Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into mb-0320-reusable-path

mgblythe · mgblythe · commit 5303a73a8023 · 2024-03-20T13:01:47.000-07:00
diff --git a/articles/cost-management-billing/manage/cancel-azure-subscription.md b/articles/cost-management-billing/manage/cancel-azure-subscription.md
@@ -114,7 +114,7 @@ After you cancel, your services are disabled. That means your virtual machines a
 
 :::image type="content" source="./media/cancel-azure-subscription/cancel-window.png" alt-text="Screenshot showing the cancellation window." lightbox="./media/cancel-azure-subscription/cancel-window.png" :::
 
-After you cancel a subscription, your billing stops immediately. You can delete your subscription directly using the Azure portal seven days after you cancel it, when the **Delete subscription** option becomes available. When your subscription is deleted, Microsoft waits 30 to 90 days before permanently deleting your data in case you need to access it or recover your data. We don't charge you for retaining the data. For more information, see [Microsoft Trust Center - How we manage your data](https://go.microsoft.com/fwLink/p/?LinkID=822930).
+After you cancel a subscription, your billing stops immediately. You can delete your subscription directly using the Azure portal seven days after you cancel it, when the **Delete subscription** option becomes available. When your subscription is cancelled, Microsoft waits 30 to 90 days before permanently deleting your data in case you need to access it or recover your data. We don't charge you for retaining the data. For more information, see [Microsoft Trust Center - How we manage your data](https://go.microsoft.com/fwLink/p/?LinkID=822930).
 
 >[!NOTE]
 > You must manually cancel your SaaS subscriptions before you cancel your Azure subscription. Only pay-as-you-go SaaS subscriptions are cancelled automatically by the Azure subscription cancellation process.
diff --git a/articles/iot-operations/get-started/quickstart-add-assets.md b/articles/iot-operations/get-started/quickstart-add-assets.md
@@ -76,43 +76,14 @@ To add an asset endpoint:
     kubectl get assetendpointprofile -n azure-iot-operations
     ```
 
-    After you define an asset, an OPC UA connector pod discovers it. The pod uses the asset endpoint that you specify in the asset definition to connect to an OPC UA server. You can use `kubectl` to view the discovery pod that was created when you added the asset endpoint. The pod name looks like `aio-opc-opc.tcp-1-8f96f76-kvdbt`:
+1. To enable the quickstart scenario, configure your asset endpoint to connect without mutual trust established. Run the following command:
 
     ```console
-    kubectl get pods -n azure-iot-operations
+    kubectl patch AssetEndpointProfile opc-ua-connector-0 -n azure-iot-operations --type=merge -p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"opc-ua-connector-0\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
     ```
 
-    When the OPC PLC simulator is running, data flows from the simulator, to the connector, to the OPC UA broker, and finally to the MQ broker.
-
-The following step lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation. To enable the asset endpoint to use an untrusted certificate:
-
-> [!CAUTION]
-> Don't use untrusted certificates in production environments. To learn more, see [Configure an OPC PLC simulator](../manage-devices-assets/howto-configure-opc-plc-simulator.md).
-
-1. Run the following command to enable the use of an untrusted certificate. Replace the two placeholders with your cluster name and resource group name:
-
-    ```azurecli
-    az k8s-extension update \
-    --version 0.3.0-preview \
-    --name opc-ua-broker \
-    --release-train preview \
-    --cluster-name <cluster-name> \
-    --resource-group <azure-resource-group> \
-    --cluster-type connectedClusters \
-    --auto-upgrade-minor-version false \
-    --config opcPlcSimulation.deploy=true \
-    --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
-    ```
-
-1. To enable the asset endpoint to use an untrusted certificate, run the following command on the machine where your cluster is running:
-
-    ```console
-    kubectl apply -f https://raw.githubusercontent.com/Azure-Samples/explore-iot-operations/main/samples/quickstarts/opc-ua-connector-0.yaml
-    ```
-
-    The following snippet shows the YAML file that you applied:
-
-    :::code language="yaml" source="~/azure-iot-operations-samples/samples/quickstarts/opc-ua-connector-0.yaml":::
+    > [!CAUTION]
+    > Don't use this configuration in production or pre-production environments. Exposing your cluster to the internet without proper authentication might lead to unauthorized access and even DDOS attacks.
 
