add portal instructions for disble ingess and made other small fixes

Author: cebundy

articles/container-apps/client-certificate-authorization.md

@@ -5,28 +5,22 @@ services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: how-to
-ms.date: 03/20/2023
+ms.date: 03/29/2023
 ms.author: cshoe
 ---
 
 # Configure client certificate authentication in Azure Container Apps
 
 Azure Container Apps supports client certificate authentication (also known as mutual TLS or mTLS) that allows access to your container app through two-way authentication. This article shows you how to configure client certificate authorization in Azure Container Apps.
 
-When client certificate are used, the TLS certificates are exchanged between the client and your container app to authenticate identity and encrypt traffic.  Client certificates are often used in "zero trust" security models to authorize client access within an organization.
+When client certificates are used, the TLS certificates are exchanged between the client and your container app to authenticate identity and encrypt traffic.  Client certificates are often used in "zero trust" security models to authorize client access within an organization.
 
 For example, you may want to require a client certificate for a container app that manages sensitive data.
 
 Container Apps accepts client certificates in the PKCS12 format are that issued by a trusted certificate authority (CA), or are self-signed.  
 
-<!--
-Anthony mentioned that the customer will be able to obtain a client certificate through Azure.  So this will need to be added to the doc.
--->
-
 >[!NOTE]
 > Client certificate authorization is only supported in Container Apps environments that use a [custom VNET](vnet-custom.md).
-> Question:  Are certificates available in the consumption tier?  Any other limitations?  
-> Should we include more use cases?
 
 ## Configure client certificate authorization
 
@@ -36,8 +30,7 @@ The client certificate mode property available as you enable [ingress](./ingress
 - `accept`: The client certificate is optional. If the client certificate isn't provided, the request is still accepted.
 - `ignore`: The client certificate is ignored. 
 
-When `require` or `accept` are set, ingress passes the client certificate to the container app.
-
+Ingress passes the client certificate to the container app if `require` or `accept` are set.
 
 The following ARM template example configures ingress to require a client certificate for all requests to the container app.
 

articles/container-apps/ingress-how-to.md

@@ -5,9 +5,10 @@ services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: how-to
-ms.date: 02/12/2023
+ms.date: 03/28/2023
 ms.author: cshoe
 ms.custom: ignite-fall-2021, event-tier1-build-2022
+zone_pivot_groups: arm-azure-cli-portal
 ---
 
 #  Configure Ingress for your app in Azure Container Apps
@@ -16,127 +17,28 @@ This article shows you how to enable [ingress](ingress-overview.md) features for
 
 ## Ingress settings
 
-You can set the following ingress properties:
+You can set the following ingress template properties:
 
