Merging changes synced from https://github.com/MicrosoftDocs/azure-docs-pr (branch live)

Author: Banani-Rath

articles/aks/private-clusters.md

@@ -96,6 +96,14 @@ az provider register --namespace Microsoft.Network
 ```
 ## Create a private AKS cluster
 
+### Create a resource group
+
+Create a resource group or use an existing resource group for your AKS cluster.
+
+```azurecli-interactive
+az group create -l westus -n MyResourceGroup
+```
+
 ### Default basic networking 
 
 ```azurecli-interactive
@@ -122,35 +130,29 @@ Where *--enable-private-cluster* is a mandatory flag for a private cluster.
 > [!NOTE]
 > If the Docker bridge address CIDR (172.17.0.1/16) clashes with the subnet CIDR, change the Docker bridge address appropriately.
 
-## Connect to the private cluster
+## Options for connecting to the private cluster
 
-The API server endpoint has no public IP address. Consequently, you must create an Azure virtual machine (VM) in a virtual network and connect to the API server. To do so, do the following:
+The API server endpoint has no public IP address. To manage the API server, you will need to use a VM that has access to the AKS cluster's Azure Virtual Network (VNet). There are several options for establishing network connectivity to the private cluster.
 
-1. Get credentials to connect to the cluster.
+* Create a VM in the same Azure Virtual Network (VNet) as the AKS cluster.
+* Use a VM in a separate network and set up [Virtual network peering][virtual-network-peering].  See the section below for more information on this option.
+* Use an [Express Route or VPN][express-route-or-VPN] connection.
 
-   ```azurecli-interactive
-   az aks get-credentials --name MyManagedCluster --resource-group MyResourceGroup
-   ```
+Creating a VM in the same VNET as the AKS cluster is the easiest option.  Express Route and VPNs add costs and require additional networking complexity.  Virtual network peering requires you to plan your network CIDR ranges to ensure there are no overlapping ranges.
 
-1. Do either of the following:
-   * Create a VM in the same virtual network as the AKS cluster.  
-   * Create a VM in a different virtual network, and peer this virtual network with the AKS cluster virtual network.
+## Virtual network peering
 
-     If you create a VM in a different virtual network, set up a link between this virtual network and the private DNS zone. To do so:
+As mentioned, VNet peering is one way to access your private cluster. To use VNet peering you need to set up a link between virtual network and the private DNS zone.
 
-     a. Go to the MC_* resource group in the Azure portal.  
-     b. Select the private DNS zone.   
-     c. In the left pane, select the **Virtual network** link.  
-     d. Create a new link to add the virtual network of the VM to the private DNS zone. It takes a few minutes for the DNS zone link to become available.  
-     e. Go back to the MC_* resource group in the Azure portal.  
-     f. In the right pane, select the virtual network. The virtual network name is in the form *aks-vnet-\**.  
-     g. In the left pane, select **Peerings**.  
-     h. Select **Add**, add the virtual network of the VM, and then create the peering.  
-     i. Go to the virtual network where you have the VM, select **Peerings**, select the AKS virtual network, and then create the peering. If the address ranges on the AKS virtual network and the VM's virtual network clash, peering fails. For more information, see  [Virtual network peering][virtual-network-peering].
-
-1. Access the VM via Secure Shell (SSH).
-1. Install the Kubectl tool, and run the Kubectl commands.
-
+1. Go to the MC_* resource group in the Azure portal.  
+2. Select the private DNS zone.   
+3. In the left pane, select the **Virtual network** link.  
+4. Create a new link to add the virtual network of the VM to the private DNS zone. It takes a few minutes for the DNS zone link to become available.  
+5. Go back to the MC_* resource group in the Azure portal.  
+6. In the right pane, select the virtual network. The virtual network name is in the form *aks-vnet-\**.  
+7. In the left pane, select **Peerings**.  
+8. Select **Add**, add the virtual network of the VM, and then create the peering.  
+9. Go to the virtual network where you have the VM, select **Peerings**, select the AKS virtual network, and then create the peering. If the address ranges on the AKS virtual network and the VM's virtual network clash, peering fails. For more information, see  [Virtual network peering][virtual-network-peering].
 
