MicrosoftDocs
diff --git a/‎azure-sql/includes/sql-vm-iaas-extension-permissions.md‎
Lines changed: 1 addition & 1 deletion b/‎azure-sql/includes/sql-vm-iaas-extension-permissions.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎azure-sql/managed-instance/instance-pools-overview.md‎
Lines changed: 37 additions & 36 deletions b/‎azure-sql/managed-instance/instance-pools-overview.md‎
Lines changed: 37 additions & 36 deletions
diff --git a/‎azure-sql/managed-instance/managed-instance-link-configure-how-to-ssms.md‎
Lines changed: 31 additions & 31 deletions b/‎azure-sql/managed-instance/managed-instance-link-configure-how-to-ssms.md‎
Lines changed: 31 additions & 31 deletions
diff --git a/‎…te-migrate/backup-onprem-certificate.png‎ ‎…grate/backup-on-premises-certificate.png‎azure-sql/managed-instance/media/tde-certificate-migrate/backup-onprem-certificate.png renamed to azure-sql/managed-instance/media/tde-certificate-migrate/backup-on-premises-certificate.png b/‎…te-migrate/backup-onprem-certificate.png‎ ‎…grate/backup-on-premises-certificate.png‎azure-sql/managed-instance/media/tde-certificate-migrate/backup-onprem-certificate.png renamed to azure-sql/managed-instance/media/tde-certificate-migrate/backup-on-premises-certificate.png
diff --git a/‎…cate-migrate/onprem-certificate-list.png‎ ‎…migrate/on-premises-certificate-list.png‎azure-sql/managed-instance/media/tde-certificate-migrate/onprem-certificate-list.png renamed to azure-sql/managed-instance/media/tde-certificate-migrate/on-premises-certificate-list.png b/‎…cate-migrate/onprem-certificate-list.png‎ ‎…migrate/on-premises-certificate-list.png‎azure-sql/managed-instance/media/tde-certificate-migrate/onprem-certificate-list.png renamed to azure-sql/managed-instance/media/tde-certificate-migrate/on-premises-certificate-list.png
diff --git a/‎azure-sql/managed-instance/service-endpoint-policies-configure.md‎
Lines changed: 35 additions & 35 deletions b/‎azure-sql/managed-instance/service-endpoint-policies-configure.md‎
Lines changed: 35 additions & 35 deletions
@@ -7,5 +7,5 @@ ms.topic: include
 ---
 
 > [!NOTE]
-> SQL Server VMs deployed via the Azure marketplace after October 2022 have the [least privileged model](../virtual-machines/windows/sql-server-iaas-agent-extension-automate-management.md#permissions-models) enabled by default. 
+> SQL Server VMs deployed via the Azure marketplace after October 2022 have the [least privileged model](../virtual-machines/windows/sql-server-iaas-agent-extension-automate-management.md#permission-models) enabled by default. 
 > [Management modes](../virtual-machines/windows/sql-server-iaas-agent-extension-automate-management.md#management-modes) for the SQL IaaS Agent extension were removed in March 2023. 
@@ -4,7 +4,7 @@ description: Configure Azure Storage service endpoint policies to protect Azure
 author: zoran-rilak-msft
 ms.author: zoranrilak
 ms.reviewer: mathoma
-ms.date: 11/02/2021
+ms.date: 03/31/2026
 ms.service: azure-sql-managed-instance
 ms.subservice: security
 ms.topic: how-to
@@ -15,63 +15,63 @@ ms.custom:
 # Configure service endpoint policies for Azure SQL Managed Instance
 [!INCLUDE[appliesto-sqlmi](../includes/appliesto-sqlmi.md)]
 
-Virtual Network (VNet) Azure Storage [service endpoint policies](/azure/virtual-network/virtual-network-service-endpoint-policies-overview) allow you to filter egress virtual network traffic to Azure Storage, restricting data transfers to specific storage accounts.
+By using [service endpoint policies](/azure/virtual-network/virtual-network-service-endpoint-policies-overview) for Azure Storage service endpoints on a virtual network (VNet) subnet, you can filter egress virtual network traffic to Azure Storage and restrict data transfers to specific storage accounts.
 