 | Property | Description | Values | Required |
 |---|---|---|---|
-| `allowInsecure` | Allows insecure traffic to your container app. | `false` (default), `true`<br><br>If set to `true`, HTTP requests to port 80 aren't automatically redirected to port 443 using HTTPS, allowing insecure connections.| No |
+| `allowInsecure` | Allows insecure traffic to your container app. When set to `true` HTTP requests to port 80 aren't automatically redirected to port 443 using HTTPS, allowing insecure connections.| `false` (default), `true` enables insecure connections| No |
 | `clientCertificateMode` | Client certificate mode for mTLS authentication. Ignore indicates server drops client certificate on forwarding. Accept indicates server forwards client certificate but doesn't require a client certificate. Require indicates server requires a client certificate. | `Required`, `Accept`, `Ignore` (default) | No |
-| `customDomains` | Custom domain bindings for Container Apps' hostnames. See [Custom domains and certificates](custom-domains-certificates.md) | Array of bindings | No |
-| `exposedPort` | (TCP ingress only) An port for TCP ingress. If `external` is `true`, the value must be unique in the Container Apps environment if ingress is external. | A port number from `1` to `65535`. (can't be `80` or `443`) | No |
+| `customDomains` | Custom domain bindings for Container Apps' hostnames. See [Custom domains and certificates](custom-domains-certificates.md) | An array of bindings | No |
+| `exposedPort` | (TCP ingress only) The port TCP listens on. If `external` is `true`, the value must be unique in the Container Apps environment. | A port number from `1` to `65535`. (can't be `80` or `443`) | No |
 | `external` | Allow ingress to your app from outside its Container Apps environment. |`true` or `false`(default) | Yes |
-| `ipSecurityRestrictions` | IP ingress restrictions. See [Set up IP ingress restrictions](ip-restrictions.md) | array of rules | No |
+| `ipSecurityRestrictions` | IP ingress restrictions. See [Set up IP ingress restrictions](ip-restrictions.md) | An array of rules | No |
 | `stickySessions.affinity` | Enables [session affinity](sticky-sessions.md). | `none` (default), `sticky` | No |
 | `targetPort` | The port your container listens to for incoming requests. | Set this value to the port number that your container uses. For HTTP ingress, your application ingress endpoint is always exposed on port `443`. | Yes |
-| `traffic` | Traffic weights based on revision name or labels. See [Traffic splitting](traffic-splitting.md) | array of rules | No |
-| `transport` | The transport protocol type. | auto (default) detects HTTP/1 or HTTP/2,  `http` for HTTP/1, `http2` for HTTP/2, `tcp` for TCP. | No |
-
-<!--
-
-This is supposed to be the schema for ingress.  We haven't changed to this yet, but it's what we're planning on.
-
-https://github.com/Azure/azure-rest-api-specs/blob/4fcd6d4eb9153ff8dbbb2940d62c3789ca15e8ce/specification/app/resource-manager/Microsoft.App/stable/2022-10-01/ContainerApps.json#L703
-
-"Ingress": {
-      "description": "Container App Ingress configuration.",
-      "type": "object",
-      "properties": {
-        "fqdn": {
-          "description": "Hostname.",
-          "type": "string",
-          "readOnly": true
-        },
-        "external": {
-          "description": "Bool indicating if app exposes an external http endpoint",
-          "default": false,
-          "type": "boolean"
-        },
-        "targetPort": {
-          "format": "int32",
-          "description": "Target Port in containers for traffic from ingress",
-          "type": "integer"
-        },
-        "exposedPort": {
-          "format": "int32",
-          "description": "Exposed Port in containers for TCP traffic from ingress",
-          "type": "integer"
-        },
-        "transport": {
-          "description": "Ingress transport protocol",
-          "enum": [
-            "auto",
-            "http",
-            "http2",
-            "tcp"
-          ],
-          "type": "string",
-          "x-ms-enum": {
-            "name": "IngressTransportMethod",
-            "modelAsString": true
-          },
-          "default": "auto"
-        },
-        "traffic": {
-          "description": "Traffic weights for app's revisions",
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/TrafficWeight"
-          },
-          "x-ms-identifiers": [
-            "revisionName"
-          ]
-        },
-        "customDomains": {
-          "description": "custom domain bindings for Container Apps' hostnames.",
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/CustomDomain"
-          },
-          "x-ms-identifiers": [
-            "name"
-          ]
-        },
-        "allowInsecure": {
-          "description": "Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections",
-          "type": "boolean",
-          "default": false
-        },
-        "ipSecurityRestrictions": {
-          "description": "Rules to restrict incoming IP address.",
-          "type": "array",
-          "items": {
-            "$ref": "#/definitions/IpSecurityRestrictionRule"
-          },
-          "x-ms-identifiers": [
-            "name"
-          ]
-        },
-        "clientCertificateMode": {
-          "description": "Client certificate mode for mTLS authentication. Ignore indicates server drops client certificate on forwarding. Accept indicates server forwards client certificate but does not require a client certificate. Require indicates server requires a client certificate.",
-          "enum": [
-            "ignore",
-            "accept",
-            "require"
-          ],
-          "type": "string",
-          "x-ms-enum": {
-            "name": "IngressClientCertificateMode",
-            "modelAsString": true
-          }
-        },
-     }
-    },
--->
+| `traffic` | [Traffic splitting](traffic-splitting.md) weights split between revisions. | An array of rules | No |
+| `transport` | The transport protocol type. | auto (default) detects HTTP/1 or HTTP/2, `http` for HTTP/1, `http2` for HTTP/2, `tcp` for TCP. | No |
 
-## Enable ingress
 
-<!-- >[!NOTE]
-> Need to think about how to present the different options for enabling ingress.  Do we break the setting down to separate sections? 
-[Anthony] I think the descriptions in the above table should suffice for now.
--->
+## Enable ingress
 
 You can configure ingress for your container app using the Azure CLI, an ARM template, or the Azure portal.
 