 ## Dependencies  
 * The Private Link service is supported on Standard Azure Load Balancer only. Basic Azure Load Balancer isn't supported.  
@@ -175,6 +177,8 @@ The API server endpoint has no public IP address. Consequently, you must create
 [az-feature-list]: /cli/azure/feature?view=azure-cli-latest#az-feature-list
 [az-extension-add]: /cli/azure/extension#az-extension-add
 [az-extension-update]: /cli/azure/extension#az-extension-update
-[private-link-service]: https://docs.microsoft.com/azure/private-link/private-link-service-overview
+[private-link-service]: /private-link/private-link-service-overview
 [virtual-network-peering]: ../virtual-network/virtual-network-peering-overview.md
+[azure-bastion]: ../bastion/bastion-create-host-portal.md
+[express-route-or-vpn]: ../expressroute/expressroute-about-virtual-network-gateways.md
 

articles/azure-resource-manager/management/request-limits-and-throttling.md

@@ -118,7 +118,7 @@ Get-AzResourceGroup -Debug
 
 Which returns many values, including the following response value:
 
-```powershell
+```output
 DEBUG: ============================ HTTP RESPONSE ============================
 
 Status Code:
@@ -137,7 +137,7 @@ New-AzResourceGroup -Name myresourcegroup -Location westus -Debug
 
 Which returns many values, including the following values:
 
-```powershell
+```output
 DEBUG: ============================ HTTP RESPONSE ============================
 
 Status Code:

articles/azure-resource-manager/management/resource-providers-and-types.md

@@ -79,7 +79,7 @@ Get-AzResourceProvider -ListAvailable | Select-Object ProviderNamespace, Registr
 
 Which returns results similar to:
 
-```powershell
+```output
 ProviderNamespace                RegistrationState
 -------------------------------- ------------------
 Microsoft.ClassicCompute         Registered
@@ -97,7 +97,7 @@ Register-AzResourceProvider -ProviderNamespace Microsoft.Batch
 
 Which returns results similar to:
 
-```powershell
+```output
 ProviderNamespace : Microsoft.Batch
 RegistrationState : Registering
 ResourceTypes     : {batchAccounts, operations, locations, locations/quotas}
@@ -114,7 +114,7 @@ Get-AzResourceProvider -ProviderNamespace Microsoft.Batch
 
 Which returns results similar to:
 
-```powershell
+```output
 {ProviderNamespace : Microsoft.Batch
 RegistrationState : Registered
 ResourceTypes     : {batchAccounts}
@@ -131,7 +131,7 @@ To see the resource types for a resource provider, use:
 
 Which returns:
 
-```powershell
+```output
 batchAccounts
 operations
 locations
@@ -148,7 +148,7 @@ To get the available API versions for a resource type, use:
 
 Which returns:
 
-```powershell
+```output
 2017-05-01
 2017-01-01
 2015-12-01
@@ -166,7 +166,7 @@ To get the supported locations for a resource type, use.
 
 Which returns:
 
-```powershell
+```output
 West Europe
 East US
 East US 2
@@ -184,7 +184,7 @@ az provider list --query "[].{Provider:namespace, Status:registrationState}" --o
 
 Which returns results similar to:
 
-```azurecli
+```output
 Provider                         Status
 -------------------------------- ----------------
 Microsoft.ClassicCompute         Registered
@@ -212,7 +212,7 @@ az provider show --namespace Microsoft.Batch
 
 Which returns results similar to:
 
-```azurecli
+```output
 {
     "id": "/subscriptions/####-####/providers/Microsoft.Batch",
     "namespace": "Microsoft.Batch",
@@ -231,7 +231,7 @@ az provider show --namespace Microsoft.Batch --query "resourceTypes[*].resourceT
 
 Which returns:
 
-```azurecli
+```output
 Result
 ---------------
 batchAccounts
@@ -250,7 +250,7 @@ az provider show --namespace Microsoft.Batch --query "resourceTypes[?resourceTyp
 
 Which returns:
 
-```azurecli
+```output
 Result
 ---------------
 2017-05-01
@@ -270,7 +270,7 @@ az provider show --namespace Microsoft.Batch --query "resourceTypes[?resourceTyp
 
 Which returns:
 
-```azurecli
+```output
 Result
 ---------------
 West Europe

articles/azure-resource-manager/templates/cross-resource-group-deployment.md

@@ -326,7 +326,7 @@ New-AzResourceGroupDeployment `
 
 The output from the preceding example is:
 
-```powershell
+```output
  Name             Type                       Value
  ===============  =========================  ==========
  parentRG         String                     Parent resource group is parentGroup

articles/azure-resource-manager/templates/deploy-cli.md

@@ -18,13 +18,13 @@ You can target your deployment to either an Azure subscription or a resource gro
 
