final updates

Author: mbender-ms

articles/private-link/network-security-perimeter-concepts.md

@@ -18,10 +18,10 @@ For access patterns involving traffic from virtual networks to PaaS resources, s
 
 Features of Network Security Perimeter include:
 
-- Service to service communication within perimeter members, preventing data exfiltration to non-authorized destinations.
-- Public network access control for PaaS resources.
-- Access logs for audit and compliance.
+- Resource to resource access communication within perimeter members, preventing data exfiltration to non-authorized destinations.
 - Manage external public access with explicit rules for PaaS resources associated with the perimeter.
+- Access logs for audit and compliance.
+- Unified experience across PaaS resources.
 
 
 
@@ -80,11 +80,11 @@ Network security perimeter provides a secure perimeter for communication of PaaS
 
 ## How does Network Security Perimeter work?
 
-When a network security perimeter is created and the PaaS resources are associated with the  perimeter, all public traffic is denied by default. Thus preventing data exfiltration outside the perimeter.
+When a network security perimeter is created and the PaaS resources are associated with the perimeter in enforced mode, all public traffic is denied by default thus preventing data exfiltration outside the perimeter.  
 
-Access rules can be used to approve public inbound and outbound traffic outside the perimeter. Public inbound access can be approved using network and identity attributes of the client such as source IP addresses and subscriptions. Public outbound access can be approved using FQDNs (Fully Qualified Domain Names) of the external destinations.
+Access rules can be used to approve public inbound and outbound traffic outside the perimeter. Public inbound access can be approved using Network and Identity attributes of the client such as source IP addresses, subscriptions. Public outbound access can be approved using FQDNs (Fully Qualified Domain Names) of the external destinations. 
 
-For example, when creating a network security perimeter and associating a set of PaaS resources, like Azure Key Vault and SQL DB, with the perimeter, all incoming and outgoing public traffic is denied to these PaaS resources by default. To allow any access outside the perimeter, necessary access rules can be created. Within the same perimeter, profiles can also be created to group PaaS resources with similar set of inbound and outbound access requirements.
+For example, upon creating a network security perimeter and associating a set of PaaS resources like Azure Key Vault and SQL DB in enforced mode, with the perimeter, all incoming and outgoing public traffic is denied to these PaaS resources by default. To allow any access outside the perimeter, necessary access rules can be created. Within the same perimeter, profiles may also be created to group PaaS resources with similar set of inbound and outbound access requirements.
 
 ## Onboarded private link resources
 A network security perimeter-aware private link resource is a PaaS resource that can be associated with a network security perimeter. Currently the list of onboarded private link resources are as follows:
@@ -98,16 +98,16 @@ A network security perimeter-aware private link resource is a PaaS resource that
 | Key Vault                 | Microsoft.KeyVault/vaults | - |
 | SQL DB                    | Microsoft.Sql/servers | - |
 | [Storage](/azure/storage/common/storage-network-security)               | Microsoft.Storage/storageAccounts | - |
-| Event Grid | Microsoft.EventGrid/topics</br>Microsoft.EventGrid/domains |	- |
 
+> [!NOTE]
+> 
 ## Limitations of network security perimeter
 
 ### Regional limitations
 
-Network security perimeter is currently available in all Azure public cloud regions. However, while enabling access logs for network security perimeter, consider the region availability of Azure monitor.
+Network security perimeter is currently available in all Azure public cloud regions. However, while enabling access logs for network security perimeter, the Log Analytics workspace to be associated with the network security perimeter needs to be located in one of the Azure Monitor supported regions. Currently, those regions are **East US**, **East US 2**, **North Central US**, **South Central US**, **West US**, and **West US 2**.
 
 > [!NOTE]
-> Though the network security perimeter can be created in any region, the Log analytics workspace to be associated with the network security perimeter needs to be located in one of the Azure Monitor supported regions.
 > For PaaS resource logs, use **Storage and Event Hub** as the log destination for any region associated to the same perimeter.
 