 1. To enable the configuration changes to take effect immediately, first find the name of your `aio-opc-supervisor` pod by using the following command:
 
@@ -128,6 +99,14 @@ The following step lowers the security level for the OPC PLC so that it accepts
     kubectl delete pod aio-opc-supervisor-956fbb649-k9ppr -n azure-iot-operations
     ```
 
+After you define an asset, an OPC UA connector pod discovers it. The pod uses the asset endpoint that you specify in the asset definition to connect to an OPC UA server. You can use `kubectl` to view the discovery pod that was created when you added the asset endpoint. The pod name looks like `aio-opc-opc.tcp-1-8f96f76-kvdbt`:
+
+```console
+kubectl get pods -n azure-iot-operations
+```
+
+When the OPC PLC simulator is running, data flows from the simulator, to the connector, to the OPC UA broker, and finally to the MQ broker.
+
 ## Manage your assets
 
 After you select your cluster in Azure IoT Operations portal, you see the available list of assets on the **Assets** page. If there are no assets yet, this list is empty:
@@ -214,7 +193,7 @@ The sample tags you added in the previous quickstart generate messages from your
 
 ```json
 {
-    "Timestamp": "2024-03-08T00:54:58.6572007Z", 
+    "Timestamp": "2024-03-08T00:54:58.6572007Z",
     "MessageType": "ua-deltaframe",
     "payload": {
       "temperature": {
@@ -271,7 +250,7 @@ kubectl get akrii -n azure-iot-operations
 
 It might take a few minutes for the instance to show up.
 
-The output from the previous command looks like the following example. 
+The output from the previous command looks like the following example.
 
 ```console
 NAMESPACE              NAME                      CONFIG             SHARED   NODES            AGE
@@ -280,7 +259,7 @@ azure-iot-operations   akri-opcua-asset-dbdef0   akri-opcua-asset   true     ["d
 
 Now you can use these resources in the local cluster namespace.
 
-To confirm that Akri connected to the OPC UA Broker, copy and paste the name of the Akri instance from the previous step into the following command: 
+To confirm that Akri connected to the OPC UA Broker, copy and paste the name of the Akri instance from the previous step into the following command:
 
 ```bash
 kubectl get akrii <AKRI_INSTANCE_NAME> -n azure-iot-operations -o json
@@ -293,7 +272,7 @@ The command output looks like the following example. This example output shows t
 
         "brokerProperties": {
             "ApplicationUri": "Boiler #2",
-            "AssetEndpointProfile": "{\"spec\":{\"uuid\":\"opc-ua-broker-opcplc-000000-azure-iot-operation\"……   
+            "AssetEndpointProfile": "{\"spec\":{\"uuid\":\"opc-ua-broker-opcplc-000000-azure-iot-operation\"……
 ```
 
 ## How did we solve the problem?
diff --git a/articles/iot-operations/get-started/quickstart-deploy.md b/articles/iot-operations/get-started/quickstart-deploy.md
@@ -285,6 +285,15 @@ az keyvault create --enable-rbac-authorization false --name "<your unique key va
    >[!TIP]
    >If you get an error that says *Your device is required to be managed to access your resource*, go back to the previous step and make sure that you signed in interactively.
 
+1. These quickstarts use the **OPC PLC simulator** to generate sample data. To configure the simulator for the quickstart scenario, run the following command:
+
+    > [!IMPORTANT]
+    > Don't use the following example in production, use it for simulation and test purposes only. The example lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.
+
+    ```azurecli
+    az k8s-extension update --version 0.3.0-preview --name opc-ua-broker --release-train preview --cluster-name $CLUSTER_NAME --resource-group $RESOURCE_GROUP --cluster-type connectedClusters --auto-upgrade-minor-version false --config opcPlcSimulation.deploy=true --config opcPlcSimulation.autoAcceptUntrustedCertificates=true
+    ```
+
 ## View resources in your cluster
 
 While the deployment is in progress, you can watch the resources being applied to your cluster. You can use kubectl commands to observe changes on the cluster or, since the cluster is Arc-enabled, you can use the Azure portal.
diff --git a/articles/iot-operations/manage-devices-assets/howto-configure-opc-plc-simulator.md b/articles/iot-operations/manage-devices-assets/howto-configure-opc-plc-simulator.md
@@ -22,10 +22,12 @@ Azure IoT Operations installed. For more information, see [Quickstart: Deploy Az
 
 ## Deploy the OPC PLC simulator
 
-This section shows how to deploy the OPC PLC simulator. 
+This section shows how to deploy the OPC PLC simulator.
+
+The following step lowers the security level for the OPC PLC so that it accepts connections from Azure Iot OPC UA Broker or any client without an explicit peer certificate trust operation.
 
