Commit f4ee47b

Merge pull request #36338 from sravanisaluru/patch-2
Update auditing overview with storage account details
2 parents 66e2539 + 8c3097d commit f4ee47b

1 file changed

Lines changed: 1 addition & 1 deletion

azure-sql/database/auditing-overview.md

@@ -77,11 +77,11 @@ For environments with many databases running heavy OLTP workloads, using server
7777
## Remarks
7878

7979
- **Premium storage** with **BlockBlobStorage** is supported. Standard storage is supported. However, for audit to write to a storage account behind a virtual network or firewall, you must have a **general-purpose v2 storage account**. If you have a general-purpose v1 or Blob Storage account, [upgrade to a general-purpose v2 storage account](/azure/storage/common/storage-account-upgrade). For specific instructions see, [Write audit to a storage account behind VNet and firewall](audit-write-storage-account-behind-vnet-firewall.md). For more information, see [Types of storage accounts](/azure/storage/common/storage-account-overview#types-of-storage-accounts).
80+
- When customers enable SQL auditing and also configure **outbound networking** restrictions, they must allow list the fully qualified domain names of their auditing storage account to ensure audit events can successfully reach the destination. If the storage endpoint is not allowlisted, audit traffic is blocked, resulting in audit event loss. After adding the required storage account FQDNs to the allow list, customers must **re‑save** their auditing configuration to resume normal audit event flow.
8081
- **Hierarchical namespace** for all types of **standard storage account** and **premium storage account with BlockBlobStorage** is supported.
8182
- Audit logs are written to **Append Blobs** in an Azure Blob Storage on your Azure subscription
8283
- Audit logs are in .xel format and can be opened with [SQL Server Management Studio (SSMS)](/ssms/sql-server-management-studio-ssms).
8384
- To configure an immutable log store for the server or database-level audit events, follow the [instructions provided by Azure Storage](/azure/storage/blobs/immutable-time-based-retention-policy-overview#allow-protected-append-blobs-writes). When configuring immutable blob storage for auditing, ensure that **Allow protected append writes** is set to either **Append blobs** or **Block and append blobs**. The **None** option isn't supported. For time-based retention policies, the storage account's retention interval must be shorter than the SQL Auditing retention setting. Configurations where the storage policy is set, but SQL Auditing retention is `0`, aren't supported.
84-
8585
- You can write audit logs to an Azure Storage account behind a virtual network or firewall.
8686
- For details about the log format, hierarchy of the storage folder, and naming conventions, see the article, [SQL Database audit log format](audit-log-format.md).
8787
- Auditing on [Use read-only replicas to offload read-only query workloads](read-scale-out.md) is automatically enabled. For more information about the hierarchy of the storage folders, naming conventions, and log format, see the article, [SQL Database audit log format](audit-log-format.md).
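
Review bot: The added bullet at new line 80 tells readers to allow list "the fully qualified domain names of their auditing storage account" without saying which names those are or linking to the outbound networking documentation, so it cannot be acted on from this page alone; name the endpoint form or add a link, as the neighbouring bullets do for their own topics. The bullet also switches to third person ("customers must") where the other remarks address "you", uses "allow list" as a verb in one sentence and "allowlisted" in the next, and writes "re‑save" with a non-breaking hyphen (U+2011) that a plain-text search for "re-save" will not match. Because the stated consequence is audit event loss, it would help to say how an operator can tell that events are being dropped, since the bullet as written only describes the fix once the cause is already known.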