 To deploy to a **resource group**, use [az group deployment create](/cli/azure/group/deployment?view=azure-cli-latest#az-group-deployment-create):
 
-```azurecli
+```azurecli-interactive
 az group deployment create --resource-group <resource-group-name> --template-file <path-to-template>
 ```
 
 To deploy to a **subscription**, use [az deployment create](/cli/azure/deployment?view=azure-cli-latest#az-deployment-create):
 
-```azurecli
+```azurecli-interactive
 az deployment create --location <location> --template-file <path-to-template>
 ```
 
@@ -97,7 +97,7 @@ To pass parameter values, you can use either inline parameters or a parameter fi
 
 To pass inline parameters, provide the values in `parameters`. For example, to pass a string and array to a template is a Bash shell, use:
 
-```azurecli
+```azurecli-interactive
 az group deployment create \
   --resource-group testgroup \
   --template-file demotemplate.json \
@@ -108,7 +108,7 @@ If you're using Azure CLI with Windows Command Prompt (CMD) or PowerShell, pass
 
 You can also get the contents of file and provide that content as an inline parameter.
 
-```azurecli
+```azurecli-interactive
 az group deployment create \
   --resource-group testgroup \
   --template-file demotemplate.json \

articles/azure-resource-manager/templates/deploy-to-management-group.md

@@ -2,18 +2,12 @@
 title: Deploy resources to management group
 description: Describes how to deploy resources at the management group scope in an Azure Resource Manager template.
 ms.topic: conceptual
-ms.date: 03/06/2020
+ms.date: 03/09/2020
 ---
 
 # Create resources at the management group level
 
-Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the:
-
-* [subscription level](deploy-to-subscription.md)
-* management group level (covered in this article)
-* [tenant level](deploy-to-tenant.md)
-
-You use management group level deployments to take actions that make sense at that level, such as assigning [role-based access control](../../role-based-access-control/overview.md) or applying [policies](../../governance/policy/overview.md).
+As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [role-based access controls](../../role-based-access-control/overview.md) for a management group. With management group level templates, you can declaratively apply policies and assign roles at the management group level.
 
 ## Supported resources
 
@@ -36,10 +30,10 @@ For templates, use:
 https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentTemplate.json#
 ```
 
-For parameter files, use:
+The schema for a parameter file is the same for all deployment scopes. For parameter files, use:
 
 ```json
-https://schema.management.azure.com/schemas/2019-08-01/managementGroupDeploymentParameters.json#
+https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#
 ```
 
 ## Deployment commands
@@ -158,11 +152,10 @@ The following example assigns an existing policy definition to the management gr
 
 ## Template sample
 
-* [Create a resource group, a policy and a policy assignment](https://github.com/Azure/azure-docs-json-samples/blob/master/management-level-deployment/azuredeploy.json).
+* [Create a resource group, a policy, and a policy assignment](https://github.com/Azure/azure-docs-json-samples/blob/master/management-level-deployment/azuredeploy.json).
 
 ## Next steps
 
 * To learn about assigning roles, see [Manage access to Azure resources using RBAC and Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md).
 * For an example of deploying workspace settings for Azure Security Center, see [deployASCwithWorkspaceSettings.json](https://github.com/krnese/AzureDeploy/blob/master/ARM/deployments/deployASCwithWorkspaceSettings.json).
-* To learn about creating Azure Resource Manager templates, see [Authoring templates](template-syntax.md).
-* For a list of the available functions in a template, see [Template functions](template-functions.md).
+* You can also deploy templates at [subscription level](deploy-to-subscription.md) and [tenant level](deploy-to-tenant.md).

articles/azure-resource-manager/templates/deploy-to-subscription.md

@@ -2,18 +2,12 @@
 title: Deploy resources to subscription
 description: Describes how to create a resource group in an Azure Resource Manager template. It also shows how to deploy resources at the Azure subscription scope.
 ms.topic: conceptual
-ms.date: 03/06/2020
+ms.date: 03/09/2020
 ---
 
 # Create resource groups and resources at the subscription level
 
-Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the:
-
-* subscription level (covered in this article)
-* [management group level](deploy-to-management-group.md)
-* [tenant level](deploy-to-tenant.md)
-
-You use subscription level deployments to take actions that make sense at that level, such as creating resource groups, or assigning [role-based access control](../../role-based-access-control/overview.md).
+To simplify the management of resources in your Azure subscription, you can define and assign [policies](../../governance/policy/overview.md) or [role-based access controls](../../role-based-access-control/overview.md) across the subscription. With subscription level templates, you declaratively apply policies and assign roles at the subscription. You can also create resource groups and deploy resources.
 
 To deploy templates at the subscription level, use Azure CLI, PowerShell, or REST API. The Azure portal doesn't support deployment in the subscription level.
 
@@ -41,10 +35,10 @@ For templates, use:
 https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#
 ```
 
