Update L4 steps

EthanChangAED · web-flow · commit 4a6d52f4090b · 2024-10-24T00:05:11.000+08:00
diff --git a/articles/iot-operations/manage-layered-network/howto-configure-l4-cluster-layered-network.md b/articles/iot-operations/manage-layered-network/howto-configure-l4-cluster-layered-network.md
@@ -16,7 +16,7 @@ ms.service: azure-iot-operations
 
 [!INCLUDE [public-preview-note](../includes/public-preview-note.md)]
 
-Azure IoT Layered Network Management Preview is one of the Azure IoT Operations Preview components. However, it can be deployed individually to the top network layer for supporting the Azure IoT Operations in the lower layer. In the top level of your network layers (usually level 4 of the ISA-95 network architecture), the cluster and Layered Network Management service have direct internet access. Once the setup is completed, the Layered Network Management service is ready for receiving network traffic from the child layer and forwards it to Azure Arc.
+Azure IoT Layered Network Management Preview is a component to support Azure IoT Operations Preview. However, it needs to be deployed individually to the top network layer for supporting the Azure IoT Operations in the lower layer. In the top level of your network layers (usually level 4 of the ISA-95 network architecture), the cluster and Layered Network Management service have direct internet access. Once the setup is completed, the Layered Network Management service is ready for receiving network traffic from the child layer and forwards it to Azure Arc.
 
 ## Prerequisites
 Meet the following minimum requirements for deploying the Layered Network Management individually on the system.
@@ -50,7 +50,6 @@ The following steps for setting up [AKS Edge Essentials](/azure/aks/hybrid/aks-e
         az extension add --name k8s-extension
         ```
 
-    - [Install Azure CLI extension](/cli/azure/iot/ops) using `az extension add --name azure-iot-ops`.
 
 ## Create the K3S cluster
 
@@ -60,6 +59,8 @@ The following steps for setting up [AKS Edge Essentials](/azure/aks/hybrid/aks-e
     curl -sfL https://get.k3s.io | sh -s - --disable=traefik --write-kubeconfig-mode 644
     ```
     
+    Refer to the [K3s quick-start guide](https://docs.k3s.io/quick-start) for more detail.
+
     > [!IMPORTANT]
     > Be sure to use the `--disable=traefik` parameter to disable treafik. Otherwise, you might have an issue when you try to allocate public IP for the Layered Network Management service in later steps.
 
@@ -78,64 +79,47 @@ The following steps for setting up [AKS Edge Essentials](/azure/aks/hybrid/aks-e
 
 # [AKS Edge Essentials](#tab/aksee)
 
-## Prepare Windows 11
-
-1. Install [Windows 11](https://www.microsoft.com/software-download/windows11) on your device.
-1. Install [Helm](https://helm.sh/docs/intro/install/) 3.8.0 or later.
-1. Install [Kubectl](https://kubernetes.io/docs/tasks/tools/).
-1. Install AKS Edge Essentials. Follow the steps in [Prepare your machines for AKS Edge Essentials](/azure/aks/hybrid/aks-edge-howto-setup-machine).
-1. Install Azure CLI. Follow the steps in [Install Azure CLI on Windows](/cli/azure/install-azure-cli-windows).
-1. Install connectedk8s using the following command:
-
-    ```bash
-    az extension add --name connectedk8s
-    az extension add --name k8s-extension
-    ```
-
-1. [Install Azure CLI extension](/cli/azure/iot/ops) using `az extension add --name azure-iot-ops`.
+For hosting the Layered Network Management service, you need a single machine deployment of AKS Edge Essentials. You can follow the AKS Edge Essentials documentation to create your cluster with default confiurations.
 
-## Create the AKS Edge Essentials cluster
+## Prepare Windows 11
 
-1. Verify you meet the [Prerequisites](/azure/aks/hybrid/aks-edge-quickstart#prerequisites) section of the AKS Edge Essentials quickstart.
-1. Follow the [Prepare your machines for AKS Edge Essentials](/azure/aks/hybrid/aks-edge-howto-setup-machine) steps to install AKS Edge Essentials on your Windows 11 machine.
-1. Follow the steps in the [Single machine deployment](/azure/aks/hybrid/aks-edge-howto-single-node-deployment) article.
-    Use the *New-AksEdgeDeployment* PowerShell command to create a file named **aks-ee-config.json**, make the following modifications:
-    - In the **Init** section, change the **ServiceIPRangeSize** property to **10**.
+1. Follow the steps in [Prepare your machines for AKS Edge Essentials](/azure/aks/hybrid/aks-edge-howto-setup-machine) to setup your Windows machine.
 
-        ```json
-        "Init": {
-            "ServiceIPRangeSize": 10
-          },
+1. In addition, you need to install the Azure CLI and extensions for later steps.
+    1. Install Azure CLI. Follow the steps in [Install Azure CLI on Windows](/cli/azure/install-azure-cli-windows).
+    1. Install connectedk8s using the following command:
+        ```bash
+        az extension add --name connectedk8s
+        az extension add --name k8s-extension
         ```
 
