MicrosoftDocs
diff --git a/‎articles/modeling-simulation-workbench/concept-connector.md
Lines changed: 4 additions & 4 deletions b/‎articles/modeling-simulation-workbench/concept-connector.md
Lines changed: 4 additions & 4 deletions
diff --git a/‎articles/modeling-simulation-workbench/concept-network.md
Lines changed: 58 additions & 0 deletions b/‎articles/modeling-simulation-workbench/concept-network.md
Lines changed: 58 additions & 0 deletions
diff --git a/‎articles/modeling-simulation-workbench/how-to-guide-private-network.md
Lines changed: 39 additions & 14 deletions b/‎articles/modeling-simulation-workbench/how-to-guide-private-network.md
Lines changed: 39 additions & 14 deletions
@@ -12,7 +12,7 @@ ms.date: 01/01/2023
 ---
 # Connectors in Azure Modeling and Simulation Workbench
 
-Connectors define the network access method between users and the Azure Modeling and Simulation Workbench chamber. Connectors support connectivity through allowlisted public IPs, VPN, or Azure ExpressRoute. A chamber can have only one connector configured at a time. Connectors also configure copy-paste functionality into chamber VMs. Connector types are immutable and once created can't be changed to another access model. Connectors are part of the Idle mode setting to reduce cost.
+Connectors define the network access method between users and the Azure Modeling and Simulation Workbench chamber. Connectors support connectivity through allowlisted public IPs, VPN, or Azure ExpressRoute. A chamber can have only one connector configured at a time. Connectors also configure copy-paste functionality for all workload VMs in the chamber. Connector types are immutable and once created can't be changed to another access model. Connectors are part of the Idle mode setting that reduce cost.
 
 ## Public IP access via allowlist
 
@@ -30,7 +30,7 @@ A VPN connector can be created which deploys infrastructure specifically for VPN
 
 [Azure ExpressRoute](/azure/expressroute/expressroute-introduction) provides secure, dedicated, encrypted connectivity from on-premises to an Azure landing zone. A Workbench Owner must create a connector expressly for ExpressRoute, providing the necessary virtual network, supporting network infrastructure, and peer the appropriate vnets.
 
