work in progress

dlepow · dlepow · commit 5df577d9013a · 2020-04-03T17:57:32.000-07:00
diff --git a/articles/container-registry/container-registry-transfer-images.md b/articles/container-registry/container-registry-transfer-images.md
@@ -2,62 +2,59 @@
 title: Transfer images
 description: Transfer images in bulk from one container registry to another registry by creating a transfer pipeline using Azure storage accounts
 ms.topic: article
-ms.date: 03/31/2020
+ms.date: 04/03/2020
 ms.custom: 
 ---
 
 # Transfer images to another registry
 
-This article shows how to transfer images or other registry artifacts in bulk from one Azure container registry to another registry. The source and target registries can be in the same or different subscriptions, or potentially in different Active Directory tenants or Azure clouds. 
+This article shows how to transfer images or other registry artifacts in bulk from one Azure container registry to another registry. The source and target registries can be in the same or different subscriptions, or potentially different Active Directory tenants or Azure clouds. 
 
 To transfer images, you create a transfer *pipeline*:
 
 * Create source and target storage resources, and store storage access secrets in Azure key vaults 
-* Create and run a registry resource to export images to the source storage account 
+* Create and run a resource that exports images to the source storage account 
 * Copy images from the source storage account to the target storage account
-* Create a registry resource to import images to the target registry. You can set up the import pipeline to trigger whenever images are in the source storage account
+* Create a resource that imports images to the target registry. You can set up the import pipeline to trigger whenever images are in the source storage account
 
-Transferring registry images offers a more general, scalable alternative to [importing images](container-registry-import-images.md) from one container registry to another.
+Transferring registry images is a more general, scalable alternative to [importing images](container-registry-import-images.md) from one container registry to another.
 
 In this article, you use the Azure CLI and Azure Resource Manager templates to create the resources and transfer pipeline. If you'd like to use the Azure CLI locally, you must have Azure CLI version **XXX** or later installed and logged in with [az login][az-login]. Run `az --version` to find the version. If you need to install or upgrade the CLI, see [Install Azure CLI][azure-cli].
 
 This feature is available in the **Premium** container registry service tier. For information about registry service tiers and limits, see [Azure Container Registry SKUs](container-registry-skus.md).
 
-
 ## Prerequisites
 
-* **Container registries** - For this scenario you need an existing source registry with images to transfer, and a target registry. The source and target registry can be in the same or a different Azure subscription. For the steps in article, the registries must be in the same Active Directory tenant. If you need to create a registry, see [Quickstart: Create a private container registry using the Azure CLI](container-registry-get-started-cli.md). 
-* **Storage accounts** - Create source and target storage accounts in the same Azure subscriptions as your source and target registries. If needed, create the storage accounts with the [Azure CLI](../storage/common/storage-account-create.md?tabs=azure-cli) or other tools.
-
-  [TODO: Needed to create source and target blob containers??]
-
-* **Key vaults** Create key vaults to store secrets in the same Azure subscriptions as your source and target registries. If needed, create source and target key vaults with the [Azure CLI](../key-vault/quick-create-cli.md) or other tools.
+* **Container registries** - For this scenario you need an existing source registry with images to transfer, and a target registry. The source and target registries can be in the same or a different Azure subscription. The steps in this article assume that the registries are in the same Active Directory tenant. If you need to create a registry, see [Quickstart: Create a private container registry using the Azure CLI](container-registry-get-started-cli.md). 
+* **Storage accounts** - Create source and target storage accounts in the same Azure subscription or subscriptions as your source and target registries. If needed, create the storage accounts with the [Azure CLI](../storage/common/storage-account-create.md?tabs=azure-cli) or other tools. In each account, create a blob container for image transfer. For example, create a container named *transfer*
+* **Key vaults** Create key vaults to store secrets in the same Azure subscription or subscriptions as your source and target registries. If needed, create source and target key vaults with the [Azure CLI](../key-vault/quick-create-cli.md) or other tools.
 
 ## Scenario overview
 
-You create the following three resources for ACR Transfer. All are created using PUT operations. 
+You create the following three resources for ACR Transfer. All are created using PUT operations. These resources operate on two storage accounts:
 
-* **ExportPipeline** - Long-lasting resource that contains high level target information, such as storage blob container URI and the key vault secret URI of the target storage SAS token. 
-* **ImportPipeline** - Long lasting resource that contains high level source info, such as storage blob container URI and the KV secret URI of the source storage SAS token. Source trigger is enabled by default so the pipeline will run automatically when artifacts land in the source storage container. 
+* A *source* storage account, where images from the source registry get exported
+* A *target* storage account, from which images are imported to the target registry
+
+* **ExportPipeline** - Long-lasting resource that contains high-level information about the the *source* storage account. This information includes the storage blob container URI and the key vault secret URI of the storage SAS token. 
+* **ImportPipeline** - Long-lasting resource that contains high-level information about the *target* storage account. This information includes the storage blob container URI and the key vault secret URI of the storage SAS token. An import trigger is enabled by default, so the pipeline runs automatically when artifacts land in the target storage container. 
 * **PipelineRun** Resource used to invoke either an ExportPipeline or ImportPipeline resource.  
 
-An ExportPipeline must be run manually by creating a PipelineRun resource. When you run the ExportPipeline, you specify the artifacts to be exported.  
+You run the ExportPipeline manually by creating a PipelineRun resource. When you run the ExportPipeline, you specify the artifacts to be exported.  
 
