Merge pull request #245127 from robswain/copyedits

prmerger-automator[bot] · web-flow · commit 7b46490c227b · 2023-07-17T14:36:07.000Z
Add warning for compatibility issue with AAD and web proxy
diff --git a/articles/private-5g-core/azure-private-5g-core-release-notes-2305.md b/articles/private-5g-core/azure-private-5g-core-release-notes-2305.md
@@ -20,31 +20,32 @@ Packet core versions are supported until two subsequent versions have been relea
 
 ## What's new
 
-- **User-Plane Inactivity Detection** - Starting from AP5GC 2305, a user-plane inactivity timer with a value of 600 seconds is configured for 5G sessions. If there is no traffic for a period of 600 seconds and RAN-initiated Access Network release has not occurred, the Packet Core will release Access Network resources.
+- **User-Plane Inactivity Detection** - Starting from AP5GC 2305, a user-plane inactivity timer with a value of 600 seconds is configured for 5G sessions. If there is no traffic for 600 seconds and RAN-initiated Access Network release has not occurred, the Packet Core will release Access Network resources.
 
-- **UE (user equipment) to UE internal forwarding** - This release delivers the ability for AP5GC to internally forward UE data traffic destined to another UE in the same Data Network (without going via an external router).  
+- **UE (user equipment) to UE internal forwarding** - This release delivers the ability for AP5GC to internally forward UE data traffic destined to another UE in the same Data Network (without going via an external router).
 
-  If you are currently using the default service with allow-all SIM policy along with NAT enabled for the Data Network, or with an external router with deny rules for this traffic, you might have UE to UE traffic forwarding blocked. If you want to continue this blocking behavior with AP5GC 2305, see [Configure UE to UE internal forwarding](configure-internal-forwarding.md).  
+  If you're currently using the default service with allow-all SIM policy along with NAT enabled for the Data Network, or with an external router with deny rules for this traffic, you might have UE to UE traffic forwarding blocked. If you want to continue this blocking behavior with AP5GC 2305, see [Configure UE to UE internal forwarding](configure-internal-forwarding.md).
 
-  If you are not using the default service with allow-all SIM policy and want to allow UE-UE internal forwarding, see [Configure UE to UE internal forwarding](configure-internal-forwarding.md).
+  If you're not using the default service with allow-all SIM policy and want to allow UE-UE internal forwarding, see [Configure UE to UE internal forwarding](configure-internal-forwarding.md).
 
-- **Event Hubs feed of UE Usage** - This feature enhances AP5GC to provide an Azure Event Hubs feed of UE Data Usage events. You can integrate with Event Hubs to build reports on how your private 4G/5G network is being used or carry out other data processing using the information in these events.  If you want to enable this feature for your deployment, please contact your support representative.
+- **Event Hubs feed of UE Usage** - This feature enhances AP5GC to provide an Azure Event Hubs feed of UE Data Usage events. You can integrate with Event Hubs to build reports on how your private 4G/5G network is being used or carry out other data processing using the information in these events.  If you want to enable this feature for your deployment, contact your support representative.
 
 ## Issues fixed in the AP5GC 2305 release
 
 The following table provides a summary of issues fixed in this release.
 
   |No.  |Feature  | Issue |
   |-----|-----|-----|
-  | 1 | Packet forwarding | In scenarios of sustained high load (e.g., continuous setup of hundreds of TCP flows per second) combined with NAT pin-hole exhaustion, AP5GC can encounter a memory leak, leading to a short period of service disruption resulting in some call failures. This issue has been fixed in this release. |
+  | 1 | Packet forwarding | In scenarios of sustained high load (e.g. continuous setup of hundreds of TCP flows per second) combined with NAT pin-hole exhaustion, AP5GC can encounter a memory leak, leading to a short period of service disruption resulting in some call failures. This issue has been fixed in this release. |
   | 2 | Install/Upgrade | Changing the technology type of a deployment from 4G (EPC) to 5G using the upgrade or site delete/add sequence is not supported. This issue has been fixed in this release. |
-  | 3 | Local dashboards | In some scenarios, the Azure Private 5G Core local dashboards don't show session rejection under the **Device and Session Statistics** panel if "Session Establishment" requests are rejected due to invalid PDU type (e.g. IPv6 when only IPv4 is supported). This issue has been fixed in this release. | 
+  | 3 | Local dashboards | In some scenarios, the Azure Private 5G Core local dashboards don't show session rejection under the **Device and Session Statistics** panel if "Session Establishment" requests are rejected due to invalid PDU type (e.g. IPv6 when only IPv4 is supported). This issue has been fixed in this release. |
 
 ## Known issues in the AP5GC 2305 release
 
   |No.  |Feature  | Issue | Workaround/comments |
   |-----|-----|-----|-----|
-  | 1 | Local Dashboards | Where Azure Active Directory is used to authenticate access to AP5GC Local Dashboards, this traffic doesn't transmit via the web proxy when enabled on the Azure Stack Edge appliance that the packet core is running on. | Not applicable. |
+  | 1 | Local Dashboards | When a web proxy is enabled on the Azure Stack Edge appliance that the packet core is running on and Azure Active Directory is used to authenticate access to AP5GC Local Dashboards, the traffic to Azure Active Directory does not transmit via the web proxy. If there is a firewall blocking traffic that does not go via the web proxy then enabling Azure Active Directory will cause the packet core install to fail. | Disable Azure Active Directory and use password based authentication to authenticate access to AP5GC Local Dashboards instead.
+Description |
   | 2 | Reboot | AP5GC may intermittently fail to recover after the underlying platform is rebooted and may require another reboot to recover. | Not applicable. |
 
