Fixing links, rewriting networking concept section, removing redundant section in service endpoint article.

Author: roygara

articles/storage/elastic-san/elastic-san-best-practices.md

@@ -26,7 +26,7 @@ This article provides some general guidance on getting optimal performance with
 
 :::image type="content" source="media/elastic-san-best-practices/enable-accelerated-networking.png" alt-text="Screenshot of VM creation flow, enable accelerated networking highlighted." lightbox="media/elastic-san-best-practices/enable-accelerated-networking.png":::
 
-- You must use 32 sessions per target volume for each volume to achieve its maximum IOPS and/or throughput limits. Use Multipath I/O (MPIO) on the client to manage these multiple sessions to each volume for load balancing. Scripts are available for [Windows](elastic-san-connect-windows.md#connect-to-volumes), [Linux](elastic-san-connect-linux.md#connect-to-volumes), or on the Connect to volume page for your volumes in the Azure portal, which uses 32 sessions by default. Windows software iSCSI initiator has a limit of maximum 256 sessions. If you need to connect more than eight volumes to a Windows VM, reduce the number of sessions to each volume as needed. 
+- You must use 32 sessions per target volume for each volume to achieve its maximum IOPS and/or throughput limits. Use Multipath I/O (MPIO) on the client to manage these multiple sessions to each volume for load balancing. Scripts are available for [Windows](elastic-san-connect-windows.md), [Linux](elastic-san-connect-linux.md), or on the Connect to volume page for your volumes in the Azure portal, which uses 32 sessions by default. Windows software iSCSI initiator has a limit of maximum 256 sessions. If you need to connect more than eight volumes to a Windows VM, reduce the number of sessions to each volume as needed. 
 
 #### Azure VMware Solution
 

articles/storage/elastic-san/elastic-san-configure-service-endpoints.md

@@ -180,103 +180,23 @@ You can manage virtual network rules for volume groups through the Azure portal,
     >
     > You can use the **subscription** parameter to retrieve the subnet ID for a virtual network belonging to another Microsoft Entra tenant.
 
-    ```azurecli
-    az elastic-san volume-group show -e $sanName -g $RgName -n $volumeGroupName
-
-    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage.Global"
-
-    # First, get the current length of the list of virtual networks to ensure you append a new network instead of replacing existing ones.
-    virtualNetworkListLength = az elastic-san volume-group show -e $sanName -n $volumeGroupName -g $RgName --query 'length(networkAcls.virtualNetworkRules)'
-    
-    az elastic-san volume-group update -e $sanName -g $RgName --name $volumeGroupName --network-acls virtual-network-rules[$virtualNetworkListLength] "{virtualNetworkRules:[{id:/subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/default, action:Allow}]}"
-    ```
-
-
-If you need to, you can remove network rules. As an example, the following command removes the first network rule, modify it to remove the network rule you'd like.
-    
-    ```azurecli
-    az elastic-san volume-group update -e $sanName -g $RgName -n $volumeGroupName --network-acls virtual-network-rules[1]=null
-    ```
-
----
-
-
-#### Configure virtual network rules
-
-All incoming requests for data over a service endpoint are blocked by default. Only applications that request data from allowed sources that you configure in your network rules are able to access your data. 
-
-You can manage virtual network rules for volume groups through the Azure portal, PowerShell, or CLI.
-
-> [!IMPORTANT]
-> To enable access to your storage account from a virtual network/subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal doesn't show subnets in other Microsoft Entra tenants.
->
-> If you delete a subnet that has been included in a network rule, it will be removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.
-
-### [Portal](#tab/azure-portal)
-
-1. Navigate to your SAN and select **Volume groups**.
-1. Select a volume group and select **Create**.
-1. Add an existing virtual network and subnet and select **Save**.
-
-### [PowerShell](#tab/azure-powershell)
-
-- List virtual network rules.
-- Enable service endpoint for Azure Storage on an existing virtual network and subnet.
-- Add a network rule for a virtual network and subnet.
-
-    ```azurepowershell
-    $Rules = Get-AzElasticSanVolumeGroup -ResourceGroupName $RgName -ElasticSanName $sanName -Name $volGroupName
-    $Rules.NetworkAclsVirtualNetworkRule
-
-    Get-AzVirtualNetwork -ResourceGroupName "myresourcegroup" -Name "myvnet" | Set-AzVirtualNetworkSubnetConfig -Name "mysubnet" -AddressPrefix "10.0.0.0/24" -ServiceEndpoint "Microsoft.Storage.Global" | Set-AzVirtualNetwork
-
-    $rule = New-AzElasticSanVirtualNetworkRuleObject -VirtualNetworkResourceId $Subnet.Id -Action Allow
-    
-    Add-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName $RgName -ElasticSanName $EsanName -VolumeGroupName $EsanVgName -NetworkAclsVirtualNetworkRule $rule
-    ```
-
-    > [!TIP]
-    > To add a network rule for a subnet in a virtual network belonging to another Microsoft Entra tenant, use a fully qualified **VirtualNetworkResourceId** parameter in the form "/subscriptions/subscription-ID/resourceGroups/resourceGroup-Name/providers/Microsoft.Network/virtualNetworks/vNet-name/subnets/subnet-name".
-
-- Remove a virtual network rule.
-
-    ```azurepowershell
-    ## You can remove a virtual network rule by object, by resource ID, or by removing all the rules in a volume group
-    ### remove by networkRule object
-    Remove-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName -NetworkAclsVirtualNetworkRule $virtualNetworkRule1,$virtualNetworkRule2
-    ### remove by networkRuleResourceId
-    Remove-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName -NetworkAclsVirtualNetworkResourceId "myResourceID"
-    ### Remove all network rules in a volume group by pipeline
-    ((Get-AzElasticSanVolumeGroup -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName).NetworkAclsVirtualNetworkRule) | Remove-AzElasticSanVolumeGroupNetworkRule -ResourceGroupName myRGName -ElasticSanName mySANName -VolumeGroupName myVolGroupName
-    ```
+```azurecli
+az elastic-san volume-group show -e $sanName -g $RgName -n $volumeGroupName
 