-## Next step
+## Resources
 
-> [!div class="nextstepaction"]
-> [Create a connector](./how-to-guide-set-up-networking.md)
+* [Create a public connector](./how-to-guide-public-network.md)
+* [Create a private network connector](./how-to-guide-private-network.md)
@@ -0,0 +1,58 @@
+---
+title: "Networking: Azure Modeling and Simulation Workbench"
+description: About networking architecture in the Azure Modeling and Simulation Workbench.
+author: yousefi-msft
+ms.author: yousefi
+ms.service: modeling-simulation-workbench
+ms.topic: concept-article
+ms.date: 10/13/2024
+
+#CustomerIntent: As an administrator, I want to understand the networking architecture and capabilities in Azure Modeling and Simulation Workbench.
+---
+
+# Networking overview
+
+The Modeling and Simulation Workbench is a managed, cloud-based platform-as-a-service (PaaS) with an isolated network infrastructure. [Chambers](./concept-chamber.md) are designed for confidentiality and each is a self-contained, private work environment. No connections to the internet or to other chambers are possible. The network allows only remote desktop connections to chamber virtual machines (VM). No file mounts, SSH, or custom connections are possible from or into a chamber.
+
+This article provides an overview of the Modeling and Simulation Workbench network architecture and provides references to guides for managing those resources.
+
+## Chamber networking
+
+[Chambers](./concept-chamber.md) are isolated environments where users in the same enterprise or organization can collaborate. Every virtual machine in the same chamber is connected to the same subnet and can directly communicate to other VMs in the same chamber. Chamber VMs can't communicate with the internet, VMs in other chambers, or on-premises infrastructure. Chamber-to-chamber communication is only achieved using [shared storage](./concept-storage.md#workbench-tier-shared-storage). Virtual machines can only be connected to using a specially provisioned remote desktop client.
+
+### Desktop service
+
+A remote desktop client is required to communicate with chamber VMs. Users can't initiate SSH connections to VMs from outside a chamber, but can SSH between VMs after connecting to the desktop service. The desktop client prohibits file shares, printer, and removable storage access. Refer to the [Quickstart: Connect to desktop](quickstart-connect-desktop.md) article to learn how to connect to a VM.
+
+### Chamber license service
+
+Every chamber has its own [license service](./concept-license-service.md). License servers are automatically provisioned with each chamber for the four major Electronic Design Automation (EDA) vendors. The license servers are only accessible by VMs from within the chamber and can't integrate with  license servers in other chambers or on-premises license servers.
+
+### Red Hat package repository
+
+Azure maintains a private mirror of the official Red Hat Update Infrastructure (RHUI). Chamber VMs can access the Azure RHUI using the Red Hat's `yum` and `dnf` package managers to install packages distributed in the official mirrors. Learn more about Red Hat package management at [Linux package management with YUM and RPM](https://www.redhat.com/sysadmin/how-manage-packages) on the Red Hat site.
+
+### Firewalls
+
+The Modeling and Simulation Workbench provides the standard Azure Red Hat Enterprise Linux (RHEL) 8.8 image, with only a few modifications. The `firewalld` daemon, shipped and enabled by default on all RHEL 8.8 images, remains enabled in Modeling and Simulation Workbench chamber VMs.
+
+> [!IMPORTANT]
+> The `firewalld` service might block communications for applications and services not installed via a Red Hat package or package manager. Refer to the application's documentation and the guide to [configure firewalls](how-to-guide-configure-firewall-red-hat.md) on how to manage firewall rules. Modifying firewalls on individual VMs won't enable access to VMs located in the other chambers or on-premises infrastructure.
+
+## Connectors
+
+[Connectors](concept-connector.md) are connectivity resources associated with chambers and configure networking access to a chamber from outside a workbench. Connectors are created either as public IP or private network connector. [Public IP](./how-to-guide-public-network.md) connectors allow access to your chamber from the internet and control access via an IP address allowlist.  [Private network](./how-to-guide-private-network.md) connectors create network endpoints on virtual network in your subscription and require you to peer with another virtual network, such as virtual private network (VPN) gateway.
+
+## Storage and data pipelines
+
+There are several types and tiers of [storage](./concept-storage.md) in the Modeling and Simulation Workbench. Storage local to a VM, [chamber storage](./how-to-guide-manage-chamber-storage.md), and [shared storage](./how-to-guide-manage-shared-storage.md) are accessible outside of a chamber. Storage volumes can't be mounted or accessed from the internet or on-premises infrastructure.
+
+The [data pipeline](./concept-data-pipeline.md) is the only means of [exporting](./how-to-guide-download-data.md) or [importing](./how-to-guide-upload-data.md) into a workbench. With public networking connectors, the connector defines what IP addresses can use the data pipeline.  
+
+## Related content
+
+* [Import data into Azure Modeling and Simulation Workbench](how-to-guide-upload-data.md)
+* [Export data from Azure Modeling and Simulation Workbench](how-to-guide-download-data.md)
+* [Configure firewalls in Red Hat](how-to-guide-configure-firewall-red-hat.md)
+* [Set up a public IP network connector](how-to-guide-public-network.md)
+* [Set up a private networking connector](how-to-guide-private-network.md)
@@ -1,6 +1,6 @@
 ---
 title: "Create a private network connector: Azure Modeling and Simulation Workbench"
-description: Learn how to deploy a connector on a private virtual network.
+description: Learn how to deploy a private connector for a virtual private network.
 author: yousefi-msft
 ms.author: yousefi
 ms.service: modeling-simulation-workbench
@@ -38,7 +38,7 @@ Before you create a [connector](./concept-connector.md) for private IP networkin
 
 ## Create the private network connector
 
-Each chamber can have only one connector. If you have a public IP connector or other type already associated with the target chamber, you must first [delete the connector](#cleaning-up-resources). In the chamber where you want to create a private network connector:
+Each chamber can have only one connector. If you have a public IP connector or other type already associated with the target chamber, you must first [delete the connector](#delete-a-connector). In the chamber where you want to create a private network connector:
 
 1. Select the **Connector** option in the **Settings** at the left.
     :::image type="content" source="media/howtoguide-private-network/chamber-select-connector.png" alt-text="Screenshot of chamber overview with Connector option outlined in red rectangle.":::
@@ -53,12 +53,10 @@ Each chamber can have only one connector. If you have a public IP connector or o
 1. Select **Review + create**.
 1. If validation passes, select **Create**. Private networking connectors take approximately 30 minutes to deploy.
 
-## Deployed resources
+## Network interfaces and private endpoints
 
 When the Modeling and Simulation Workbench creates a private connector, it deploys the following resources in the same resource group and location as the workbench.
 
-### Network interfaces and private endpoints
-
 Six [network interfaces](/azure/virtual-network/virtual-network-network-interface) (NIC) and corresponding [private endpoints](/azure/private-link/private-endpoint-overview) are created. The NICs are all joined to the private virtual network and subnet specified during setup and given an address on the subnet. The private endpoint connects the NIC to Modeling and Simulation resources hosted in the Microsoft managed environment. The resulting connection becomes part of an [Azure Private Link](/azure/private-link/private-link-overview) service.
 