+::: zone pivot="azure-cli"
+
 # [Azure CLI](#tab/azure-cli)
 
 This `az containerapp ingress enable` command enables ingress for your container app.  You must specify the target port, and you can optionally set the exposed port if your transport type is `tcp`.
@@ -146,7 +48,7 @@ az containerapp ingress enable \
     --name <app-name> \
     --resource-group <resource-group> \
     --target-port <target-port> \
-    --exposed-port tcp-exposed-port> \
+    --exposed-port <tcp-exposed-port> \
     --transport <transport> \
     --type <external>
     --allow-insecure
@@ -156,12 +58,17 @@ az containerapp ingress enable \
 
 | Option | Property | Description | Values | Required |
 | --- | --- | --- | --- | --- |
-| `--type` | external | Allow ingress to your app from outside its Container Apps environment. | `external` or `internal`  | Yes |
+| `--type` | external | Allow ingress to your app from anywhere, or limit ingress to its internal 
+ Container Apps environment. | `external` or `internal`  | Yes |
 |`--allow-insecure` | allowInsecure | Allow HTTP connections to your app. |  | No |
 | `--target-port` | targetPort | The port your container listens to for incoming requests. | Set this value to the port number that your container uses. Your application ingress endpoint is always exposed on port `443`. | Yes |
 |`--exposed-port` | exposedPort | (TCP ingress only) An port for TCP ingress. If `external` is `true`, the value must be unique in the Container Apps environment if ingress is external. | A port number from `1` to `65535`. (can't be `80` or `443`) | No |
 |`--transport` | transport | The transport protocol type. | auto (default) detects HTTP/1 or HTTP/2,  `http` for HTTP/1, `http2` for HTTP/2, `tcp` for TCP. | No |
 
+::: zone-end
+
+::: zone pivot="azure-portal"
+
 # [Portal](#tab/portal)
 
 Enable ingress for your container app by using the portal.
@@ -186,6 +93,9 @@ You can configure ingress when you create your container app by using the Azure
 
 The **Ingress** settings page for your container app also allows you to configure **IP Restrictions**.  For information to configure IP restriction, see [IP Restrictions](ip-restrictions.md).
 
+::: zone-end
+
+::: zone pivot="azure-resource-manager"
 
 # [ARM template](#tab/arm-template)
 
@@ -211,6 +121,10 @@ Enable ingress for your container app by using the `ingress` configuration prope
 
