Merge pull request #108917 from denrea/hdinsight-service-tags

ShawnJackson · web-flow · commit 86d35e0af57e · 2020-03-31T10:51:17.000-05:00
edit pass: hdinsight-service-tags
diff --git a/articles/hdinsight/hdinsight-service-tags.md b/articles/hdinsight/hdinsight-service-tags.md
@@ -1,6 +1,6 @@
 ---
 title: Network security group (NSG) service tags for Azure HDInsight
-description: Use HDInsight service tags to allow inbound traffic to your cluster from HDInsight health and management services nodes, without explicitly adding IP addresses to your network security groups.
+description: Use HDInsight service tags to allow inbound traffic to your cluster from health and management services nodes, without adding IP addresses to your NSGs.
 author: hrasheed-msft
 ms.author: hrasheed
 ms.service: hdinsight
@@ -9,23 +9,23 @@ ms.custom: hdinsightactive
 ms.date: 03/10/2020
 ---
 
-# Network security group (NSG) service tags for Azure HDInsight
+# NSG service tags for Azure HDInsight
 
-HDInsight service tags for network security groups (NSGs) are groups of IP addresses for health and management services. These groups help minimize complexity for security rule creation. [Service tags](../virtual-network/security-overview.md#service-tags) provide an alternative method for allowing inbound traffic from specific IP addresses without entering each of the [management IP addresses](hdinsight-management-ip-addresses.md) in your network security groups.
+Azure HDInsight service tags for network security groups (NSGs) are groups of IP addresses for health and management services. These groups help minimize complexity for security rule creation. [Service tags](../virtual-network/security-overview.md#service-tags) provide an alternative method for allowing inbound traffic from specific IP addresses without entering each of the [management IP addresses](hdinsight-management-ip-addresses.md) in your NSGs.
 
-These service tags are created and managed by the HDInsight service. You can't create your own service tag, or modify an existing tag. Microsoft manages the address prefixes that match to the service tag, and automatically updates the service tag as addresses change.
+The HDInsight service manages these service tags. You can't create your own service tag or modify an existing tag. Microsoft manages the address prefixes that match to the service tag and automatically updates the service tag as addresses change.
 
-## Getting started with service tags
+## Get started with service tags
 
 You have two options for using service tags in your network security groups:
 
-1. Use a single HDInsight service tag - this option will open your virtual network to all of the IP Addresses that the HDInsight service is using to monitor clusters across all regions. This option is the simplest method, but may not be appropriate if you have restrictive security requirements.
+- **Use a single global HDInsight service tag**: This option opens your virtual network to all IP addresses that the HDInsight service uses to monitor clusters across all regions. This option is the simplest method, but might not be appropriate if you have restrictive security requirements.
 
-1. Use multiple regional service tags - this option will open your virtual network to only the IP Addresses that HDInsight is using in that specific region. However, if you're using multiple regions, then you'll need to add multiple service tags to your virtual network.
+- **Use multiple regional service tags**: This option opens your virtual network to only the IP addresses that HDInsight uses in that specific region. However, if you're using multiple regions, you'll need to add multiple service tags to your virtual network.
 
 ## Use a single global HDInsight service tag
 
-The easiest way to begin using service tags with your HDInsight cluster is to add the global tag `HDInsight` to a network security group rule.
+The easiest way to begin using service tags with your HDInsight cluster is to add the global tag `HDInsight` to an NSG rule.
 
 1. From the [Azure portal](https://portal.azure.com/), select your network security group.
 
@@ -35,19 +35,19 @@ The easiest way to begin using service tags with your HDInsight cluster is to ad
 
 1. From the **Source service tag** drop-down list, select **HDInsight**.
 
-    ![Azure portal add service tag](./media/hdinsight-service-tags/azure-portal-add-service-tag.png)
+    ![Add a service tag from the Azure portal](./media/hdinsight-service-tags/azure-portal-add-service-tag.png)
 
-This tag contains the IP addresses of health and management services for all of the regions where HDInsight is available, and will ensure that your cluster can communicate with the necessary health and management services no matter where it's created.
+This tag contains the IP addresses of health and management services for all regions where HDInsight is available. The tag will ensure that your cluster can communicate with the necessary health and management services no matter where it's created.
 
