Commit a718b57

Merge pull request #291835 from mbender-ms/avnm-screenshots-pt2
virtual network manager | screenshot cleanup | pt2
2 parents cd226c4 + 98d9a72 commit a718b57

44 files changed

+20
-104
lines changed

articles/virtual-network-manager/concept-security-admins.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -44,7 +44,7 @@ Security admin rules allow or deny traffic on specific ports, protocols, and sou
4444
To enforce security policies across multiple virtual networks, you [create and deploy a security admin configuration](how-to-block-network-traffic-portal.md). This configuration contains a set of rule collections, and each rule collection contains one or more security admin rules. Once created, you associate the rule collection with the network groups requiring security admin rules. The rules are then applied to all virtual networks contained in the network groups when the configuration is deployed. A single configuration provides a centralized and scalable enforcement of security policies across multiple virtual networks.
4545

4646
> [!IMPORTANT]
47-
> Only one security admin configuration can be deployed to a region. However, multiple connectivity configurations can exist in a region. To deploy multiple security admin configurations to a region, you can [create multiple rule collections](how-to-block-network-traffic-portal.md#add-a-rule-collection) in a security configuration instead.
47+
> Only one security admin configuration can be deployed to a region. However, multiple connectivity configurations can exist in a region. To deploy multiple security admin configurations to a region, you can [create multiple rule collections](how-to-block-network-traffic-portal.md#add-a-rule-collection-and-security-rule) in a security configuration instead.
4848
4949
### How security admin rules and network security groups (NSGs) are evaluated
5050
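
Review bot: The changed line 47 still reads "To deploy multiple security admin configurations to a region" directly after stating that only one security admin configuration can be deployed to a region, so the note contradicts itself. The new anchor `#add-a-rule-collection-and-security-rule` does match the heading renamed in how-to-block-network-traffic-portal.md in this commit, but since the line is being touched anyway, consider rewording the last sentence along the lines of "To apply multiple sets of rules in a region, create multiple rule collections in a single security admin configuration."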

articles/virtual-network-manager/create-virtual-network-manager-template.md

Lines changed: 1 addition & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -77,10 +77,7 @@ The template defines multiple Azure resources:
7777
:::image type="content" source="media/create-virtual-network-manager-template/template-resources.png" alt-text="Screenshot of all deployed resources in Azure portal.":::
7878

7979
1. Select the **avnm-EastUS** resource.
80-
1. In the **Network Groups** page, select **Settings>NetworkGroups>ng-EastUS-static**.
81-
82-
:::image type="content" source="media/create-virtual-network-manager-template/static-network-group.png" alt-text="Screenshot of deployed network groups in Azure portal.":::
83-
80+
1. In the **Network Groups** page, select **Settings** > **NetworkGroups** > **ng-EastUS-static**.
8481
1. On the **ng-EastUS-static** page, select **Settings>Group Members** and verify a set of virtual networks are deployed.
8582

8683
:::image type="content" source="media/create-virtual-network-manager-template/mesh-group-members.png" alt-text="Screenshot of static members in network group for a static topology deployment.":::
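
Review bot: Line 81 (unchanged context) still uses the old `**Settings>Group Members**` form, while line 80 was changed to separate bold segments with spaced `>` separators. Apply the same fix to line 81, for example `**Settings** > **Group Members**`, so the two consecutive steps render consistently.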

articles/virtual-network-manager/faq.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -147,7 +147,7 @@ Normally, security admin rules are defined to block traffic across virtual netwo
147147

148148
### How can I deploy multiple security admin configurations to a region?
149149

150-
You can deploy only one security admin configuration to a region. However, multiple connectivity configurations can exist in a region if you [create multiple rule collections](how-to-block-network-traffic-portal.md#add-a-rule-collection) in a security configuration.
150+
You can deploy only one security admin configuration to a region. However, multiple connectivity configurations can exist in a region if you [create multiple rule collections](how-to-block-network-traffic-portal.md#add-a-rule-collection-and-security-rule) in a security configuration.
151151

152152
### Do security admin rules apply to Azure private endpoints?
153153
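
Review bot: The answer on line 150 says multiple connectivity configurations can exist in a region "if you create multiple rule collections", which ties connectivity configurations to rule collections and does not answer the question in the heading. The same guidance in concept-security-admins.md (also touched in this commit) keeps the two statements separate. Since this line is being edited for the anchor, consider rewording it so that it states that one security admin configuration per region can hold multiple rule collections.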

articles/virtual-network-manager/how-to-block-high-risk-ports.md

Lines changed: 0 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -46,8 +46,6 @@ In this section, you deploy a Virtual Network Manager instance with the Security
4646

4747
1. On the *Basics* tab, enter or select the information for your organization:
4848

49-
:::image type="content" source="media/how-to-block-high-risk-ports/network-manager-basics-thumb.png" alt-text="Screenshot of Create a network manager Basics page." lightbox="media/how-to-block-high-risk-ports/network-manager-basics.png":::
50-
5149
| Setting | Value |
5250
| ------- | ----- |
5351
| Subscription | Select the subscription you want to deploy Azure Virtual Network Manager to. |
@@ -69,7 +67,6 @@ With your virtual network manager created, you now create a network group contai
6967
1. On the *Network groups* page, select the network group you created.
7068
1. Select **Add**, under **Static Membership** to manually add all the VNets.
7169
1. On the **Add static members** page, select all of the virtual networks you wish to include, and select **Add**.
72-
:::image type="content" source="media/how-to-block-high-risk-ports/add-members-manual-network-group.png" alt-text="Screenshot of Add Static Members page showing manual selection of virtual networks.":::
7370

7471
## Create a security admin configuration for all virtual networks
7572

@@ -78,27 +75,16 @@ It’s time to construct our security admin rules within a configuration in orde
7875
1. Select **Configurations** under *Settings* and then select **+ Create**.
7976
1. Select **Security configuration** from the drop-down menu.
8077
1. On the **Basics** tab, enter a *Name* to identify this security configuration and select **Next: Rule collections**.
81-
82-
:::image type="content" source="./media/how-to-block-network-traffic-portal/security-configuration-name.png" alt-text="Screenshot of security configuration name field.":::
83-
8478
1. Select **+ Add** from the *Add a security configuration page*.
85-
8679
1. Enter a *Name* to identify this rule collection and then select the *Target network groups* you want to apply the set of rules to. The target group is the network group containing all of your virtual networks.
8780

88-
:::image type="content" source="./media/how-to-block-network-traffic-portal/rule-collection-target.png" alt-text="Screenshot of rule collection name and target network groups.":::
89-
9081
## Add a security rule for denying high-risk network traffic
9182

9283
In this section, you define the security rule to block high-risk network traffic to all virtual networks. When assigning priority, keep in mind future exception rules. Set the priority so that exception rules are applied over this rule.
9384

9485
1. Select **+ Add** under **Security admin rules**.
95-
96-
:::image type="content" source="./media/how-to-block-network-traffic-portal/add-rule-button.png" alt-text="Screenshot of add a rule button.":::
97-
9886
1. Enter the information needed to define your security rule, then select **Add** to add the rule to the rule collection.
9987

100-
:::image type="content" source="./media/how-to-block-high-risk-ports/add-deny-rule.png" alt-text="Screenshot of add a rule page.":::
101-
10288
| Setting | Value |
10389
| ------- | ----- |
10490
| Name | Enter a rule name. |
@@ -119,25 +105,15 @@ In this section, you define the security rule to block high-risk network traffic
119105
| Destination port | Enter a single port number or a port range such as (1024-65535). When defining more than one port or port ranges, separate them using a comma. To specify any port, enter *. Enter **3389** for this example. |
120106

121107
1. Repeat steps 1-3 again if you want to add more rules to the rule collection.
122-
123108
1. Once you're satisfied with all the rules you wanted to create, select **Add** to add the rule collection to the security admin configuration.
124-
125-
:::image type="content" source="./media/how-to-block-network-traffic-portal/save-rule-collection.png" alt-text="Screenshot of a rule collection.":::
126-
127109
1. Then select **Review + Create** and **Create** to complete the security configuration.
128110

129111
## Deploy a security admin configuration for blocking network traffic
130112

131113
In this section, the rules created take effect when you deploy the security admin configuration.
132114

133115
1. Select **Deployments** under *Settings*, then select **Deploy configuration**.
134-
135-
:::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-configuration.png" alt-text="Screenshot of deploy a configuration button.":::
136-
137116
1. Select the **Include security admin in your goal state** checkbox and choose the security configuration you created in the last section from the dropdown menu. Then choose the region(s) you would like to deploy this configuration to.
138-
139-
:::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-security-configuration.png" alt-text="Screenshot of deploy a security configuration page.":::
140-
141117
1. Select **Next** and **Deploy** to deploy the security admin configuration.
142118

143119
## Create a network group for traffic exception rule
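
Review bot: "Repeat steps 1-3 again" on new line 107 looks off by one. Going by the steps visible in this diff (Select **+ Add**, then Enter the information), the repeat instruction is itself the third item in the list, so it refers to itself. Consider "Repeat steps 1-2 to add more rules to the rule collection", which also drops the redundant "again". With the screenshots removed from this section, the step text is the only guidance the reader has, so the numbering needs to be exact.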

articles/virtual-network-manager/how-to-block-network-traffic-portal.md

Lines changed: 1 addition & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -26,24 +26,12 @@ Before you start to configure security admin rules, confirm that you've done the
2626
1. Select **Security configuration** from the drop-down menu.
2727
1. On the **Basics** tab, enter a *Name* to identify this security configuration and select **Next: Rule collections**.
2828

29-
:::image type="content" source="./media/how-to-block-network-traffic-portal/security-configuration-name.png" alt-text="Screenshot of security configuration name field.":::
30-
31-
## Add a rule collection
29+
## Add a rule collection and security rule
3230

3331
1. Enter a *Name* to identify this rule collection and then select the *Target network groups* you want to apply the set of rules to.
34-
35-
:::image type="content" source="./media/how-to-block-network-traffic-portal/rule-collection-target.png" alt-text="Screenshot of rule collection name and target network groups.":::
36-
37-
## Add a security rule
38-
3932
1. Select **+ Add** from the *Add a rule collection page*.
40-
41-
:::image type="content" source="./media/how-to-block-network-traffic-portal/add-rule-button.png" alt-text="Screenshot of add a rule button.":::
42-
4333
1. Enter or select the following information, then select **Add** to add the rule to the rule collection.
4434

45-
:::image type="content" source="./media/how-to-block-network-traffic-portal/add-rule.png" alt-text="Screenshot of add a rule page.":::
46-
4735
| Setting | Value |
4836
| ------- | ----- |
4937
| Name | Enter the name **Deny_RDP** for the rule name. |
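
Review bot: Removing the `## Add a security rule` heading (old line 37) also removes the `#add-a-security-rule` anchor, and this commit only updates links that pointed at `#add-a-rule-collection`. Please search the repository for inbound links to `how-to-block-network-traffic-portal.md#add-a-security-rule` and repoint them to `#add-a-rule-collection-and-security-rule`, otherwise they will silently land at the top of the page.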
@@ -66,9 +54,6 @@ Before you start to configure security admin rules, confirm that you've done the
6654
1. Repeat steps 1-3 again if you want to add more rules to the rule collection.
6755

6856
1. Once you're satisfied with all the rules you wanted to create, select **Add** to add the rule collection to the security admin configuration.
69-
70-
:::image type="content" source="./media/how-to-block-network-traffic-portal/save-rule-collection.png" alt-text="Screenshot of a rule collection.":::
71-
7257
1. Then select **Review + Create** and **Create** to complete the security configuration.
7358

7459
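
Review bot: "Repeat steps 1-3 again" on new line 54 no longer points at the right steps. After the two sections were merged in the previous hunk, step 1 of the list is naming the rule collection and selecting target network groups, so repeating steps 1-3 to add another rule would tell the reader to rename the collection. Suggest "Repeat steps 2-3 to add more rules to the rule collection."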

@@ -77,13 +62,7 @@ Before you start to configure security admin rules, confirm that you've done the
7762
If you just created a new security admin configuration, make sure to deploy this configuration to apply to virtual networks in the network group.
7863

7964
1. Select **Deployments** under *Settings*, then select **Deploy configuration**.
80-
81-
:::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-configuration.png" alt-text="Screenshot of deploy a configuration button.":::
82-
8365
1. Select the **Include security admin in your goal state** checkbox and choose the security configuration you created in the last section from the dropdown menu. Then choose the region(s) you would like to deploy this configuration to.
84-
85-
:::image type="content" source="./media/how-to-block-network-traffic-portal/deploy-security-configuration.png" alt-text="Screenshot of deploy a security configuration page.":::
86-
8766
1. Select **Next** and **Deploy** to deploy the security admin configuration.
8867

8968
## Update existing security admin configuration

articles/virtual-network-manager/how-to-configure-cross-tenant-portal.md

Lines changed: 1 addition & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -37,12 +37,10 @@ In this task, you set up a scope connection to add a subscription from a target
3737
1. Log in to the Azure portal on the central management tenant.
3838
1. Search for **Virtual network managers** and select your network manager from the list.
3939
1. Under **Settings**, select **Cross-tenant connections**, and then select **Create cross-tenant connection**.
40-
41-
:::image type="content" source="media/how-to-configure-cross-tenant-portal/create-cross-tenant-connection.png" alt-text="Screenshot of cross-tenant connections in a network manager.":::
42-
4340
1. On the **Create a connection** page, enter the connection name and target tenant information, and then select **Create**.
4441

4542
:::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-settings.png" alt-text="Screenshot of settings entered to create a connection.":::
43+
4644
1. Verify that the scope connection is listed under **Cross-tenant connections** and the status is **Pending**.
4745

4846
## Create a network manager connection on a subscription in another tenant
@@ -51,13 +49,7 @@ After you create the scope connection, switch to the target managed tenant. Conn
5149

5250
1. In the target tenant, search for **Virtual network manager** and select **Virtual Network Managers**.
5351
1. Under **Virtual Network Manager**, select **Cross-tenant connections**.
54-
55-
:::image type="content" source="media/how-to-configure-cross-tenant-portal/virtual-network-manager-overview.png" alt-text="Screenshot of network managers in Virtual Network Manager on a target tenant.":::
56-
5752
1. Select **+ Create** or **Create a connection**.
58-
59-
:::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-target.png" alt-text="Screenshot of the pane for cross-tenant connections.":::
60-
6153
1. On the **Create a connection** page, enter the information for your central management tenant, and then select **Create**.
6254

6355
:::image type="content" source="media/how-to-configure-cross-tenant-portal/create-connection-settings-target.png" alt-text="Screenshot of settings for creating a cross-tenant connection.":::
@@ -81,9 +73,6 @@ Now, add virtual networks from both tenants into a network group for static memb
8173
1. From your network manager, add a network group if needed.
8274
1. Select your network group, and then select **Add virtual networks** under **Manually add members**.
8375
1. On the **Manually add members** page, select **Tenant:...** next to the search box, select the linked tenant from the list, and then select **Apply**.
84-
85-
:::image type="content" source="media/how-to-configure-cross-tenant-portal/select-target-tenant-network-group.png" alt-text="Screenshot of available tenants to choose for static network group membership.":::
86-
8776
1. To view the available virtual networks from the target managed tenant, select **Authenticate** and proceed through the authentication process. If you have multiple Azure accounts, select the one you're currently signed in with that has permissions to the target managed tenant.
8877
1. Select the virtual networks to include in the network group, and then select **Add**.
8978

articles/virtual-network-manager/how-to-configure-event-logs.md

Lines changed: 11 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ author: mbender-ms
55
ms.author: mbender
66
ms.topic: how-to
77
ms.service: azure-virtual-network-manager
8-
ms.date: 05/07/2024
8+
ms.date: 12/11/2024
99
---
1010

1111
# Configure event logs for Azure Virtual Network Manager
@@ -57,12 +57,11 @@ A storage account is another option for storing event logs. In this task, you co
5757

5858
In this task, you access the event logs for your Azure Virtual Network Manager instance.
5959

60-
1. Under the **Monitoring** in the left pane, select the **Logs**.
61-
1. In the **Diagnostics** window, select **Run** or **Load to editor** under **Get recent Network Group Membership Changes** or any other preloaded query available from your selected schema(s).
62-
63-
:::image type="content" source="media/how-to-configure-event-logging/run-query.png" alt-text="Screenshot of Run and Load to editor buttons in the diagnostics window.":::
60+
### Run a query in Log Analytics workspace
6461

65-
1. If you choose **Run**, the **Results** tab displays the event logs, and you can expand each log to view the details.
62+
1. Under the **Monitoring** in the left pane, select the **Logs**.
63+
1. In the **Diagnostics** window, select **Run** under **Get recent Network Group Membership Changes** or any other preloaded query available from your selected schema(s).
64+
1. When choosing **Run**, the **Results** tab displays the event logs, and you can expand each log to view the details.
6665

6766
:::image type="content" source="media/how-to-configure-event-logging/workspace-log-details.png" alt-text="Screenshot of the event log details from the defined query.":::
6867
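
Review bot: The added steps on lines 62-64 carry over the stray articles from the old text ("Under the **Monitoring** in the left pane, select the **Logs**") and step 3 describes an outcome rather than an action. Suggest "Under **Monitoring** in the left pane, select **Logs**." for step 1, and folding step 3 into step 2, for example "...select **Run**. The **Results** tab displays the event logs, and you can expand each log to view the details."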

@@ -71,9 +70,14 @@ In this task, you access the event logs for your Azure Virtual Network Manager i
7170
> [!NOTE]
7271
> When you close the **Query editor** window, you will be returned to the **Azure Home** page. If you need to return to the **Logs** page, browse to your virtual network manager instance, and select **Logs** under the **Monitoring** in the left pane.
7372
74-
1. If you choose **Load to editor**, the **Query editor** window displays the query. Choose **Run** to display the event logs and you can expand each log to view the details.
73+
### Run a query in Log Analytics workspace with preloaded queries
74+
75+
1. Under the **Monitoring** in the left pane, select the **Logs**.
76+
1. In the **Diagnostics** window, select **Load to editor** under **Get recent Network Group Membership Changes** or any other preloaded query available from your selected schema(s).
77+
1. When choosing **Load to editor**, the **Query editor** window displays the query. Choose **Run** to display the event logs and you can expand each log to view the details.
7578

7679
:::image type="content" source="media/how-to-configure-event-logging/workspace-log-details.png" alt-text="Screenshot of log details.":::
80+
7781
1. Close the window and select **ok** to discard changes.
7882

7983
## Next steps
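
Review bot: The new heading on line 73, "Run a query in Log Analytics workspace with preloaded queries", does not distinguish this subsection from the one added in the previous hunk, because both procedures start from a preloaded query ("Get recent Network Group Membership Changes or any other preloaded query"). The actual difference is **Run** versus **Load to editor**, so headings such as "Run a preloaded query" and "Load a preloaded query into the editor" would be clearer. Line 75 also repeats the "Under the **Monitoring** ... select the **Logs**" wording and should get the same article fix.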

articles/virtual-network-manager/how-to-create-security-admin-rule-network-group.md

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -41,9 +41,6 @@ To create a security admin configuration, follow these steps:
4141
1. Select **Configuration** under **Settings** on the left side of the portal window.
4242

4343
1. In the **Configurations** window, select the **Create security admin configuration** button or **+ Create > Security admin configuration** from the drop-down menu.
44-
45-
:::image type="content" source="media/how-to-create-security-admin-rules-network-groups/create-security-admin-configuration.png" alt-text="Screenshot of creation of security admin configuration in Configurations of a network manager.":::
46-
4744
1. In the **Basics** tab of the **Create security admin configuration** windows, enter the following settings:
4845

4946
| **Setting** | **Value** |