 ## Key benefits
 
-Configuring Virtual network Azure Storage service endpoint policies for your Azure SQL Managed Instance provides the following benefits:
+Configuring Virtual Network Azure Storage service endpoint policies for your Azure SQL Managed Instance provides the following benefits:
 
-- __Improved security for your Azure SQL Managed Instance traffic to Azure Storage__: Endpoint policies establish a security control that prevents erroneous or malicious exfiltration of business-critical data. Traffic can be limited to only those storage accounts that are compliant with your data governance requirements.
+- __Improved security for your Azure SQL Managed Instance traffic to Azure Storage__: Endpoint policies establish a security control that prevents erroneous or malicious exfiltration of business-critical data. You can limit traffic to only those storage accounts that are compliant with your data governance requirements.
 
 - __Granular control over which storage accounts can be accessed__: Service endpoint policies can permit traffic to storage accounts at a subscription, resource group, and individual storage account level. Administrators can use service endpoint policies to enforce adherence to the organization's data security architecture in Azure.
 
-- __System traffic remains unaffected__: Service endpoint policies never obstruct access to storage that is required for Azure SQL Managed Instance to function. This includes the storage of backups, data files, transaction log files, and other assets.
+- __System traffic remains unaffected__: Service endpoint policies never obstruct access to storage that is required for Azure SQL Managed Instance to function. This storage includes backups, data files, transaction log files, and other assets.
 
-Service endpoint policies only control traffic that originates from the SQL Managed Instance subnet and terminates in Azure Storage. They do not affect other means of data egress; for example, exporting the database to an on-premises BACPAC file, Azure Data Factory integration, data exfiltration to other cloud providers, or other mechanisms of data extraction that do not directly target Azure Storage. Those pathways can be protected with other means of traffic control, like user-defined routes, network security groups, and Azure Firewall.
+Service endpoint policies only control traffic that originates from the SQL Managed Instance subnet and terminates in Azure Storage. They don't affect other means of data egress. For example, they don't affect exporting the database to an on-premises BACPAC file, Azure Data Factory integration, data exfiltration to other cloud providers, or other mechanisms of data extraction that don't directly target Azure Storage. You can protect those pathways by using other means of traffic control, such as user-defined routes, network security groups, and Azure Firewall.
 
 ## Limitations
 
-Enabling service endpoint policies for your Azure SQL Managed Instance has the following limitations:
+Service endpoint policies for Azure SQL Managed Instance have the following limitations:
 
 - Service endpoint policies for Azure Storage in managed instance subnets are available in all Azure regions where SQL Managed Instance is supported except those listed in [Service endpoint policy regional availability](region-availability.md#service-endpoint-policy). 
-- The feature is available only to virtual networks deployed through the Azure Resource Manager deployment model.
-- The feature is available only in subnets that have [service endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview) for Azure Storage enabled.
-- Assigning a service endpoint policy to a service endpoint upgrades the endpoint from regional to global scope. In other words, all traffic to Azure Storage will go through the service endpoint regardless of the region in which the storage account resides.
-- Allowing a storage account will automatically allow access to its RA-GRS secondary if it exists.
+- You can use this feature only with virtual networks deployed through the Azure Resource Manager deployment model.
+- You can use this feature only in subnets that have [service endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview) for Azure Storage enabled.
+- Assigning a service endpoint policy to a service endpoint upgrades the endpoint from regional to global scope. In other words, all traffic to Azure Storage goes through the service endpoint regardless of the region in which the storage account resides.
+- Allowing a storage account automatically allows access to its RA-GRS secondary, if it exists.
 
 ## Prepare storage inventory
 
-Before you begin configuring service endpoint policies on a subnet, compose a list of storage accounts that the managed instance should have access to in that subnet.
+Before you configure service endpoint policies on a subnet, create a list of storage accounts the managed instance needs access to in that subnet.
 
