Merge pull request #266504 from joemarshallmsft/joe/nexus-npb

NPB documentation.

Author: v-ccolin

articles/operator-nexus/TOC.yml

@@ -45,6 +45,8 @@
       href: concepts-nexus-route-policies-overview.md
     - name: Availability
       href: concepts-nexus-availability.md
+    - name: Network Packet Broker
+      href: concepts-nexus-network-packet-broker.md
 - name: Quickstarts
   items:
     - name: Before you start workload deployment
@@ -230,6 +232,8 @@
       href: reference-near-edge-storage.md
     - name: Limits & quotas
       href: reference-limits-and-quotas.md
+    - name: Neighbor Group Configuration Overview
+      href: reference-neighbor-group-configuration.md
     - name: Route Policy
       expanded: false
       items:

articles/operator-nexus/concepts-nexus-network-packet-broker.md

@@ -0,0 +1,77 @@
+---
+title: "Azure Operator Nexus Network Packet Broker Overview"
+description: Overview of Network Packet Broker for Azure Operator Nexus.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.service: azure-operator-nexus
+ms.topic: conceptual
+ms.date: 02/16/2024
+ms.custom: template-concept
+---
+
+# Network Packet Broker Overview
+
+The Network Packet Broker (NPB) allows operators to monitor service traffic flows by tapping into the network and sending copies of the network packets to special probe applications. These applications provide the operations team with network-level visibility to help with service planning and troubleshooting.
+
+NPB enables packet filtering and forwarding based on user-defined rules. NPB can perform various actions on the matched packets, such as dropping, counting, redirecting, mirroring, and logging. NPB supports both static and dynamic match conditions, which can be based on various L2/L3 parameters, such as VLAN, IP, port, protocol, or encapsulation type. NPB also supports GTPv1 encapsulation for matching packets in mobile networks.
+
+## Key benefits of the Network Packet Broker
+
+-   **Improved Network Visibility:** NPB provides a centralized management interface for configuring and controlling the flow of network traffic to monitoring tools (vProbes). It provides visibility into network traffic, allowing operators to monitor, analyze, troubleshoot, and identify potential security threats. 
+
+-   **Improved Network Troubleshooting:** NPB facilitates network troubleshooting by capturing and presenting packet-level data for analysis. Operators can use an NPB to inspect packets in detail and identify the source of the problem quickly. 
+
+-   **Network Performance Optimization:** NPB provides insights into network traffic patterns and performance metrics, helping to identify network bottlenecks and congestion points, and to design better networks.
+
+-   **Filtering and Packet Manipulation:** NPB can filter out irrelevant or redundant traffic, reducing the volume of data sent to monitoring tools. It can also manipulate packets, enabling actions like packet slicing and timestamping, which further enhance the efficiency of monitoring and analysis. 
+
+-   **Compliance and Regulatory Requirements:** NPB helps organizations meet compliance and regulatory requirements by ensuring proper monitoring of network activities and data traffic. 
+
+## Key capabilities of the Network Packet Broker
+
+-   **Mirroring & Aggregation**
+
+    -   Mirroring network traffic from multiple distributed applications in the Azure Operator Network (AON) instance. 
+
+    -   Processing the entire network traffic of the AON instance. 
+
+    -   Providing designated endpoint definitions via scalable resource models. 
+
+-   **Filtering & Forwarding**
+
+    -   Advanced matching and filtering capabilities based on L3 parameters. 
+
+    -   On demand changes to filtering and forwarding criteria.
+
+    -   Secure and scalable forwarding of filtered traffic to designated external and internal networks and devices.  
+
+## Resources
+
+To use NPB, you need to create and manage the following resources:
+
+-   **Network TAP Rule**: A set of matching configurations and actions that define the packet brokering logic. You can create a network TAP rule either inline or via a file. The inline method allows you to enter the values using AzCli, Resource Manager, or the portal. The file-based method allows you to upload a file that contains the network TAP rule content from a storage URL. The file can be updated periodically using a pull or push mechanism.
+
+-   **Neighbor Group**: A logical grouping of destinations where you want to send the network traffic. A neighbor group can include network interfaces, load balancers, or network virtual appliances.
+
+-   **Network TAP**: A resource that references the network TAP rule and the neighbor group that you created. A network TAP also specifies the source network interface from which the traffic is captured. You can create a network TAP using AzCli, Resource Manager, or the portal. You can also enable or disable a network TAP to start or stop the packet brokering process.
+
+
+## Using an NPB
+
+This section describes the steps you need to follow to use an NPB.
+
+First, create the prerequisite resources:
+
+-   A bootstrapped Network Fabric Instance.
+
+-   A Layer 3 isolation domain and an internal network with the NPB extension flag set (only required if the isolation domain is being used to reach vProbes).
+
+Then follow these steps:
+
+1.   Create a network TAP rule that defines the match configuration for the network traffic that you want to capture and forward. You can use the `az networkfabric taprule` command to create, update, delete, or show a network TAP rule.
+
+1.  Create a neighbor group that defines the destinations for the network traffic that you want to send to. You can use the `az networkfabric neighborgroup` command to create, update, delete, or show a neighbor group.
+
+1.  Create a network TAP that references the network TAP rule and the neighbor group that you created. A network TAP also specifies the source network interface from which the traffic is captured. You can use the `az networkfabric tap` command to create, update, delete, or show a network TAP.
+
+1. Enable the network TAP to start the packet brokering process. You can use the `az networkfabric tap update-admin-state` command to enable or disable a network TAP.

