Rough Draft of Steps w/ old screenshots

mbender-ms · mbender-ms · commit 81d88a5d3a8f · 2022-08-02T11:02:12.000-05:00
diff --git a/articles/virtual-network-manager/how-to-block-high-risk-ports.md b/articles/virtual-network-manager/how-to-block-high-risk-ports.md
@@ -14,28 +14,10 @@ Remove all the comments in this template before you sign-off or merge to the
 main branch.
 -->
 
-<!--
-This template provides the basic structure of a how-to article.
-See the [how-to guidance](contribute-how-to-write-howto.md) in the contributor guide.
-
-To provide feedback on this template contact 
-[the templates workgroup](mailto:templateswg@microsoft.com).
--->
-
-<!-- 1. H1
-Required. Start your H1 with a verb. Pick an H1 that clearly conveys the task the 
-user will complete.
--->
-
 # How to block high-risk network ports with Security Admin Rules in Azure Virtual Network Manager
 
-<!-- 2. Introductory paragraph 
-Required. Lead with a light intro that describes, in customer-friendly language, 
-what the customer will learn, or do, or accomplish. Answer the fundamental “why 
-would I want to do this?” question. Keep it short.
--->
 
-In this article, you will learn to block high risk network ports using Azure Virtual Network Manager and Security Admin Rules. You'll walk through the creation of an Azure Virtual Network Manager instance, group your vnets with network groups, and create & deploy security admin configurations for your orginization. You'll deploy an general block rule for high risk ports. Then you'll create an exception for managing a specific application's vnet. This is will allow you to manage access to the application vnets using network security groups.
+In this article, you will learn to block high risk network ports using Azure Virtual Network Manager and Security Admin Rules. You'll walk through the creation of an Azure Virtual Network Manager instance, group your virtual networks (VNets) with network groups, and create & deploy security admin configurations for your organization. You'll deploy an general block rule for high risk ports. Then you'll create an exception for managing a specific application's VNet. This is will allow you to manage access to the application VNets using network security groups.
 
 ### Describe Scenario
 
@@ -49,10 +31,22 @@ In this article, you will learn to block high risk network ports using Azure Vir
 * You understand how to 
 * You understand each element in a [Security admin rule](concept-security-admins.md).
 * An Azure account with an active subscription. [Create an account for free](https://azure.microsoft.com/free/?WT.mc_id=A261C142F).
+* A group of virtual networks that can be split into
+
+## Deploy Virtual Network environment 5 VNETS (3 PROD, 2 APP)
+For this How-to, you will need a virtual network environment that includes production and test virtual networks. For the this, you may use the following table or your own configuration of virtual networks:
+| Name | IPv4 address space | subnet |
+| ---- | ----| ---- |
+| vnetA-gen | 10.0.0.0/16 | default - 10.0.1.0/24 |
+| vnetB-gen | 10.1.0.0/16 | default - 10.1.0.0/24 |
+| vnetC-gen | 10.2.0.0/16 | default - 10.2.0.0/24 |
+| vnetD-app | 10.3.0.0/16 | default - 10.3.0.0/24 |
+| vnetE-app | 10.4.0.0/16 | default - 10.4.0.0/24 |
+
+* Place all virtual networks in the subscription, region, and resource group
 
-## Deploy Virtual Network environment 5 VNETS (3 PROD, 2 Test)
-You will deploy a virtual network environment that includes production and test virtual networks.
 
+Not sure how to build a virtual network? Learn more in [Quickstart: Create a virtual network using the Azure portal](quick-create-portal.md).
 
 ## Create a Virtual Network Manager
 In this section, you will deploy a Virtual Network Manager instance with the Security admin feature in your organization.
@@ -74,15 +68,19 @@ In this section, you will deploy a Virtual Network Manager instance with the Sec
     | [Features](concept-network-manager-scope.md#features) | Select the features you want to enable for Azure Virtual Network Manager. Available features are *Connectivity*, *SecurityAdmin*, or *Select All*. </br> Connectivity - Enables the ability to create a full mesh or hub and spoke network topology between virtual networks within the scope. </br> SecurityAdmin - Enables the ability to create global network security rules. |
 
 1. Select **Review + create** and then select **Create** once validation has passed.
+1. Select **Go to resource** when deployment is complete and review the virtual network manager configuration
 
 ## Create a Network Group
-With your virtual network manager created, you now create a network group to encapsulate the VNets you want to protect. This will include all of the VNets in the organization as a general all-encompassing rule to block high risk network ports is needed.
-1. <!-- Step 1 -->
-1. <!-- Step 2 -->
-1. <!-- Step n -->
+With your virtual network manager created, you now create a network group to encapsulate the VNets you want to protect. This will include all of the VNets in the organization as a general all-encompassing rule to block high risk network ports is needed. You will manually add all of the VNets.
+1. Select **Network Groups**, under **Settings**.
+1. Select **+ Create**, enter a *name* for the network group, and select **Add**.
+1. On the *Network groups* page, select the network group you created.
+1. Select **Add**, under **Static Membership** to manually add all the VNets.
+1. On the **Add static members** page, select all of the virtual networks you wish to include, and select **Add**.
 