-The following is a list of workflows that may contact Azure Storage:
+The following workflows might contact Azure Storage:
 
 - [Auditing](auditing-configure.md) to Azure Storage.
 - Performing a [copy-only backup](/sql/relational-databases/backup-restore/copy-only-backups-sql-server) to Azure Storage.
 - [Restoring](restore-sample-database-quickstart.md) a database from Azure Storage.
-- Importing data with [BULK INSERT or OPENROWSET(BULK ...)](/sql/relational-databases/import-export/import-bulk-data-by-using-bulk-insert-or-openrowset-bulk-sql-server).
+- Importing data by using [BULK INSERT or OPENROWSET(BULK ...)](/sql/relational-databases/import-export/import-bulk-data-by-using-bulk-insert-or-openrowset-bulk-sql-server).
 - Logging [extended events](../database/xevent-db-diff-from-svr.md) to an Event File target on Azure Storage.
 - [Azure DMS offline migration](/azure/dms/tutorial-sql-server-to-managed-instance) to Azure SQL Managed Instance.
 - [Log Replay Service migration](log-replay-service-migrate.md) to Azure SQL Managed Instance.
-- Synchronizing tables using [transactional replication](replication-transactional-overview.md).
+- Synchronizing tables by using [transactional replication](replication-transactional-overview.md).
 
-Note the account name, resource group, and subscription for any storage account that participates in these, or any other, workflows that access storage. 
+Note the account name, resource group, and subscription for any storage account that participates in these or any other workflows that access storage.
 
 ## Configure policies
 
-You'll first need to create your service endpoint policy, and then associate the policy with the SQL Managed Instance subnet. Modify the workflow in this section to suit your business needs.
+First, create your service endpoint policy, and then associate it with the SQL Managed Instance subnet. Modify the workflow in this section to suit your business needs.
 
 > [!NOTE]
-> - SQL Managed Instance subnets require policies to contain the /Services/Azure/ManagedInstance service alias (See step 5). 
+> - SQL Managed Instance subnets require policies to contain the /Services/Azure/ManagedInstance service alias (see step 5). 
 
 ### Create a service endpoint policy
 
 To create a service endpoint policy, follow these steps:
 
-1. Sign into the [Azure portal](https://portal.azure.com). 
+1. Sign in to the [Azure portal](https://portal.azure.com). 
 1. Select **+ Create a resource**. 
-1. In the search pane, enter _service endpoint policy_, select **Service endpoint policy**, and then select **Create**.
+1. In the search pane, enter *service endpoint policy*, select **Service endpoint policy**, and then select **Create**.
 
-   ![Create service endpoint policy](media/service-endpoint-policies-configure/create-sep-add-resource.png)
+   :::image type="content" source="./media/service-endpoint-policies-configure/create-sep-add-resource.png" alt-text="Screenshot that shows creating a service endpoint policy." lightbox="./media/service-endpoint-policies-configure/create-sep-add-resource.png":::
 
 1. Fill in the following values on the **Basics** page:
 
@@ -80,32 +80,32 @@ To create a service endpoint policy, follow these steps:
    - Name: Provide a name for your policy, such as **mySEP**.
    - Location: Select the region of the virtual network hosting the managed instance. 
 
-   ![Create service endpoint policy basics](media/service-endpoint-policies-configure/create-sep-basics.png)
+   :::image type="content" source="./media/service-endpoint-policies-configure/create-sep-basics.png" alt-text="Screenshot that shows the Basics page for creating a service endpoint policy." lightbox="./media/service-endpoint-policies-configure/create-sep-basics.png":::
 
 1. In **Policy definitions**, select **Add an alias** and enter the following information on the **Add an alias** pane:
    - Service Alias: Select /Services/Azure/ManagedInstance.
    - Select **Add** to finish adding the service alias.
 