articles/operator-nexus/reference-neighbor-group-configuration.md

@@ -0,0 +1,116 @@
+---
+title: Azure Operator Nexus neighbor group configuration
+description: Configuration details and examples for Azure Operator Nexus neighbor groups.
+author: joemarshallmsft
+ms.author: joemarshall
+ms.service: azure-operator-nexus
+ms.topic: reference
+ms.date: 02/19/2024
+ms.custom: template-reference
+---
+
+# Neighbor Group Configuration Overview
+
+A neighbor group allows you to group endpoints (either IPv4 or IPv6) under a single logical resource. A neighbor group can be used to send load-balanced filtered traffic across different probe endpoints. You can use the same Neighbor group across different Network TAPs & Network Tap rules.
+
+## Parameters for a Neighbor Group
+
+| Parameter  | Description | Example | Required |
+|--|--|--|--|
+| resource-group | The resource group that contains the neighbor group. | ResourceGroupName | True         |
+| resource-name  | The name of the neighbor group. | example-Neighbor  | True         |
+| location       | The Azure region that contains the neighbor group.                          | eastus            | True         |
+| destination    | List of Ipv4 or Ipv6 destinations to forward traffic.                       | 10.10.10.10       | True         |
+
+## Creating a Neighbor Group
+
+The following command creates a neighbor group:
+
+```azurecli
+az networkfabric neighborgroup create \
+    --resource-group "example-rg" \
+    --location "westus3" \
+    --resource-name "example-neighborgroup" \
+    --destination "{ipv4Addresses:['10.10.10.10']}"
+```
+
+Expected output:
+
+```
+{
+  "properties": {
+    "networkTapIds": [
+    ],
+    "networkTapRuleIds": [
+    ],
+    "destination": {
+      "ipv4Addresses": [
+        "10.10.10.10",
+      ]
+    },
+    "provisioningState": "Succeeded",
+    "annotation": "annotation"
+  },
+  "tags": {
+    "keyID": "KeyValue"
+  },
+  "location": "eastus",
+  "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
+  "name": "example-neighborGroup",
+  "type": "microsoft.managednetworkfabric/neighborGroups",
+  "systemData": {
+    "createdBy": "[email protected]",
+    "createdByType": "User",
+    "createdAt": "2023-05-23T05:49:59.193Z",
+    "lastModifiedBy": "[email protected]",
+    "lastModifiedByType": "User",
+    "lastModifiedAt": "2023-05-23T05:49:59.194Z"
+  }
+}
+```
+
+
+## Show a Neighbor Group
+
+This command displays an IP extended community resource:
+
+```azcli
+az networkfabric neighborgroup show \
+    --resource-group "example-rg" \
+    --resource-name "example-neighborgroup"
+```
+
+Expected output:
+
+```
+{
+  "properties": {
+    "networkTapIds": [
+    ],
+    "networkTapRuleIds": [
+    ],
+    "destination": {
+      "ipv4Addresses": [
+        "10.10.10.10",
+      ]
+    },
+    "provisioningState": "Succeeded",
+    "annotation": "annotation"
+  },
+  "tags": {
+    "keyID": "KeyValue"
+  },
+  "location": "eastus",
+  "id": "/subscriptions/subscriptionId/resourceGroups/example-rg/providers/Microsoft.ManagedNetworkFabric/neighborGroups/example-neighborGroup",
+  "name": "example-neighborGroup",
+  "type": "microsoft.managednetworkfabric/neighborGroups",
+  "systemData": {
+    "createdBy": "[email protected]",
+    "createdByType": "User",
+    "createdAt": "2023-05-23T05:49:59.193Z",
+    "lastModifiedBy": "[email protected]",
+    "lastModifiedByType": "User",
+    "lastModifiedAt": "2023-05-23T05:49:59.194Z"
+  }
+}
+```