articles/virtual-wan/how-to-nva-hub.md
21 additions & 21 deletions
@@ -14,52 +14,52 @@ This article shows you how to deploy an **Integrated Network Virtual Appliance (
14
14
15
15
## Background
16
16
17
-
You can deploy select NVAs directly into your Virtual WAN hub. NVAs deployed in the Virtual WAN hub are typically split into three categories:
17
+
NVAs deployed in the Virtual WAN hub are typically split into three categories:
18
18
19
19
***Connectivity appliances**: Used to terminate VPN and SD-WAN connections from on-premises. Connectivity appliances use Border Gateway Protocol (BGP) to exchange routes with the Virtual WAN hub.
20
-
***Next-Generation Firewall (NGFW) appliances**: Used in conjunction with [Routing Intent](how-to-routing-policies.md) to provide bump-in-the-wire inspection for traffic traversing the Virtual WAN hub.
21
-
***Dual-role connectivity and Firewall appliances**: Single device that both connects on-premises to Azure connectivtion and security inspection for traffic traversing the Virtual WAN hub.
20
+
***Next-Generation Firewall (NGFW) appliances**: Used with [Routing Intent](how-to-routing-policies.md) to provide bump-in-the-wire inspection for traffic traversing the Virtual WAN hub.
21
+
***Dual-role connectivity and Firewall appliances**: Single device that both connect on-premises devices to Azure and inspect traffic traversing the Virtual WAN hub.
22
22
23
-
For the list of NVAs that can be deployed in the Virtual WAN hub and their respective capabiltiies, see [Virtual WAN NVA partners](about-nva-hub.md#partners).
23
+
For the list of NVAs that can be deployed in the Virtual WAN hub and their respective capabilities, see [Virtual WAN NVA partners](about-nva-hub.md#partners).
24
24
25
25
## Deployment Mechanisms
26
26
27
-
Network Virtual Appliances can be deployed through a couple of different workflows. Different Network Virtual Appliancce partners support different deployment mechanisms. Every Virtual WAN integrated NVA partner supports the **Azure Marketplace Managed Application** workflow. For information about other deployment methods, reference your NVA provider's documentation.
27
+
Network Virtual Appliances can be deployed through a couple of different workflows. Different Network Virtual Appliance partners support different deployment mechanisms. Every Virtual WAN integrated NVA partner supports the **Azure Marketplace Managed Application** workflow. For information about other deployment methods, reference your NVA provider's documentation.
28
28
29
-
***Azure Marketplace Managed Application**: All Virtual WAN NVA partners leverage Azure Managed Applications to deploy Integrated NVAs in the Virtual WAN hub. Azure Managed Applications offer you an easy way to deploy NVAs into the Virtual WAN hub via an Azure Portal experience that is built by the NVA provider. The Azure Portal experience collects critical deployment and configuration parameters needed to deployu and boot-strap the NVA. For more information on Azure Managed Applications, see [Managed Application documentation](../azure-resource-manager/managed-applications/overview.md). Reference your provider's documentation on the full deployment workflow via Azure Managed Application.
30
-
***NVA orchestrator deployments**: Certain NVA partners allow you to deploy NVAs into the Hub directly from the NVA orchestration or management software. NVA deployments from NVA orchestration software typically requires you to provide an Azure service principal to the NVA orchestration software. The Azure service principal is used by the NVA orchestration software to interact with Azure API's to deploy and manage NVAs in the hub. This workflow is very specific to the NVA provider's implementation. Reference your provider's documentation for more information.
31
-
***Other deployment mechanisms**: NVA partners may also offer other mechanisms to deploy NVAs in the hub such as ARM templates and Terraform. Reference your provider's documentation for more information on leveraging other supported deployment mecahnisms.
29
+
***Azure Marketplace Managed Application**: All Virtual WAN NVA partners use Azure Managed Applications to deploy Integrated NVAs in the Virtual WAN hub. Azure Managed Applications offer you an easy way to deploy NVAs into the Virtual WAN hub via an Azure portal experience that is created by the NVA provider. The Azure portal experience collects critical deployment and configuration parameters needed to deploy and boot-strap the NVA. For more information on Azure Managed Applications, see [Managed Application documentation](../azure-resource-manager/managed-applications/overview.md). Reference your provider's documentation on the full deployment workflow via Azure Managed Application.
30
+
***NVA orchestrator deployments**: Certain NVA partners allow you to deploy NVAs into the Hub directly from the NVA orchestration or management software. NVA deployments from NVA orchestration software typically require you to provide an Azure service principal to the NVA orchestration software. The Azure service principal is used by the NVA orchestration software to interact with Azure APIs to deploy and manage NVAs in the hub. This workflow is specific to the NVA provider's implementation. Reference your provider's documentation for more information.
31
+
***Other deployment mechanisms**: NVA partners may also offer other mechanisms to deploy NVAs in the hub such as ARM templates and Terraform. Reference your provider's documentation for more information on other supported deployment mechanisms.
32
32
33
-
## Pre-requisites
33
+
## Prerequisites
34
34
35
-
The following tutorial assumes that you have already created a Virtual WAN resource with at least one Virtual WAN hub. The tutorial also assumes that you are deploying NVAs via Azure Marketplace Managed Application.
35
+
The following tutorial assumes that you have deployed a Virtual WAN resource with at least one Virtual WAN hub. The tutorial also assumes that you are deploying NVAs via Azure Marketplace Managed Application.
To deploy a Network Virtual Appliance in a Virtual WAN Hub, the user or service principal that creates and manages the NVA must have at minimum the following permissions:
40
40
41
41
* Microsoft.Network/virtualHubs/read over the Virtual WAN hub in which the NVA is deployed into.
42
42
* Microsoft.Network/networkVirtualAppliances/write over the resource group where the NVA is deployed into.
43
-
* Microsoft.Network/publicIpAddresses/join over the public IP address resources that are deployed with the Network Virtual Appliance for [Internet Inbound or DNAT](how-to-network-virtual-appliance-inbound.md) use cases.
43
+
* Microsoft.Network/publicIpAddresses/join over the public IP address resources that are deployed with the Network Virtual Appliance for [Internet Inbound](how-to-network-virtual-appliance-inbound.md) use cases.
44
44
45
-
These permissions need to be granted to the Azure Marketplace Managed Application to ensure deployments succeed. Additional permissions may be required based on the implementation of the deployment workflow developed by your NVA partner.
45
+
These permissions need to be granted to the Azure Marketplace Managed Application to ensure deployments succeed. Other permissions may be required based on the implementation of the deployment workflow developed by your NVA partner.
46
46
47
47
## Assigning Permissions to Azure Managed Application
48
48
49
49
>[!NOTE]
50
-
> At this time, assigning additional permisisons to faciliate Azure Managed Application deployments of Network Virtual Appliances in Virtual WAN is not required for all NVA deployments but will be in the future. Reference provider documentation to determine whether or not user-assigned identities are applicable to your enviornment.
50
+
> At this time, assigning extra permissions to faciliate Azure Managed Application deployments of Network Virtual Appliances in Virtual WAN is not required for all NVA deployments but will be in the future. Reference provider documentation to determine whether or not user-assigned identities are applicable to your enviornment.
51
51
52
52
Network Virtual Appliances that are deployed via Azure Marketplace Managed Application are deployed in a special resource group in your Azure tenant called the **managed resource group**. When you create a Managed Application in your subscription, a corresponding and separate **managed resource group** is created in your subscription. All Azure resources created by the Managed Application (including the Network Virtual Appliance) are deployed into the **managed resource group**.
53
53
54
-
Azure Marketplace owns a first-party service principal that performs the deployment of resources into the **managed resource group**. This first-party principal has permissions to create resources in the **managed resource group**, but does not have permissions to read, update or create Azure resources outside of the **managed resource group**.
54
+
Azure Marketplace owns a first-party service principal that performs the deployment of resources into the **managed resource group**. This first-party principal has permissions to create resources in the **managed resource group**, but doesn;t have permissions to read, update or create Azure resources outside of the **managed resource group**.
55
55
56
-
To ensure that your NVA deployment is performed with the sufficient level of permissions, grant additional permissions to Azure Marketplace. You can do this by deploying your Managed Application with a user-assigned managed identity that has permissions over the Virtual WAN hub and public IP address(es) with which you want to use the Network Virtual Appliance. This user-assigned Managed Identity is used only for initial deployment of resources in the Managed Resource Group and is only used in the context of that Managed Application deployment.
56
+
To ensure that your NVA deployment is performed with the sufficient level of permissions, grant additional permissions to Azure Marketplace. You can grant additional permissions by deploying your Managed Application with a user-assigned managed identity that has permissions over the Virtual WAN hub and public IP address that you want to use the Network Virtual Appliance. This user-assigned Managed Identity is used only for initial deployment of resources in the Managed Resource Group and is only used in the context of that Managed Application deployment.
57
57
58
58
>[!NOTE]
59
59
> Only user-assigned system identities can be assigned to Azure Managed Applications to deploy Network Virtual Appliances in the Virtual WAN Hub. System-assigned identities are not supported.
60
60
61
61
1. Create a new user-assigned identity. For steps on creating new user-assigned identities, see [managed identity documentation](https://learn.microsoft.com/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities?pivots=identity-mi-methods-azp#create-a-user-assigned-managed-identity). You can also use an existing user-assigned identity.
62
-
2. Assign permissions to your user-assigned identity to have at minimum the permissions described in the [Required Permissions]($requirespermissions) section alongside any permissions your NVA provider requires. You can also give the user-assigned identity a built-in Azure role like [Network Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/networking#network-contributor) that contains a superset of the needed permisisons.
62
+
2. Assign permissions to your user-assigned identity to have at minimum the permissions described in the [Required Permissions]($requirespermissions) section alongside any permissions your NVA provider requires. You can also give the user-assigned identity a built-in Azure role like [Network Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles/networking#network-contributor) that contains a superset of the needed permissions.
63
63
64
64
Alternatively, you can also create a [custom role](../role-based-access-control/custom-roles.md) with the following sample definition and assign the custom role to your user-assigned managed identity.
65
65
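Review bot: the rewritten note on line 54 of the new file introduces a typo, "doesn;t have permissions", where the removed line correctly read "does not have permissions"; the sentence is describing the permission boundary of the Marketplace first-party principal, so it should read cleanly, for example "but doesn't have permissions to read, update or create Azure resources outside of the **managed resource group**". The same hunk leaves two misspellings in the NOTE it otherwise edits ("faciliate" should be "facilitate", "enviornment" should be "environment"), and the new sentence "public IP address that you want to use the Network Virtual Appliance" has lost its preposition and the plural the old line carried; suggest "public IP address(es) with which you want to use the Network Virtual Appliance". The new dual-role bullet also needs subject-verb agreement: "Single device that both connects on-premises devices to Azure and inspects traffic traversing the Virtual WAN hub". Finally, the unchanged link `[Required Permissions]($requirespermissions)` in step 2 uses `$` where an in-page anchor needs `#`, and no heading in the shown text is titled "Required Permissions", so that link should be checked to point at the section that lists the minimum permissions (virtualHubs/read, networkVirtualAppliances/write, publicIpAddresses/join), since that list is what a least-privilege role assignment for the user-assigned identity is built from.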
@@ -86,17 +86,17 @@ Alternatively, you can also create a [custom role](../role-based-access-control/
86
86
87
87
## Deploying the NVA
88
88
89
-
The following section describes the steps needed to deploy a Network Virtual Appliance into the Virtual WAN hub using Azure MarketplaceManaged Appliation.
89
+
The following section describes the steps needed to deploy a Network Virtual Appliance into the Virtual WAN hub using Azure Marketplace Managed Application.
90
90
91
91
1. Navigate to your Virtual WAN hub and select **Network Virtual Appliance** under **Third party providers**.
92
92
93
93
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-menu.png"alt-text="Screenshot showing how to navigate to NVA menu under Virtual WAN hub."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-menu.png":::
94
94
95
95
2. Select **Create network virtual appliance**.
96
96
97
-
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png"alt-text="Screenshot showing how to create NVA."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png":::
97
+
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png"alt-text="Screenshot showing how to create NVA/"lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-create.png":::
98
98
99
-
3. Choose the NVA vendor. In this example, "fortinet-ngfw" is selected and select **Create**. At this point you will be re-directed to the NVA partner's Azure Marketplace managed application.
99
+
3. Choose the NVA vendor. In this example, "fortinet-ngfw" is selected and select **Create**. At this point, you're redirected to the NVA partner's Azure Marketplace managed application.
100
100
101
101
:::image type="content" source="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png"alt-text="Screenshot showing how to select NVA vendor."lightbox="./media/network-virtual-appliance-creation/network-virtual-appliance-vendor.png":::
102
102
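Review bot: the changed `:::image` line for step 2 replaces the alt-text's closing period with a slash, `alt-text="Screenshot showing how to create NVA/"`, which is a regression against the removed line; restore `"Screenshot showing how to create NVA."`. In step 3, "In this example, "fortinet-ngfw" is selected and select **Create**" still reads awkwardly after the edit; suggest "In this example, select "fortinet-ngfw", and then select **Create**."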
@@ -106,10 +106,10 @@ The following section describes the steps needed to deploy a Network Virtual App
106
106
107
107
### Permission errors
108
108
109
-
* If you see an error message with error code **LinkeAuthorizationFailed**, this means that the user-assigned identity supplied as part of the Managed Application deployment did not have the proper permissions assigned. The exact permission(s) that are missing are described in the error message. In the example below, double-check that the user-assigned managed identity has READ permissions over the Virtual WAN hub you are trying to deploy the NVA into.
109
+
* If you see an error message with error code **LinkeAuthorizationFailed**, the user-assigned identity supplied as part of the Managed Application deployment didn't have the proper permissions assigned. The exact permissions that are missing are described in the error message. In the following example, double-check that the user-assigned managed identity has READ permissions over the Virtual WAN hub you're trying to deploy the NVA into.
110
110
111
111
```
112
-
The client <> with object id <> has permission to perform action 'Microsoft.Network/networkVirtualAppliances/write' on scope '/subscriptions/<>/resourceGroups/mrg-<>; however, it does not have permission to perform action(s) 'Microsoft.Network/virtualHubs/read on the linked scope(s) '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Network/virtualHubs/<> (respectively) or the linked scope(s) are invalid."
112
+
The client <> with object id <> has permission to perform action 'Microsoft.Network/networkVirtualAppliances/write' on scope '/subscriptions/<>/resourceGroups/mrg-<>; however, it doesn't have permission to perform action(s) 'Microsoft.Network/virtualHubs/read on the linked scope(s) '/subscriptions/<>/resourceGroups/<>/providers/Microsoft.Network/virtualHubs/<> (respectively) or the linked scope(s) are invalid."
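Review bot: the sample error message inside the fenced block is quoted platform output, and this change edits its wording ("it does not have permission" becomes "it doesn't have permission"); readers match this text against what the portal actually returns when diagnosing a missing `Microsoft.Network/virtualHubs/read` assignment, so the quoted message should stay verbatim and the style guide's contraction preference should apply only to the surrounding prose. Two smaller points on the same lines: the error code is written **LinkeAuthorizationFailed** in both the old and new text while the message itself talks about "linked scope(s)", so the spelling of the code (LinkedAuthorizationFailed) should be verified against a real error before merging, and the quoted sample has unbalanced quotes (a stray trailing `"` and an unclosed `'Microsoft.Network/virtualHubs/read`), which is worth tidying if the block is already being touched.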