Merge pull request #31087 from MicrosoftDocs/main

7/10/2024 PM Publish

Author: Albertyang0

.openpublishing.redirection.azure-sql.json

@@ -110,6 +110,11 @@
       "redirect_url": "/azure/azure-sql/managed-instance/high-availability-sla-local-zone-redundancy",
       "redirect_document_id": true
     },
+    {
+      "source_path_from_root": "/azure-sql/managed-instance/november-2022-feature-wave-enroll.md",
+      "redirect_url": "/azure/azure-sql/managed-instance/doc-changes-updates-release-notes-whats-new#november-2022-feature-wave",
+      "redirect_document_id": false
+    },    
     {
       "source_path_from_root": "/azure-sql/managed-instance/azure-app-sync-network-configuration.md",
       "redirect_url": "/azure/azure-sql/managed-instance/",

azure-sql/database/sql-database-vulnerability-assessment-storage.md

@@ -5,7 +5,7 @@ description: Provides instructions on how to store Vulnerability Assessment (VA)
 author: cesanu
 ms.author: cesanu
 ms.reviewer: wiassaf, vanto, mathoma
-ms.date: 01/16/2023
+ms.date: 07/10/2024
 ms.service: sql-db-mi
 ms.subservice: security
 ms.topic: how-to
@@ -61,13 +61,10 @@ To find out which storage account is being used, do the following steps:
 
 Since Azure SQL Managed Instance isn't a trusted Microsoft Service and has a different VNet from the storage account, executing a VA scan will result in an error.
 
-> [!NOTE]
-> It is highly recommended to make sure your Azure SQL Managed Instances are enrolled to the [November 2022 feature wave](/azure/azure-sql/managed-instance/november-2022-feature-wave-enroll) which will allow much simpler configuration of SQL Vulnerability Assessment when the storage account is behind a firewall or VNET.
+To support VA scans on SQL managed instances, follow these steps:
 
-To support VA scans on Azure SQL Managed Instances that **have the November 2022 feature wave installed**, follow the below steps:
+1. On the **Overview** pane for the SQL managed instance resource in the Azure portal, note the value under **Virtual network / subnet**.
 
-1. Under the Azure SQL Managed Instance's **Overview** page, note the value under **Virtual network / subnet**.
-   
 1. Head to the **Networking** page in the storage account where SQL VA is configured to store the scan results.
 
 1. Under the **Firewalls and virtual networks** tab, under **Public network access** select **Enabled from selected virtual networks and IP addresses**.
@@ -76,60 +73,6 @@ To support VA scans on Azure SQL Managed Instances that **have the November 2022
 
    :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-networking-post-nov-22-wave.png" alt-text="Screenshot of storage account networking settings for Nov22 feature wave (and up)." lightbox="media/sql-database-vulnerability-assessment-storage/storage-networking-post-nov-22-wave.png":::
 
-To support VA scans on Azure SQL Managed Instances that **do not have the November 2022 feature wave installed**, follow the below steps:
-
-1. In the **SQL managed instance** pane, under the **Overview** heading, click the **Virtual network/subnet** link. This takes you to the **Virtual network** pane.
-
-   :::image type="content" source="../managed-instance/media/public-endpoint-configure/mi-overview.png" alt-text="Screenshot of the SQL managed instance overview section.":::
-
-1. Under **Settings**, select **Subnets**. Click **+ Subnet** in the new pane to add a subnet. For more information, see [Manage subnets](/azure/virtual-network/virtual-network-manage-subnet).
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-add-subnet.png" alt-text="Screenshot shows a list of subnets and the add subnet option." lightbox="media/sql-database-vulnerability-assessment-storage/mi-add-subnet.png" :::
-
-1. Traffic from the instance in the default managed instance subnet to Azure Resource Manager must be routed through the internet. Therefore, a route with the next hop being the internet and the destination tag being the appropriate UDR tag for the Azure Resource Manager address range must be assigned to the subnet where the managed instance is located.
-This route will be added automatically in new deployments, but needs to be added again if it was removed.
-   
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/managed-instance-post-nov-22-required-routing-settings.png" alt-text="Screenshot that shows the required route for the November 22 feature wave and later." lightbox="media/sql-database-vulnerability-assessment-storage/managed-instance-post-nov-22-required-routing-settings.png":::
-
-1. The new subnet should have the following configurations:
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/mi-add-subnet-details.png" alt-text="Screenshot shows a subnet called VA and its settings.":::
-
-   - NAT gateway: **None**
-   - Network security group: **None**
-   - Route table: **None**
-   - SERVICE ENDPOINTS - services: **None selected**
-   - SUBNET DELEGATION - Delegate subnet to a service: **None**
-   - NETWORK POLICY FOR PRIVATE ENDPOINTS - Private endpoint network policy: **None selected**
-
-1. Head to the storage account where SQL VA is configured to store the scan results and click the **Private endpoint connections** tab, then click **+ Private endpoint**
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-networking-firewalls-and-networking.png" alt-text="Screenshot shows Firewalls and virtual networks settings.":::
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-networking-private-endpoint-connections.png" alt-text="Screenshot shows add private endpoint button.":::
-
-1.	Choose the details for your private endpoint (it's suggested to put it in the same RG and the same region).
-
-      :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-create-private-endpoint-basics.png" alt-text="Screenshot shows private endpoint creation Basics tab.":::
-
-1. Choose **blob** for the **Target sub-resource**
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-create-private-endpoint-resource.png" alt-text="Screenshot shows private endpoint creation Resource tab.":::
-
-1. Select the virtual network of the SQL MI (from step 1) and choose the subnet you created (step 3):
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-create-private-endpoint-virtual-network.png" alt-text="Screenshot shows private endpoint creation Virtual Network tab.":::
-
-1. Select **Integrate with private DNS zone** (should be default) and choose the other default values
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-create-private-endpoint-dns.png" alt-text="Screenshot shows private endpoint creation DNS tab.":::
-
-1. Continue to the **Review + Create** tab and click **Create**. Once the deployment is done you should see this in the **Private endpoint connections** tab under the Network section of the Storage account:
-
-   :::image type="content" source="media/sql-database-vulnerability-assessment-storage/storage-networking-post-config.png" alt-text="Screenshot shows storage Networking Private endpoint connections post configuration." lightbox="media/sql-database-vulnerability-assessment-storage/storage-networking-post-config.png":::
-
-You should now be able to store your VA scans for Azure SQL Managed Instances in your storage account.
-
 ## Troubleshoot vulnerability assessment scan-related issues
 
 Troubleshoot common issues related to vulnerability assessment scans.