-### [Azure CLI](#tab/azure-cli)
+az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage.Global"
 
-- List information from a particular volume group, including their virtual network rules.
-- Enable service endpoint for Azure Storage on an existing virtual network and subnet.
-- Add a network rule for a virtual network and subnet.
+# First, get the current length of the list of virtual networks to ensure you append a new network instead of replacing existing ones.
+virtualNetworkListLength = az elastic-san volume-group show -e $sanName -n $volumeGroupName -g $RgName --query 'length(networkAcls.virtualNetworkRules)'
 
-    > [!TIP]
-    > To add a rule for a subnet in a virtual network belonging to another Microsoft Entra tenant, use a fully-qualified subnet ID in the form `/subscriptions/\<subscription-ID\>/resourceGroups/\<resourceGroup-Name\>/providers/Microsoft.Network/virtualNetworks/\<vNet-name\>/subnets/\<subnet-name\>`.
-    >
-    > You can use the **subscription** parameter to retrieve the subnet ID for a virtual network belonging to another Microsoft Entra tenant.
-
-    ```azurecli
-    az elastic-san volume-group show -e $sanName -g $RgName -n $volumeGroupName
-
-    az network vnet subnet update --resource-group "myresourcegroup" --vnet-name "myvnet" --name "mysubnet" --service-endpoints "Microsoft.Storage.Global"
+az elastic-san volume-group update -e $sanName -g $RgName --name $volumeGroupName --network-acls virtual-network-rules[$virtualNetworkListLength] "{virtualNetworkRules:[{id:/subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/default, action:Allow}]}"
+```
 
-    # First, get the current length of the list of virtual networks. This is needed to ensure you append a new network instead of replacing existing ones.
-    virtualNetworkListLength = az elastic-san volume-group show -e $sanName -n $volumeGroupName -g $RgName --query 'length(networkAcls.virtualNetworkRules)'
-    
-    az elastic-san volume-group update -e $sanName -g $RgName --name $volumeGroupName --network-acls virtual-network-rules[$virtualNetworkListLength] "{virtualNetworkRules:[{id:/subscriptions/subscriptionID/resourceGroups/RGName/providers/Microsoft.Network/virtualNetworks/$VnetName/subnets/default, action:Allow}]}"
-    ```
 
-- Remove a network rule. The following command removes the first network rule, modify it to remove the network rule you'd like.
+If you need to, you can remove network rules. As an example, the following command removes the first network rule, modify it to remove the network rule you'd like.
 
-    ```azurecli
-    az elastic-san volume-group update -e $sanName -g $RgName -n $volumeGroupName --network-acls virtual-network-rules[1]=null
-    ```
+```azurecli
+az elastic-san volume-group update -e $sanName -g $RgName -n $volumeGroupName --network-acls virtual-network-rules[1]=null
+```
 
 ---
 

articles/storage/elastic-san/elastic-san-networking-concepts.md

@@ -52,13 +52,15 @@ When you create a SAN, you can enable or disable public internet access to your
 >
 > Cross-region service endpoints and local ones can't coexist on the same subnet. To use cross-region service endpoints, delete existing **Microsoft.Storage** endpoints and recreate them as **Microsoft.Storage.Global**.
 
-## Virtual network rules
+## Control network traffic
 
-To further secure access to your Elastic SAN volumes, you can create virtual network rules for volume groups configured with service endpoints to allow access from specific subnets. You don't need network rules to allow traffic from a private endpoint since the storage firewall only controls access through public endpoints.
+### Private endpoints
 
-Each volume group supports up to 200 virtual network rules. If you delete a subnet that has been included in a network rule, it's removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group. Clients granted access via these network rules must also be granted the appropriate permissions to the Elastic SAN to volume group. To learn how to define network rules, see [Configure virtual network rules](elastic-san-configure-service-endpoints.md#configure-virtual-network-rules).
+When you approve the creation of a private endpoint, it grants implicit access to all traffic from the subnet hosting the private endpoint. If you need to control traffic at a more granular level, use [Network Policies](../../private-link/disable-private-endpoint-network-policy.md).
 
-Network rules only apply to the public endpoints of a volume group, not private endpoints. Approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. To refine access rules and control traffic over private endpoints, use [Network Policies](../../private-link/disable-private-endpoint-network-policy.md).
+### Service endpoints
+
+You need to configure virtual network rules when using service endpoints because Service endpoints block all incoming requests for data by blocked by default. Each volume group in your Elastic SAN supports up to 200 virtual network rules. If you delete a subnet that has been included in a network rule, it's removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group. Clients granted access via these network rules must also be granted the appropriate permissions to the Elastic SAN to volume group. To learn how to define network rules, see [Configure virtual network rules](elastic-san-configure-service-endpoints.md#configure-virtual-network-rules)
 
 ## Data Integrity