updates with PM feedback

Michael Bender · Michael Bender · commit 77f6abf99861 · 2023-10-30T16:09:46.000-05:00
diff --git a/articles/virtual-network-manager/concept-security-admins.md b/articles/virtual-network-manager/concept-security-admins.md
@@ -101,7 +101,7 @@ Based on the industry study and suggestions from Microsoft, we recommend custome
 | **5800** | TCP | VNC Remote Frame Buffer over HTTP |
 | **5900** | TCP | VNC Remote Frame Buffer over HTTP |
 | **11211** | UDP | Memcached |
-m
+
 ### Management at scale
 
 Azure Virtual Network Manager provides a way to manage your security policies at scale with security admin rules. When you apply a security admin configuration to a [network group](./concept-network-groups.md), a network group can contain dozens or hundreds of VNets, and all of the resources in the network groups’ scope have those security admin rules applied to them.
@@ -110,26 +110,26 @@ New resources are protected along with existing resources. For example, if you a
 
 When new security risks are identified, you can deploy them at scale by creating a security admin rule to protect against the new risk and applying it to your network groups. Once this new rule is deployed, all resources in the scope of the network groups will be protected now and in the future.
 
-## Non-application of security admin rules
+## Nonapplication of security admin rules
 
 In most instances, security admin rules are applied to all virtual networks and subnets within the scope of a network group's applied security configuration. However, there are some services that don't apply security admin rules due to the network requirements of the service. These requirements are enforced by the service's network intent policy.
 
-### Non-application at virtual network level
+### Nonapplication of security admin rules at virtual network level
 
-By default, security admin rules aren't applied when they're deployed to a virtual network containing the following services:
+By default, security admin rules aren't applied to a virtual network containing the following services:
 
 - [Azure SQL Managed Instances](/azure/azure-sql/managed-instance/connectivity-architecture-overview#mandatory-security-rules-with-service-aided-subnet-configuration)
 - Azure Databricks  
 
-When this happens, the security admin rules are skipped for all others services deployed in the virtual network. If you want *Allow* rules applied to those other services in the virtual network, you create your security configuration with the `AllowRulesOnly` field set in the [securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices](/dotnet/api/microsoft.azure.management.network.models.networkintentpolicybasedservice?view=azure-dotnet) .NET class. When set, *Allow* rules in your security configuration will be applied to other services on the virtual networks with Azure SQL Managed Instances or Azure Databricks. All *Deny* rules will be skipped for the virtual network. Virtual networks without these services can continue using *Allow* and *Deny* rules. 
+When a virtual network contains these services, the security admin rules skip this virtual network. If you want *Allow* rules applied to this virtual network, you create your security configuration with the `AllowRulesOnly` field set in the [securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices](/dotnet/api/microsoft.azure.management.network.models.networkintentpolicybasedservice?view=azure-dotnet) .NET class. When set, *Allow* rules in your security configuration will be applied to this virtual network. All *Deny* rules will not be applied on this virtual network. Virtual networks without these services can continue using *Allow* and *Deny* rules. 
 
 You can create a security configuration with *Allow* rules only and deploy it to your virtual networks with [Azure PowerShell](/powershell/module/az.network/new-aznetworkmanagersecurityadminconfiguration#example-1) and [Azure CLI](/cli/azure/network/manager/security-admin-config#az-network-manager-security-admin-config-create-examples).
 
 > [!NOTE]
 > When multiple Azure Virtual Network Manager instances apply different settings in the `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` class to the same virtual network, the setting of the network manager instance with the highest scope will be used.
 > Let's say you have two virtual network managers. The first network manager is scoped to the root management group and has a security configuration with set to *AllowRulesOnly* in the `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` class. The second virtual network manager is scoped to a subscription under the root management group and uses the default field of *None* in it's security configuration. When both configurations apply security admin rules to the same virtual network, the *AllowRulesOnly* setting will be applied to the virtual network.
 
-### Non-application at subnet level
+### Nonapplication of security admin rules at subnet level
 
 Like network intent policies, there are some services that don't apply security admin rules when they're deployed in a subnet within the scope of a security configuration. Those services include:
 
@@ -142,7 +142,7 @@ Like network intent policies, there are some services that don't apply security
 - Azure ExpressRoute Gateway
 
 > [!NOTE]
-> If you want to apply security admin rules on subnets containing an [Azure Application Gateway](../application-gateway/application-gateway-private-deployment.md), ensure each subnet only contains gateways that have been provisioned with *Network Isolation* enabled. If a subnet contains an Azure Application Gateway without network isolation, security admin rules won't be applied to this subnet.
+> If you want to apply security admin rules on subnets containing an Azure Application Gateway, ensure each subnet only contains gateways that have been provisioned with [network isolation](../application-gateway/application-gateway-private-deployment.md) enabled. If a subnet contains an Azure Application Gateway without network isolation, security admin rules won't be applied to this subnet.
 
 ## Security admin fields
 
diff --git a/articles/virtual-network-manager/faq.md b/articles/virtual-network-manager/faq.md
@@ -87,17 +87,17 @@ You can view Azure Virtual Network Manager settings under **Network Manager** fo
 
 Should a regional outage occur, all configurations applied to current resources managed persist, and you can't modify existing configurations, or create new configuration.
 