 > [!IMPORTANT]
-> Don't use the following example in production, use it for simulation and test purposes only. The example lowers the security level for the OPC PLC so that it accepts connections from any client without an explicit peer certificate trust operation.
+> Don't use the following example in production, use it for simulation and test purposes only.
 
 Run the following code to update the OPC UA Broker deployment and apply the new settings:
 
@@ -44,27 +46,51 @@ az k8s-extension update \
 
 The OPC PLC OPC UA server should run in the same deployment as a separate pod.
 
-## Get the certificate of the OPC PLC simulator
-The application instance certificate of the OPC PLC is a self-signed certificate managed by cert-manager and stored in the `secret aio-opc-ua-opcplc-default-application-cert-000000` kubernetes secret.
-
-To get the certificate, run the following commands on your cluster:
-
-```bash
-# extract the public key of the opc plc from the kubernetes secret
-kubectl -n azure-iot-operations get secret aio-opc-ua-opcplc-default-application-cert-000000 -o jsonpath='{.data.tls\.crt}' | base64 -d > opcplc.crt
-
-# optionally transform the certificate in *.der format
-openssl x509 -outform der -in opcplc.crt -out opcplc.der
-```
-
-## Configure OPC UA mutual trust
-The next step in OPC UA authentication is to configure mutual trust. In OPC UA communication, the OPC UA client and server authenticate each other.
-
-To complete this configuration, follow the steps to [configure mutual trust](howto-configure-opcua-certificates-infrastructure.md#how-to-handle-the-opc-ua-trusted-certificates-list). Use the certificate file you extracted in the previous section. 
+## Configure OPC UA mutual trust between Azure Iot OPC UA Broker Preview and the OPC PLC
 
-For simplicity, on the OPC PLC you don't need to do a mutual trust action. Mutual trust is configured with `autoAcceptUntrustedCertificates`, which accepts connections from any OPC UA client.
+The application instance certificate of the OPC PLC is a self-signed certificate managed by cert-manager and stored in the `secret aio-opc-ua-opcplc-default-application-cert-000000` kubernetes secret.
 
-## Optionally configure for no authentication
+1. Get the certificate, run the following commands on your cluster, and push it to Azure Key Vault.
+
+    ```bash
+    kubectl -n azure-iot-operations get secret aio-opc-ua-opcplc-default-application-cert-000000 -o jsonpath='{.data.tls\.crt}' | \
+    xargs -I {} \
+    az keyvault secret set \
+        --name "opcplc-crt" \
+        --vault-name <azure-key-vault-name> \
+        --value {} \
+        --encoding base64 \
+        --content-type application/x-pem-file
+    ```
+
+2. Configure the secret provider class (SPC) `aio-opc-ua-broker-trust-list` custom resource (CR) in the connected cluster. Use a K8s client such as kubectl to configure the secret `opcplc.crt`  in the SPC object array in the connected cluster.
+
+    ```yml
+    apiVersion: secrets-store.csi.x-k8s.io/v1
+    kind: SecretProviderClass
+    metadata:
+      name: aio-opc-ua-broker-trust-list
+      namespace: azure-iot-operations
+    spec:
+      provider: azure
+      parameters:
+        usePodIdentity: 'false'
+        keyvaultName: <azure-key-vault-name>
+        tenantId: <azure-tenant-id>
+        objects: |
+          array:
+            - |
+              objectName: opcplc-crt
+              objectType: secret
+              objectAlias: opcplc.crt
+              objectEncoding: hex
+    ```
+
+The projection of the Azure Key Vault secrets and certificates into the cluster takes some time depending on the configured polling interval.
+
+Now, the Azure IoT OPC UA Broker the trust relationship with OPC PLC should be established and you can proceed to create an `AssetEndpointProfile` to connect to your OPC PLC simulation server.
+
+## Optionally configure your `AssetEndpointProfile` without mutual trust established
 
 You can optionally configure an asset endpoint profile for the OPC PLC to run without mutual trust established. If you understand the risks, you can turn off authentication for testing purposes.
 