 ## Create a Security Admin Configuration
 It’s time to construct our security admin rules within a configuration so that we can apply those rules to all the VNets within OurNetworkGroup at once. Create rules for all of your high risk ports. In this section, you'll add rules for SSH, FTP, and HTTP.
+1. Return to your virtual network manager resource.
 1. Select **Configurations** under *Settings* and then select **+ Create**.
 
     :::image type="content" source="./media/create-virtual-network-manager-portal/add-configuration.png" alt-text="Screenshot of add a security admin configuration.":::
@@ -97,13 +95,15 @@ It’s time to construct our security admin rules within a configuration so that
 
 ## Add a rule collection
 
-1. Enter a *Name* to identify this rule collection and then select the *Target network groups* you want to apply the set of rules to.
+1. Select **+ Add** from the *Add a security configuration page*.
+
+1. Enter a *Name* to identify this rule collection and then select the *Target network groups* you want to apply the set of rules to. The target group will be the network group containing all of your virtual networks.
 
     :::image type="content" source="./media/how-to-block-network-traffic-portal/rule-collection-target.png" alt-text="Screenshot of rule collection name and target network groups.":::
 
 ## Add a security rule
 
-1. Select **+ Add** from the *Add a rule collection page*.
+1. Select **+ Add** under **Security admin rules**.
 
     :::image type="content" source="./media/how-to-block-network-traffic-portal/add-rule-button.png" alt-text="Screenshot of add a rule button.":::
 
@@ -151,28 +151,38 @@ If you just created a new security admin configuration, make sure to deploy this
     :::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-security-configuration.png" alt-text="Screenshot of deploy a security configuration page.":::
 
 1. Select **Next** and **Deploy** to deploy the security admin configuration.
-## Create a Network Group for traffic exceptions for allowed application traffic
-We need to create a network group specifically for the Application 1 team’s VNets so that we can create security admin rules that pertain only to Application 1’s VNets and allow them to handle SSH traffic through their own NSGs. Since we already have OurNetworkManager created, we can go ahead and create another network group. 
+## Create a Network Group for exception virtual networks
+With traffic blocked across all of your VNets, you need an exception to allow traffic to your application virtual networks. To do this, you will create a network group specifically for the application VNets and deploy a security admin rule allowing SSH traffic to application resources. 
+
+1. From your virtual network manager, select **Network Groups**, under **Settings**.
+1. Select **+ Create**, enter a *name* for the application network group, and select **Add**.
+1. Under **Define Dynamic Membership**, select **Define**.
+1. Enter or select the values to allow traffic to your application virtual network. 
+1. Select **Preview Resources** to review the **Effective Virtuals Networks** included, and select **Close**.
+1. Select **Save**.
 
 ## Create a Security Admin Rule Collection for Application 1
 We can now create an exception for Application 1’s VNets by adding a new rule collection and security admin rule to our existing security admin configuration.
 
+> [!Important]
+> In order for your security admin rule to allow traffic to your application virtual networks, the priority needs to be set to a **lower number** than existing rules blocking traffic. 
+>
+>For example, an all network rule blocking **SSH** has a priority of **10** so your allow rule should have a priority from **1 to 9**.
+1. From your virtual network manager, select **Configurations** and select your security configuration.
+1. Select **Rule collections** under **Settings**, then select **+ Create** to create a new rule collection.
+1. On the **Add a rule collection page**, enter a name for your application rule collection and choose the application network group you created.
+1. Under the **Security admin rules**, select + Add.
+1. Enter or select the values to allow specific network traffic to your application network group, and select **add** when completed.
+
+1. Repeat the add rule process for all traffic needing an exception.
+1. Select **Save** when you are done.
 ## Re-deploy the Security Admin Configuration
 We’re at the final step, which is to redeploy OurSecurityConfig since we’ve modified this configuration by adding a rule collection.
 
-
-## Verify security admin rules
-
-Go to the **Networking** settings for a virtual machine in the one of the virtual networks you applied the security admin rules to. If you don't have one, deploy a test virtual machine into one of the virtual networks. You'll now see a new section below the network security group rules about security rules applied by Azure Virtual Network Manager.
-
-:::image type="content" source="./media/how-to-block-network-traffic-portal/vm-security-rules.png" alt-text="Screenshot of security admin rules under virtual machine network settings." lightbox="./media/how-to-block-network-traffic-portal/vm-security-rules-expanded.png":::
-
-## Clean up
-
-<!-- 5. Next steps
-Required. Provide at least one next step and no more than three. Include some 
-context so the customer can determine why they would click the link.
--->
+1. From your virtual network manager, select **Configurations**.
+1. Select your security admin configuration and select **Deploy**
+1. On the **Deploy Configuration** page, select all target regions receiving the deployment and 
+1. Select **Next** and **Deploy**.
 
 ## Next steps
 <!-- Add a context sentence for the following links -->