 * Two connections are created for connection nodes. As users and virtual machines (VM) are added to a chamber, more connection nodes are created.
@@ -67,21 +65,48 @@ Six [network interfaces](/azure/virtual-network/virtual-network-network-interfac
 * One connection for load balancer.
 * One connection for user authentication services.
 
-### DNS zones
+## DNS zones
 
 Modeling and Simulation Workbench creates three private domain name service (DNS) zones for a private network deployment. Each zone corresponds to one of the workbench services for file uploading, file downloading, and desktop connections. No DNS server is created. Administrators must join the zones to their own services.
 
-| Zone                              | Resolves for                          |
-|:----------------------------------|:--------------------------------------|
-| mswb.azure.com                    | Connector desktop dashboard and nodes |
-| privateLink.blob.core.windows.net | Data in pipeline endpoint             |
-| privateLink.file.core.windows.net | Data out pipeline endpoint            |
+| Service                               | Public cloud DNS zone             | Azure Gov cloud DNS Zone                |
+|:--------------------------------------|:----------------------------------|-----------------------------------------|
+| Connector desktop dashboard and nodes | mswb.azure.com                    | mswb.azure.us                           |
+| Data in pipeline endpoint             | privatelink.blob.core.windows.net | privatelink.blob.core.usgovcloudapi.net |
+| Data out pipeline endpoint            | privatelink.file.core.windows.net | privatelink.blob.core.usgovcloudapi.net |
+
+## Ports and IP addresses
+
+### Ports and protocols
+
+The Azure Modeling and Simulation Workbench require certain ports to be accessible from users workstation. Firewalls and VPNs might block access on these ports to certain destinations, when accessed from certain applications, or when connected to different networks. Check with your system administrator to ensure your client can access the service from all your work locations. All traffic to the chamber passes through the connector and the virtual network gateway or peer. Administrators can choose to implement a firewall or network security group to restrict traffic.
+
+* **53/TCP** and **53/UDP**: DNS queries.
+* **443/TCP**: Standard https port for accessing the VM dashboard and any Azure portal page.
+* **5510/TCP**: Used by the ETX client to provide VDI access for both the native and web-based client.
+* **8443/TCP**: Used by the ETX client to negotiate and authenticate to ETX management nodes.
+
+### IP addresses
+
+The private network connector doesn't deploy any public IP network interfaces or gateways. You must create your own gateway interface if connecting directly from the internet or peer the virtual network to another. The region you deploy your gateway interface to determines from which pool of Azure public IP addresses your gateway IP is chosen. Azure IP addresses are taken from Azure's IP ranges for the location in which the Workbench was deployed. A list of all Azure IP addresses and Service tags is available at [Azure IP Ranges and Service Tags – Public Cloud](https://www.microsoft.com/download/details.aspx?id=56519&msockid=1b155eb894cc6c3600a84ac5959a6d3f).
+
+The private IP addresses for the private networking connector are implemented as private network interface connections (NIC) on the virtual network's subnet you specified during initial deployment.
+
+Unlike the public connector, the network interfaces are deployed into your customer subscription and you can associate a network security group (NSG) with the interfaces, the virtual network, or configure a firewall on the virtual network or gateway.
+
+## Immediately terminate access
+
+Access to the chambers can be immediately terminated by [stopping the connector](./how-to-guide-start-stop-restart.md).
+
+## Idle the connector
+
+Idle mode sets the chambers into a preserved, but inactive state. Costs are reduced while still maintaining your configuration and settings. Learn more about idle mode in the [Manage chamber idle mode](how-to-guide-chamber-idle.md) article.
 
-## Starting, stopping, or restarting a connector
+## Start, stop, or restart a connector
 
-Connectors are controllable resources that can be stopped, started, restarted as needed. Instructions on how to are included in [Start, stop, and restart chambers, connectors, and VMs](how-to-guide-start-stop-restart.md). Stopping or restarting the connector interrupts desktop services for all users of the chamber. Stopping the connector is required to [idle a chamber](how-to-guide-chamber-idle.md) to reduce consumption costs.
+Connectors are controllable resources that can be stopped, started, restarted as needed. Instructions on how to are included in [Start, stop, and restart chambers, connectors, and VMs](how-to-guide-start-stop-restart.md). Stopping or restarting the connector interrupts desktop services and data pipelines for all users of the chamber. Stopping the connector is required to [idle a chamber](how-to-guide-chamber-idle.md) to reduce consumption costs.
 
-## Cleaning up resources
+## Delete a connector
 
 If you wish to delete the workbench or change the connector type, you must first delete the connector. Child resources must be deleted first.