updated concept articles for security and deployment order

HollyCl · HollyCl · commit 6004c5129f73 · 2024-03-21T09:46:47.000-04:00
diff --git a/articles/operator-5g-core/concept-deployment-order.md b/articles/operator-5g-core/concept-deployment-order.md
@@ -6,7 +6,7 @@ ms.author: HollyCl
 ms.service: azure-operator-5g-core
 ms.custom: devx-track-azurecli
 ms.topic: concept-article #required; leave this attribute/value as-is.
-ms.date: 03/07/2024
+ms.date: 03/21/2024
 
 #CustomerIntent: As a <type of user>, I want <what?> so that <why?>.
 ---
@@ -15,26 +15,20 @@ ms.date: 03/07/2024
 
 Mobile Packet Core resources have minimal ordering constraints. To bring up network functions, the cluster services must be already running successfully. The same set of cluster services can be reused for multiple network functions and the cluster services must be deployed on every cluster that hosts the network functions.
 
-## Azure CLI commands used to deploy resources
+## Mobile Packet Core resource deployment order
 
-Use the following Azure CLI commands to deploy resources.
+Deploy resources in the following order. Note that the Microsoft.MobilePacketCore/clusterServices resource must be deployed first. All other resources may be deployed in any order or in parallel.
   
-```azurecli
-{ 
-   [ 
-    Microsoft.MobilePacketCore/clusterServices 
-   ], 
-   [ 
-    Microsoft.MobilePacketCore/amfDeployments 
-    Microsoft.MobilePacketCore/smfDeployments 
-    Microsoft.MobilePacketCore/nrfDeployments 
-    Microsoft.MobilePacketCore/nssfDeployments 
-    Microsoft.MobilePacketCore/upfDeployments 
-    Microsoft.MobilePacketCore/observabilityServices 
-   ]
-```
+Microsoft.MobilePacketCore/clusterServices 
+Microsoft.MobilePacketCore/amfDeployments 
+Microsoft.MobilePacketCore/smfDeployments 
+Microsoft.MobilePacketCore/nrfDeployments 
+Microsoft.MobilePacketCore/nssfDeployments 
+Microsoft.MobilePacketCore/upfDeployments 
+Microsoft.MobilePacketCore/observabilityServices 
+
 
 ## Related content
 
-- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service]  (quickstart-complete-prerequisites-deploy-azure-kubernetes-service.md)
+- [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Azure Kubernetes Service](quickstart-complete-prerequisites-deploy-azure-kubernetes-service.md)
 - [Complete the prerequisites to deploy Azure Operator 5G Core Preview on Nexus Azure Kubernetes Service](quickstart-complete-prerequisites-deploy-nexus-azure-kubernetes-service.md)
diff --git a/articles/operator-5g-core/concept-security.md b/articles/operator-5g-core/concept-security.md
@@ -10,9 +10,11 @@ ms.date: 03/07/2024
 
 # Security in Azure Operator 5G Core Preview
 
-Microsoft is built on Zero Trust security, including Azure Operator 5G Core Preview. Rather than assuming that everything behind the corporate firewall is safe, Zero Trust assumes an open environment where trust must always be validated. Zero Trust is equally applied to all workload environments, both on Nexus and on Azure.
+Microsoft is built on Zero Trust security, including Azure Operator 5G Core Preview. Rather than assuming that everything behind the operator firewall is safe, Zero Trust assumes an open environment where trust must always be validated. Zero Trust is equally applied to all workload environments, both on Nexus and on Azure.
 
- Zero Trust follows Azure Operator 5G Core from development through deployment and monitoring.  
+ Zero Trust follows Azure Operator 5G Core from development through deployment and runtime protection.  
+
+The Azure Operator 5G Core security posture is designed and built to prevent, detect, and defend against the latest security threats. 
 
 ## Development
 
@@ -33,12 +35,9 @@ Azure Operator 5G Core is deployed based on a security blueprint that ensures th
 - Encryption of traffic within the NFs and between NFs (3GPP).
 - Secure storage of data at rest.
 
-## Monitoring
-
-Security monitoring of the application occurs through a combination of native alerting from the NF and Azure security applications. It includes:
+## Runtime protection
 
-- Security Logging - Visibility for actions internal to the application.
-- Microsoft Defender – Optional protection from cyber threats and vulnerabilities.
+Security monitoring of the application occurs through a combination of native alerting from the NF and Azure security applications, including security logging, which allows for the visibility of actions internal to the application.
 
