Commit 8c6a360

Merge branch 'main' of https://github.com/MicrosoftDocs/azure-docs-pr into cdn-edgio
2 parents 4bd013c + d60c12e commit 8c6a360

7 files changed: +14 -8 lines changed

articles/azure-government/documentation-government-overview-wwps.md

Lines changed: 3 additions & 3 deletions
@@ -124,10 +124,10 @@ Most customers will connect to Azure over the Internet, and the precise routing
124124

125125
#### *Your datacenter connection to Azure region*
126126

127-
[Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet) provides a means for Azure virtual machines (VMs) to act as part of your internal (on-premises) network. You have options to securely connect to a VNet from your on-premises infrastructure – choose an [IPSec protected VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) (for example, point-to-site VPN or site-to-site VPN) or a private connection by using Azure [ExpressRoute](../expressroute/expressroute-introduction.md) with several [data encryption options](../expressroute/expressroute-about-encryption.md).
127+
[Virtual Network](../virtual-network/virtual-networks-overview.md) (VNet) provides a means for Azure virtual machines (VMs) to act as part of your internal (on-premises) network. You have options to securely connect to a VNet from your on-premises infrastructure – choose an [IPsec protected VPN](../vpn-gateway/vpn-gateway-about-vpngateways.md) (for example, point-to-site VPN or site-to-site VPN) or a private connection by using Azure [ExpressRoute](../expressroute/expressroute-introduction.md) with several [data encryption options](../expressroute/expressroute-about-encryption.md).
128128

129-
- **IPSec protected VPN** uses an encrypted tunnel established across the public Internet, which means that you need to rely on the local Internet service providers for any network-related assurances.
130-
- **ExpressRoute** allows you to create private connections between Microsoft datacenters and your on-premises infrastructure or colocation facility. ExpressRoute connections don't go over the public Internet and offer lower latency and higher reliability than IPSec protected VPN connections. [ExpressRoute locations](../expressroute/expressroute-locations-providers.md) are the entry points to Microsoft’s global network backbone and they may or may not match the location of Azure regions. For example, you can connect to Microsoft in Amsterdam through ExpressRoute and have access to all Azure cloud services hosted in Northern and Western Europe. However, it’s also possible to have access to the same Azure regions from ExpressRoute connections located elsewhere in the world. Once the network traffic enters the Microsoft backbone, it's guaranteed to traverse that private networking infrastructure instead of the public Internet.
129+
- **IPsec protected VPN** uses an encrypted tunnel established across the public Internet, which means that you need to rely on the local Internet service providers for any network-related assurances.
130+
- **ExpressRoute** allows you to create private connections between Microsoft datacenters and your on-premises infrastructure or colocation facility. ExpressRoute connections don't go over the public Internet and offer lower latency and higher reliability than IPsec protected VPN connections. [ExpressRoute locations](../expressroute/expressroute-locations-providers.md) are the entry points to Microsoft’s global network backbone and they may or may not match the location of Azure regions. For example, you can connect to Microsoft in Amsterdam through ExpressRoute and have access to all Azure cloud services hosted in Northern and Western Europe. However, it’s also possible to have access to the same Azure regions from ExpressRoute connections located elsewhere in the world. Once the network traffic enters the Microsoft backbone, it's guaranteed to traverse that private networking infrastructure instead of the public Internet.
131131

132132
#### *Traffic across Microsoft global network backbone*
133133
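
Review bot: the ExpressRoute bullet at new line 130 calls the connection "private" and says backbone traffic is "guaranteed to traverse that private networking infrastructure", which a reader can take to mean encrypted. The IPsec bullet at line 129 says "encrypted tunnel" explicitly, so the contrast matters. Since line 130 is being touched anyway, consider adding a pointer there to the data encryption options already linked on line 127. Minor: line 130 mixes curly apostrophes ("Microsoft’s", "it’s") with straight ones ("don't", "it's").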

articles/cloud-services/cloud-services-guestos-msrc-releases.md

Lines changed: 1 addition & 1 deletion
@@ -4407,7 +4407,7 @@ The following tables show the Microsoft Security Response Center (MSRC) updates
44074407
| MS15-117 |[3101722] |Security Update for NDIS to Address Elevation of Privilege |2.45 |November 10, 2015 |
44084408
| MS15-118 |[3104507] |Security Updates for .NET Framework to Address Elevation of Privilege |4.26, 3.33, 2.45 |November 10, 2015 |
44094409
| MS15-119 |[3104521] |Security Update for Winsock to Address Elevation of Privilege |4.26, 3.33, 2.45 |November 10, 2015 |
4410-
| MS15-120 |[3102939] |Security Update for IPSec to Address Denial of Service |4.26, 3.33 |November 10, 2015 |
4410+
| MS15-120 |[3102939] |Security Update for IPsec to Address Denial of Service |4.26, 3.33 |November 10, 2015 |
44114411
| MS15-121 |[3081320] |Security Update to Schannel to Address Spoofing |4.26, 3.33, 2.45 |November 10, 2015 |
44124412
| MS15-122 |[3105256] |Security Update for Kerberos to Address Security Feature Bypass |4.26, 3.33, 2.45 |November 10, 2015 |
44134413
| Microsoft Security Advisory |[3097966] |Inadvertently disclosed Digital Certificates Could Allow spoofing |4.26, 3.33, 2.45 |November 10, 2015 |
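
Review bot: the cell changed at line 4410 reads as the bulletin's own title rather than doc prose, so recasing "IPSec" here may make the row differ from the published title behind [3102939]. Confirm that this table is not expected to quote MSRC titles verbatim (for search or cross-reference) before normalizing it; if it is, leave this row out of the rename.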

articles/expressroute/expressroute-bfd.md

Lines changed: 1 addition & 1 deletion
@@ -68,7 +68,7 @@ router bgp 65020
6868
Between BFD peers, the slower of the two peers determine the transmission rate. MSEEs BFD transmission/receive intervals are set to 300 milliseconds. In certain scenarios, the interval may be set at a higher value of 750 milliseconds. By configuring a higher value, you can force these intervals to be longer but it's not possible to make them shorter.
6969

7070
>[!NOTE]
71-
>If you have configured Geo-redundant ExpressRoute circuits or use Site-to-Site IPSec VPN connectivity as backup. Enabling BFD would help failover quicker following an ExpressRoute connectivity failure.
71+
>If you have configured Geo-redundant ExpressRoute circuits or use Site-to-Site IPsec VPN connectivity as backup. Enabling BFD would help failover quicker following an ExpressRoute connectivity failure.
7272
>
7373
7474
## Next Steps
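
Review bot: new line 71 is still a sentence fragment followed by a second sentence ("...as backup. Enabling BFD would help failover quicker..."), so the condition and its consequence are split. Since the line is being edited, join them, for example: "If you have configured geo-redundant ExpressRoute circuits or use Site-to-Site IPsec VPN connectivity as backup, enabling BFD helps fail over more quickly following an ExpressRoute connectivity failure."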

articles/expressroute/expressroute-for-cloud-solution-providers.md

Lines changed: 1 addition & 1 deletion
@@ -117,7 +117,7 @@ Depending on which model is in use, Connect-To or Connect-Through, your customer
117117
2. **Network Security Group (NSG)** rules are for defining allowed traffic into and out of the subnets within VNets in Azure. By default, the NSG contains Block rules to block traffic from the Internet to the VNet and Allow rules for traffic within a VNet. For more information about Network Security Groups, look [here](https://azure.microsoft.com/blog/network-security-groups/).
118118
3. **Force tunneling**—This is an option to redirect internet bound traffic originating in Azure to be redirected over the
119119
ExpressRoute connection to the on premises datacenter. For more information about Forced tunneling, look [here](expressroute-routing.md#advertising-default-routes).
120-
4. **Encryption**—Even though the ExpressRoute circuits are dedicated to a specific customer, there's the possibility that the network provider could be breached, allowing an intruder to examine packet traffic. To address this potential, a customer or CSP can encrypt traffic over the connection by defining IPSec tunnel-mode policies for all traffic flowing between the on premises resources and Azure resources (refer to the optional Tunnel mode IPSec for Customer 1 in Figure 5: ExpressRoute Security, above). The second option would be to use a firewall appliance at each the end point of the ExpressRoute circuit. This requires another third-party firewall VMs/Appliances to be installed on both ends to encrypt the traffic over the ExpressRoute circuit.
120+
4. **Encryption**—Even though the ExpressRoute circuits are dedicated to a specific customer, there's the possibility that the network provider could be breached, allowing an intruder to examine packet traffic. To address this potential, a customer or CSP can encrypt traffic over the connection by defining IPsec tunnel-mode policies for all traffic flowing between the on premises resources and Azure resources (refer to the optional Tunnel mode IPsec for Customer 1 in Figure 5: ExpressRoute Security, above). The second option would be to use a firewall appliance at each the end point of the ExpressRoute circuit. This requires another third-party firewall VMs/Appliances to be installed on both ends to encrypt the traffic over the ExpressRoute circuit.
121121

122122
![alt text](./media/expressroute-for-cloud-solution-providers/expressroute-security.png)
123123
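
Review bot: new line 120 keeps two grammar errors in the sentence that describes the second encryption option: "at each the end point" and "another third-party firewall VMs/Appliances". Both are in the line being changed, so fix them in the same pass ("at each end point of the ExpressRoute circuit", "additional third-party firewall VMs/appliances"). The line also writes "on premises resources" where line 119 and the rest of the item use it as a modifier; "on-premises" would be consistent.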

articles/governance/policy/concepts/policy-for-kubernetes.md

Lines changed: 6 additions & 0 deletions
@@ -606,6 +606,12 @@ Finally, to identify the AKS cluster version that you're using, follow the linke
606606

607607
### Add-on versions available per each AKS cluster version
608608

609+
#### 1.9.1
610+
Security improvements.
611+
- Released January 2025
612+
- Kubernetes 1.27+
613+
- Gatekeeper 3.17.1
614+
609615
#### 1.8.0
610616
Policy can now be used to evaluate CONNECT operations, for instance, to deny `exec`s. Note that there is no brownfield compliance available for noncompliant CONNECT operations, so a policy with Audit effect that targets CONNECTs is a no op.
611617
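
Review bot: the 1.9.1 entry at line 610 says only "Security improvements.", which gives operators nothing to judge upgrade urgency by, while the 1.8.0 entry right below it describes the actual behavior change. Name what was fixed or link to the release notes or advisory for add-on 1.9.1 and Gatekeeper 3.17.1. Also note that this hunk is unrelated to the IPsec casing changes in the other six files; it arrives through the merge from main.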

articles/network-watcher/vpn-troubleshoot-overview.md

Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@ The following table lists which gateways and connections are supported with Netw
3030
|Route Based | Supported|
3131
|Policy Based | Not Supported|
3232
|**Connection types**||
33-
|IPSec| Supported|
33+
|IPsec| Supported|
3434
|VNet2VNet| Supported|
3535
|ExpressRoute| Not Supported|
3636
|VPNClient| Not Supported|
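
Review bot: the cells at lines 33 to 36 (IPsec, VNet2VNet, ExpressRoute, VPNClient) read as connection type identifiers rather than prose, so the casing at line 33 should follow whatever the API or portal shows, not the prose style guide. Confirm "IPsec" matches that value, check "VNet2VNet" at line 34 the same way, and consider code formatting for the whole column so later style sweeps leave it alone.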

articles/storage/files/storage-files-configure-s2s-vpn.md

Lines changed: 1 addition & 1 deletion
@@ -383,7 +383,7 @@ To complete the deployment of a S2S VPN, you must create a connection between yo
383383

384384
- **Subscription**: The desired Azure subscription.
385385
- **Resource group**: The desired resource group.
386-
- **Connection type**: Because this a S2S connection, select **Site-to-site (IPSec)** from the drop-down list.
386+
- **Connection type**: Because this a S2S connection, select **Site-to-site (IPsec)** from the drop-down list.
387387
- **Name**: The name of the connection. A virtual network gateway can host multiple connections, so choose a name that's helpful for your management and that will distinguish this particular connection.
388388
- **Region**: The region you selected for the virtual network gateway and the storage account.
389389
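
Review bot: at line 386 the bold text "Site-to-site (IPsec)" is a drop-down label the reader has to find, so it must match the portal string exactly; verify the portal shows "IPsec" and not "IPSec" before merging this rename. The same line is also missing a verb: "Because this a S2S connection" should read "Because this is an S2S connection".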
