
Commit 191cc4f

committed
fixed various errors
1 parent 810ae73 commit 191cc4f


3 files changed

+28
-26
lines changed

articles/azure-monitor/platform/private-link-security.md

Lines changed: 14 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -10,15 +10,15 @@ ms.subservice:
1010

1111
# Use Azure Private Link to securely connect networks to Azure Monitor
1212

13-
[Azure Private Link](../../private-link/private-link-overview.md) allows you to securely link Azure PaaS services to your virtual network using private endpoints. For many services, you just set up an endpoint per resource. However, Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. As a result, we have built a resource called an Azure Monitor Private Link Scope (AMPLS) that allows you to define the boundaries of your monitoring network and connect to your virtual network. This article will cover why to use and how to set up an Azure Monitor Private Link Scope.
13+
[Azure Private Link](../../private-link/private-link-overview.md) allows you to securely link Azure PaaS services to your virtual network using private endpoints. For many services, you just set up an endpoint per resource. However, Azure Monitor is a constellation of different interconnected services that work together to monitor your workloads. As a result, we have built a resource called an Azure Monitor Private Link Scope (AMPLS) that allows you to define the boundaries of your monitoring network and connect to your virtual network. This article covers when to use and how to set up an Azure Monitor Private Link Scope.
1414

1515
## Advantages of Private Link with Azure Monitor
1616

1717
With Private Link you can:
1818

1919
- Connect privately to Azure Monitor without opening up any public network access
2020
- Ensure your monitoring data is only accessed through authorized private networks
21-
- Prevent data exfiltration from your private networks by defining specific Azure Monitor resources connect thru your private endpoint
21+
- Prevent data exfiltration from your private networks by defining specific Azure Monitor resources connect through your private endpoint
2222
- Securely connect your private on-premises network to Azure Monitor using ExpressRoute and Private Link
2323
- Keep all traffic inside the Microsoft Azure backbone network
2424

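Review bot: the `thru` to `through` fix on the third bullet still leaves the sentence ungrammatical: "by defining specific Azure Monitor resources connect through your private endpoint" needs a "which", i.e. "by defining which Azure Monitor resources connect through your private endpoint". This is the bullet that states the security property (the AMPLS as the allow-list that bounds what can be reached from the private network), so it is worth getting right in the same pass.
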
@@ -35,11 +35,11 @@ Azure Monitor Private Link Scope is a grouping resource to connect one or more p
3535
3636
## Planning AMPLS based on your network needs
3737

38-
Before setting up your AMPLS resources, consider your network isolation requirements, by evaluating your virtual networks' access to public internet, and access restrictions of each of your Azure Monitor resources (that is, Application Insights components and Log Analytics workspaces).
38+
Before setting up your AMPLS resources, consider your network isolation requirements. Evaluate your virtual networks' access to public internet, and the access restrictions of each of your Azure Monitor resources (that is, Application Insights components and Log Analytics workspaces).
3939

4040
### Evaluate which Virtual Networks should connect to a Private Link
4141

42-
Start by evaluating which of your virtual networks (VNets) have restricted access to the internet. VNets that have free internet may not require a Private Link to access your Azure Monitor resources. The monitoring resources your VNets connect to may restrict incoming traffic and require a Private Link connection (either for log ingestion or query). In such cases, even a VNet that has access to the public internet will need connect to these resources over a Private Link, and through an AMPLS.
42+
Start by evaluating which of your virtual networks (VNets) have restricted access to the internet. VNets that have free internet may not require a Private Link to access your Azure Monitor resources. The monitoring resources your VNets connect to may restrict incoming traffic and require a Private Link connection (either for log ingestion or query). In such cases, even a VNet that has access to the public internet needs connect to these resources over a Private Link, and through an AMPLS.
4343

4444
### Evaluate which Azure Monitor resources should have a Private Link
4545

@@ -53,7 +53,7 @@ Remember – you can connect the same workspaces or application to multiple AMPL
5353

5454
### Group together Monitoring resources by network accessibility
5555

56-
Since each VNet can connect to only one AMPLS resource, you must group together monitoring resources that should be accessible to the same networks. The simplest way to manage this is to create one AMPLS per VNet, and select the resources to connect to that network. However, to reduce resources and improve manageability, you may want to reuse an AMPLS across network.
56+
Since each VNet can connect to only one AMPLS resource, you must group together monitoring resources that should be accessible to the same networks. The simplest way to manage this grouping is to create one AMPLS per VNet, and select the resources to connect to that network. However, to reduce resources and improve manageability, you may want to reuse an AMPLS across networks.
5757

5858
For example, if your internal virtual networks VNet1 and VNet2 should connect to workspaces Workspace1 and Workspace2 and Application Insights component Application Insights 3, associate all three resources to the same AMPLS. If VNet3 should only access Workspace1, create another AMPLS resource, associate Workspace1 to it, and connect VNet3 as shown in the following diagrams:
5959

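Review bot: "even a VNet that has access to the public internet needs connect to these resources over a Private Link" drops the "to"; it should read "needs to connect to these resources over a Private Link". The change from "will need connect" to "needs connect" fixed the tense but carried the original omission through.
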
@@ -74,21 +74,22 @@ Let's start by creating an Azure Monitor Private Link Scope resource.
7474

7575
## Connecting Azure Monitor resources
7676

77-
You can connect your AMPLS first to private endpoints and then to Azure Monitor resources or vice versa, but the connection process will go faster if you start with your Azure Monitor resources. Here's how we connect Azure Monitor Log Analytics workspaces and Application Insights components to an AMPLS
77+
You can connect your AMPLS first to private endpoints and then to Azure Monitor resources or vice versa, but the connection process goes faster if you start with your Azure Monitor resources. Here's how we connect Azure Monitor Log Analytics workspaces and Application Insights components to an AMPLS
7878

7979
1. In your Azure Monitor Private Link scope, click on **Azure Monitor Resources** in the left-hand menu. Click the **Add** button.
8080
2. Add the workspace or component. Clicking the Add button brings up a dialog where you can select Azure Monitor resources. You can browse through your subscriptions and resource groups, or you can type in their name to filter down to them. Select the workspace or component and click **Apply** to add them to your scope.
8181

8282
![Screenshot of select a scope UX](./media/private-link-security/2-ampls-select.png)
8383

84-
Connecting to a Private Endpoint
84+
### Connecting to a Private Endpoint
85+
8586
Now that we have resources connected to our AMPLS, let's create a private endpoint to connect our network. You can do this in the Private Link center [link to go here], or inside your Azure Monitor Private Link Scope, as done in this example.
8687

8788
1. In your scope resource, click on **Private Endpoint connections** in the left hand resource menu Click on **Private Endpoint** to start the endpoint create process. You can also approve connections that were started in the Private Link center here by selecting them and clicking **Approve**.
8889

8990
![Screenshot of Private Endpoint Connections UX](./media/private-link-security/3-ampls-select-pe-connect.png)
9091

91-
2. Pick the subscription, resource group, and name of the endpoint, and the region it will live in. This needs to be the same region as the virtual network you will connect it to.
92+
2. Pick the subscription, resource group, and name of the endpoint, and the region it should live in. This needs to be the same region as the virtual network you will connect it to.
9293

9394
3. Click **Next : Resource**.
9495

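Review bot: the new `### Connecting to a Private Endpoint` heading is the right fix, but the paragraph directly under it still carries the authoring placeholder "in the Private Link center [link to go here]", which should be linked or removed before this publishes. Two smaller points in the same hunk: the rewritten sentence ending "to an AMPLS" has no terminating period, and "left hand resource menu Click on **Private Endpoint**" is missing the period between the two sentences.
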
@@ -164,9 +165,7 @@ Storage accounts are used in the ingestion process of several data types of logs
164165
- Service fabric
165166
- ASC Watson dump files
166167

167-
**---------- TODO Internal link. ------------- ----**
168-
169-
[To learn more, see Ingestion from customer storage – Bring your own storage (BYOS)](https://microsoft-my.sharepoint.com/:w:/p/noakuper/EaLomLpNFA9GrWFbTGN_Jm0Bgw779xCC-Ww03hN9T0V4fQ?e=HVj1hH)
168+
For more information on bringing your own storage account, see [Customer-owned storage accounts for log ingestion](private-storage.md)
170169

171170
## Restrictions and Limitations with Azure Monitor Private Link
172171

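Review bot: good to see the `TODO Internal link` marker and the microsoft-my.sharepoint.com URL gone; an internal, author-scoped link in public docs is both a dead link for readers and a small information leak. The new target `private-storage.md` matches the file renamed in this commit. The replacement sentence is missing its trailing period, and the same placeholder pattern still exists earlier in this file at "[link to go here]".
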
@@ -176,21 +175,20 @@ Use Agent version >= 18.20.18038.0
176175

177176
### Log Analytics Linux Agent
178177

179-
Use Agent version >= 1.12.25.
180-
If they cannot, do below on the VM
178+
Use Agent version >= 1.12.25. If you cannot, run the following commands on your VM.
181179

182180
```cmd
183181
$ sudo /opt/microsoft/omsagent/bin/omsadmin.sh -X
184182
$ sudo /opt/microsoft/omsagent/bin/omsadmin.sh -w <workspace id> -s <workspace key>
185183
```
186184

187-
### ARM Queries
185+
### Azure Resource Manager queries
188186

189-
Experience that query the ARM API will not work unless you add the Service Tag **AzureResourceManager** to your firewall
187+
Querying the Azure Resource Manager API does not work unless you add the Service Tag **AzureResourceManager** to your firewall.
190188

191189
### AI SDK Downloads from CDN
192190

193-
Customers should bundle the JavaScript code in their script, so that the browser does not reach out to CDN to download the code.
191+
You should bundle the JavaScript code in your script, so that the browser does not attempt to download code from a CDN.
194192
An example is provided on [GitHub](https://github.com/microsoft/ApplicationInsights-JS#npm-setup-ignore-if-using-snippet-setup)
195193

196194
### LA Solution download

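Review bot: the fenced block under "Log Analytics Linux Agent" is tagged `cmd` but contains Linux shell commands written with `$` prompts; tag it `bash` and drop the prompts so the two lines can be pasted as-is. The surrounding text says only "run the following commands", so a sentence on what each line does would help, and since the second line passes `<workspace key>` on the command line, a note that the key is a secret that lands in shell history would be appropriate. Finally, `### AI SDK Downloads from CDN` would read better with "Application Insights" spelled out, consistent with expanding "ARM Queries" to "Azure Resource Manager queries" in this same hunk.
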
articles/azure-monitor/platform/private-link-storage.md renamed to articles/azure-monitor/platform/private-storage.md

Lines changed: 12 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -12,20 +12,22 @@ ms.date: 05/20/2020
1212
# Customer-owned storage accounts for log ingestion in Azure Monitor
1313
Storage accounts are used by Azure Monitor in the ingestion process of some data types such as [custom logs](data-sources-custom-logs.md) and some [Azure logs](azure-storage-iis-table.md). During the ingestion process, logs are first sent to a storage account and later ingested into Log Analytics or Application Insights. Customers that want control over their data during ingestion can use their own storage accounts instead of the service-managed storage. The use of customer storage account provides customers control over the access, content, encryption, and retention of the logs during ingestion. We refer to this as Bring Your Own Storage, or BYOS.
1414

15-
One scenario that requires this feature is network isolation through Private Links. When using a VNet, network isolation is often a requirement, and access to the public internet is limited. In such cases, accessing Azure Monitor service storage for log ingestion is either completely blocked, or simply considered a bad practice. Logs should instead be ingested through a customer-owned storage account inside the VNet or easily accessible from it.
15+
One scenario that requires this feature is network isolation through Private Links. When using a VNet, network isolation is often a requirement, and access to the public internet is limited. In such cases, accessing Azure Monitor service storage for log ingestion is either completely blocked, or considered a bad practice. Instead, Logs should be ingested through a customer-owned storage account inside the VNet or easily accessible from it.
1616

17-
Another scenario is the encryption of logs with Customer Managed Keys (CMK). Customers can encrypt logged data by using CMK on the clusters that store the logs. The same key can also be used to encrypt logs during the ingestion process.
17+
Another scenario is the encryption of logs with Customer-Managed Keys (CMK). Customers can encrypt logged data by using CMK on the clusters that store the logs. The same key can also be used to encrypt logs during the ingestion process.
1818

1919
## Data types supported
2020
Data types that are ingested from a storage account include the following. See [Collect data from Azure diagnostics extension to Azure Monitor Logs](azure-storage-iis-table.md) for more information about the ingestion of these types.
2121

22-
- IIS logs (Blob: wad-iis-logfiles)
23-
- Windows event logs (Table: WADWindowsEventLogsTable)
24-
- Syslog (Table: LinuxsyslogVer2v0)
25-
- Windows ETW logs (Table: WADETWEventTable)
26-
- Service fabric (Table: WADServiceFabricSystemEventTable, WADServiceFabricReliableActorEventTable, WADServiceFabricReliableServiceEventTable)
27-
- Custom logs
28-
- Azure Security Center Watson dump files
22+
| Type | Table information |
23+
|:-----|:------------------|
24+
| IIS logs | Blob: wad-iis-logfiles|
25+
|Windows event logs | Table: WADWindowsEventLogsTable |
26+
| Syslog | Table: LinuxsyslogVer2v0 |
27+
| Windows ETW logs | Table: WADETWEventTable|
28+
| Service fabric | Table: WADServiceFabricSystemEventTable <br/> WADServiceFabricReliableActorEventTable<br/> WADServiceFabricReliableServicEventTable |
29+
| Custom logs | n/a |
30+
| Azure Security Center Watson dump files | n/a|
2931

3032
## Storage account requirements
3133
The storage account must meet the following requirements:
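Review bot: the list-to-table conversion introduces a typo in a table name. The original bullet had `WADServiceFabricReliableServiceEventTable`; the new Service fabric row has `WADServiceFabricReliableServicEventTable`, missing the `e` in `Service`. Readers match these names against the actual storage tables, so restore the original spelling. Also "Instead, Logs should be ingested" should be lowercase "logs".
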
@@ -210,7 +212,7 @@ Agent configuration will be refreshed after a few minutes, and they will switch
210212
## Manage storage account
211213

212214
### Load
213-
Storage accounts can handle a certain load of read and write requests before they start throttling requests. Throttling affects the time it takes to ingest logs and may results in lost data. If your storage is overloaded, register additional storage accounts and spread the load between them.
215+
Storage accounts can handle a certain load of read and write requests before they start throttling requests. Throttling affects the time it takes to ingest logs and may result in lost data. If your storage is overloaded, register additional storage accounts and spread the load between them.
214216

215217
### Related charges
216218
Storage accounts are charged by the volume of stored data, types of storage, and type of redundancy. For details see [Block blob pricing](https://azure.microsoft.com/pricing/details/storage/blobs/) and [Table Storage pricing](https://azure.microsoft.com/pricing/details/storage/tables/).

articles/azure-monitor/toc.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -100,6 +100,8 @@
100100
href: platform/customer-managed-keys.md
101101
- name: Private Link networking
102102
href: platform/private-link-security.md
103+
- name: Private storage
104+
href: platform/private-stroage.md
103105
- name: Personal log data handling
104106
href: platform/personal-data-mgmt.md
105107
- name: Application data collection, retention, and storage

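Review bot: `href: platform/private-stroage.md` misspells the file name. The file renamed in this commit is `platform/private-storage.md`, and the cross-link added in private-link-security.md uses that spelling, so as written this new TOC entry is a broken link. Change it to `platform/private-storage.md`.
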