scrub mentions that EiT is not supported for NFS shares

khdownie · khdownie · commit 9448f554864d · 2025-05-12T11:03:07.000-07:00
diff --git a/articles/storage/common/storage-require-secure-transfer.md b/articles/storage/common/storage-require-secure-transfer.md
@@ -17,7 +17,7 @@ ms.devlang: azurecli
 
 # Require secure transfer to ensure secure connections
 
-You can configure your storage account to accept requests from secure connections only by setting the **Secure transfer required** property for the storage account. When you require secure transfer, any requests originating from an insecure connection are rejected. Microsoft recommends that you always require secure transfer for all of your storage accounts, unless you're using NFS Azure file shares. The **Secure transfer required** property must be disabled in order for NFS Azure file shares to work.
+You can configure your storage account to accept requests from secure connections only by setting the **Secure transfer required** property for the storage account. When you require secure transfer, any requests originating from an insecure connection are rejected. We recommend that you require secure transfer for all of your storage accounts, except in certain cases where NFS Azure file shares are used with network-level security.
 
 When secure transfer is required, a call to an Azure Storage REST API operation must be made over HTTPS. Any request made over HTTP is rejected. By default, the **Secure transfer required** property is enabled when you create a storage account.
 
diff --git a/articles/storage/files/storage-files-how-to-mount-nfs-shares.md b/articles/storage/files/storage-files-how-to-mount-nfs-shares.md
@@ -48,7 +48,7 @@ To use NFS Azure file shares, you must either [create a private endpoint](storag
 
 ### Disable secure transfer
 
-Azure Files doesn't currently support encryption-in-transit with the NFS protocol and relies instead on network-level security. Therefore, you need to disable secure transfer on your storage account.
+Follow these steps to disable secure transfer on your storage account.
 
 1. Sign in to the [Azure portal](https://portal.azure.com/) and access the storage account containing the NFS share you created.
 1. Select **Configuration**.
diff --git a/articles/storage/files/storage-files-planning.md b/articles/storage/files/storage-files-planning.md
@@ -87,7 +87,6 @@ This means you'll need to consider the following network configurations:
 - If the required protocol is SMB and the access is from clients on-premises, then a VPN or ExpressRoute connection from on-premises to your Azure network is required, with Azure Files exposed on your internal network using private endpoints.
 - If the required protocol is NFS, you can use either service endpoints or private endpoints to restrict the network to specified virtual networks. If you need a static IP address and/or your workload requires high availability, use a private endpoint. With service endpoints, a rare event such as a zonal outage could cause the underlying IP address of the storage account to change. While the data is still available on the file share, the client would require a remount of the share.
 
-
 To learn more about how to configure networking for Azure Files, see [Azure Files networking considerations](storage-files-networking-overview.md).
 
 In addition to directly connecting to the file share using the public endpoint or using a VPN/ExpressRoute connection with a private endpoint, SMB provides an additional client access strategy: SMB over QUIC. SMB over QUIC offers zero-config "SMB VPN" for SMB access over the QUIC transport protocol. Although Azure Files does not directly support SMB over QUIC, you can create a lightweight cache of your Azure file shares on a Windows Server 2022 Azure Edition VM using Azure File Sync. To learn more about this option, see [SMB over QUIC with Azure File Sync](storage-files-networking-overview.md#smb-over-quic).
@@ -101,9 +100,6 @@ Azure Files supports two different types of encryption:
 
 ### Encryption in transit
 
-> [!IMPORTANT]
-> This section covers encryption in transit details for SMB shares. For details regarding encryption in transit with NFS shares, see [Security and networking](files-nfs-protocol.md#security-and-networking).
-
 By default, all Azure storage accounts have encryption in transit enabled. This means that when you mount a file share over SMB or access it via the FileREST protocol (such as through the Azure portal, PowerShell/CLI, or Azure SDKs), Azure Files only allows the connection if it is made with SMB 3.x with encryption or HTTPS. Clients that don't support SMB 3.x or clients that support SMB 3.x but not SMB encryption won't be able to mount the Azure file share if encryption in transit is enabled. For more information about which operating systems support SMB 3.x with encryption, see our documentation for [Windows](storage-how-to-use-files-windows.md), [macOS](storage-how-to-use-files-mac.md), and [Linux](storage-how-to-use-files-linux.md). All current versions of the PowerShell, CLI, and SDKs support HTTPS.  
 
