Commit 5807418

committed
acrolinx
1 parent a924745 commit 5807418

1 file changed

+24
-19
lines changed

articles/virtual-network/tutorial-restrict-network-access-to-resources.md

Lines changed: 24 additions & 19 deletions
@@ -45,7 +45,7 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
4545

4646
[!INCLUDE [cloud-shell-try-it.md](~/reusable-content/ce-skilling/azure/includes/cloud-shell-try-it.md)]
4747

48-
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you are running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
48+
If you choose to install and use PowerShell locally, this article requires the Azure PowerShell module version 1.0.0 or later. Run `Get-Module -ListAvailable Az` to find the installed version. If you need to upgrade, see [Install Azure PowerShell module](/powershell/azure/install-azure-powershell). If you're running PowerShell locally, you also need to run `Connect-AzAccount` to create a connection with Azure.
4949

5050
### [CLI](#tab/cli)
5151

@@ -73,7 +73,7 @@ Service endpoints are enabled per service, per subnet.
7373

7474
1. Select **+ Subnet**.
7575

76-
1. On the **Add subnet** page, enter or select the following information:
76+
1. On the **Add subnet** page, enter, or select the following information:
7777

7878
| Setting | Value |
7979
| --- | --- |
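Review bot: The comma added after "enter" on new line 76 ("enter, or select the following information") splits a simple two-verb phrase and reads as a grammar error. Keep the original "enter or select the following information". The same change appears on line 255 of this file and should be reverted there too.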
@@ -130,7 +130,7 @@ Service endpoints are enabled per service, per subnet.
130130
$virtualNetwork | Set-AzVirtualNetwork
131131
```
132132
133-
1. Create an additional subnet in the virtual network. In this example, a subnet named *subnet-private* is created with a service endpoint for *Microsoft.Storage*:
133+
1. Create another subnet in the virtual network. In this example, a subnet named *subnet-private* is created with a service endpoint for *Microsoft.Storage*:
134134
135135
```azurepowershell-interactive
136136
$subpriv = @{
@@ -181,7 +181,7 @@ Azure Bastion uses your browser to connect to VMs in your virtual network over S
181181
New-AzPublicIpAddress @ip
182182
```
183183
184-
1. Use the [New-AzBastion](/powershell/module/az.network/new-azbastion) command to create a new Standard SKU Bastion host in **AzureBastionSubnet**:
184+
1. Use the [New-AzBastion](/powershell/module/az.network/new-azbastion) command to create a new standard Bastion host in **AzureBastionSubnet**:
185185
186186
```azurepowershell-interactive
187187
$bastion = @{
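Review bot: On new line 184, "standard Bastion host" drops the SKU name that the old text stated ("Standard SKU Bastion host"). Standard is the name of a Bastion SKU, so lowercasing it and removing "SKU" leaves the reader unable to tell which tier the command creates. Suggest restoring "Standard SKU Bastion host", or writing "Bastion host with the Standard SKU".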
@@ -252,7 +252,7 @@ By default, all virtual machine instances in a subnet can communicate with any r
252252
253253
1. In **Network security groups**, select **+ Create**.
254254
255-
1. In the **Basics** tab of **Create network security group**, enter or select the following information:
255+
1. In the **Basics** tab of **Create network security group**, enter, or select the following information:
256256
257257
| Setting | Value |
258258
| ------- | ----- |
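Review bot: New line 255 reads "enter, or select the following information"; the comma after "enter" is ungrammatical and was not in the original. Revert to "enter or select the following information".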
@@ -290,7 +290,7 @@ az network nsg create \
290290

291291
---
292292

293-
### Create outbound NSG rules
293+
### Create outbound Network Security Group (NSG) rules
294294

295295
### [Portal](#tab/portal)
296296

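Review bot: The new heading on line 293 capitalizes "Network Security Group", while the other lines of this file write it in lowercase (for example "Create network security group" and "the network security group associated to the *Private* subnet"). If the expansion is wanted, suggest "### Create outbound network security group (NSG) rules". Renaming the heading also changes its generated anchor, so check for links that point at the old one.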
@@ -312,7 +312,7 @@ az network nsg create \
312312
| Destination | Select **Service Tag**. |
313313
| Destination service tag | Select **Storage**. |
314314
| Service | Leave default of **Custom**. |
315-
| Destination port ranges | Enter **445**. </br> SMB protocol is used to connect to a file share created in a later step. |
315+
| Destination port ranges | Enter **445**. |
316316
| Protocol | Select **Any**. |
317317
| Action | Select **Allow**. |
318318
| Priority | Leave the default of **100**. |
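Review bot: New line 315 removes the only explanation of why outbound port 445 is opened ("SMB protocol is used to connect to a file share created in a later step"). A reader building or auditing this rule should be able to see why the port is allowed. If the goal was to get the `</br>` markup out of the table cell, move the sentence to a line below the table instead of deleting it.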
@@ -530,7 +530,7 @@ The steps required to restrict network access to resources created through Azure
530530
531531
For more information about connecting to a storage account using a managed identity, see [Use a managed identity to access Azure Storage](/entra/identity/managed-identities-azure-resources/tutorial-linux-managed-identities-vm-access?pivots=identity-linux-mi-vm-access-storage).
532532
533-
The key is used to create a file share in a later step. Enter `$storageAcctKey` and note the value, as you'll also need to manually enter it in a later step when you map the file share to a drive in a VM.
533+
The key is used to create a file share in a later step. Enter `$storageAcctKey` and note the value. You manually enter it in a later step when you map the file share to a drive in a virtual machine.
534534
535535
### [CLI](#tab/cli)
536536
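Review bot: New line 533 tells the reader to display `$storageAcctKey` and "note the value" without saying that the value is a storage account key and should be handled as a secret. The preceding line already points to managed identity as the alternative, so a short clause here that the noted key is only needed for the drive-mapping step and should not be kept in plain text or shared would fit. Also, "You manually enter it in a later step" reads more naturally as "You enter it manually in a later step".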
@@ -662,7 +662,7 @@ To restrict network access to a subnet:
662662
663663
### [PowerShell](#tab/powershell)
664664
665-
1. By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to *Deny* with [Update-AzStorageAccountNetworkRuleSet](/powershell/module/az.storage/update-azstorageaccountnetworkruleset). Once network access is denied, the storage account is not accessible from any network.
665+
1. By default, storage accounts accept network connections from clients in any network. To limit access to selected networks, change the default action to *Deny* with [Update-AzStorageAccountNetworkRuleSet](/powershell/module/az.storage/update-azstorageaccountnetworkruleset). Once network access is denied, the storage account isn't accessible from any network.
666666
667667
```azurepowershell-interactive
668668
$storagerule = @{
@@ -727,7 +727,7 @@ To test network access to a storage account, deploy a virtual machine to each su
727727
728728
### Create the second virtual machine
729729
730-
1. Repeat the steps in the previous section to create a second virtual machine. Replace the following values in **Create a virtual machine**:
730+
1. Create a second virtual machine repeating the steps in the previous section. Replace the following values in **Create a virtual machine**:
731731
732732
| Setting | Value |
733733
| ------- | ----- |
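Review bot: New line 730, "Create a second virtual machine repeating the steps in the previous section", is missing "by" and reads as if the virtual machine repeats the steps. Suggest "Create a second virtual machine by repeating the steps in the previous section", or keep the original "Repeat the steps in the previous section to create a second virtual machine".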
@@ -743,7 +743,7 @@ To test network access to a storage account, deploy a virtual machine to each su
743743
744744
### Create the first virtual machine
745745
746-
Create a virtual machine in the *subnet-public* subnet with [New-AzVM](/powershell/module/az.compute/new-azvm). When running the command that follows, you are prompted for credentials. The values that you enter are configured as the user name and password for the VM.
746+
Create a virtual machine in the *subnet-public* subnet with [New-AzVM](/powershell/module/az.compute/new-azvm). When running the command that follows, you're prompted for credentials. The values that you enter are configured as the user name and password for the VM.
747747
748748
```azurepowershell-interactive
749749
$vm1 = @{
@@ -773,7 +773,7 @@ $vm2 = @{
773773
New-AzVm @vm2
774774
```
775775

776-
It takes a few minutes for Azure to create the VM. Do not continue to the next step until Azure finishes creating the VM and returns output to PowerShell.
776+
It takes a few minutes for Azure to create the VM. Don't continue to the next step until Azure finishes creating the VM and returns output to PowerShell.
777777

778778
### [CLI](#tab/cli)
779779

@@ -840,7 +840,7 @@ The virtual machine you created earlier that is assigned to the **subnet-private
840840

841841
1. In **Security + networking**, select **Access keys**.
842842

843-
1. Copy the value of **key1**. You may need to select the **Show** button to display the key.
843+
1. Copy the value of **key1**. You might need to select the **Show** button to display the key.
844844

845845
:::image type="content" source="./media/tutorial-restrict-network-access-to-resources/storage-account-access-key.png" alt-text="Screenshot of storage account access key.":::
846846

@@ -904,7 +904,7 @@ The virtual machine you created earlier that is assigned to the **subnet-private
904904

905905
1. In **Security + networking**, select **Access keys**.
906906

907-
1. Copy the value of **key1**. You may need to select the **Show** button to display the key.
907+
1. Copy the value of **key1**. You might need to select the **Show** button to display the key.
908908

909909
:::image type="content" source="./media/tutorial-restrict-network-access-to-resources/storage-account-access-key.png" alt-text="Screenshot of storage account access key.":::
910910

@@ -958,7 +958,7 @@ The virtual machine you created earlier that is assigned to the **subnet-private
958958
ping bing.com
959959
```
960960
961-
You receive no replies, because the network security group associated to the *Private* subnet does not allow outbound access to public IP addresses other than the addresses assigned to the Azure Storage service.
961+
You receive no replies, because the network security group associated to the *Private* subnet doesn't allow outbound access to public IP addresses other than the addresses assigned to the Azure Storage service.
962962
963963
1. Close the Bastion connection to **vm-private**.
964964
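Review bot: Line 961 still refers to the "*Private* subnet", while other steps in this file name the subnet *subnet-private*. Since the line is being edited anyway, use the resource name, and change "associated to" to "associated with".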
@@ -1014,7 +1014,7 @@ SSH into the *vm-private* VM.
10141014
10151015
1. Enter the username and password you specified when creating the virtual machine. Select **Connect**.
10161016
1017-
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You may need to copy the storage account access key again for this procedure:
1017+
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You might need to copy the storage account access key again for this procedure:
10181018
10191019
```powershell
10201020
$key = @{
@@ -1080,7 +1080,7 @@ SSH into the *vm-private* VM.
10801080
10811081
1. Enter the username and password you specified when creating the virtual machine. Select **Connect**.
10821082
1083-
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You may need to copy the storage account access key again for this procedure:
1083+
1. Repeat the previous command to attempt to map the drive to the file share in the storage account. You might need to copy the storage account access key again for this procedure:
10841084
10851085
```powershell
10861086
$key = @{
@@ -1125,7 +1125,12 @@ SSH into the *vm-private* VM.
11251125
Get-AzStorageFile @storage
11261126
```
11271127
1128-
Access is denied, and you receive a *Get-AzStorageFile : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request is not authorized to perform this operation* error, because your computer is not in the *subnet-private* subnet of the *vnet-1* virtual network.
1128+
Access is denied. You receive an output similar to the following example.
1129+
1130+
```output
1131+
Get-AzStorageFile : The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: This request isn't authorized to perform this operation
1132+
```
1133+
Your computer isn't in the *subnet-private* subnet of the *vnet-1* virtual network.
11291134
11301135
### [CLI](#tab/cli)
11311136
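Review bot: Inside the new output block (line 1131) the error text now reads "This request isn't authorized to perform this operation", while the removed line quoted it as "This request is not authorized to perform this operation". Text in an output block should match what the command prints, so keep "is not" there and apply the contraction only to prose. The rewrite also drops the "because" that tied the 403 to the computer being outside *subnet-private*; suggest "Access is denied because your computer isn't in the *subnet-private* subnet of the *vnet-1* virtual network." ahead of the block, and a blank line between the closing fence on line 1132 and the sentence on line 1133.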
@@ -1209,7 +1214,7 @@ In this tutorial:
12091214

12101215
To learn more about service endpoints, see [Service endpoints overview](virtual-network-service-endpoints-overview.md) and [Manage subnets](virtual-network-manage-subnet.md).
12111216

1212-
If you have multiple virtual networks in your account, you may want to establish connectivity between them so that resources can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.
1217+
If you have multiple virtual networks in your account, you might want to establish connectivity between them so that resources can communicate with each other. To learn how to connect virtual networks, advance to the next tutorial.
12131218

12141219
> [!div class="nextstepaction"]
12151220
> [Connect virtual networks](./tutorial-connect-virtual-networks-portal.md)
