minor updates

Michael Bender · Michael Bender · commit 58c1f6b1be11 · 2024-11-04T11:44:58.000-06:00
diff --git a/articles/private-link/create-network-security-perimeter-cli.md b/articles/private-link/create-network-security-perimeter-cli.md
@@ -18,19 +18,16 @@ Get started with network security perimeter by creating a network security perim
 ## Prerequisites
 
 - An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+  
+[!INCLUDE [network-security-perimeter-add-preview](../../includes/network-security-perimeter-add-preview.md)]
+
 - The [latest Azure CLI](/cli/azure/install-azure-cli), or you can use Azure Cloud Shell in the portal.
   - This article **requires version 2.38.0 or later** of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
 - After upgrading to the latest version of Azure CLI, import the network security perimeter commands using `az extension add --name nsp`.
-- Re-register the `Microsoft.Network` resource provider with the following command:
-    
-    ```azure
-    az provider register --namespace Microsoft.Network 
-    ```
 
 [!INCLUDE [azure-cli-prepare-your-environment.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment-no-header.md)]
 
 
-[!INCLUDE [network-security-perimeter-add-preview](../../includes/network-security-perimeter-add-preview.md)]
 
 
 ## Connect to your Azure account and select your subscription
diff --git a/articles/private-link/create-network-security-perimeter-powershell.md b/articles/private-link/create-network-security-perimeter-powershell.md
@@ -34,14 +34,6 @@ Get started with network security perimeter by creating a network security perim
     Install-AzModule -Name Az.Network -AllowPrerelease -Force
     Install-AzModule -Path https://azposhpreview.blob.core.windows.net/public/Az.Network.5.6.1-preview.nupkg
     ```
-
-- Register the Microsoft.Network resource provider:
-
-    ```azurepowershell-interactive
-    # Register the Microsoft.Network resource provider
-    Register-AzResourceProvider -ProviderNamespace Microsoft.Network
-    ```
-
 * If you choose to use Azure PowerShell locally:
   * [Install the latest version of the Az PowerShell module](/powershell/azure/install-azure-powershell).
   * Connect to your Azure account using the
@@ -66,7 +58,6 @@ Set-AzContext -Subscription <subscriptionId>
 