-    - In the **Network** section, verify the following properties are added or set. Replace the placeholder text with your values. Confirm that the *Ip4AddressPrefix* **A.B.C** doesn't overlap with the IP range that is assigned within network layers.
-
-        ```json
-        "Network": {
-            "NetworkPlugin": "flannel",
-            "Ip4AddressPrefix": "<A.B.C.0/24>",
-            "Ip4PrefixLength": 24,
-            "InternetDisabled": false,
-            "SkipDnsCheck": false,
-        ```
+## Create the AKS Edge Essentials cluster
 
-        For more information about deployment configurations, see [Deployment configuration JSON parameters](/azure/aks/hybrid/aks-edge-deployment-config-json).
+Follow the steps in [Single machine deployment](/azure/aks/hybrid/aks-edge-howto-single-node-deployment) to create your cluster.
+1. You need to complete step 1-3 in this document.
+1. In **aksedge-config.json** from step 1, you only need to make the following adjustment for Layered Network Management. You can keep the default value for the rest of the parameters. Otherwise, make proper adjustments based on your environment. 
+    ```json
+    "Init": {
+        "ServiceIPRangeSize": 10
+      },
+    ```
 
 ---
 
 ## Arc enable the cluster
 
+# [K3S Cluster](#tab/k3s)
+
 1. Sign in with Azure CLI. To avoid permission issues later, it's important that you sign in interactively using a browser window:
     ```powershell
     az login
     ```
-1. Set environment variables for the setup steps. Replace values in `<>` with valid values or names of your choice. The `CLUSTER_NAME` and `RESOURCE_GROUP` are created based on the names you provide:
+1. Set environment variables for the setup steps. Replace values in `<>` with valid values or names of your choice. The `CLUSTER_NAME` and `RESOURCE_GROUP` are created based on the names you provide. Refer to [Azure IoT Operations supported regions](../iot-operations/overview-iot-operations#supported-regions) for choosing the  `LOCATION`.
     ```powershell
     # Id of the subscription where your resource group and Arc-enabled cluster will be created
     $SUBSCRIPTION_ID = "<subscription-id>"
     # Azure region where the created resource group will be located
-    # Currently supported regions: : "westus3" or "eastus2"
-    $LOCATION = "WestUS3"
+    $LOCATION = "<region>"
     # Name of a new resource group to create which will hold the Arc-enabled cluster and Azure IoT Operations resources
     $RESOURCE_GROUP = "<resource-group-name>"
     # Name of the Arc-enabled cluster to create in your resource group
@@ -166,8 +150,12 @@ The following steps for setting up [AKS Edge Essentials](/azure/aks/hybrid/aks-e
     ```powershell
     az connectedk8s connect -n $CLUSTER_NAME -l $LOCATION -g $RESOURCE_GROUP --subscription $SUBSCRIPTION_ID
     ```
-    > [!TIP]
-    > If the `connectedk8s` commands fail, try using the cmdlets in [Connect your AKS Edge Essentials cluster to Arc](/azure/aks/hybrid/aks-edge-howto-connect-to-arc).
+
+# [AKS Edge Essentials](#tab/aksee)
+
+- Follow the steps in [Connect your AKS Edge Essentials cluster to Arc](/azure/aks/hybrid/aks-edge-howto-connect-to-arc).
+  - You need to complete step 1-3 in this document.
+---
 
 ## Deploy Layered Network Management Preview Service to the cluster
 
@@ -186,7 +174,7 @@ Once your Kubernetes cluster is Arc-enabled, you can deploy the Layered Network
 1. Use the *kubectl* command to verify the Layered Network Management operator is running.
 
     ```bash
-    kubectl get pods -n azure-iot-operations
+    kubectl get pods
     ```
 