 ---
 
+::: zone-end
+
+::: zone pivot="azure-cli"
+
 ## Disable ingress
 
 # [Azure CLI](#tab/azure-cli)
@@ -223,17 +137,30 @@ az containerapp ingress disable \
     --resource-group <resource-group> \
 ```
 
+::: zone-end
+
+::: zone pivot="azure-portal"
+
 # [Portal](#tab/portal)
 
-Disable ingress for your container app by using the portal.
+You can disable ingress for your container app  using the portal.
+
+1. Select **Ingress** from the **Settings** menu of the container app page.
+1. Deselect the **Ingress** **Enabled** setting.
+1. Select **Save**.
+
+:::image type="content" source="media/ingress/screenshot-disable-ingress.png" alt-text="Sceenshot of  disabling container app ingress.":::
+
+::: zone-end
+
+::: zone pivot="azure-resource-manager"
 
 # [ARM template](#tab/arm-template)
 
-Disable ingress for your container app by omitting the `ingress` configuration property entirely.
+Disable ingress for your container app by omitting the `ingress` configuration property from `properties.configuration` entirely.
 
 ---
 
-
 ## Next steps
 
 > [!div class="nextstepaction"]

articles/container-apps/ingress-overview.md

@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: conceptual
-ms.date: 03/28/2023
+ms.date: 03/29/2023
 ms.author: cshoe
 ---
 
@@ -23,9 +23,10 @@ Ingress supports:
 - [Traffic splitting between revisions](#traffic-splitting)
 - [Session affinity](#session-affinity)
 
+<!--
 > [!NOTE]
 > Add diagram here,  Talked with Anthony about this.  He thought that we should consult Ahmed.  I think that we should have a diagram that shows the ingress options and how they work together.
-
+-->
 For configuration details, see [Configure ingress](ingress-how-to.md).
 
 ## External and internal ingress
@@ -80,15 +81,13 @@ With TCP ingress enabled, your container app:
 
 You can access your app in the following ways:
 
-- The default fully qualified domain name (FQDN).  Each app in a Container Apps environment is automatically assigned an FQDN based on the environment's DNS suffix. To customize an environment's DNS suffix, see [Custom environment DNS Suffix](environment-custom-dns-suffix.md).
+- The default fully qualified domain name (FQDN):  Each app in a Container Apps environment is automatically assigned an FQDN based on the environment's DNS suffix. To customize an environment's DNS suffix, see [Custom environment DNS Suffix](environment-custom-dns-suffix.md).
 - A custom domain name:  You can configure a custom DNS domain for your Container Apps environment.  For more information, see [Custom domain names and certificates](./custom-domains-certificates.md).
 - The app name: You can use the app name for communication between apps in the same environment.
 
 ## IP restrictions
 
-Container Apps supports IP restrictions for ingress. You can create rules to either configure IP addresses that are allowed or denied access to your container app.
-
-For more information, see [Configure IP restrictions](ip-restrictions.md).
+Container Apps supports IP restrictions for ingress. You can create rules to either configure IP addresses that are allowed or denied access to your container app. For more information, see [Configure IP restrictions](ip-restrictions.md).
 
 ## Authentication
 
@@ -103,7 +102,7 @@ Containers Apps allows you to split incoming traffic between active revisions.
 
 ## Session affinity
 
-Session affinity, also known as sticky sessions, is a feature that allows you to route all HTTP requests from a client to the same replica. This feature is useful for stateful applications that require a consistent connection to the same replica.  For more information, see [Session affinity](sticky-sessions.md).
+Session affinity, also known as sticky sessions, is a feature that allows you to route all HTTP requests from a client to the same container app replica. This feature is useful for stateful applications that require a consistent connection to the same replica.  For more information, see [Session affinity](sticky-sessions.md).
 
 ## Next steps
 

articles/container-apps/ip-restrictions.md

@@ -5,7 +5,7 @@ services: container-apps
 author: craigshoemaker
 ms.service: container-apps
 ms.topic: how-to
-ms.date: 03/20/2023
+ms.date: 03/28/2023
 ms.author: cshoe
 zone_pivot_groups: azure-cli-or-portal
 ---
@@ -14,7 +14,7 @@ zone_pivot_groups: azure-cli-or-portal
 
 Azure Container Apps allows you to limit inbound traffic to your container app by configuring IP ingress restrictions via ingress configuration.
 
-There are two types restrictions:
+There are two types of restrictions:
 
 * *Allow*: Allow inbound traffic only from address ranges you specify in allow rules.
 * *Deny*: Deny all inbound traffic only from address ranges you specify in deny rules.
@@ -46,9 +46,11 @@ You can manage IP access restrictions rules through the Azure portal or Azure CL
 1. Go to your container app in the Azure portal.
 1. Select **Ingress** from the left side menu.
 1. Select the **IP Security Restrictions Mode** toggle to enable IP restrictions.  You can choose to allow or deny traffic from the specified IP address ranges.
-1. Select **Add* to create the rule.
+1. Select **Add** to create the rule.
+
     :::image type="content" source="media/ingress/screenshot-ingress-page-ip-restrictions.png" alt-text="Screenshot of IP restriction settings on container app Ingress page.":::
-1. Enter information in the following fields:
+
+1. Enter values in the following fields:
 
     | Field | Description |
     |-------|-------------|
@@ -58,7 +60,7 @@ You can manage IP access restrictions rules through the Azure portal or Azure CL
 
 1. Select **Add**.
 1. Repeat steps 4-6 to add more rules.
-1. When you have finished adding rules, select **Save** to save the rules.
+1. When you have finished adding rules, select **Save**.
     :::image type="content" source="media/ingress/screenshot-save-ip-restriction.png" alt-text="Screenshot to save IP restrictions on container app Ingress page.":::
 
 ### Update a rule
@@ -185,4 +187,4 @@ az containerapp ingress access-restriction list
 ## Next steps
 
 > [!div class="nextstepaction"]
-> [Manage scaling](scale-app.md)
+> [Configure Ingress](ingress-how-to.md)

articles/container-apps/media/ingress/screenshot-disable-ingress.png

@@ -51,15 +51,15 @@ Session affinity is configured by setting the `affinity` property in the `ingres
 
 You can enable session affinity when you create your container app via the Azure portal. To enable session affinity:
 
-1. Go to the **App settings** tab.  
+1. On the **Create Container App** page, select the **App settings** tab.  
 1. In the **Application ingress settings** section, select **Enabled** for the **Session affinity** setting.  
 
 
 :::image type="content" source="media/ingress/screenshot-session-affinity.png" alt-text="Screenshot of the session affinity setting in Create Container App page.":::
 
 You can also enable or disable session affinity after your container app is created. To enable session affinity:
 
-1. Go your app in the portal.
+1. Go  to your app in the portal.
 1. Select **Ingress**.
 1. You can enable or disable **Session affinity** by selecting or deselecting **Enabled**.
 1. Select **Save**.