint](connectivity-architecture-overview.md#vnet-local-endpoint) of your SQL Managed Instance. In order to access it from on-premises, you need to make a site-to-site connection between the application and the SQL Managed Instance virtual network. If data-only access to your managed instance is sufiicient, you can connect to it from outside a virtual network via a public endpoint; see [Configure public endpoint in Azure SQL Managed Instance](./public-endpoint-configure.md).
50
+
You can connect your on-premises application to the [VNet-local endpoint](connectivity-architecture-overview.md#vnet-local-endpoint) of your SQL Managed Instance. In order to access it from on-premises, you need to make a site-to-site connection between the application and the SQL Managed Instance virtual network. If data-only access to your managed instance is sufficient, you can connect to it from outside a virtual network via a public endpoint - review [Configure public endpoint in Azure SQL Managed Instance](./public-endpoint-configure.md) to learn more.
48
51
49
-
There are two options for how to connect an on-premises application to an Azure virtual network:
52
+
There are two options to connect an on-premises application to an Azure virtual network:
If you've established an on-premises to Azure connection successfully and you can't establish a connection to SQL Managed Instance, check if your firewall has an open outbound connection on SQL port 1433 as well as the 11000-11999 range of ports for redirection.
57
+
If you've established an on-premises connection to Azure connection and you can't establish a connection to SQL Managed Instance, check if your firewall has an open outbound connection on SQL port 1433 as well as the 11000-11999 range of ports for redirection.
55
58
56
59
## Connect a developer box
57
60
58
-
It is also possible to connect your developer box to SQL Managed Instance. In order to access it from your developer box via virtual network, you first need to make a connection between your developer box and the SQL Managed Instance virtual network. To do so, configure a point-to-site connection to a virtual network using native Azure certificate authentication. For more information, see [Configure a point-to-site connection to connect to Azure SQL Managed Instance from an on-premises computer](point-to-site-p2s-configure.md).
61
+
It's also possible to connect your developer box to SQL Managed Instance. In order to access it from your developer box via the virtual network, you first need to make a connection between your developer box and the SQL Managed Instance virtual network. To do so, configure a point-to-site connection to a virtual network using native Azure certificate authentication. For more information, see [Configure a point-to-site connection to connect to Azure SQL Managed Instance from an on-premises computer](point-to-site-p2s-configure.md).
59
62
60
63
For data access to your managed instance from outside a virtual network see [Configure public endpoint in Azure SQL Managed Instance](./public-endpoint-configure.md).
61
64
62
65
## Connect to a spoke network
63
66
64
-
Another common scenario is where a VPN gateway is installed in a separate virtual network (and perhaps subscription) - _spoke network_ - from the one hosting SQL Managed Instance (_hub network_). Connectivity to SQL Managed Instance from the spoke network is configured via one of the options listed in [Connect from inside a different VNet](#connect-from-inside-a-different-vnet): private endpoints, VNet peering, or a VNet-to-VNet gateway. The following sample architecture diagram shows how this can be implemented.
67
+
Another common scenario is where a VPN gateway is installed in a separate virtual network (and perhaps subscription) - _spoke network_ - from the one hosting SQL Managed Instance (_hub network_). Connectivity to SQL Managed Instance from the spoke network is configured via one of the options listed in [Connect from inside a different VNet](#connect-from-inside-a-different-vnet): private endpoints, VNet peering, or a VNet-to-VNet gateway.
68
+
69
+
The following sample architecture diagram shows VNet peering:
Note that if you are peering hub and spoke networks, you'll also need to ensure that the VPN gateway sees the IP addresses from the hub network. To do so, make the following changes under the**Peering settings**:
73
+
If you are peering hub and spoke networks, ensure the VPN gateway sees the IP addresses from the hub network. To do so, make the following changes under **Peering settings**:
69
74
70
75
1. In the virtual network that hosts the VPN gateway (spoke network), go to **Peerings**, go to the peered virtual network connection for SQL Managed Instance, and select **Allow Gateway Transit**.
71
76
2. In the virtual network that hosts SQL Managed Instance (hub network), go to **Peerings**, go to the peered virtual network connection for the VPN gateway, and select **Use remote gateways**.
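Review bot: two wording problems in the added lines. New line 43 reads `- only allow one-way connectivity only`, duplicating `only`; since the bullet above it already starts with `only`, `- allow one-way connectivity only` or `- allow only one-way connectivity` reads cleanly and keeps the security point (the endpoint is reachable from the application's network, not the other way round). New line 57, `If you've established an on-premises connection to Azure connection and you can't establish a connection to SQL Managed Instance`, is more garbled than the line it replaces; `If you've established an on-premises-to-Azure connection but can't connect to SQL Managed Instance` keeps the meaning. The `sufiicient` to `sufficient` fix on line 50 and the list reformatting of the private-endpoint rationale are fine.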
@@ -74,35 +79,35 @@ Note that if you are peering hub and spoke networks, you'll also need to ensure
74
79
75
80
You can also connect an application hosted by Azure App Service when it is [integrated with your virtual network](/azure/app-service/overview-vnet-integration.md). To do so, select one of the mechanisms listed in [Connect from inside a different VNet](#connect-from-inside-a-different-vnet). For data access to your managed instance from outside a virtual network, see [Configure public endpoint in Azure SQL Managed Instance](./public-endpoint-configure.md).
76
81
77
-
A special case of connecting Azure App Service to SQL Managed Instance is when you integrate Azure App Service to a network peered to a SQL Managed Instance virtual network. That case requires the following configuration to be set up:
82
+
A special case for connecting Azure App Service to SQL Managed Instance is when you integrate Azure App Service to a network peered to a SQL Managed Instance virtual network. That case requires the following configuration to be set up:
78
83
79
84
- SQL Managed Instance virtual network must NOT have a gateway
80
85
- SQL Managed Instance virtual network must have the `Use remote gateways` option set
81
86
- Peered virtual network must have the `Allow gateway transit` option set
82
87
83
88
This scenario is illustrated in the following diagram:

86
91
87
-
>[!NOTE]
88
-
>The virtual network integration feature does not integrate an app with a virtual network that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, virtual network integration does not work. If you need to access resources through an ExpressRoute connection, then you can use App Service Environment, which runs in your virtual network.
92
+
>[!NOTE]
93
+
>The virtual network integration feature does not integrate an app with a virtual network that has an ExpressRoute gateway. Even if the ExpressRoute gateway is configured in coexistence mode, virtual network integration does not work. If you need to access resources through an ExpressRoute connection, then you can use App Service Environment, which runs in your virtual network.
89
94
90
-
For troubleshooting Azure App Service access via virtual network, see[Troubleshooting virtual networks and applications](/azure/app-service/overview-vnet-integration#troubleshooting).
95
+
To troubleshoot Azure App Service access via virtual network, review[Troubleshooting virtual networks and applications](/azure/app-service/overview-vnet-integration#troubleshooting).
91
96
92
-
## Troubleshooting connectivity issues
97
+
## Troubleshoot connectivity issues
93
98
94
-
For troubleshooting connectivity issues, review the following:
99
+
To troubleshoot connectivity issues, review the following:
95
100
96
-
- If you are unable to connect to SQL Managed Instance from an Azure virtual machine within the same virtual network but a different subnet, check if you have a Network Security Group set on VM subnet that might be blocking access. Additionally, open outbound connection on SQL port 1433 as well as ports in the range 11000-11999, since those are needed for connecting via redirection inside the Azure boundary.
101
+
- If you are unable to connect to SQL Managed Instance from an Azure virtual machine within the same virtual network but a different subnet, check if you have a Network Security Group set up on VM subnet that might be blocking access. Additionally, open outbound connection on SQL port 1433 as well as ports in the range 11000-11999, since those are needed to connect via redirection inside the Azure boundary.
97
102
- Ensure that BGP Propagation is set to **Enabled** for the route table associated with the virtual network.
98
103
- If using point-to-site VPN, check the configuration in the Azure portal to see if you see **Ingress/Egress** numbers. Non-zero numbers indicate that Azure is routing traffic to/from on-premises.

101
106
102
107
- Check that the client machine (that is running the VPN client) has route entries for all the virtual networks that you need to access. The routes are stored in

106
111
107
112
As shown in this image, there are two entries for each virtual network involved and a third entry for the VPN endpoint that is configured in the portal.
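Review bot: new line 95 still has no space between `review` and the link (`review[Troubleshooting virtual networks and applications]`), carried over from the old `see[Troubleshooting...`; since the line is being rewritten anyway, insert the space. The `[!NOTE]` block removed at old 87-88 and re-added at new 92-93 is identical in the rendered diff (`>[!NOTE]` with no space after `>`), so that pair is either a whitespace-only change or a no-op; if it is intentional, `> [!NOTE]` with a space would match the note syntax used in the database article earlier in this commit. Minor: new line 101 `check if you have a Network Security Group set up on VM subnet` wants `on the VM subnet`.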