 ## Related content
 
diff --git a/articles/operator-nexus/concepts-read-only-command.md b/articles/operator-nexus/concepts-read-only-command.md
@@ -0,0 +1,77 @@
+---
+title: Azure Operator Nexus: Run read-only commands
+description: Get an overview of read-only commands for Azure Operator Nexus.
+author: HollyCl
+ms.author: HollyCl
+ms.service: azure-operator-nexus
+ms.topic: concept-article #Required; leave this attribute/value as-is.
+ms.date: 03/20/2024
+
+
+---
+
+
+# Run read-only commands
+
+Troubleshooting network devices is a critical aspect of effective network management. Ensuring the health and optimal performance of your infrastructure requires timely diagnosis and resolution of issues. This article presents a comprehensive approach to troubleshooting Azure Operator Nexus devices using read-only (RO) commands.
+
+## Understanding read-only Commands
+
+RO commands serve as essential tools for network administrators. Unlike read-write (RW) commands that modify device configurations, RO commands allow administrators to gather diagnostic information without altering the device’s state. These commands provide valuable insights into the device’s status, configuration, and operational data.
+
+## Read-only diagnostic API
+
+The read-only diagnostic API enables users to execute `show` commands on network devices via an API call. This efficient method allows administrators to remotely run diagnostic queries across all network fabric devices. Key features of the Read-Only diagnostic API include: 
+
+- **Efficiency** -  Execute `show` commands  without direct access to the device console.
+
+- **Seamless Integration with AZCLI** -  Users can utilize the regular Azure Command-Line Interface (AZCLI) to pass the desired `show` command. The API then facilitates command execution on the target device, fetching the output.
+
+- **JSON Output** -  Results from the executed commands are presented in JSON format, making it easy to parse and analyze.
+
+- **Secure Storage** - The output data is stored in the customer-owned storage account, ensuring data security and compliance.
+
+By using the Read-Only diagnostic API, network administrators can efficiently troubleshoot issues, verify configurations, and monitor device health across their Azure Operator Nexus devices.
+
+## Prerequisites
+
+- Provision the Nexus Network Fabric successfully.
+
+- Provide the storage URL with WRITE access via a support ticket.
+
+- The Storage URL must be located in a different region from the Network Fabric. For instance, if the Fabric is hosted in East US, the storage URL should be outside of East US.
+
+For example, if the shared access token (SAS) URL of the container is *readonlydiagnosticsAPI.blob.core.windows.net/read-only-test-XXXXXXXXXX*, then the Network Fabric ARM ID would be */subscriptions/ XXXX-XXXX-XXXX-XXXX /resourceGroups ResourceGroupName /providers/Microsoft.ManagedNetworkFabric/networkFabrics/NFName*.
+
+## Command restrictions
+
+To ensure security and compliance, RO commands must follow specific rules, including:
+
+- All commands must start with `show`.
+- Only an absolute command can be provided as an input. Do no abbreviate to short forms or prompts. `show interfaces Ethernet 1/1 status`. 
+- Commands such as `sh int stat` or `sh int et1/1 status` aren’t supported.  
+- Commands must not be null, empty, or consist of a single word.
+- Commands must not include the pipe character (|).
+- Commands must not end with `tech-support`, `agent logs`, `ip route`, or `ip route vrf all`.
+
+Consider the following rules when using a `show` command:
+
+- Only one `show` command is permitted on a specific device at any time. However, you can run `show` commands on another CLI window or device at the same time.
+- `show` commands are currently unrestricted, except for a few high CPU-intensive commands.
+
+## Execute the read-only command
+
+To run a read-only command, you must first contact Microsoft support. Once they've made the necessary updates, run the following Azure CLI command:
+
+```azurecli
+az networkfabric device run-ro --resource-name "<NFResourceName>" --resource-group "<NFResourceGroupName>" --ro-command ”show version”  
+
+```
+
+You can programmatically check the status of the operation using the following Azure CLI command. The status displays, indicating if the API failed or succeeded.
+
+```azurecli
+az rest -m get -u “<Azure-operationsstatus-endpoint url>”   
+```
+Navigate to the container to view the results of the RO command and to and download the generated output file. 
+## Related content