 [!INCLUDE [network-security-perimeter-limits](../../includes/network-security-perimeter-limits.md)]

articles/private-link/network-security-perimeter-diagnostic-logs.md

@@ -6,6 +6,7 @@ ms.author: mbender
 ms.service: azure-private-link
 ms.topic: conceptual
 ms.date: 11/04/2024
+ms.custom: references_regions
 #CustomerIntent: As a network administrator, I want to enable diagnostic logging for Network Security Perimeter, so that I can monitor and analyze the network traffic to and from my resources.
 ---
 
@@ -25,8 +26,8 @@ Access logs categories for a network security perimeter are based on the results
 | **NspPublicInboundPerimeterRulesDenied** | Public inbound access denied by network security perimeter. | Enforced |
 | **NspPublicOutboundPerimeterRulesAllowed** | Outbound access is allowed based on network security perimeter access rules. | Learning/Enforced |
 | **NspPublicOutboundPerimeterRulesDenied** | Public outbound access denied by network security perimeter. | Enforced |
-| **nspOutboundAttempt** | Outbound attempt within network security perimeter. | Learning/Enforced |
-| **nspIntraPerimeterInboundAllowed** | Inbound access within perimeter is allowed. | Learning/Enforced |
+| **NspOutboundAttempt** | Outbound attempt within network security perimeter. | Learning/Enforced |
+| **NspIntraPerimeterInboundAllowed** | Inbound access within perimeter is allowed. | Learning/Enforced |
 | **NspPublicInboundResourceRulesAllowed** | When network security perimeter rules deny, inbound access is allowed based on PaaS resource rules. | Learning |
 | **NspPublicInboundResourceRulesDenied** | When network security perimeter rules deny, inbound access denied by PaaS resource rules. | Learning |
 | **NspPublicOutboundResourceRulesAllowed** | When network security perimeter rules deny, outbound access allowed based on PaaS resource rules. | Learning |
@@ -43,6 +44,9 @@ You can enable diagnostic logging for a network security perimeter by using the
 
 :::image type="content" source="media/network-security-perimeter-diagnostic-logs/network-security-perimeter-diagnostic-settings.png" alt-text="Screenshot of diagnostic settings options for a network security perimeter.":::
 
+> [!NOTE]
+> When using Azure Monitor with a network security perimeter, the Log Analytics workspace to be associated with the network security perimeter needs to be located in one of the Azure Monitor supported regions. For more information on available regions, see [Regional limits for Network Security Perimeter](./network-security-perimeter-concepts.md#regional-limitations).
+
 ## Next steps
 
 > [!div class="nextstepaction"]

includes/network-security-perimeter-limits.md

@@ -7,7 +7,7 @@
  ms.topic: include
  ms.date: 10/28/2024
  ms.author: mbender-ms
- ms.custom: include file
+ ms.custom: include file, regions_references
 ---
 
 ### Scale limitations
@@ -19,14 +19,16 @@ Network security perimeter functionality can be used to support deployments of P
 | **Number of network security perimeters**  | Supported up to 100 as recommended limit per subscription. |
 | **Profiles per network security perimeters** | Supported up to 200 as recommended limit. |
 | **Number of rule elements per profile** | Supported up to 200 as hard limit. |
-| **Number of PaaS resources associated with the same network security perimeter** | Supported up to 1000 as recommended limit. |
+| **Number of PaaS resources across subscriptions associated with the same network security perimeter** | Supported up to 1000 as recommended limit. |
 
 ### Other limitations
 
 Network security perimeter has other limitations as follows:
 
 | **Limitation/Issue** | **Description** |
 |-----------------|-------------|
+| **Resource group move operation cannot be performed if multiple network security perimeters are present** | If there are multiple network security perimeters present in the same resource group, then the network security perimeter cannot be moved across resource groups/subscriptions. |
+| **Associations must be removed before deleting network security perimeter** | Forced delete option is currently unavailable. Thus all associations must be removed before deleting a network security perimeter. Only remove associations after taking precautions for allowing access previously controlled by network security perimeter. |
 | **Resource names cannot be longer than 44 characters to support network security perimeter** | The network security perimeter resource association created from the Azure portal has the format `{resourceName}-{perimeter-guid}`. To align with the requirement name field can't have more than 80 characters, resources names would have to be limited to 44 characters. |
 | **Service endpoint traffic is not supported.** | It's recommended to use private endpoints for IaaS to PaaS communication. Currently, service endpoint traffic can be denied even when an inbound rule allows 0.0.0.0/0. |