-For parameter files, use:
+The schema for a parameter file is the same for all deployment scopes. For parameter files, use:
 
 ```json
-https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentParameters.json#
+https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#
 ```
 
 ## Deployment commands
@@ -382,5 +376,4 @@ New-AzSubscriptionDeployment `
 * To learn about assigning roles, see [Manage access to Azure resources using RBAC and Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md).
 * For an example of deploying workspace settings for Azure Security Center, see [deployASCwithWorkspaceSettings.json](https://github.com/krnese/AzureDeploy/blob/master/ARM/deployments/deployASCwithWorkspaceSettings.json).
 * Sample templates can be found at [GitHub](https://github.com/Azure/azure-quickstart-templates/tree/master/subscription-level-deployments).
-* To learn about creating Azure Resource Manager templates, see [Authoring templates](template-syntax.md).
-* For a list of the available functions in a template, see [Template functions](template-functions.md).
+* You can also deploy templates at [management group level](deploy-to-management-group.md) and [tenant level](deploy-to-tenant.md).

articles/azure-resource-manager/templates/deploy-to-tenant.md

@@ -2,18 +2,12 @@
 title: Deploy resources to tenant
 description: Describes how to deploy resources at the tenant scope in an Azure Resource Manager template.
 ms.topic: conceptual
-ms.date: 03/06/2020
+ms.date: 03/09/2020
 ---
 
 # Create resources at the tenant level
 
-Typically, you deploy Azure resources to a resource group in your Azure subscription. However, you can also create resources at the:
-
-* [subscription level](deploy-to-subscription.md)
-* [management group level](deploy-to-management-group.md)
-* tenant level (covered in this article)
-
-You use tenant level deployments to take actions that make sense at that level, such as assigning [role-based access control](../../role-based-access-control/overview.md) or applying [policies](../../governance/policy/overview.md).
+As your organization matures, you may need to define and assign [policies](../../governance/policy/overview.md) or [role-based access controls](../../role-based-access-control/overview.md) across your Azure AD tenant. With tenant level templates, you can declaratively apply policies and assign roles at a global level.
 
 ## Supported resources
 
@@ -36,10 +30,10 @@ For templates, use:
 https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentTemplate.json#
 ```
 
-For parameter files, use:
+The schema for a parameter file is the same for all deployment scopes. For parameter files, use:
 
 ```json
-https://schema.management.azure.com/schemas/2019-08-01/tenantDeploymentParameters.json#
+https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#
 ```
 
 ## Required access
@@ -176,5 +170,4 @@ The [following template](https://github.com/Azure/azure-quickstart-templates/tre
 ## Next steps
 
 * To learn about assigning roles, see [Manage access to Azure resources using RBAC and Azure Resource Manager templates](../../role-based-access-control/role-assignments-template.md).
-* To learn about creating Azure Resource Manager templates, see [Authoring templates](template-syntax.md).
-* For a list of the available functions in a template, see [Template functions](template-functions.md).
+* You can also deploy templates at [subscription level](deploy-to-subscription.md) or [management group level](deploy-to-management-group.md).

articles/azure-resource-manager/templates/error-resource-quota.md

@@ -70,7 +70,7 @@ Get-AzVMUsage -Location "South Central US"
 
 Which returns:
 
-```powershell
+```output
 Name                             Current Value Limit  Unit
 ----                             ------------- -----  ----
 Availability Sets                            0  2000 Count

articles/azure-resource-manager/templates/error-sku-not-available.md

@@ -36,7 +36,7 @@ Get-AzComputeResourceSku | where {$_.Locations -icontains "centralus"}
 
 The results include a list of SKUs for the location and any restrictions for that SKU. Notice that a SKU might be listed as `NotAvailableForSubscription`.
 
-```powershell
+```output
 ResourceType          Name           Locations   Zone      Restriction                      Capability           Value
 ------------          ----           ---------   ----      -----------                      ----------           -----
 virtualMachines       Standard_A0    centralus             NotAvailableForSubscription      MaxResourceVolumeMB   20480