 # Register the Microsoft.Network resource provider
 Register-AzResourceProvider -ProviderNamespace Microsoft.Network
-
 ```
 
 ## Create a resource group and key vault
diff --git a/articles/private-link/network-security-perimeter-concepts.md b/articles/private-link/network-security-perimeter-concepts.md
@@ -17,10 +17,12 @@ Azure Network Security Perimeter allows organizations to define a logical networ
 For access patterns involving traffic from virtual networks to PaaS resources, see [What is Azure Private Link?](private-link-overview.md).
 
 Features of Network Security Perimeter include:
-- Service to service communication to prevent data exfiltration.
+
+- Service to service communication within perimeter members, preventing data exfiltration to non-authorized destinations.
 - Public network access control for PaaS resources.
 - Access logs for audit and compliance.
-- Manage access rules for all the PaaS resources within the perimeter. 
+- Manage external public access with explicit rules for PaaS resources associated with the perimeter.
+
 
 
 :::image type="content" source="media/network-security-perimeter-concepts/network-security-perimeter-overview.png" alt-text="Diagram of securing a service with network security perimeter." lightbox="media/network-security-perimeter-concepts/network-security-perimeter-overview-large.png":::
diff --git a/articles/private-link/network-security-perimeter-transition.md b/articles/private-link/network-security-perimeter-transition.md
@@ -13,13 +13,11 @@ ms.date: 11/04/2024
 
 In this article, you learn about the different access modes and how to transition to a [network security perimeter](./network-security-perimeter-concepts.md) in Azure. Access modes control the resource's access and logging behavior.
 
-## Configuration points for access modes 
-
-### Access mode configuration point on resource associations 
+## Access mode configuration point on resource associations 
 
 The **access mode** configuration point is part of a resource association on the perimeter and therefore can be set by the perimeter's administrator. 
 
-The property `accessMode` can be set in a resource association to control the resource's connectivity and logging behavior. 
+The property `accessMode` can be set in a resource association to control the resource's public network access and logging behavior. 
 
 The possible values of `accessMode` are currently Enforced and Learning. 
 
@@ -85,23 +83,25 @@ When associated with a perimeter and configured in *Learning* mode with `p
 
 In special cases when `publicNetworkAccess` is set to `SecuredByPerimeter` but the resource is still not associated with a perimeter, no network security perimeter access rules can allow access. Therefore the resource becomes locked down for public access. The following table summarizes the behavior with this configuration:
 
-| **publicNetworkAccess** | **Disabled (existing value)** | **Enabled (existing value)** | **SecuredByPerimeter (new value)** |
-|-----------------|---------------|----------------|------------|
-| **Perimeter access** | Denied | Denied | Denied |
-| **Public inbound** | Denied | Allowed only by resource rules | Denied |
-| **Public outbound** | Allowed only by resource rules | Allowed only by resource rules | Denied |
-| **Trusted access** | Allowed | Allowed | Denied |
-| **Private access** | Allowed | Allowed | Allowed |
+| **publicNetworkAccess** | **SecuredByPerimeter (new value)** |
+|-----------------|-----------------|
+| **Perimeter access** | Denied |
+| **Public inbound** | Denied |
+| **Public outbound** | Denied |
+| **Trusted access** | Denied |
+| **Trusted access** | Denied |
+| **Private access** | Allowed |
 
 The **locked down for public access** mode exists by-design and helps prevent PaaS resources not yet associated with a perimeter from being temporarily exposed to public networks or to other PaaS resources. Administrators can apply Azure Policy to ensure publicNetworkAccess is set to SecuredByPerimeter from the moment a resource is created. 
 
 The behavior of public network access on PaaS resources according to the association's accessMode value and the resource's `publicNetworkAccess` value can be summarized as follows: 
 
+| **Association access mode** |  |  |  |
+|-----------------|-------------------|-----------------|-----------------|
 | **Public network access** | **Not associated** | **Learning mode** | **Enforced mode** |
-|-------------|-----------|-------------|-----------|
-| **Enabled** | Inbound: Resource rules </br> Outbound: Allowed | Inbound: Network security perimeter + Resource rules </br> Outbound: Network security perimeter rules + Allowed | Inbound: Network security perimeter rules </br> Outbound: Network security perimeter rules |
-| **Disabled** | Inbound: Denied </br> Outbound: Allowed | Inbound: Network security perimeter rules </br> Outbound: Network security perimeter rules + Allowed | Inbound: Network security perimeter rules </br> Outbound: Network security perimeter rules |
-| **SecuredByPerimeter** | Inbound: Denied </br> Outbound: Denied | Inbound: Network security perimeter rules </br> Outbound: Network security perimeter rules | Inbound: Network security perimeter rules </br> Outbound: Network security perimeter rules |
+| **Enabled** | Inbound: Resource rules</br>Outbound: Allowed | Inbound: Network security perimeter + Resource rules</br> Outbound: Network security perimeter rules + Allowed | Inbound: Network security perimeter rules</br>Outbound: Network security perimeter rules |
+| **Disabled** | Inbound: Denied</br>Outbound: Allowed | Inbound: Network security perimeter rules</br>Outbound: Network security perimeter rules + Allowed | Inbound: Network security perimeter rules</br>Outbound: Network security perimeter rules |
+| **SecuredByPerimeter** | Inbound: Denied</br>Outbound: Denied | Inbound: Network security perimeter rules</br>Outbound: Network security perimeter rules | Inbound: Network security perimeter rules</br>Outbound: Network security perimeter rules |
 
 ## Next steps
 
diff --git a/includes/media/network-security-perimeter-add-preview/re-register-microsoft-network-provider.png b/includes/media/network-security-perimeter-add-preview/re-register-microsoft-network-provider.png
diff --git a/includes/network-security-perimeter-add-preview.md b/includes/network-security-perimeter-add-preview.md
@@ -5,12 +5,34 @@
  author: mbender
  ms.service: azure-private-link
  ms.topic: include
- ms.date: 04/19/2024
+ ms.date: 11/04/2024
  ms.author: mbender> -ms
 ms.custom: include file
 ---
 
 - Registration for the Azure Network Security Perimeter public preview is required. To register, add the `AllowNSPInPublicPreview` feature flag to your subscription. 
   :::image type="content" source="media/network-security-perimeter-add-preview/network-security-perimeter-add-preview-feature.png" alt-text="Screenshot of addition of network security perimeter feature flag to Azure subscription.":::
-  
-  For more information on adding feature flags, see [Set up preview features in Azure subscription](../articles/azure-resource-manager/management/preview-features.md).
+
+  For more information on adding feature flags, see [Set up preview features in Azure subscription](../articles/azure-resource-manager/management/preview-features.md).
+
+- After the feature flag is added, you need to re-register the `Microsoft.Network` resource provider in your subscription.
+  - To re-register the `Microsoft.Network` resource provider in the Azure portal, select your subscription, and then select **Resource providers**. Search for `Microsoft.Network` and select **Re-register**.
+
+    :::image type="content" source="media/network-security-perimeter-add-preview/re-register-microsoft-network-provider.png" alt-text="Screenshot of re-registration of Microsoft.Network resource provider in subscription.":::
+
+  - To re-register the `Microsoft.Network` resource provider, use the following Azure PowerShell command:
+
+  ```azurepowershell-interactive
+  # Register the Microsoft.Network resource provider
+  Register-AzResourceProvider -ProviderNamespace Microsoft.Network
+  ```
+
+  - To re-register the `Microsoft.Network` resource provider, use the following Azure CLI command:
+
+    ```azurecli-interactive
+    # Register the Microsoft.Network resource provider
+    az provider register --namespace Microsoft.Network
+    ```
+
+    
+  For more information on re-registering resource providers, see [Azure resource providers and types](/azure/azure-resource-manager/management/resource-providers-and-types).