 You can disable encryption in transit for an Azure storage account. When encryption is disabled, Azure Files also allows SMB 2.1 and SMB 3.x without encryption, and unencrypted FileREST API calls over HTTP. The primary reason to disable encryption in transit is to support a legacy application that must be run on an older operating system, such as Windows Server 2008 R2 or an older Linux distribution. Azure Files only allows SMB 2.1 connections within the same Azure region as the Azure file share; an SMB 2.1 client outside of the Azure region of the Azure file share, such as on-premises or in a different Azure region, won't be able to access the file share.
@@ -113,6 +109,7 @@ We strongly recommend ensuring encryption of data in-transit is enabled.
 For more information about encryption in transit, see [requiring secure transfer in Azure storage](../common/storage-require-secure-transfer.md?toc=/azure/storage/files/toc.json).
 
 ### Encryption at rest
+
 [!INCLUDE [storage-files-encryption-at-rest](../../../includes/storage-files-encryption-at-rest.md)]
 
 ## Data protection
diff --git a/articles/storage/files/storage-files-quick-create-use-linux.md b/articles/storage/files/storage-files-quick-create-use-linux.md
@@ -1,6 +1,6 @@
 ---
 title: Create an NFS Azure file share and mount it on a Linux VM
-description: This tutorial covers how to use the Azure portal to deploy a Linux virtual machine (VM), create an Azure file share using the NFS protocol, and mount the file share.
+description: This article covers how to use the Azure portal to deploy a Linux virtual machine (VM), create an Azure file share using the NFS protocol, and mount the file share.
 author: khdownie
 ms.service: azure-file-storage
 ms.custom: linux-related-content
@@ -10,18 +10,9 @@ ms.author: kendownie
 #Customer intent: As an IT admin new to Azure Files, I want to try out Azure file share using NFS and Linux so I can determine whether I want to subscribe to the service.
 ---
 
-# Tutorial: Create an NFS Azure file share and mount it on a Linux VM using the Azure portal
+# Create an NFS Azure file share and mount it on a Linux VM using the Azure portal
 
-Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard [Server Message Block (SMB) protocol](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) or [Network File System (NFS) protocol](https://en.wikipedia.org/wiki/Network_File_System). Both NFS and SMB protocols are supported on Azure virtual machines (VMs) running Linux. This tutorial shows you how to create an Azure file share using the NFS protocol and connect it to a Linux VM.
-
-In this tutorial, you will:
-
-> [!div class="checklist"]
-> * Create a storage account
-> * Deploy a Linux VM
-> * Create an NFS file share
-> * Connect to your VM
-> * Mount the file share to your VM
+Azure Files offers fully managed file shares in the cloud that are accessible via the industry standard [Server Message Block (SMB) protocol](/windows/win32/fileio/microsoft-smb-protocol-and-cifs-protocol-overview) or [Network File System (NFS) protocol](https://en.wikipedia.org/wiki/Network_File_System). Both NFS and SMB protocols are supported on Azure virtual machines (VMs) running Linux. This article shows you how to create an Azure file share using the NFS protocol and connect it to a Linux VM.
 
