Commit 0e8e881

PR feedback.
1 parent 7925603 commit 0e8e881

6 files changed, +10 -10 lines changed

articles/security/fundamentals/service-fabric-best-practices.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,7 @@ We recommend the following Azure Service Fabric security best practices:
3232
- Use network isolation and security with Azure Service Fabric.
3333
- Configure Azure Key Vault for security.
3434
- Assign users to roles.
35-
- Isolate the cluster and its trusted applications from untrusted applications.
35+
- Things to consider if hosting untrusted applications in a Service Fabric cluster.
3636

3737

3838
## Best practices for securing your clusters
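
Review bot: The new bullet at line 35 is the only item in this list that is not an imperative recommendation. The list is introduced with "We recommend the following Azure Service Fabric security best practices" and its neighbours read "Configure Azure Key Vault for security" and "Assign users to roles", while "Things to consider if hosting untrusted applications in a Service Fabric cluster" names a topic rather than an action. Suggest an imperative form such as "Review the guidance on hosting untrusted applications before deploying them to a Service Fabric cluster", kept in step with the section heading changed at line 178.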
@@ -175,8 +175,8 @@ After you've created the applications to represent your cluster, assign your use
175175
176176
Azure Service Fabric supports two access control types for clients that are connected to a [Service Fabric cluster](../../service-fabric/service-fabric-cluster-creation-via-arm.md): administrator and user. The cluster administrator can use access control to limit access to certain cluster operations for different groups of users. Access control makes the cluster more secure.
177177

178-
## Isolate the cluster and its trusted applications from untrusted applications
179-
By design, the applications hosted in a Service Fabric cluster are considered **trusted** and are granted access to the Service Fabric runtime. If you are considering hosting **untrusted applications**, additional steps must taken to [isolate the cluster and its trusted applications from untrusted applications](../../service-fabric/service-fabric-best-practices-security.md#isolate-the-cluster-and-its-trusted-applications-from-untrusted-applications).
178+
## Things to consider if hosting untrusted applications in a Service Fabric cluster
179+
Please see [Hosting untrusted applications in a Service Fabric cluster](../../service-fabric/service-fabric-best-practices-security.md#hosting-untrusted-applications-in-a-service-fabric-cluster).
180180

181181
## Next steps
182182
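
Review bot: The replacement body at line 179 is only a link, so this page no longer states that hosted applications are considered trusted, which is the reason the section exists. The other files in this commit keep the one-sentence summary "A Service Fabric cluster is single tenant by design and hosted applications are considered **trusted**" ahead of the link; suggest using the same sentence here. The heading at line 178 ("Things to consider if hosting ...") also differs from the heading of the section it points to ("Hosting untrusted applications in a Service Fabric cluster"); matching the two would make the cross-reference easier to follow.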

articles/service-fabric/service-fabric-application-and-service-manifests.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -158,7 +158,7 @@ Within the ServiceManifestImport, you override configuration values in Settings.
158158
**Policies** (not set in the preceding example) describes the log collection, [default run-as](service-fabric-application-runas-security.md), [health](service-fabric-health-introduction.md#health-policies), and [security access](service-fabric-application-runas-security.md) policies to set at the application level, including whether the service(s) have access to the Service Fabric runtime.
159159

160160
> [!NOTE]
161-
> By design, the applications hosted in a Service Fabric cluster are considered **trusted** and are granted access to the Service Fabric runtime. If you are considering hosting **untrusted applications**, such applications' [access to Service Fabric runtime](service-fabric-service-model-schema-complex-types.md#servicefabricruntimeaccesspolicytype-complextype) must be disabled by specifying [**RemoveServiceFabricRuntimeAccess** as **true**](service-fabric-best-practices-security.md#removeservicefabricruntimeaccess) in the Policies section of the ApplicationManifest.xml. Additional steps must also be taken to [isolate the cluster and its trusted applications from untrusted applications](service-fabric-best-practices-security.md#isolate-the-cluster-and-its-trusted-applications-from-untrusted-applications).
161+
> A Service Fabric cluster is single tenant by design and hosted applications are considered **trusted**. If you are considering hosting **untrusted applications**, please see [Hosting untrusted applications in a Service Fabric cluster](service-fabric-best-practices-security.md#hosting-untrusted-applications-in-a-service-fabric-cluster).
162162
>
163163
164164
**Principals** (not set in the preceding example) describe the security principals (users or groups) required to [run services and secure service resources](service-fabric-application-runas-security.md). Principals are referenced in the **Policies** sections.
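
Review bot: The new note at line 161 drops the only pointer on this page to the setting that controls runtime access, even though the paragraph at line 158 says Policies include "whether the service(s) have access to the Service Fabric runtime". The removed text linked both the ServiceFabricRuntimeAccessPolicyType schema entry and the RemoveServiceFabricRuntimeAccess section; suggest keeping at least one of those links in the note, or confirming that "Hosting untrusted applications in a Service Fabric cluster" still leads the reader to RemoveServiceFabricRuntimeAccess, since the lines of that section visible in this commit do not mention it. The empty ">" at line 162 can go as well.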

articles/service-fabric/service-fabric-best-practices-security.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -254,10 +254,10 @@ By default, Windows Defender antivirus is installed on Windows Server 2016. For
254254
> Refer to your Antimalware documentation for configuration rules if you are not using Windows Defender.
255255
> Windows Defender isn't supported on Linux.
256256
257-
## Isolate the cluster and its trusted applications from untrusted applications
258-
By design, the applications hosted in a Service Fabric cluster are considered **trusted** and are granted access to the Service Fabric runtime, which manifests in different forms, some of which are: [environment variables](service-fabric-environment-variables-reference.md) pointing to file paths on the host corresponding to application and Fabric files, host paths mounted with write access onto container workloads, an inter-process communication endpoint which accepts application-specific requests, and the client certificate which Fabric expects the application to use to authenticate itself.
257+
## Hosting untrusted applications in a Service Fabric cluster
258+
A Service Fabric cluster is single tenant by design and hosted applications are considered **trusted**. Applications are, therefore, granted access to the Service Fabric runtime, which manifests in different forms, some of which are: [environment variables](service-fabric-environment-variables-reference.md) pointing to file paths on the host corresponding to application and Fabric files, host paths mounted with write access onto container workloads, an inter-process communication endpoint which accepts application-specific requests, and the client certificate which Fabric expects the application to use to authenticate itself.
259259

260-
If you are considering hosting **untrusted applications**, additional steps must be taken to isolate the cluster and its trusted applications from untrusted applications. These include, but are not limited to:
260+
If you are considering hosting **untrusted applications**, you must take additional steps to define and own the hostile multi-tenant experience for your Service Fabric cluster. This will require you to consider multiple aspects, in the context of your scenario, including, but not limited to, the following:
261261
* A thorough security review of the untrusted applications' interactions with other applications, the cluster itself, and the underlying compute infrastructure.
262262
* Use of the strongest sandboxing technology applicable (e.g., appropriate [isolation modes](/virtualization/windowscontainers/manage-containers/hyperv-container.md) for container workloads).
263263
* Risk assessment of the untrusted applications escaping the sandboxing technology, as the next trust and security boundary is the cluster itself.
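
Review bot: The rewritten sentence at line 260, "define and own the hostile multi-tenant experience for your Service Fabric cluster", does not say what the steps are meant to achieve, where the old wording named the goal (isolating the cluster and its trusted applications from untrusted applications). Suggest stating the goal in plain terms before introducing the list, for example "you must take additional steps to isolate the cluster and its trusted applications, and you own the resulting multi-tenant design". Renaming the heading at line 257 also changes the section anchor; the five references updated in this commit are covered, but any other inbound links to #isolate-the-cluster-and-its-trusted-applications-from-untrusted-applications should be searched for before merge.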

articles/service-fabric/service-fabric-containers-overview.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -75,7 +75,7 @@ Service Fabric supports the deployment of Docker containers on Linux, and Window
7575
> Containers are not supported on local single node Service Fabric clusters (neither Linux clusters on OneBox, nor Windows clusters on local Service Fabric installations).
7676
7777
> [!NOTE]
78-
> By design, the applications hosted in a Service Fabric cluster are considered **trusted** and are granted access to the Service Fabric runtime. If you are considering hosting **untrusted applications**, such applications' [access to Service Fabric runtime](service-fabric-service-model-schema-complex-types.md#servicefabricruntimeaccesspolicytype-complextype) must be disabled by specifying [**RemoveServiceFabricRuntimeAccess** as **true**](service-fabric-best-practices-security.md#removeservicefabricruntimeaccess) in the Policies section of the ApplicationManifest.xml. Additional steps must also be taken to [isolate the cluster and its trusted applications from untrusted applications](service-fabric-best-practices-security.md#isolate-the-cluster-and-its-trusted-applications-from-untrusted-applications).
78+
> A Service Fabric cluster is single tenant by design and hosted applications are considered **trusted**. If you are considering hosting **untrusted applications**, please see [Hosting untrusted applications in a Service Fabric cluster](service-fabric-best-practices-security.md#hosting-untrusted-applications-in-a-service-fabric-cluster).
7979
8080
Service Fabric provides an [application model](service-fabric-application-model.md) in which a container represents an application host in which multiple service replicas are placed. Service Fabric also supports a [guest executable scenario](service-fabric-guest-executables-introduction.md) in which you don't use the built-in Service Fabric programming models but instead package an existing application, written using any language or framework, inside a container. This scenario is the common use-case for containers.
8181
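
Review bot: The note at line 78 no longer says that trusted applications are granted access to the Service Fabric runtime, which is the practical consequence a reader of the containers overview needs. The section this note links to describes that access as including host paths mounted with write access onto container workloads; suggest keeping the clause "and are granted access to the Service Fabric runtime" after "**trusted**" so the consequence is visible without following the link.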

articles/service-fabric/service-fabric-guest-executables-introduction.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -11,7 +11,7 @@ You can run any type of code, such as Node.js, Java, or C++ in Azure Service Fab
1111
Guest executables are treated by Service Fabric like stateless services. As a result, they are placed on nodes in a cluster, based on availability and other metrics. This article describes how to package and deploy a guest executable to a Service Fabric cluster, by using Visual Studio or a command-line utility.
1212

1313
> [!NOTE]
14-
> By design, the applications hosted in a Service Fabric cluster are considered **trusted** and are granted access to the Service Fabric runtime. If you are considering hosting **untrusted applications**, such applications' [access to Service Fabric runtime](service-fabric-service-model-schema-complex-types.md#servicefabricruntimeaccesspolicytype-complextype) must be disabled by specifying [**RemoveServiceFabricRuntimeAccess** as **true**](service-fabric-best-practices-security.md#removeservicefabricruntimeaccess) in the Policies section of the ApplicationManifest.xml. Additional steps must also be taken to [isolate the cluster and its trusted applications from untrusted applications](service-fabric-best-practices-security.md#isolate-the-cluster-and-its-trusted-applications-from-untrusted-applications).
14+
> A Service Fabric cluster is single tenant by design and hosted applications are considered **trusted**. If you are considering hosting **untrusted applications**, please see [Hosting untrusted applications in a Service Fabric cluster](service-fabric-best-practices-security.md#hosting-untrusted-applications-in-a-service-fabric-cluster).
1515
1616
## Benefits of running a guest executable in Service Fabric
1717
There are several advantages to running a guest executable in a Service Fabric cluster:
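
Review bot: The note at line 14 is now word-for-word the same as the notes added at line 78 of service-fabric-containers-overview.md and line 161 of service-fabric-application-and-service-manifests.md. Three hand-maintained copies will drift the next time the wording changes, as this commit shows by editing each one separately; suggest moving the sentence into a single shared snippet if the docs build supports one, or at least listing the duplicates in the PR description. "please see" can be shortened to "see".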

articles/service-fabric/service-fabric-services-inside-containers.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -106,7 +106,7 @@ This document provides guidance to get your service running inside a Windows con
106106
```
107107

108108
> [!NOTE]
109-
> By design, the applications hosted in a Service Fabric cluster are considered **trusted** and are granted access to the Service Fabric runtime. Service Fabric runtime access is also **required** to run Service Fabric reliable services inside containers. If you are considering hosting **untrusted container applications**, consider deploying them as [guest containers](service-fabric-containers-overview.md#service-fabric-support-for-containers) with their [access to Service Fabric runtime](service-fabric-service-model-schema-complex-types.md#servicefabricruntimeaccesspolicytype-complextype) disabled by specifying [**RemoveServiceFabricRuntimeAccess** as **true**](service-fabric-best-practices-security.md#removeservicefabricruntimeaccess) in the Policies section of the ApplicationManifest.xml. Additional steps must also be taken to [isolate the cluster and its trusted applications from untrusted applications](service-fabric-best-practices-security.md#isolate-the-cluster-and-its-trusted-applications-from-untrusted-applications).
109+
> A Service Fabric cluster is single tenant by design and hosted applications are considered **trusted**. If you are considering hosting **untrusted container applications**, consider deploying them as [guest containers](service-fabric-containers-overview.md#service-fabric-support-for-containers) and please see [Hosting untrusted applications in a Service Fabric cluster](service-fabric-best-practices-security.md#hosting-untrusted-applications-in-a-service-fabric-cluster).
110110
>
111111

112112
10. To test this application, you need to deploy it to a cluster that is running version 5.7 or higher. For runtime versions 6.1 or lower, you need to edit and update the cluster settings to enable this preview feature. Follow the steps in this [article](service-fabric-cluster-fabric-settings.md) to add the setting shown next.
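
Review bot: The new note at line 109 drops the sentence "Service Fabric runtime access is also **required** to run Service Fabric reliable services inside containers", which is the reason this page points untrusted workloads at guest containers. Without it the advice to "consider deploying them as guest containers" has no stated rationale; suggest keeping that sentence. The wording "If you are considering ..., consider deploying ... and please see" also repeats "consider" and runs two instructions together; splitting it into two sentences would read better.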
