Commit 6004c51

committed
updated concept articles for security and deployment order
1 parent e56eac5 commit 6004c51

3 files changed

+95
-25
lines changed

articles/operator-5g-core/concept-deployment-order.md

Lines changed: 12 additions & 18 deletions
@@ -6,7 +6,7 @@ ms.author: HollyCl
66
ms.service: azure-operator-5g-core
77
ms.custom: devx-track-azurecli
88
ms.topic: concept-article #required; leave this attribute/value as-is.
9-
ms.date: 03/07/2024
9+
ms.date: 03/21/2024
1010

1111
#CustomerIntent: As a <type of user>, I want <what?> so that <why?>.
1212
---
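
Review bot: The `#CustomerIntent` comment in this front-matter block still carries the unfilled template placeholders (`As a <type of user>, I want <what?> so that <why?>.`) while `ms.date` is bumped right above it. Either fill in the intent for this article or remove the comment, since the new date marks the article as reviewed.
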
@@ -15,26 +15,20 @@ ms.date: 03/07/2024
1515

1616
Mobile Packet Core resources have minimal ordering constraints. To bring up network functions, the cluster services must be already running successfully. The same set of cluster services can be reused for multiple network functions and the cluster services must be deployed on every cluster that hosts the network functions.
1717

18-
## Azure CLI commands used to deploy resources
18+
## Mobile Packet Core resource deployment order
1919

20-
Use the following Azure CLI commands to deploy resources.
20+
Deploy resources in the following order. Note that the Microsoft.MobilePacketCore/clusterServices resource must be deployed first. All other resources may be deployed in any order or in parallel.
2121

22-
```azurecli
23-
{
24-
[
25-
Microsoft.MobilePacketCore/clusterServices
26-
],
27-
[
28-
Microsoft.MobilePacketCore/amfDeployments
29-
Microsoft.MobilePacketCore/smfDeployments
30-
Microsoft.MobilePacketCore/nrfDeployments
31-
Microsoft.MobilePacketCore/nssfDeployments
32-
Microsoft.MobilePacketCore/upfDeployments
33-
Microsoft.MobilePacketCore/observabilityServices
34-
]
35-
```
22+
Microsoft.MobilePacketCore/clusterServices
23+
Microsoft.MobilePacketCore/amfDeployments
24+
Microsoft.MobilePacketCore/smfDeployments
25+
Microsoft.MobilePacketCore/nrfDeployments
26+
Microsoft.MobilePacketCore/nssfDeployments
27+
Microsoft.MobilePacketCore/upfDeployments
28+
Microsoft.MobilePacketCore/observabilityServices
29+
3630

3731
## Related content
3832

39-
- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service] (quickstart-complete-prerequisites-deploy-azure-kubernetes-service.md)
33+
- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service](quickstart-complete-prerequisites-deploy-azure-kubernetes-service.md)
4034
- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Nexus Azure Kubernetes Service](quickstart-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md)
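
Review bot: The new intro at line 20 contradicts itself, and the list that follows it has no markup. "Deploy resources in the following order" implies the seven entries are sequential, but the next sentence says only `Microsoft.MobilePacketCore/clusterServices` is ordered and everything else can go in any order or in parallel. The removed code fence was also not replaced, so the resource types at lines 22-28 are bare consecutive lines that Markdown will fold into a single paragraph. Suggest stating the one constraint directly (deploy `clusterServices` first, then the rest in any order or in parallel), putting the remaining six resource types in a bulleted list, and dropping the empty line added at line 29.
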

articles/operator-5g-core/concept-security.md

Lines changed: 6 additions & 7 deletions
@@ -10,9 +10,11 @@ ms.date: 03/07/2024
1010

1111
# Security in Azure Operator 5G Core Preview
1212

13-
Microsoft is built on Zero Trust security, including Azure Operator 5G Core Preview. Rather than assuming that everything behind the corporate firewall is safe, Zero Trust assumes an open environment where trust must always be validated. Zero Trust is equally applied to all workload environments, both on Nexus and on Azure.
13+
Microsoft is built on Zero Trust security, including Azure Operator 5G Core Preview. Rather than assuming that everything behind the operator firewall is safe, Zero Trust assumes an open environment where trust must always be validated. Zero Trust is equally applied to all workload environments, both on Nexus and on Azure.
1414

15-
Zero Trust follows Azure Operator 5G Core from development through deployment and monitoring.
15+
Zero Trust follows Azure Operator 5G Core from development through deployment and runtime protection.
16+
17+
The Azure Operator 5G Core security posture is designed and built to prevent, detect, and defend against the latest security threats.
1618

1719
## Development
1820
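
Review bot: The sentence added at line 17 ("designed and built to prevent, detect, and defend against the latest security threats") makes a claim the reader cannot check from this article. Suggest tying "prevent, detect, and defend" to the sections that follow, or dropping the sentence. In the reworded line 13, "Microsoft is built on Zero Trust security, including Azure Operator 5G Core Preview" still parses as if the product were a component of Microsoft; since the line is being touched anyway, consider making Azure Operator 5G Core Preview the subject of the sentence.
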

@@ -33,12 +35,9 @@ Azure Operator 5G Core is deployed based on a security blueprint that ensures th
3335
- Encryption of traffic within the NFs and between NFs (3GPP).
3436
- Secure storage of data at rest.
3537

36-
## Monitoring
37-
38-
Security monitoring of the application occurs through a combination of native alerting from the NF and Azure security applications. It includes:
38+
## Runtime protection
3939

40-
- Security Logging - Visibility for actions internal to the application.
41-
- Microsoft Defender – Optional protection from cyber threats and vulnerabilities.
40+
Security monitoring of the application occurs through a combination of native alerting from the NF and Azure security applications, including security logging, which allows for the visibility of actions internal to the application.
4241

4342
## Related content
4443
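
Review bot: The Microsoft Defender bullet is removed with no replacement or explanation, and the section is renamed to "Runtime protection" while the only text left in it (line 40) describes monitoring and logging. Defender was the one item here described as protection rather than visibility, so either keep it listed or state that it no longer applies, and make the heading match what the section actually covers. The merged sentence is also ambiguous: "Azure security applications, including security logging" reads as if security logging were one of the Azure applications rather than something the NF provides.
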

Lines changed: 77 additions & 0 deletions
@@ -0,0 +1,77 @@
1+
---
2+
title: Azure Operator Nexus: Run read-only commands
3+
description: Get an overview of read-only commands for Azure Operator Nexus.
4+
author: HollyCl
5+
ms.author: HollyCl
6+
ms.service: azure-operator-nexus
7+
ms.topic: concept-article #Required; leave this attribute/value as-is.
8+
ms.date: 03/20/2024
9+
10+
11+
---
12+
13+
14+
# Run read-only commands
15+
16+
Troubleshooting network devices is a critical aspect of effective network management. Ensuring the health and optimal performance of your infrastructure requires timely diagnosis and resolution of issues. This article presents a comprehensive approach to troubleshooting Azure Operator Nexus devices using read-only (RO) commands.
17+
18+
## Understanding read-only Commands
19+
20+
RO commands serve as essential tools for network administrators. Unlike read-write (RW) commands that modify device configurations, RO commands allow administrators to gather diagnostic information without altering the device’s state. These commands provide valuable insights into the device’s status, configuration, and operational data.
21+
22+
## Read-only diagnostic API
23+
24+
The read-only diagnostic API enables users to execute `show` commands on network devices via an API call. This efficient method allows administrators to remotely run diagnostic queries across all network fabric devices. Key features of the Read-Only diagnostic API include:
25+
26+
- **Efficiency** - Execute `show` commands without direct access to the device console.
27+
28+
- **Seamless Integration with AZCLI** - Users can utilize the regular Azure Command-Line Interface (AZCLI) to pass the desired `show` command. The API then facilitates command execution on the target device, fetching the output.
29+
30+
- **JSON Output** - Results from the executed commands are presented in JSON format, making it easy to parse and analyze.
31+
32+
- **Secure Storage** - The output data is stored in the customer-owned storage account, ensuring data security and compliance.
33+
34+
By using the Read-Only diagnostic API, network administrators can efficiently troubleshoot issues, verify configurations, and monitor device health across their Azure Operator Nexus devices.
35+
36+
## Prerequisites
37+
38+
- Provision the Nexus Network Fabric successfully.
39+
40+
- Provide the storage URL with WRITE access via a support ticket.
41+
42+
- The Storage URL must be located in a different region from the Network Fabric. For instance, if the Fabric is hosted in East US, the storage URL should be outside of East US.
43+
44+
For example, if the shared access token (SAS) URL of the container is *readonlydiagnosticsAPI.blob.core.windows.net/read-only-test-XXXXXXXXXX*, then the Network Fabric ARM ID would be */subscriptions/ XXXX-XXXX-XXXX-XXXX /resourceGroups ResourceGroupName /providers/Microsoft.ManagedNetworkFabric/networkFabrics/NFName*.
45+
46+
## Command restrictions
47+
48+
To ensure security and compliance, RO commands must follow specific rules, including:
49+
50+
- All commands must start with `show`.
51+
- Only an absolute command can be provided as an input. Do no abbreviate to short forms or prompts. `show interfaces Ethernet 1/1 status`.
52+
- Commands such as `sh int stat` or `sh int et1/1 status` aren’t supported.
53+
- Commands must not be null, empty, or consist of a single word.
54+
- Commands must not include the pipe character (|).
55+
- Commands must not end with `tech-support`, `agent logs`, `ip route`, or `ip route vrf all`.
56+
57+
Consider the following rules when using a `show` command:
58+
59+
- Only one `show` command is permitted on a specific device at any time. However, you can run `show` commands on another CLI window or device at the same time.
60+
- `show` commands are currently unrestricted, except for a few high CPU-intensive commands.
61+
62+
## Execute the read-only command
63+
64+
To run a read-only command, you must first contact Microsoft support. Once they've made the necessary updates, run the following Azure CLI command:
65+
66+
```azurecli
67+
az networkfabric device run-ro --resource-name "<NFResourceName>" --resource-group "<NFResourceGroupName>" --ro-command ”show version”
68+
69+
```
70+
71+
You can programmatically check the status of the operation using the following Azure CLI command. The status displays, indicating if the API failed or succeeded.
72+
73+
```azurecli
74+
az rest -m get -u “<Azure-operationsstatus-endpoint url>”
75+
```
76+
Navigate to the container to view the results of the RO command and to and download the generated output file.
77+
## Related content
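
Review bot: Both `azurecli` samples contain typographic quotes that will break when pasted into a shell: line 67 has `--ro-command ”show version”` and line 74 has `-u “<Azure-operationsstatus-endpoint url>”`. Replace them with straight double quotes. Other points in this file:

- The front-matter `title:` at line 2 has an unquoted colon in its value (`Azure Operator Nexus: Run read-only commands`), which is not valid YAML; quote the value.
- "Command restrictions" lists several disallowed forms at lines 50-55, then line 60 says `show` commands are "currently unrestricted, except for a few high CPU-intensive commands". Say which statement is authoritative and name the blocked commands, because readers will treat this list as the allow/deny policy.
- The prerequisite at line 40 asks for a storage URL with WRITE access to be sent through a support ticket. State the expected scope and expiry of that SAS token, since it is a write credential leaving the customer's control.
- The "For example" paragraph at line 44 pairs a SAS URL with an ARM ID without saying how they relate, and the ARM ID has stray spaces and a missing slash after `resourceGroups`.
- Typos: "Do no abbreviate" (line 51) and "to and to and download" (line 76).
- The file ends on an empty "## Related content" heading.
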