 ## Applies to
 | Management model | Billing model | Media tier | Redundancy | SMB | NFS |
@@ -50,7 +41,7 @@ Before you can work with an NFS file share, you have to create a storage account
 1. On the Azure portal menu, select **All services**. In the list of resources, type **Storage Accounts**. As you begin typing, the list filters based on your input. Select **Storage Accounts**.
 1. On the **Storage Accounts** window that appears, choose **+ Create**.
 1. Under **Project details**, select the subscription in which to create the storage account.
-1. Under the **Resource group** field, select **Create new** to create a new resource group to use for this tutorial. Or you can choose an existing resource group.
+1. Under the **Resource group** field, select **Create new** to create a new resource group. Or you can choose an existing resource group.
 1. Under **Instance details**, enter a name for your storage account. The name must be unique across Azure. The name also must be between 3 and 24 characters in length, and may include only numbers and lowercase letters.
 1. Select a region for your storage account, or use the default region. Azure supports NFS file shares in all the same [regions that support SSD file shares](redundancy-premium-file-shares.md).
 1. Under **Primary service**, select **Azure Files**.
@@ -125,7 +116,7 @@ Next, set up a private endpoint for your storage account. This gives your storag
 
 1. Select the file share *qsfileshare*. You should see a dialog that says *Connect to this NFS share from Linux*. Under **Network configuration**, select **Review options**
 
-    :::image type="content" source="media/storage-files-quick-create-use-linux/connect-from-linux.png" alt-text="Screenshot showing how to configure network and secure transfer settings to connect the N F S share from Linux." lightbox="media/storage-files-quick-create-use-linux/connect-from-linux.png" border="true":::
+    :::image type="content" source="media/storage-files-quick-create-use-linux/connect-from-linux.png" alt-text="Screenshot showing how to configure network settings to connect to the N F S share from Linux." lightbox="media/storage-files-quick-create-use-linux/connect-from-linux.png" border="true":::
 
 1. Next, select **Setup a private endpoint**.
 
@@ -159,7 +150,7 @@ Next, set up a private endpoint for your storage account. This gives your storag
 
 ### Disable secure transfer
 
-Azure Files doesn't currently support encryption-in-transit with the NFS protocol and relies instead on network-level security. Therefore, you'll need to disable secure transfer.
+Follow these steps to disable secure transfer on your storage account.
 
 1. Select **Home** and then **Storage accounts**.
 
@@ -181,7 +172,7 @@ Create an SSH connection with the VM.
 
 1. Select **Home** and then **Virtual machines**.
 
-1. Select the Linux VM you created for this tutorial and ensure that its status is **Running**. Take note of the VM's public IP address and copy it to your clipboard.
+1. Select the Linux VM you created and ensure that its status is **Running**. Take note of the VM's public IP address and copy it to your clipboard.
 
     :::image type="content" source="media/storage-files-quick-create-use-linux/connect-to-vm.png" alt-text="Screenshot showing how to confirm that the V M is running and find its public I P address." lightbox="media/storage-files-quick-create-use-linux/connect-to-vm.png" border="true":::
 
@@ -226,7 +217,7 @@ You have now mounted your NFS share, and it's ready to store files.
 When you're done, delete the resource group. Deleting the resource group deletes the storage account, the Azure file share, and any other resources that you deployed inside the resource group.
 
 1. Select **Home** and then **Resource groups**.
-1. Select the resource group you created for this tutorial.
+1. Select the resource group you created.
 1. Select **Delete resource group**. A window opens and displays a warning about the resources that will be deleted with the resource group.
 1. Enter the name of the resource group, and then select **Delete**.
 
diff --git a/includes/files-nfs-limitations.md b/includes/files-nfs-limitations.md
@@ -5,11 +5,10 @@ services: storage
 author: khdownie
 ms.service: azure-file-storage
 ms.topic: "include"
-ms.date: 10/18/2022
+ms.date: 05/12/2025
 ms.author: kendownie
 ms.custom: "include file"
 ---
-Currently, only NFS version 4.1 is supported. NFS 4.1 shares are only supported within the **FileStorage** storage account type (premium file shares only).
-
-NFS Azure file shares support most features from the 4.1 protocol specification. Some features such as delegations and callback of all kinds, Kerberos authentication, and encryption-in-transit aren't supported.
+Currently, only NFS version 4.1 is supported. NFSv4.1 shares are only supported within the **FileStorage** storage account type (premium file shares only).
 
+NFS Azure file shares support most features from the 4.1 protocol specification. Some features aren't supported, such as Kerberos authentication and delegations and callback of all kinds.
