Merge pull request #661 from MicrosoftDocs/main
10/24/2024 PM Publish
Taojunshen authored Oct 24, 2024
2 parents 9a55474 + e46a88b commit 6e788f0
Showing 91 changed files with 349 additions and 714 deletions.
20 changes: 20 additions & 0 deletions articles/cosmos-db/.openpublishing.redirection.cosmos-db.json
Expand Up @@ -5929,6 +5929,26 @@
"source_path_from_root": "/articles/cosmos-db/attachments.md",
"redirect_url": "/previous-versions/azure/cosmos-db/nosql/attachments",
"redirect_document_id": false
},
{
"source_path_from_root": "/articles/cosmos-db/mongodb/security/how-to-disable-key-based-authentication.md",
"redirect_url": "/previous-versions/azure/cosmos-db/nosql/security/how-to-disable-key-based-authentication",
"redirect_document_id": false
},
{
"source_path_from_root": "/articles/cosmos-db/gremlin/security/how-to-disable-key-based-authentication.md",
"redirect_url": "/previous-versions/azure/cosmos-db/nosql/security/how-to-disable-key-based-authentication",
"redirect_document_id": false
},
{
"source_path_from_root": "/articles/cosmos-db/cassandra/security/how-to-disable-key-based-authentication.md",
"redirect_url": "/previous-versions/azure/cosmos-db/nosql/security/how-to-disable-key-based-authentication",
"redirect_document_id": false
},
{
"source_path_from_root": "/articles/cosmos-db/table/security/reference-data-actions.md ",
"redirect_url": "/previous-versions/azure/cosmos-db/table/security/reference-data-plane-actions",
"redirect_document_id": false
}
]
}
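
Review bot: the last added entry's `source_path_from_root` has a trailing space inside the string (`"/articles/cosmos-db/table/security/reference-data-actions.md "`), so it is unlikely to match the real file path; remove the space before the closing quote. In the same entry the source is named `reference-data-actions` while the target is `reference-data-plane-actions`, so confirm the target page exists under that name. The mongodb, gremlin and cassandra entries all redirect to the `nosql` copy of how-to-disable-key-based-authentication under /previous-versions; if that is intentional, a short note in the PR description would help the next editor.
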
3 changes: 0 additions & 3 deletions articles/cosmos-db/cassandra/TOC.yml
Expand Up @@ -373,9 +373,6 @@
href: ../how-to-setup-cross-tenant-customer-managed-keys.md
- name: Use managed identities with Azure services
href: ../how-to-setup-managed-identity.md
- name: Disable key-based authentication
displayName: key, ropc, connection string
href: security/how-to-disable-key-based-authentication.md?context=/azure/cosmos-db/context/context
- name: Monitor
items:
- name: Monitor
Expand Down

This file was deleted.

5 changes: 0 additions & 5 deletions articles/cosmos-db/cassandra/security/index.md
Expand Up @@ -20,8 +20,3 @@ ai-usage: ai-assisted
When working with Azure Cosmos DB for Cassandra, it's important to ensure that authorized users and applications have access to data while preventing unintentional or unauthorized access.

[!INCLUDE[Security overview](../../includes/security-overview.md)]

## Next step

> [!div class="nextstepaction"]
> [Disable key-based authentication with Azure Cosmos DB for Apache Cassandra](how-to-disable-key-based-authentication.md)
3 changes: 0 additions & 3 deletions articles/cosmos-db/gremlin/TOC.yml
Expand Up @@ -332,9 +332,6 @@
href: ../how-to-setup-cross-tenant-customer-managed-keys.md
- name: Use managed identities with Azure services
href: ../how-to-setup-managed-identity.md
- name: Disable key-based authentication
displayName: key, ropc, connection string
href: security/how-to-disable-key-based-authentication.md?context=/azure/cosmos-db/context/context
- name: Manage Azure Cosmos DB resources
items:
- name: Manage an Azure Cosmos DB account
Expand Down

This file was deleted.

5 changes: 0 additions & 5 deletions articles/cosmos-db/gremlin/security/index.md
Expand Up @@ -20,8 +20,3 @@ ai-usage: ai-assisted
When working with Azure Cosmos DB for Gremlin, it's important to ensure that authorized users and applications have access to data while preventing unintentional or unauthorized access.

[!INCLUDE[Security overview](../../includes/security-overview.md)]

## Next step

> [!div class="nextstepaction"]
> [Disable key-based authentication with Azure Cosmos DB for Apache Gremlin](how-to-disable-key-based-authentication.md)
14 changes: 7 additions & 7 deletions articles/cosmos-db/how-to-configure-firewall.md
Expand Up @@ -5,7 +5,7 @@ author: iriaosara
ms.author: iriaosara
ms.service: azure-cosmos-db
ms.topic: how-to
ms.date: 09/26/2024
ms.date: 10/24/2024
ms.custom: devx-track-azurecli, devx-track-azurepowershell
---

Expand Down Expand Up @@ -33,7 +33,7 @@ You can secure the data stored in your Azure Cosmos DB account by using IP firew

To set the IP access control policy in the Azure portal, go to the Azure Cosmos DB account page and select **Networking** on the navigation menu. Change the **Allow access from** value to **Selected networks**, and then select **Save**. If you are not adding any IP addresses yet, you will also have to **check the box to acknowledge that all VNets and IPs will be blocked**. If you change the public access network settings, either by disabling it or allowing it for all networks, you lose the firewall IP that you might have set up before.

![networking-firewall](media/how-to-configure-firewall/networking-firewall.png)
![Screenshot of the Azure Cosmos DB networking firewall settings in the Azure portal.](media/how-to-configure-firewall/networking-firewall.png)

When IP access control is turned on, the Azure portal provides the ability to specify IP addresses, IP address ranges, and switches. Switches enable access to other Azure services and the Azure portal. The following sections give details about these switches.

Expand All @@ -55,13 +55,13 @@ Portal scenarios that require this option to be enabled include:

You can enable requests to access the Azure portal by selecting the **Add Azure Portal Middleware IPs** option, as shown in the following screenshot:

![networking-add-middleware](media/how-to-configure-firewall/networking-add-middleware1.png)
![Screenshot of the options to add middleware IP addresses to networking in the Azure portal.](media/how-to-configure-firewall/networking-add-middleware1.png)



The Azure Portal Middleware IP addresses will be added to a separate list, as shown in the following screenshot. Click on **Save** to add these addresses to your database account. More details on the Middleware IP addresses can be found further below in this article.

![networking-middleware-list](media/how-to-configure-firewall/networking-middleware-list.png)
![Screenshot of the list of middleware IP addresses for networking in the Azure portal.](media/how-to-configure-firewall/networking-middleware-list.png)

The Azure Portal Middleware IP addresses can be removed by clicking on the **Remove Azure Portal Middleware IPs** option and then selecting **Save**.

Expand Down Expand Up @@ -103,7 +103,7 @@ For example:

The Cosmos DB portal services recently transitioned to new infrastructure that required new Middleware IP addresses. With the completion of that transition, the legacy IP addresses used by the old infrastructure can now be safely removed. If your account has legacy Middleware IP addresses present in the firewall rules, the **Remove Azure Portal Legacy Middleware IPs** option will be displayed. Select that option and then Save to remove the legacy IP addresses.

![networking-remove-legacy](media/how-to-configure-firewall/networking-remove-legacy.png)
![Screenshot of the option to remove legacy middleware IPs for networking in the Azure portal.](media/how-to-configure-firewall/networking-remove-legacy.png)

The legacy IP addresses are dependent on cloud environment:

Expand All @@ -120,7 +120,7 @@ The legacy IP addresses are dependent on cloud environment:

If you access your Azure Cosmos DB account from services that don’t provide a static IP (for example, Azure Stream Analytics and Azure Functions), you can still use the IP firewall to limit access. You can enable access from other sources within the Azure by selecting the **Accept connections from within Azure datacenters** option, as shown in the following screenshot:

![networking-add-azure-datacenters](media/how-to-configure-firewall/networking-add-azure-datacenters.png)
![Screenshot of the option to accept connections from within public Azure datacenters in the Azure portal.](media/how-to-configure-firewall/networking-add-azure-datacenters.png)

When you enable this option, the IP address `0.0.0.0` is added to the list of allowed IP addresses. The `0.0.0.0` IP address restricts requests to your Azure Cosmos DB account from Azure datacenter IP range. This setting doesn't allow access for any other IP ranges to your Azure Cosmos DB account.
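
Review bot: the new alt text for networking-add-azure-datacenters.png says "public Azure datacenters", which does not match the option name used in the paragraph above it, **Accept connections from within Azure datacenters**. Align the alt text with the UI label so the description and the screenshot refer to the same setting.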

Expand All @@ -138,7 +138,7 @@ The portal automatically detects the client IP address. It might be the client I

To add your current IP to the list of IPs, select **Add your current IP**. Then select **Save**.

![networking-add-current-ip](media/how-to-configure-firewall/networking-add-current-ip.png)
![Screenshot of the option to add your current IP address to networking in the Azure portal.](media/how-to-configure-firewall/networking-add-current-ip.png)

### Requests from cloud services

Expand Down
3 changes: 0 additions & 3 deletions articles/cosmos-db/mongodb/TOC.yml
Expand Up @@ -513,9 +513,6 @@
href: ../how-to-setup-cross-tenant-customer-managed-keys.md
- name: Use managed identities with Azure services
href: ../how-to-setup-managed-identity.md
- name: Disable key-based authentication
displayName: key, ropc, connection string
href: security/how-to-disable-key-based-authentication.md?context=/azure/cosmos-db/context/context
- name: Monitor
items:
- name: Monitor
Expand Down

This file was deleted.

5 changes: 0 additions & 5 deletions articles/cosmos-db/mongodb/security/index.md
Expand Up @@ -20,8 +20,3 @@ ai-usage: ai-assisted
When working with Azure Cosmos DB for MongoDB, it's important to ensure that authorized users and applications have access to data while preventing unintentional or unauthorized access.

[!INCLUDE[Security overview](../../includes/security-overview.md)]

## Next step

> [!div class="nextstepaction"]
> [Disable key-based authentication with Azure Cosmos DB for MongoDB](how-to-disable-key-based-authentication.md)
10 changes: 7 additions & 3 deletions articles/cosmos-db/nosql/query/count.md
Expand Up @@ -8,7 +8,7 @@ ms.service: azure-cosmos-db
ms.subservice: nosql
ms.topic: reference
ms.devlang: nosql
ms.date: 08/22/2024
ms.date: 10/24/2024
ms.custom: query-reference
---

Expand Down Expand Up @@ -48,9 +48,13 @@ This next example assumes that there's a container with two items with a `/name`

In this example, the function counts the number of times the specified scalar field occurs in the filtered data. Here, the function looks for the number of times the `/name` field occurs which is two out of three times.

:::code language="" source="~/cosmos-db-nosql-query-samples/scripts/count/query.sql" highlight="2":::
:::code language="nosql" source="~/cosmos-db-nosql-query-samples/scripts/count/query.sql" highlight="2":::

:::code language="" source="~/cosmos-db-nosql-query-samples/scripts/count/result.json":::
:::code language="json" source="~/cosmos-db-nosql-query-samples/scripts/count/result.json":::

In this final example, the function is used to count every item within a contianer.

:::code language="nosql" source="~/cosmos-db-nosql-query-samples/scripts/count-items/query.novalidate.sql" highlight="2":::

## Remarks

Expand Down
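
Review bot: "contianer" in the added sentence "In this final example, the function is used to count every item within a contianer." should be "container". The new count-items example also ships only the query, while the example just above it pairs query.sql with result.json; add the matching result block or state why it is omitted.
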
4 changes: 3 additions & 1 deletion articles/cosmos-db/reserved-capacity.md
Expand Up @@ -30,14 +30,16 @@ After you buy a reservation, it's applied immediately to any existing Azure Cosm
When your reservation expires, your Azure Cosmos DB instances continue to run and are billed at the regular pay-as-you-go rates.
You can buy Azure Cosmos DB Reserved Capacity from the [Azure portal](https://portal.azure.com). Pay for the reservation [upfront or with monthly payments](/azure/cost-management-billing/reservations/prepare-buy-reservation).

## Unused Reserved Capacity
## Unused Reserved Capacity and reservations exchange

A reservation discount is *use-it-or-lose-it*. So, if you don't have matching resources for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.

When you shut down a resource, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are *lost*.

Stopped resources are billed and continue to use reservation hours. To use your available reservation hours with other workloads, deallocate or delete resources or scale-in other resources.

Customers can use a self-service process to exchange reservations, migrating existing ones for bigger or smaller options. There is no penalty for an exchanges, that are processed as a refund and a repurchase. Different transactions are created for the cancellation and the new reservation purchase. The prorated reservation amount is refunded for the reservations that's traded-in. You're charged fully for the new purchase. The prorated reservation amount is the daily prorated residual value of the reservation being returned. For more information about reservations exchanges, click [here](/azure/cost-management-billing/reservations/exchange-and-refund-azure-reservations).


## Required permissions

Expand Down
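
Review bot: the added exchange paragraph has agreement errors that should be fixed before publishing: "There is no penalty for an exchanges, that are processed as a refund and a repurchase" and "the reservations that's traded-in". Suggest "There's no penalty for an exchange, which is processed as a refund and a repurchase" and "the reservation that's traded in", and replace the "click [here]" link text with a descriptive title. The hunk also leaves two blank lines before `## Required permissions`; one is enough.
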
2 changes: 1 addition & 1 deletion articles/cosmos-db/scripts/cli/table/lock.md
Expand Up @@ -17,7 +17,7 @@ ms.custom: kr2b-contr-experiment, devx-track-azurecli
The script in this article demonstrates performing resource lock operations for an API for Table table.

> [!IMPORTANT]
> To enable resource locking, the Azure Cosmos DB account must have the `disableKeyBasedMetadataWriteAccess` property enabled. This property prevents any changes to resources from clients that connect via account keys, such as the Azure Cosmos DB Table SDK, Azure Storage Table SDK, or Azure portal. For more information, see [Preventing changes from SDKs](../../../table/security/how-to-disable-key-based-authentication.md).
> To enable resource locking, the Azure Cosmos DB account must have the `disableKeyBasedMetadataWriteAccess` property enabled. This property prevents any changes to resources from clients that connect via account keys, such as the Azure Cosmos DB Table SDK, Azure Storage Table SDK, or Azure portal.
## Prerequisites

Expand Down
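
Review bot: with the "Preventing changes from SDKs" link dropped from the `[!IMPORTANT]` note, the note still requires `disableKeyBasedMetadataWriteAccess` but no longer tells the reader how to enable it. The redirect entries visible in this commit cover the mongodb, gremlin and cassandra copies of how-to-disable-key-based-authentication.md but not the table one, so point the sentence at an article that still exists instead of removing the pointer outright.
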
2 changes: 1 addition & 1 deletion articles/cosmos-db/scripts/powershell/table/lock.md
Expand Up @@ -21,7 +21,7 @@ If you need to install, see [Install Azure PowerShell module](/powershell/azure/
Run [Connect-AzAccount](/powershell/module/az.accounts/connect-azaccount) to sign in to Azure.

> [!IMPORTANT]
> Resource locks do not work for changes made by users connecting using any Azure Cosmos DB SDK, any tools that connect via account keys, or the Azure Portal unless the Azure Cosmos DB account is first locked with the `disableKeyBasedMetadataWriteAccess` property enabled. To learn more about how to enable this property see, [Preventing changes from SDKs](../../../table/security/how-to-disable-key-based-authentication.md).
> Resource locks do not work for changes made by users connecting using any Azure Cosmos DB SDK, any tools that connect via account keys, or the Azure Portal unless the Azure Cosmos DB account is first locked with the `disableKeyBasedMetadataWriteAccess` property enabled.
## Sample script

Expand Down
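
Review bot: the rewritten `[!IMPORTANT]` line still capitalizes "Azure Portal", while the matching note in scripts/cli/table/lock.md uses "Azure portal"; since the line is being edited anyway, make the two agree. The sentence also now ends without saying where the `disableKeyBasedMetadataWriteAccess` property is set, so a replacement link is needed here as well.
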
18 changes: 4 additions & 14 deletions articles/cosmos-db/table/TOC.yml
Expand Up @@ -10,12 +10,12 @@
items:
- name: .NET
href: quickstart-dotnet.md
- name: Java
href: quickstart-java.md
- name: Node.js
href: quickstart-nodejs.md
- name: Python
href: quickstart-python.md
- name: Node.js
href: quickstart-nodejs.md
- name: Java
href: quickstart-java.md
- name: Tutorials
items:
- name: Query data
Expand Down Expand Up @@ -207,9 +207,6 @@
items:
- name: Security overview
href: ../security.yml
- name: Role-based access control guide
displayName: RBAC, Entra
href: security/index.md
- name: Considerations and guidance
href: ../security-considerations.md
- name: Well Architected Framework security guidance
Expand Down Expand Up @@ -339,13 +336,6 @@
href: ../how-to-setup-cross-tenant-customer-managed-keys.md
- name: Use managed identities with Azure services
href: ../how-to-setup-managed-identity.md
- name: Disable key-based authentication
displayName: key, ropc, connection string
href: security/how-to-disable-key-based-authentication.md?context=/azure/cosmos-db/context/context
- name: Grant role-based access control access for resources
href: security/how-to-grant-control-plane-role-based-access.md?context=/azure/cosmos-db/context/context
- name: Grant role-based access control access for data
href: security/how-to-grant-data-plane-role-based-access.md?context=/azure/cosmos-db/context/context
- name: Enterprise readiness
items:
- name: Access preview features
Expand Down
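
Review bot: the entries removed at `@@ -339,13 +336,6 @@` (Disable key-based authentication, Grant role-based access control access for resources, Grant role-based access control access for data), together with the "Role-based access control guide" entry removed at `@@ -207,9 +207,6 @@`, leave the Table TOC with no RBAC or key-disabling how-to. The redirect hunk shown in this commit adds only one table entry, for reference-data-actions.md, so confirm the other removed table/security pages are redirected as well or inbound links may break.
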
4 changes: 2 additions & 2 deletions articles/cosmos-db/table/faq.yml
Expand Up @@ -298,11 +298,11 @@ sections:
- question: |
What is role-based access control (RBAC)?
answer: |
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In Azure Cosmos DB, RBAC is used to grant data-plane access to users and applications. For more information about various terms in role-based access control, see the [security glossary](security/glossary.md).
Role-based access control (RBAC) is a method of regulating access to computer or network resources based on the roles of individual users within an enterprise. In Azure Cosmos DB, RBAC is used to grant data-plane access to users and applications.
- question: |
How do I enable data-plane role-based access control for Azure Cosmos DB for Table?
answer: |
Use the Azure Cosmos DB native role-based access control (RBAC) feature to grant data-plane access to users and applications. For more information, see [Grant data-plane role-based access](security/how-to-grant-data-plane-role-based-access.md).
Use the Azure Cosmos DB native role-based access control (RBAC) feature to grant data-plane access to users and applications.
additionalContent: |
## Related content
Expand Down
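
Review bot: the answer to "How do I enable data-plane role-based access control for Azure Cosmos DB for Table?" now only says to use the native RBAC feature and gives neither steps nor a link, so it no longer answers the question it sits under. Link to a how-to that still exists, or remove the question together with the link.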