 ## Known issues from previous releases
diff --git a/articles/private-5g-core/enable-azure-active-directory.md b/articles/private-5g-core/enable-azure-active-directory.md
@@ -1,11 +1,11 @@
 ---
 title: Enable Azure Active Directory (Azure AD) for local monitoring tools
 titleSuffix: Azure Private 5G Core
-description: Complete the prerequisite tasks for enabling Azure Active Directory to access Azure Private 5G Core's local monitoring tools. 
+description: Complete the prerequisite tasks for enabling Azure Active Directory to access Azure Private 5G Core's local monitoring tools.
 author: robswain
 ms.author: robswain
 ms.service: private-5g-core
-ms.topic: how-to 
+ms.topic: how-to
 ms.date: 12/29/2022
 ms.custom: template-how-to
 ---
@@ -16,6 +16,9 @@ Azure Private 5G Core provides the [distributed tracing](distributed-tracing.md)
 
 In this how-to guide, you'll carry out the steps you need to complete after deploying or configuring a site that uses Azure AD to authenticate access to your local monitoring tools. You don't need to follow this if you decided to use local usernames and passwords to access the distributed tracing and packet core dashboards.
 
+> [!CAUTION]
+> Azure AD for local monitoring tools is not supported when a web proxy is enabled on the Azure Stack Edge device on which Azure Private 5G Core is running. If you have configured a firewall that blocks traffic not transmitted via the web proxy, then enabling Azure AD will cause the Azure Private 5G Core installation to fail.
+
 ## Prerequisites
 
 - You must have completed the steps in [Complete the prerequisite tasks for deploying a private mobile network](complete-private-mobile-network-prerequisites.md) and [Collect the required information for a site](collect-required-information-for-a-site.md).
@@ -32,13 +35,13 @@ In the authoritative DNS server for the DNS zone you want to create the DNS reco
 
 ## Register application
 
-You'll now register a new local monitoring application with Azure AD to establish a trust relationship with the Microsoft identity platform. 
+You'll now register a new local monitoring application with Azure AD to establish a trust relationship with the Microsoft identity platform.
 
 If your deployment contains multiple sites, you can use the same two redirect URIs for all sites, or create different URI pairs for each site. You can configure a maximum of two redirect URIs per site. If you've already registered an application for your deployment and you want to use the same URIs across your sites, you can skip this step.
 
 1. Follow [Quickstart: Register an application with the Microsoft identity platform](../active-directory/develop/quickstart-register-app.md) to register a new application for your local monitoring tools with the Microsoft identity platform.
     1. In *Add a redirect URI*, select the **Web** platform and add the following two redirect URIs, where *\<local monitoring domain\>* is the domain name for your local monitoring tools that you set up in [Configure domain system name (DNS) for local monitoring IP](#configure-domain-system-name-dns-for-local-monitoring-ip):
-    
+
         - https://*\<local monitoring domain\>*/sas/auth/aad/callback
         - https://*\<local monitoring domain\>*/grafana/login/azuread
 
@@ -74,7 +77,7 @@ To support Azure AD on Azure Private 5G Core applications, you'll need a YAML fi
 
 1. Convert each of the values you collected in [Collect the information for Kubernetes Secret Objects](#collect-the-information-for-kubernetes-secret-objects) into Base64 format. For example, you can run the following command in an Azure Cloud Shell **Bash** window:
 
-    ```bash    
+    ```bash
     echo -n <Value> | base64
     ```
 
@@ -115,7 +118,7 @@ You'll need to apply your Kubernetes Secret Objects if you're enabling Azure AD
 
 1. Sign in to [Azure Cloud Shell](../cloud-shell/overview.md) and select **PowerShell**. If this is your first time accessing your cluster via Azure Cloud Shell, follow [Access your cluster](../azure-arc/kubernetes/cluster-connect.md?tabs=azure-cli) to configure kubectl access.
 1. Apply the Secret Object for both distributed tracing and the packet core dashboards, specifying the core kubeconfig filename.
-    
+
     `kubectl apply -f  /home/centos/secret-azure-ad-local-monitoring.yaml --kubeconfig=<core kubeconfig>`
 
 1. Use the following commands to verify if the Secret Objects were applied correctly, specifying the core kubeconfig filename. You should see the correct **Name**, **Namespace**, and **Type** values, along with the size of the encoded values.
@@ -127,7 +130,7 @@ You'll need to apply your Kubernetes Secret Objects if you're enabling Azure AD
 1. Restart the distributed tracing and packet core dashboards pods.
 
     1. Obtain the name of your packet core dashboards pod:
-        
+
         `kubectl get pods -n core --kubeconfig=<core kubeconfig>" | grep "grafana"`
 
     1. Copy the output of the previous step and replace it into the following command to restart your pods.