     ```output
@@ -218,43 +206,97 @@ Create the Layered Network Management custom resource.
       allowList:
         enableArcDomains: true
         domains:
-        - destinationUrl: "*.ods.opinsights.azure.com"
+        - destinationUrl: "*.arc.azure.net"
           destinationType: external
-        - destinationUrl: "*.oms.opinsights.azure.com"
+        - destinationUrl: "*.data.mcr.microsoft.com"
           destinationType: external
-        - destinationUrl: "*.monitoring.azure.com"
+        - destinationUrl: "*.dp.kubernetesconfiguration.azure.com"
           destinationType: external
-        - destinationUrl: "*.handler.control.monitor.azure.com"
+        - destinationUrl: "*.guestnotificationservice.azure.com"
           destinationType: external
-        - destinationUrl: "quay.io"
+        - destinationUrl: "*.his.arc.azure.com"
           destinationType: external
-        - destinationUrl: "*.quay.io"
+        - destinationUrl: "*.login.microsoft.com"
           destinationType: external
-        - destinationUrl: "docker.io"
+        - destinationUrl: "*.login.microsoftonline.com"
           destinationType: external
-        - destinationUrl: "*.docker.io"
+        - destinationUrl: "*.obo.arc.azure.com"
           destinationType: external
-        - destinationUrl: "*.docker.com"
+        - destinationUrl: "*.servicebus.windows.net"
           destinationType: external
-        - destinationUrl: "gcr.io"
-          destinationType: external
-        - destinationUrl: "*.googleapis.com"
+        - destinationUrl: "graph.microsoft.com"
           destinationType: external
         - destinationUrl: "login.windows.net"
           destinationType: external
+        - destinationUrl: "management.azure.com"
+          destinationType: external
+        - destinationUrl: "mcr.microsoft.com"
+          destinationType: external
+        - destinationUrl: "sts.windows.net"
+          destinationType: external
+        - destinationUrl: "*.ods.opinsights.azure.com"
+          destinationType: external
         - destinationUrl: "graph.windows.net"
           destinationType: external
         - destinationUrl: "msit-onelake.pbidedicated.windows.net"
           destinationType: external
-        - destinationUrl: "*.vault.azure.net"
+        - destinationUrl: "*.azurecr.io"
+          destinationType: external
+        - destinationUrl: "*.azureedge.net"
+          destinationType: external
+        - destinationUrl: "*.blob.core.windows.net"
+          destinationType: external
+        - destinationUrl: "*.prod.hot.ingestion.msftcloudes.com"
+          destinationType: external
+        - destinationUrl: "*.prod.microsoftmetrics.com"
+          destinationType: external
+        - destinationUrl: "adhs.events.data.microsoft.com"
+          destinationType: external
+        - destinationUrl: "dc.services.visualstudio.com"
+          destinationType: external
+        - destinationUrl: "go.microsoft.com"
+          destinationType: external
+        - destinationUrl: "packages.microsoft.com"
+          destinationType: external
+        - destinationUrl: "www.powershellgallery.com"
+          destinationType: external
+        - destinationUrl: "*.gw.arc.azure.com"
+          destinationType: external
+        - destinationUrl: "*.gcs.prod.monitoring.core.windows.net"
+          destinationType: external
+        - destinationUrl: "*.prod.warm.ingest.monitor.core.windows.net"
           destinationType: external
-        - destinationUrl: "*.k8s.io"
+        - destinationUrl: "*.prod.hot.ingest.monitor.core.windows.net"
           destinationType: external
-        - destinationUrl: "*.pkg.dev"
+        - destinationUrl: "azure.archive.ubuntu.com"
+          destinationType: external
+        - destinationUrl: "crl.microsoft.com"
+          destinationType: external
+        - destinationUrl: "*.table.core.windows.net"
+          destinationType: external
+        - destinationUrl: "*.blob.storage.azure.net"
+          destinationType: external
+        - destinationUrl: "*.docker.com"
+          destinationType: external
+        - destinationUrl: "*.docker.io"
+          destinationType: external
+        - destinationUrl: "*.googleapis.com"
           destinationType: external
         - destinationUrl: "github.com"
           destinationType: external
-        - destinationUrl: "raw.githubusercontent.com"
+        - destinationUrl: "collect.traefik.io"
+          destinationType: external
+        - destinationUrl: "contracts.canonical.com"
+          destinationType: external
+        - destinationUrl: "database.clamav.net"
+          destinationType: external
+        - destinationUrl: "esm.ubuntu.com"
+          destinationType: external
+        - destinationUrl: "livepatch.canonical.com"
+          destinationType: external
+        - destinationUrl: "motd.ubuntu.com"
+          destinationType: external
+        - destinationUrl: "update.traefik.io"
           destinationType: external
         sourceIpRange:
         - addressPrefix: "0.0.0.0"
@@ -280,10 +322,10 @@ Create the Layered Network Management custom resource.
     lnm-level-4   LoadBalancer   10.43.91.54   192.168.0.4   80:30530/TCP,443:31117/TCP,10000:31914/TCP   95s
     ```
 
-### Add iptables configuration
+### Add iptables configuration for AKS Edge Essentials
 
 > [!IMPORTANT]
-> This step is for AKS Edge Essentials only.
+> This step is applicable only when hosting the Layered Network Management in an AKS Edge Essentials cluster.
 
 The Layered Network Management deployment creates a Kubernetes service of type *LoadBalancer*. To ensure that the service is accessible from outside the Kubernetes cluster, you need to map the underlying Windows host's ports to the appropriate ports on the Layered Network Management service. 
 
