Commit 2154f13

im-samz and ggailey777 authored
Apply suggestions from code review
Co-authored-by: Glenn Gailey <[email protected]>
1 parent dc82287 commit 2154f13

5 files changed

+29
-24
lines changed

articles/azure-functions/configure-networking-how-to.md

Lines changed: 8 additions & 8 deletions
@@ -12,26 +12,26 @@ This article shows you how to connect your function app to a secured storage acc
1212

1313
## Restrict your storage account to a virtual network
1414

15-
When you create a function app, you either create a new storage account or link to an existing one. Currently, only the Azure Portal, [ARM template deployments, and Bicep deployments](functions-infrastructure-as-code.md#secured-deployments) support function app creation with an existing secured storage account.
15+
When you create a function app, you either create a new storage account or link to an existing one. Currently, only the Azure portal, [ARM template deployments](functions-infrastructure-as-code.md?tabs=json&pivots=premium-plan#secured-deployments), and [Bicep deployments](functions-infrastructure-as-code.md?tabs=bicep&pivots=premium-plan#secured-deployments) support function app creation with an existing secured storage account.
1616

1717
> [!NOTE]
1818
> Securing your storage account is supported for all tiers of the [Dedicated (App Service) plan](./dedicated-plan.md) and the [Elastic Premium plan](./functions-premium-plan.md), as well as in the [Flex Consumption plan](./flex-consumption-plan.md).
19-
> The Consumption plan doesn't support virtual networks.
19+
> The [Consumption plan](consumption-plan.md) doesn't support virtual networks.
2020
2121
For a list of all restrictions on storage accounts, see [Storage account requirements](storage-considerations.md#storage-account-requirements).
2222

2323
[!INCLUDE [functions-flex-preview-note](../../includes/functions-flex-preview-note.md)]
2424

2525
## Secure storage during function app creation
2626

27-
You can create a function app along with a new storage account that is secured behind a virtual network. The following links show you how to create these resources by using either the Azure Portal or by using deployment templates:
27+
You can create a function app along with a new storage account that is secured behind a virtual network. The following links show you how to create these resources by using either the Azure portal or by using deployment templates:
2828

2929
### [Azure portal](#tab/portal)
3030

31-
Complete the following tutorial section to create a new function app that connects to storage over private endpoints: [Use private endpoints to integrate Azure Functions with a virtual network](functions-create-vnet.md#create-a-function-app-in-a-premium-plan).
31+
Complete the steps in [Create a function app in a Premium plan](functions-create-vnet.md#create-a-function-app-in-a-premium-plan). This section of the virtual networking tutorial shows you how to create a function app that connects to storage over private endpoints.
3232

3333
> [!NOTE]
34-
> The Azure Portal also allows you to select an existing secured storage account in the **Storage tab**. However, it is up to you to configure the appropriate networking on the function app so that it can connect through the virtual network the storage account is configured to accept traffic from. If you do not have permissions to configure networking, you may select **Configure networking after creation** in the **Networking tab**.
34+
> When you create your function app in the Azure portal, you can also choose an existing secured storage account in the **Storage** tab. However, you must configure the appropriate networking on the function app so that it can connect through the virtual network used to secure the storage account. If you don't have permissions to configure networking or you haven't fully prepared your network, select **Configure networking after creation** in the **Networking** tab. You can configure networking for your new function app in the portal under **Settings** > **Networking**.
3535
3636
### [Deployment templates](#tab/templates)
3737

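Review bot: On new line 15, both the ARM and Bicep links now pin `pivots=premium-plan`, yet the note on line 18 says a secured storage account is also supported in the Dedicated and Flex Consumption plans, so readers on those plans land on the wrong pivot. Consider dropping the pivot from the query string, or confirm that the Premium pivot is the intended landing point for every plan. Smaller points: line 19 links `consumption-plan.md` without the `./` prefix used by the neighboring plan links, and line 27 still reads "by using either the Azure portal or by using deployment templates", which would be cleaner as "by using either the Azure portal or deployment templates".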
@@ -41,9 +41,9 @@ Use Bicep files or Azure Resource Manager (ARM) templates to create a secured fu
4141

4242
## Secure storage for an existing function app
4343

44-
When you have an existing function app, you can directly configure networking on the storage account being used by the app. Doing so will result in your app being down while you configure the appropriate corresponding networking on the app and while it restarts after changes have been made.
44+
When you have an existing function app, you can directly configure networking on the storage account being used by the app. This process results in your app being down while you configure networking and while your app restarts.
4545

46-
If you'd like to minimize downtime, you can instead swap-out an existing storage account for a new, secured storage account.
46+
To minimize downtime, you can instead swap-out an existing storage account for a new, secured storage account.
4747

4848
### 1. Enable virtual network integration
4949

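Review bot: On new line 44, "while you configure networking" no longer says where; the old text tied the downtime to configuring the corresponding networking on the app, and without that the sentence reads as if it refers only to the storage account. Suggest "while you configure networking on the app and while the app restarts". On line 46, "swap-out" is used as a verb and shouldn't be hyphenated: "swap out an existing storage account".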
@@ -76,7 +76,7 @@ Now you're ready to configure your function app to communicate with the newly se
7676
### 3. Enable application and configuration routing
7777

7878
> [!NOTE]
79-
> This step and the following step are only required for the [Elastic Premium](./functions-premium-plan.md) and [Dedicated (App Service)](./dedicated-plan.md) hosting plans.
79+
> These configuration steps are only required for the [Elastic Premium](./functions-premium-plan.md) and [Dedicated (App Service)](./dedicated-plan.md) hosting plans.
8080
> The [Flex Consumption plan](./flex-consumption-plan.md) doesn't require site settings to configure networking.
8181
8282
You should now route your function app's traffic to go through the virtual network.
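Review bot: On new line 79, "These configuration steps" has no clear referent under the "3. Enable application and configuration routing" heading, whereas the old wording pointed at "This step and the following step". Name the steps explicitly, for example by their step numbers, so that readers on the Flex Consumption plan know exactly which ones they can skip.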

articles/azure-functions/functions-app-settings.md

Lines changed: 4 additions & 4 deletions
@@ -826,17 +826,17 @@ When running locally, you instead use the [`FUNCTIONS_WORKER_RUNTIME_VERSION`](f
826826

827827
### vnetContentShareEnabled
828828

829-
The Functions Premium plan relies on a file share to store app content. The name of this content share is stored in the [WEBSITE\_CONTENTSHARE](#website_contentshare) app setting and its connection string is stored in [WEBSITE\_CONTENTAZUREFILECONNECTIONSTRING](#website_contentazurefileconnectionstring). To route traffic between your function app and content share through a virtual network, you'll need to set vnetContentShareEnabled to `true`. Enabling this site property is a requirement when [restricting your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) in the Elastic Premium and Dedicated hosting plans.
829+
Apps running in a Premium plan use a file share to store content. The name of this content share is stored in the [`WEBSITE_CONTENTSHARE`](#website_contentshare) app setting and its connection string is stored in [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](#website_contentazurefileconnectionstring). To route traffic between your function app and content share through a virtual network, you must also set `vnetContentShareEnabled` to `true`. Enabling this site property is a requirement when [restricting your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) in the Elastic Premium and Dedicated hosting plans.
830830

831-
This site property replaces the legacy [WEBSITE\_CONTENTOVERVNET](#website_contentovervnet) setting.
831+
This site property replaces the legacy [`WEBSITE_CONTENTOVERVNET`](#website_contentovervnet) setting.
832832

833833
### vnetImagePullEnabled
834834

835-
Azure Functions [supports function apps running in Linux containers](functions-how-to-custom-container.md). To connect and pull from a container registry inside a virtual network, you'll need to set vnetImagePullEnabled to `true`. This site property is supported in the Elastic Premium and Dedicated hosting plans. The Flex Consumption plan does not rely on site properties or app settings to configure Networking, see [Flex Consumption plan deprecations](#flex-consumption-plan-deprecations).
835+
Functions [supports function apps running in Linux containers](functions-how-to-custom-container.md). To connect and pull from a container registry inside a virtual network, you must set `vnetImagePullEnabled` to `true`. This site property is supported in the Elastic Premium and Dedicated hosting plans. The Flex Consumption plan doesn't rely on site properties or app settings to configure Networking. For more information, see [Flex Consumption plan deprecations](#flex-consumption-plan-deprecations).
836836

837837
### vnetRouteAllEnabled
838838

839-
Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of `true` indicates that all application traffic is routed through the virtual network. You'll need this setting when configuring [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration) in the Elastic Premium and Dedicated hosting plans. It's also used when a [virtual network NAT gateway is used to define a static outbound IP address](functions-how-to-use-nat-gateway.md). For more information, see [Configure application routing](../app-service/configure-vnet-integration-routing.md#configure-application-routing).
839+
Indicates whether all outbound traffic from the app is routed through the virtual network. A setting value of `true` indicates that all application traffic is routed through the virtual network. Use this setting when configuring [Regional virtual network integration](functions-networking-options.md#regional-virtual-network-integration) in the Elastic Premium and Dedicated plans. It's also used when a [virtual network NAT gateway is used to define a static outbound IP address](functions-how-to-use-nat-gateway.md). For more information, see [Configure application routing](../app-service/configure-vnet-integration-routing.md#configure-application-routing).
840840

841841
This site setting replaces the legacy [WEBSITE\_VNET\_ROUTE\_ALL](#website_vnet_route_all) setting.
842842

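Review bot: Line 841 (unchanged context) still writes the legacy setting as `[WEBSITE\_VNET\_ROUTE\_ALL]` with escaped underscores, while line 831 in this same hunk was converted to a code-formatted `WEBSITE_CONTENTOVERVNET` link, so the three site-property sections are now inconsistent. Apply the same code formatting on line 841. Also on line 835, "configure Networking" capitalizes a common noun mid-sentence; lowercase it unless it refers to a named portal page.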
articles/azure-functions/functions-networking-options.md

Lines changed: 4 additions & 4 deletions
@@ -304,13 +304,13 @@ When testing functions in a function app with private endpoints, you must do you
304304
* `https://functions.azure.com`
305305
* `https://portal.azure.com`
306306

307-
If you've restricted access to your Function app with private endpoints or any other access restriction, you'll need to allow-list the service tag `AzureCloud`. To do this, complete the following steps:
307+
If you've restricted access to your function app with private endpoints or any other access restriction, you also must add the service tag `AzureCloud` to the allow-list. To update the allow-list:
308308

309-
1. Navigate to the **Networking blade** of your Function app and select **Public network access** under Inbound access configuration.
309+
1. Navigate to your function app and select **Settings** > **Networking** and then select **Inbound access configuration** > **Public network access**.
310310

311-
1. Ensure that Public network access is set to **Enabled from select virtual networks and IP addresses**.
311+
1. Make sure that **Public network access** is set to **Enabled from select virtual networks and IP addresses**.
312312

313-
1. **Add a rule** under Site access and rules.
313+
1. **Add a rule** under Site access and rules:
314314

315315
1. Select `Service Tag` as the Source settings **Type** and `AzureCloud` as the **Service Tag**.
316316

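Review bot: On new line 307, the reader is told to add the `AzureCloud` service tag to the allow-list of an app they have just restricted, but neither the sentence nor the steps say why the rule is needed or what it admits. Add a clause that ties the rule to the portal testing scenario this section covers, so that the reader can judge whether to keep it in place afterward. Wording and formatting: "you also must add" reads better as "you must also add"; on line 313 the UI label "Site access and rules" isn't bolded although line 311 bolds **Public network access**; and line 315 uses code formatting for the UI values `Service Tag` and `AzureCloud` where the other labels in the list use bold.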
articles/azure-functions/run-functions-from-deployment-package.md

Lines changed: 1 addition & 1 deletion
@@ -85,7 +85,7 @@ This section provides information about how to run your function app from a pack
8585

8686
<a name="troubleshooting"></a>
8787

88-
+ Function apps running on Windows will experience a slight increase in cold starts when the application package is deployed to a URL endpoint via `WEBSITE_RUN_FROM_PACKAGE = <URL>`.
88+
+ Function apps running on Windows experience a slight increase in [cold start time](event-driven-scaling.md#cold-start) when the application package is deployed to a URL endpoint via `WEBSITE_RUN_FROM_PACKAGE = <URL>`.
8989
+ When you specify a URL, you must also [manually sync triggers](functions-deployment-technologies.md#trigger-syncing) after you publish an updated package.
9090
+ The Functions runtime must have permissions to access the package URL.
9191
+ You shouldn't deploy your package to Azure Blob Storage as a public blob. Instead, use a private container with a [Shared Access Signature (SAS)](../storage/common/storage-sas-overview.md) or [use a managed identity](#fetch-a-package-from-azure-blob-storage-using-a-managed-identity) to enable the Functions runtime to access the package.

articles/azure-functions/storage-considerations.md

Lines changed: 12 additions & 7 deletions
@@ -38,13 +38,13 @@ Storage accounts created as part of the function app create flow in the Azure po
3838

3939
+ The account type must support Blob, Queue, and Table storage. Some storage accounts don't support queues and tables. These accounts include blob-only storage accounts and Azure Premium Storage. To learn more about storage account types, see [Storage account overview](../storage/common/storage-account-overview.md).
4040

41-
+ You can't use network secured storage accounts with function apps hosted in the [Consumption plan](consumption-plan.md).
41+
+ You can't use a network-secured storage account when your function app is hosted in the [Consumption plan](consumption-plan.md).
4242

4343
+ When creating your function app in the portal, you're only allowed to choose an existing storage account in the same region as the function app you're creating. This is a performance optimization and not a strict limitation. To learn more, see [Storage account location](#storage-account-location).
4444

4545
+ When creating your function app on a plan with [availability zone support](../reliability/reliability-functions.md#availability-zone-support) enabled, only [zone-redundant storage accounts](../storage/common/storage-redundancy.md#zone-redundant-storage) are supported.
4646

47-
When creating a function app with a network secured storage account in the Elastic Premium or Dedicated (App Service) plan using deployment automation, you must include specific networking configurations in your ARM template or Bicep file. When you don't include these settings and resources, your automated deployment might fail in validation. For more specific ARM and Bicep guidance, see [Secured deployments](functions-infrastructure-as-code.md#secured-deployments). For an overview on configuring storage accounts with networking, see [How to use a secured storage account with Azure Functions](configure-networking-how-to.md).
47+
When using deployment automation to create your function app with a network-secured storage account, you must include specific networking configurations in your ARM template or Bicep file. When you don't include these settings and resources, your automated deployment might fail in validation. For more specific ARM and Bicep guidance, see [Secured deployments](functions-infrastructure-as-code.md#secured-deployments). For an overview on configuring storage accounts with networking, see [How to use a secured storage account with Azure Functions](configure-networking-how-to.md).
4848

4949
## Storage account guidance
5050

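Review bot: On new line 47, the rewrite drops the qualifier "in the Elastic Premium or Dedicated (App Service) plan", so the requirement to include specific networking configurations in the ARM template or Bicep file now reads as applying to every plan. If that broadening is intentional, say so in the review thread; otherwise restore the plan names. The `#secured-deployments` link on this line also lacks the `tabs` and `pivots` parameters that the same commit adds to the equivalent links in configure-networking-how-to.md, so choose one form and use it in both files.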
@@ -162,15 +162,20 @@ Creating your function app resources using methods other than the Azure CLI requ
162162

163163
## Create an app without Azure Files
164164

165-
Azure Files is set up by default for the Elastic Premium plan and Consumption plans running on Windows. This section is only relevant to these hosting plans.
165+
The Azure Files service provides a shared file system that supports high-scale scenarios. When your function app runs on Windows in an Elastic Premium or Consumption plan, an Azure Files share is created by default in your storage account. That share is used by Functions to enable certain features, like log streaming. It is also used as a shared package deployment location, which guarantees the consistency of your deployed function code across all instances.
166166

167-
Azure Files serves as a shared file system in high-scale scenarios. The file system it provides is used by the platform for some features such as log streaming, but it primarily ensures consistency of the deployed app content across all instances. When using the default deployment method for the above plans, [zip deployment](./deployment-zip-push.md), your app content is stored here.
167+
By default, function apps hosted in Premium and Consumption plans use [zip deployment](./deployment-zip-push.md), with deployment packages stored in this Azure file share. This section is only relevant to these hosting plans.
168168

169-
Because Azure Files requires the use of a connection string stored in the app setting `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`, removing your app's dependency on Azure Files is recommended for scenarios where storage keys must be disabled. This can be achieved by creating your app without Azure Files.
169+
Using Azure Files requires the use of a connection string, which is stored in your app settings as [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](functions-app-settings.md#website_contentazurefileconnectionstring). Azure Files doesn't currently supported identity-based connections. If your scenario requires you to not store any secrets in app settings, you must remove your app's dependency on Azure Files. You can do this by creating your app without the default Azure Files dependency.
170170

171-
To run your app without Azure Files, you must meet the following requirements:
171+
>[!NOTE]
172+
>You should also consider running in your function app in the Flex Consumption plan, which is currently in preview. The Flex Consumption plan provides greater control over the deployment package, including the ability use managed identity connections. For more information, see [Configure deployment settings](flex-consumption-how-to#configure-deployment-settings) in the Flex Consumption article.
173+
174+
To run your app without the Azure file share, you must meet the following requirements:
175+
176+
* You must [deploy your package to a remote Azure Blob storage container](./run-functions-from-deployment-package.md) and then set the URL that provides access to that package as the [`WEBSITE_RUN_FROM_PACKAGE`](functions-app-settings.md#website_run_from_package) app setting. This option lets you store your app content in Blob storage instead of Azure Files, which does support [managed identities](./run-functions-from-deployment-package.md#fetch-a-package-from-azure-blob-storage-using-a-managed-identity).
172177

173-
* You must [deploy your package to a remote URL](./run-functions-from-deployment-package.md) using the app setting `WEBSITE_RUN_FROM_PACKAGE = <URL>`. This option stores your app content in Azure Blob storage instead of Azure Files, and it supports [managed identity](./run-functions-from-deployment-package.md#fetch-a-package-from-azure-blob-storage-using-a-managed-identity).
178+
You are responsible for manually updating the deployment package and maintaining the deployment package URL, which likely contains a shared access signature (SAS).
174179
* Your app can't rely on a shared writeable file system.
175180
* The app can't use version 1.x of the Functions runtime.
176181
* Log streaming experiences in clients such as the Azure portal default to file system logs. You should instead rely on Application Insights logs.
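Review bot: New line 178 says the package URL "likely contains a shared access signature (SAS)", which undercuts the motivation on line 169: a SAS URL stored in `WEBSITE_RUN_FROM_PACKAGE` is itself a secret in app settings. For the no-secrets scenario the text should steer readers to the managed identity option linked on line 176 and present SAS as the fallback. Line 178 is also an unindented paragraph sitting between two `*` items, which splits the list; indent it under the bullet on line 176. Typos in the added lines: "doesn't currently supported" should be "doesn't currently support" (line 169), "running in your function app" should be "running your function app" and "the ability use" should be "the ability to use" (line 172), and the link target `flex-consumption-how-to#configure-deployment-settings` on line 172 is missing the `.md` extension. Line 167 says "Premium and Consumption plans" without the Windows qualifier that line 165 states.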