-   ![Add an alias to a service endpoint policy](./media/service-endpoint-policies-configure/add-an-alias.png)
+   :::image type="content" source="./media/service-endpoint-policies-configure/add-an-alias.png" alt-text="Screenshot that shows adding an alias to a service endpoint policy." lightbox="./media/service-endpoint-policies-configure/add-an-alias.png":::
 
-1. In Policy definitions, select **+ Add** under **Resources** and enter or select the following information in the **Add a resource** pane:
+1. In **Policy definitions**, select **+ Add** under **Resources** and enter or select the following information in the **Add a resource** pane:
    - Service: Select **Microsoft.Storage**.
    - Scope: Select **All accounts in subscription**.
-   - Subscription: Select a subscription containing the storage account(s) to permit. Refer to your [inventory of Azure storage accounts](#prepare-storage-inventory) created earlier.
+   - Subscription: Select a subscription containing the storage accounts to permit. Refer to your [inventory of Azure storage accounts](#prepare-storage-inventory) created earlier.
    - Select **Add** to finish adding the resource.
    - Repeat this step to add any additional subscriptions. 
 
-   ![Add a resource to a service endpoint policy](./media/service-endpoint-policies-configure/add-a-resource.png)
+   :::image type="content" source="./media/service-endpoint-policies-configure/add-a-resource.png" alt-text="Screenshot that shows adding a resource to a service endpoint policy." lightbox="./media/service-endpoint-policies-configure/add-a-resource.png":::
 
-1. Optional: you may configure tags on the service endpoint policy under **Tags**.
+1. (Optional) Configure tags on the service endpoint policy under **Tags**.
 1.	Select **Review + Create**. Validate the information and select **Create**. To make further edits, select **Previous**.
 
    > [!TIP]
    > First, configure policies to allow access to entire subscriptions. Validate the configuration by ensuring that all workflows operate normally. Then, optionally, reconfigure policies to allow individual storage accounts, or accounts in a resource group. To do so, select **Single account** or **All accounts in resource group** in the _Scope:_ field instead and fill in the other fields accordingly.
 
 ### Associate policy with subnet
 
-After your service endpoint policy is created, associate the policy with your SQL Managed Instance subnet.
+After you create your service endpoint policy, associate the policy with your SQL Managed Instance subnet.
 
 To associate your policy, follow these steps:
 
@@ -115,18 +115,18 @@ To associate your policy, follow these steps:
     - Services: Select **Microsoft.Storage**. If this field is empty, you need to configure the service endpoint for Azure Storage on this subnet.
     - Service endpoint policies: Select any service endpoint policies you want to apply to the SQL Managed Instance subnet.
 
-   ![Associate a service endpoint policy with a subnet](./media/service-endpoint-policies-configure/associate-service-endpoint-policy.png)
+   :::image type="content" source="./media/service-endpoint-policies-configure/associate-service-endpoint-policy.png" alt-text="Screenshot that shows associating a service endpoint policy with a subnet." lightbox="./media/service-endpoint-policies-configure/associate-service-endpoint-policy.png":::
 
 1. Select **Save** to finish configuring the virtual network.
 
 > [!WARNING]
-> If the policies on this subnet do not have the `/Services/Azure/ManagedInstance` alias, you may see the following error: 
+> If the policies on this subnet don't have the `/Services/Azure/ManagedInstance` alias, you might see the following error: 
 > ` Failed to save subnet 'subnet'. Error: 'Found conflicts with NetworkIntentPolicy.`
 > `Details: Service endpoint policies on subnet are missing definitions`
-> To resolve this, update all the policies on the subnet to include the `/Services/Azure/ManagedInstance` alias.
+> To resolve this error, update all the policies on the subnet to include the `/Services/Azure/ManagedInstance` alias.
 
-## Next steps
+## Related content
 
-- Learn more on [securing your Azure Storage accounts](/azure/storage/common/storage-network-security).
-- Read about [SQL Managed Instance's security capabilities](../database/security-overview.md).
-- Explore the [connectivity architecture](connectivity-architecture-overview.md) of SQL Managed Instance.
+- [Secure your Azure Storage accounts](/azure/storage/common/storage-network-security)
+- [SQL Managed Instance security capabilities](../database/security-overview.md)
+- [Connectivity architecture for Azure SQL Managed Instance](connectivity-architecture-overview.md)