@@ -73,14 +99,19 @@ You can optionally configure an asset endpoint profile for the OPC PLC to run wi
 
 To allow your asset endpoint profile to connect to any OPC PLC server without establishing mutual trust, use the `additionalConfiguration` setting to change the `AssetEndpointProfile` for OPC UA.
 
-Configure the setting as shown in the following example JSON code:
+Patch the asset endpoint with `autoAcceptUntrustedServerCertificates=true`:
 
-```json
-"security": {
-        "autoAcceptUntrustedServerCertificates": true
-         }
+```bash
+ENDPOINT_NAME=<name-of-you-endpoint-here>
+kubectl patch AssetEndpointProfile $ENDPOINT_NAME \
+-n azure-iot-operations \
+--type=merge \
+-p '{"spec":{"additionalConfiguration":"{\"applicationName\":\"'"$ENDPOINT_NAME"'\",\"security\":{\"autoAcceptUntrustedServerCertificates\":true}}"}}'
 ```
 
+> [!WARNING]
+> Don't use untrusted certificates in production environments.
+
 ## Related content
 
 - [Autodetect assets using Azure IoT Akri Preview](howto-autodetect-opcua-assets-using-akri.md)
diff --git a/articles/virtual-wan/route-maps-about.md b/articles/virtual-wan/route-maps-about.md
@@ -64,6 +64,8 @@ Before using Route-maps, take into consideration the following limitations:
 * Modifying the *Default* route is only supported when the default route is learned from on-premises or an NVA.
 * A prefix can be modified either by Route-maps, or by NAT, but not both.
 * Route-maps won't be applied to the [hub address space](virtual-wan-site-to-site-portal.md#hub).
+* Modifying the Default route is only supported when the default route is learned from on-Prem or an NVA.
+* Applying Route-Maps on NVAs in a spoke VNet is not supported. 
 
 ## Configuration workflow
 
@@ -157,4 +159,4 @@ For more information and steps, see [Monitor Route-maps using the Route Map dash
 
 * To configure Route-maps, see [How to configure Route-maps](route-maps-how-to.md).
 * To monitor routes, AS Path, and BGP communities, see the
-[Route Map dashboard](route-maps-dashboard.md).
+[Route Map dashboard](route-maps-dashboard.md).
diff --git a/includes/vpn-gateway-generate-profile-portal.md b/includes/vpn-gateway-generate-profile-portal.md
@@ -1,15 +1,16 @@
 ---
- author: cherylmc
- ms.service: vpn-gateway
- ms.topic: include
- ms.date: 12/01/2022
- ms.author: cherylmc
+author: cherylmc
+ms.service: vpn-gateway
+ms.topic: include
+ms.date: 03/20/2024
+ms.author: cherylmc
 ---
 
 1. In the Azure portal, go to the virtual network gateway for the virtual network to which you want to connect.
 1. On the virtual network gateway page, select **Point-to-site configuration** to open the Point-to-site configuration page.
-1. At the top of the **Point-to-site configuration** page, select **Download VPN client**. This doesn't download VPN client software, it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you may not see any indications until the packet has generated.
+1. At the top of the **Point-to-site configuration** page, select **Download VPN client**. This doesn't download VPN client software, it generates the configuration package used to configure VPN clients. It takes a few minutes for the client configuration package to generate. During this time, you might not see any indications until the packet generates.
 
    :::image type="content" source="./media/vpn-gateway-generate-profile-portal/download-configuration.png" alt-text="Screenshot of Point-to-site configuration page." lightbox="./media/vpn-gateway-generate-profile-portal/download-configuration.png":::
 
-1. Once the configuration package has been generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway. Unzip the file to view the folders.
+1. Once the configuration package is generated, your browser indicates that a client configuration zip file is available. It's named the same name as your gateway.
+1. Unzip the file to view the folders. You'll use some, or all, of these files to configure your VPN client. The files that are generated correspond to the authentication and tunnel type settings that you configured on the P2S server.