-### Can a virtual network managed by Azure Virtual Network Manager be peered to a non-managed virtual network?
+### Can a virtual network managed by Azure Virtual Network Manager be peered to a nonmanaged virtual network?
 
 Yes, Azure Virtual Network Manager is fully compatible with pre-existing hub and spoke topology deployments using peering. This means that you won't need to delete any existing peered connections between the spokes and the hub. The migration occurs without any downtime to your network.
 
 ### Can I migrate an existing hub and spoke topology to Azure Virtual Network Manager?
 
-Yes, migrating existing VNets to AVNM’s hub and spoke topology is very easy and requires no down time. Customers can [create a hub and spoke topology connectivity configuration](how-to-create-hub-and-spoke.md) of the desired topology. When the deployment of this configuration is deployed, virtual network manager will automatically create the necessary peerings. Any pre-existing peerings set up by users will remain intact, ensuring there's no downtime.
+Yes, migrating existing VNets to AVNM’s hub and spoke topology is easy and requires no down time. Customers can [create a hub and spoke topology connectivity configuration](how-to-create-hub-and-spoke.md) of the desired topology. When the deployment of this configuration is deployed, virtual network manager will automatically create the necessary peerings. Any pre-existing peerings set up by users remain intact, ensuring there's no downtime.
 
 ### How do connected groups differ from virtual network peering regarding establishing connectivity between virtual networks?
 
-In Azure, VNet peering and connected groups are two methods of establishing connectivity between virtual networks (VNets). While VNet peering works by creating a 1:1 mapping between each peered VNet, connected groups use a new construct that establishes connectivity without such a mapping. In a connected group, all virtual networks are connected without individual peering relationships.  For example, if VNetA, VNetB, and VNetC are part of the same connected group, connectivity is enabled between each VNet without the need for individual peering relationships.
+In Azure, virtual network peering and connected groups are two methods of establishing connectivity between virtual networks (VNets). While virtual network peering works by creating a 1:1 mapping between each peered virtual network, connected groups use a new construct that establishes connectivity without such a mapping. In a connected group, all virtual networks are connected without individual peering relationships.  For example, if VNetA, VNetB, and VNetC are part of the same connected group, connectivity is enabled between each virtual network without the need for individual peering relationships.
 
 ### Do security admin rules apply to Azure Private Endpoints?
 
@@ -121,21 +121,21 @@ No, an Azure Virtual WAN hub isn't supported as the hub in a hub and spoke topol
 
 ### My Virtual Network isn't getting the configurations I'm expecting. How do I troubleshoot?
 
-#### Have you deployed your configuration to the VNet's region?
+#### Have you deployed your configuration to the virtual network's region?
 
 Configurations in Azure Virtual Network Manager don't take effect until they're deployed. Make a deployment to the virtual networks region with the appropriate configurations.
 
 #### Is your virtual network in scope?
 
 A network manager is only delegated enough access to apply configurations to virtual networks within your scope. Even if a resource is in your network group but out of scope, it doesn't receive any configurations.
 
-#### Are you applying security rules to a VNet containing Azure SQL Managed Instances?
+#### Are you applying security rules to a virtual network containing Azure SQL Managed Instances?
 
 Azure SQL Managed Instance has some network requirements. These are enforced through high priority Network Intent Policies, whose purpose conflicts with Security Admin Rules. By default, Admin rule application is skipped on VNets containing any of these Intent Policies. Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules. If you only wish to use Allow rules, you can set AllowRulesOnly on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices`.
 
-#### Are you applying security rules to a VNet or subnet that contains services blocking security configuration rules?
+#### Are you applying security rules to a virtual network or subnet that contains services blocking security configuration rules?
 
-Certain services such as Azure SQL Managed Instance, Azure Databricks and Azure Application Gateway use Network Intent Policies to enforce network requirements. These policies are enforced through high priority Network Intent Policies, whose purpose conflicts with Security Admin Rules. By default, Admin rule application is skipped on VNets containing any of these Intent Policies. Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules. If you only wish to use Allow rules, you can set AllowRulesOnly on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices`.
+Certain services such as Azure SQL Managed Instance, Azure Databricks and Azure Application Gateway require specific network requirements to function propertly. By default, security admin rule application is skipped on [VNets and subnets containing any of these services](./concept-security-admins.md#nonapplication-of-security-admin-rules). Since *Allow* rules pose no risk of conflict, you can opt to apply *Allow Only* rules by setting the security configurations' `AllowRulesOnly`field on `securityConfiguration.properties.applyOnNetworkIntentPolicyBasedServices` .NET class.
 
 ## Limits
 
@@ -169,7 +169,7 @@ Certain services such as Azure SQL Managed Instance, Azure Databricks and Azure
 
 * Azure Virtual Network Manager policies don't support the standard policy compliance evaluation cycle. For more information, see [Evaluation triggers](../governance/policy/how-to/get-compliance-data.md#evaluation-triggers).
 
-* The current preview of connected group has a limitation where traffic from a connected group cannot communicate with a private endpoint in this connected group if it has NSG enabled on it. However, this limitation will be removed once the feature is generally available.
+* The current preview of connected group has a limitation where traffic from a connected group can't communicate with a private endpoint in this connected group if it has NSG enabled on it. However, this limitation will be removed once the feature is generally available.
 ## Next steps
 
 Create an [Azure Virtual Network Manager](create-virtual-network-manager-portal.md) instance using the Azure portal.
