Commit 85ca617

committed
fixes
1 parent 253d6fb commit 85ca617

File tree

1 file changed

+14
-14
lines changed

articles/virtual-network/secure-virtual-network.md

Lines changed: 14 additions & 14 deletions
@@ -18,9 +18,9 @@ This article provides guidance on how to best secure your Azure Virtual Network
1818

1919
## Virtual Network architecture
2020

21-
- **Isolate and control network traffic**: Segment, isolate, and control network traffic across both ingress and egress flows. Apply defense in depth principles by using localized network controls at all available network boundaries across both east-west and north-south traffic. To minimize network visibility, segment your network and start with least-privilege network controls.
21+
- **Isolate and control network traffic**: Segment, isolate, and control network traffic across both ingress and egress flows. Apply defense in depth principles by using localized network controls at all available network boundaries across both east-west and north-south traffic. To minimize network visibility, segment your network and start with least-privilege network controls. For more information, see [Recommendations for building a segmentation strategy](/azure/well-architected/security/segmentation)
2222

23-
- **Filter traffic**: Ensure that traffic that enters a boundary is expected, allowed, and safe.
23+
- **Filter traffic**: Ensure that traffic that enters a boundary is expected, allowed, and safe. For more information, see [Recommendations for networking and connectivity](/azure/well-architected/security/networking).
2424

2525
- **Apply firewalls at the edge**: Internet edge traffic is north-south traffic and includes ingress and egress. To detect or block threats, an edge strategy must mitigate as many attacks as possible to and from the internet.
2626
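Review bot: the sentence added at 21+ ends without a period after the link, "...see [Recommendations for building a segmentation strategy](/azure/well-architected/security/segmentation)", while the parallel addition at 23+ closes with one; add the terminating period so the two cross-references read consistently.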

@@ -38,35 +38,35 @@ Network security for Virtual Networks focuses on controlling traffic flow, imple
3838

3939
- **Implement network-based intrusion detection**: Deploy network virtual appliances with IDS/IPS capabilities or use Azure Firewall Premium with intrusion detection and prevention system (IDPS) features to monitor and block malicious network traffic. For more information, see [Azure Firewall Premium IDPS](/azure/firewall/premium-features#idps).
4040

41-
- **Use service tags to simplify security rules**: Replace specific IP addresses with service tags in your NSG rules to allow communication with Azure services while maintaining security. Service tags are automatically updated by Microsoft as IP ranges change. For more information, see [Service tags](/azure/virtual-network/service-tags-overview).
41+
- **Use service tags to simplify security rules**: Replace specific IP addresses with service tags in your NSG rules to allow communication with Azure services while maintaining security. Microsoft automatically updates service tags as IP ranges change. For more information, see [Service tags](/azure/virtual-network/service-tags-overview).
4242

4343
- **Configure packet capture for forensic analysis**: Enable packet capture on virtual machines or use VPN Gateway packet capture to record network traffic for security analysis and incident investigation. For more information, see [Network Watcher packet capture](/azure/network-watcher/network-watcher-packet-capture-overview).
4444

45-
- **Implement Azure Bastion for secure RDP/SSH access**: Use Azure Bastion to securely connect to virtual machines over RDP or SSH without exposing them to the public internet. This eliminates the need for public IP addresses on VMs and reduces attack surface. For more information, see [Azure Bastion](/azure/bastion/bastion-overview).
45+
- **Implement Azure Bastion for secure RDP/SSH access**: Use Azure Bastion to securely connect to virtual machines over RDP or SSH without exposing them to the public internet. Bastion eliminates the need for public IP addresses on VMs and reduces attack surface. For more information, see [Azure Bastion](/azure/bastion/bastion-overview).
4646

4747
- **Implement Azure NAT Gateway for outbound traffic**: Use Azure NAT Gateway to provide a static outbound IP address for virtual network resources, ensuring consistent egress traffic and simplifying firewall rules. NAT Gateway also provides protection against port exhaustion. For more information, see [Azure NAT Gateway](/azure/virtual-network/nat-gateway/nat-overview).
4848

49-
- **Set up private link for Azure services**: Use Azure Private Link to access Azure PaaS services (like Azure Storage, SQL Database) over a private endpoint within your virtual network. This eliminates exposure to the public internet and enhances security by keeping traffic within the Azure backbone network. For more information, see [Azure Private Link](/azure/private-link/private-link-overview).
49+
- **Set up private link for Azure services**: Use Azure Private Link to access Azure PaaS services (like Azure Storage, SQL Database) over a private endpoint within your virtual network. Private Link eliminates exposure to the public internet and enhances security by keeping traffic within the Azure backbone network. For more information, see [Azure Private Link](/azure/private-link/private-link-overview).
5050

51-
- **Set subnets to private**: For subnets that do not require public internet access, configure them as private subnets. Use Azure Firewall or NAT Gateway for controlled outbound access if needed. For more information, see [Default outbound access in Azure](/azure/virtual-network/ip-services/default-outbound-access)
51+
- **Set subnets to private**: For subnets that don't require public internet access, configure them as private subnets. Use Azure Firewall or NAT Gateway for controlled outbound access if needed. For more information, see [Default outbound access in Azure](/azure/virtual-network/ip-services/default-outbound-access)
5252

5353
## Identity management
5454

5555
Identity management for Virtual Networks involves controlling access to network resources and ensuring that only authorized users and services can modify network configurations. Proper identity controls prevent unauthorized network changes and maintain network security posture.
5656

5757
- **Use Azure RBAC for network resource access**: Assign appropriate built-in roles such as Network Contributor or custom roles with specific permissions to control who can create, modify, or delete virtual networks and related resources. Follow the principle of least privilege. For more information, see [Azure RBAC for networking](/azure/role-based-access-control/built-in-roles#networking).
5858

59-
- **Enable Azure Active Directory integration**: Use Azure AD as the centralized identity provider for managing access to network resources and related Azure services. This ensures consistent authentication and authorization across your network infrastructure.
59+
- **Enable Microsoft Entra ID integration**: Use Microsoft Entra ID as the centralized identity provider for managing access to network resources and related Azure services. Microsoft Entra ID integration ensures consistent authentication and authorization across your network infrastructure.
6060

61-
- **Implement conditional access for network administrators**: Configure conditional access policies to require multi-factor authentication and restrict access to network management operations based on user location, device compliance, and risk level. For more information, see [Conditional Access](/azure/active-directory/conditional-access/overview).
61+
- **Implement conditional access for network administrators**: Configure conditional access policies to require multifactor authentication and restrict access to network management operations based on user location, device compliance, and risk level. For more information, see [Conditional Access](/azure/active-directory/conditional-access/overview).
6262

6363
## Privileged access
6464

65-
Privileged access management for Virtual Networks focuses on securing administrative operations and ensuring that network configuration changes are performed by authorized personnel with appropriate oversight and monitoring.
65+
Privileged access management for Virtual Networks focuses on securing administrative operations and ensuring that authorized personnel perform network configuration changes with appropriate oversight and monitoring.
6666

67-
- **Enforce multi-factor authentication for network administrators**: Require MFA for all users with network administration privileges to add an additional security layer beyond passwords. This significantly reduces the risk of credential-based attacks. For more information, see [Azure AD MFA](/azure/active-directory/authentication/concept-mfa-howitworks).
67+
- **Enforce multi-factor authentication for network administrators**: Require MFA for all users with network administration privileges to add an extra security layer beyond passwords. MFA significantly reduces the risk of credential-based attacks. For more information, see [Microsoft Entra multifactor authentication](/azure/active-directory/authentication/concept-mfa-howitworks).
6868

69-
- **Use just-in-time access for network operations**: Implement Azure AD Privileged Identity Management to provide time-limited access to network administration roles. This reduces the window of exposure for privileged credentials. For more information, see [Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-configure).
69+
- **Use just-in-time access for network operations**: Implement Microsoft Entra Privileged Identity Management to provide time-limited access to network administration roles. JIT access reduces the window of exposure for privileged credentials. For more information, see [Privileged Identity Management](/azure/active-directory/privileged-identity-management/pim-configure).
7070

7171
- **Monitor privileged network activities**: Enable logging and monitoring for all privileged network operations including NSG changes, route table modifications, and firewall rule updates. Use Azure Activity Log and Azure Monitor to track administrative actions. For more information, see [Azure Activity Log](/azure/azure-monitor/essentials/activity-log).
7272
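Review bot: 61+ changes "multi-factor authentication" to "multifactor", but the bullet heading at 67+ still reads "Enforce multi-factor authentication for network administrators", so after this hunk the term is spelled both ways in adjacent sections; align 67+ with the new spelling. Related: 59+, 67+ and 69+ rename Azure AD to Microsoft Entra in the prose but keep the link targets under /azure/active-directory/ (for example `/azure/active-directory/privileged-identity-management/pim-configure`); confirm those paths still resolve or point them at the Entra documentation. Two smaller items: 59+ is the only bullet in the Identity management section without a "For more information" link, and 51+ still ends without a period after its link.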

@@ -98,7 +98,7 @@ Comprehensive logging and threat detection for Virtual Networks enables security
9898

9999
Asset management for Virtual Networks involves maintaining an inventory of network resources, implementing governance policies, and ensuring compliance with security standards. Effective asset management helps maintain security posture and enables rapid response to security incidents.
100100

101-
- **Use Azure Policy for governance**: Implement Azure Policy definitions to enforce security standards for virtual networks, such as requiring NSGs on subnets, mandating specific security rules, or preventing creation of public IPs. For more information, see [Azure Policy for virtual networks](/azure/virtual-network/policy-reference).
101+
- **Use Azure Policy for governance**: Deploy Azure Policy definitions to enforce security standards for virtual networks. These policies can require NSGs on subnets, mandate specific security rules, or prevent creation of public IPs. For more information, see [Azure Policy for virtual networks](/azure/virtual-network/policy-reference).
102102

103103
- **Tag network resources for organization**: Apply consistent tagging strategies to virtual networks, subnets, NSGs, and related resources to enable proper organization, cost management, and security policy enforcement. For more information, see [Resource tagging](/azure/azure-resource-manager/management/tag-resources).
104104

@@ -108,9 +108,9 @@ Asset management for Virtual Networks involves maintaining an inventory of netwo
108108

109109
## Backup and recovery
110110

111-
Backup and recovery for Virtual Networks focuses on preserving network configurations and ensuring rapid restoration of network connectivity in case of accidental deletion or configuration errors. While virtual networks themselves don't require traditional backups, configuration preservation is critical.
111+
Backup and recovery for Virtual Networks focuses on preserving network configurations and ensuring rapid restoration of network connectivity if there's accidental deletion or configuration errors. While virtual networks themselves don't require traditional backups, configuration preservation is critical.
112112

113-
- **Export network configurations regularly**: Use Azure Resource Manager to export virtual network configurations as templates that can be stored and used for disaster recovery. Automate this process using Azure Automation or Azure DevOps pipelines. For more information, see [Export templates](/azure/azure-resource-manager/templates/export-template-portal).
113+
- **Export network configurations regularly**: Use Azure Resource Manager to export virtual network configurations as templates that can be stored and used for disaster recovery. Automate this process using Azure Automation or Azure Pipelines. For more information, see [Export templates](/azure/azure-resource-manager/templates/export-template-portal).
114114

115115
- **Document network architecture**: Maintain comprehensive documentation of your network design, including IP address schemes, routing tables, security group rules, and connectivity requirements. Store this documentation in a secure, accessible location.
116116
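Review bot: 111+ introduces a number-agreement problem: "if there's accidental deletion or configuration errors" pairs the singular "there's" with the plural "errors". The original "in case of accidental deletion or configuration errors" was grammatical; if the intent is to avoid "in case of", use "if resources are accidentally deleted or misconfigured" instead.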