 ## Use regional HDInsight service tags
 
-If option one won't work because you need more restrictive permissions, then you can allow only the service tags applicable for your region. The applicable service tags may be one, two, or three service tags, depending on the region where your cluster is created.
+If the global tag option won't work because you need more restrictive permissions, you can allow only the service tags that are applicable for your region. There may be one, two, or three applicable service tags, depending on the region where your cluster is created.
 
-To find out which service tags to add for your region, read the following sections of the document.
+To find out which service tags to add for your region, read the following sections of the article.
 
 ### Use a single regional service tag
 
-If you prefer service tag option two, and your cluster is located in one of the regions listed in this table, then you only need to add a single regional service tag to your network security group.
+If you prefer to use regional service tags and your cluster is located in one of the regions listed in this table, you only need to add a single regional service tag to your network security group.
 
 | Country | Region | Service tag |
 | ---- | ---- | ---- |
@@ -68,22 +68,22 @@ If you prefer service tag option two, and your cluster is located in one of the
 | Japan | Japan West | HDInsight.JapanWest |
 | France | France Central| HDInsight.FranceCentral |
 | UK | UK South | HDInsight.UKSouth |
-| Azure Government | USDoD Central   | HDInsight.USDoDCentral |
+| Azure Government | USDoD Central | HDInsight.USDoDCentral |
 | &nbsp; | USGov Texas | HDInsight.USGovTexas |
 | &nbsp; | UsDoD East | HDInsight.USDoDEast |
 | &nbsp; | USGov Arizona | HDInsight.USGovArizona |
 
 ### Use multiple regional service tags
 
-If you prefer service tag option two, and the region where your cluster is created wasn't listed above, then you need to allow multiple regional service tags. The need to use more than one is due to differences in the arrangement of resource providers for the various regions.
+If you prefer to use regional service tags but the region where your cluster is created wasn't listed in the preceding table, you need to allow multiple regional service tags. The need to use more than one is due to differences in the arrangement of resource providers for the various regions.
 
 The remaining regions are divided into groups based on which regional service tags they use.
 
 #### Group 1
 
-If your cluster is created in one of the regions in the table below, allow the service tags `HDInsight.WestUS` and `HDInsight.EastUS` in addition to the regional service tag listed. Regions in this section require three service tags.
+If your cluster is created in one of the regions in the following table, allow the service tags `HDInsight.WestUS` and `HDInsight.EastUS` in addition to the regional service tag listed. Regions in this section require three service tags.
 
-For example, if your cluster is created in the `East US 2` region, then you'll need to add the following service tags to your network security group:
+For example, if your cluster is created in the `East US 2` region, you'll need to add the following service tags to your network security group:
 
 - `HDInsight.EastUS2`
 - `HDInsight.WestUS`
@@ -106,17 +106,17 @@ For example, if your cluster is created in the `East US 2` region, then you'll n
 
 #### Group 2
 
-Clusters in the regions of **China North** and **China East**, need to allow two service tags: `HDInsight.ChinaNorth` and `HDInsight.ChinaEast`.
+Clusters in the regions of *China North* and *China East* need to allow two service tags: `HDInsight.ChinaNorth` and `HDInsight.ChinaEast`.
 
 #### Group 3
 
-Clusters in the regions of **US Gov Iowa** and **US Gov Virginia**, need to allow two service tags: `HDInsight.USGovIowa` and `HDInsight.USGovVirginia`.
+Clusters in the regions of *US Gov Iowa* and *US Gov Virginia* need to allow two service tags: `HDInsight.USGovIowa` and `HDInsight.USGovVirginia`.
 
 #### Group 4
 
-Clusters in the regions of **Germany Central** and **Germany Northeast**, need to allow two service tags: `HDInsight.GermanyCentral` and `HDInsight.GermanyNorthEast`.
+Clusters in the regions of *Germany Central* and *Germany Northeast* need to allow two service tags: `HDInsight.GermanyCentral` and `HDInsight.GermanyNortheast`.
 
 ## Next steps
 
-- [Network security groups - service tags](../virtual-network/security-overview.md#security-rules)
+- [Network security groups: service tags](../virtual-network/security-overview.md#security-rules)
 - [Create virtual networks for Azure HDInsight clusters](hdinsight-create-virtual-network.md)