-If a source trigger is enabled, an ImportPipeline runs automatically. It can also be run manually using a PipelineRun. 
+If an import trigger is enabled, an ImportPipeline runs automatically. It can also be run manually using a PipelineRun. 
 
-### Alternate scenarios
-* The ImportPipeline and ExportPipeline may be located in different tenants. In this case, you need separate managed identities and key vaults for the export and import resources.
+### Things to know
+* The ImportPipeline and ExportPipeline may be located in different Active Directory tenants, or different Azure clouds. If run in different tenants or clouds, you need separate managed identities and key vaults for the export and import resources.
 * ExportPipelines and ImportPipelines also support system-assigned identities. In this case, assign the identity permissions to your key vault after the export resource is created and before running. 
 
 ## Create and store SAS tokens
 
-Transfer uses shared access signature (SAS) tokens to export to and import from storage accounts. The properties required to create SAS tokens are detailed below.  
-
-[TODO: Create containers, generate tokens at container level?]
+Transfer uses shared access signature (SAS) tokens to export to and import from the designated storage accounts. The properties required to create SAS tokens are detailed below.  
 
 ### SAS token for export
 
-Generate a SAS token for export in the source storage account.
+Generate a SAS token for export to the source storage account.
 
 SAS properties:
 * **Allowed services** - Blob 
@@ -85,7 +82,7 @@ az keyvault secret set \
 
 ### SAS token for import
 
-Generate a SAS token for import in the target storage account.
+Generate a SAS token for import from the target storage account.
 
 SAS properties:
 * **Allowed services** - Blob 
@@ -101,7 +98,7 @@ Copy the generated SAS token and use it to set the IMPORT_SAS environment variab
 ```console
 IMPORT_SAS='?sv=2019-02-02&...'
 
-Store the SAS token in your target Azure key vault using [az keyvault secret set][az-keyvault-secret-set]:
+Store the SAS token in your target Azure key vault using [az keyvault secret set][az-keyvault-secret-set] command:
 
 ```azurecli
 az keyvault secret set \
@@ -149,7 +146,7 @@ targetResourceID=$(az identity show \
 
 ## Grant each identity access to key vault 
 
-Run the [az keyvault set-policy][az-keyvault-set-policy] command to grant each identity access to the respective key vault:
+Run the [az keyvault set-policy][az-keyvault-set-policy] command to grant the source and target identities access to their respective key vaults:
 
 ```azurecli
 # Source key vault
@@ -169,7 +166,7 @@ az keyvault set-policy --name targetkeyvault \
 
 ### Create the ExportPipeline resource 
 
-Create an ExportPipeline resource in your source container registry using Azure Resource Manager template deployment. The ExportPipeline resource is provisioned with the user-assigned identity you created previously.
+Create an ExportPipeline resource for your source container registry using Azure Resource Manager template deployment. The ExportPipeline resource is provisioned with the source user-assigned identity you created previously.
 
 Copy ExportPipeline Resource Manager template files from [here](add link - TBD).
 
@@ -180,7 +177,7 @@ az deployment group create \
   --resource-group myResourceGroup \
   --template-file azuredeploy.json \
   --parameters azuredeploy.parameters.json \
-  --parameters userAssignedIdentity=$resourceID
+  --parameters userAssignedIdentity=$sourceResourceID
 ```
  
 ### Run the ExportPipeline resource 
@@ -200,24 +197,24 @@ az group deployment create \
 
 ## Transfer blob (optional) 
 
-Copy the blob to the target storage account using the AzCopy command. See [Copy blobs between storage accounts](/storage/common/storage-use-azcopy-blobs.md#copy-blobs-between-storage-accounts). 
+Use the AzCopy command to copy the blob from the source storage account to the target storage account. See [Copy blobs between storage accounts](/storage/common/storage-use-azcopy-blobs.md#copy-blobs-between-storage-accounts). 
 
 [TODO: What does the AzCopy command look like? Is it the `azcopy sync` shown below?]
 
-Synchronize the source and target storage containers:
+The following `azcopy sync` command ynchronizes the transfer containers in the source and target storage accounts:
 
 ```console
 azcopy sync \
-  'https://<source-storage-account-name>.blob.core.windows.net/<container-name>' \
-  'https://<destination-storage-account-name>.blob.core.windows.net/<container-name>' \
+  'https://<source-storage-account-name>.blob.core.windows.net/transfer' \
+  'https://<destination-storage-account-name>.blob.core.windows.net/transfer' \
   --recursive 
 ```
 
 ## Import 
 
 ### Create the ImportPipeline resource 
 
-Create an ImportPipeline resource in your target container registry using Azure Resource Manager template deployment. The ImportPipeline resource is provisioned with the user-assigned identity you created previously. 
+Create an ImportPipeline resource in your target container registry using Azure Resource Manager template deployment. The ImportPipeline resource is provisioned with the target user-assigned identity you created previously. By default, the pipeline is triggered to import automatically when the target storage account has images.
 
 Copy ImportPipeline Resource Manager template files from [here](add link - TBD).
 
@@ -228,7 +225,7 @@ az group deployment create \
   --resource-group myResourceGroup \ 
   --template-file azuredeploy.json \ 
   --parameters azuredeploy.parameters.json \
-  --parameters userAssignedIdentity=$resourceID 
+  --parameters userAssignedIdentity=$targetResourceID 
 ```
 
 ### Run the ImportPipeline resource manually (optional) 
