add clean-up steps

Author: cephalin

articles/app-service/tutorial-connect-msi-keyvault.md

@@ -58,6 +58,9 @@ Prepare your environment for the Azure CLI.
     csKey1=$(az cognitiveservices account keys list --resource-group $groupName --name $csResourceName --query key1 --output tsv)
     ```
 
+    > [!NOTE]
+    > `--sku F0` creates a free tier Cognitive Services resource. Each subscription is limited to a quota of one free-tier `TextAnalytics` resource. If you're already over the quota, use `--sku S` instead.
+
 1. Clone the sample repository locally and deploy the sample application to App Service. Replace *\<app-name>* with a unique name.
 
     ### [.NET 5](#tab/dotnet)
@@ -70,7 +73,7 @@ Prepare your environment for the Azure CLI.
     git clone https://github.com/Azure-Samples/app-service-language-detector.git
     cd app-service-language-detector/dotnet
     
-    az webapp up --sku F1 --resource-group $groupName --name $appName --location $region
+    az webapp up --sku F1 --resource-group $groupName --name $appName --plan $appName --location $region
     ```
 
     ### [PHP](#tab/php)
@@ -132,7 +135,7 @@ At the moment, connection secrets are stored as app settings in your App Service
     az webapp identity assign --resource-group $groupName --name $appName --scope $vaultResourceId --role  "Key Vault Secrets User"
     ```
 
-1. Add the Cognitive Services resource name and subscription key as secrets to the vault, and save their IDs as environment variables.
+1. Add the Cognitive Services resource name and subscription key as secrets to the vault, and save their IDs as environment variables for the next step.
 
     ```azurecli-interactive
     csResourceKVUri=$(az keyvault secret set --vault-name $vaultName --name csresource --value $csResourceName --query id --output tsv)
@@ -149,6 +152,16 @@ At the moment, connection secrets are stored as app settings in your App Service
 
 Congratulations, your app is now connecting to Cognitive Services using secrets kept in your key vault, and you've done this without any changes to your application code.
 
+## Clean up resources
+
+In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:
+
+```azurecli-interactive
+az group delete --name $groupName
+```
+
+This command may take a minute to run.
+
 ## Next steps
 
 - [Tutorial: Isolate back-end communication with Virtual Network integration](tutorial-networking-isolate-vnet.md)

articles/app-service/tutorial-networking-isolate-vnet.md

@@ -130,7 +130,11 @@ Because your Key Vault and Cognitive Services resources will sit behind [private
     > [!TIP]
     > `$csResourceName` is set in the [prerequisite](#prerequisites) tutorial (in [Create app with connectivity to Cognitive Services](tutorial-connect-msi-keyvault.md#create-app-with-connectivity-to-Cognitive-Services)).
 
-Now, all traffic to the key vault and the Cognitive Services resource is blocked. If you try out the language detection page now, you'll get an HTTP 500 error. These two endpoints are only accessible to clients inside the VNet you created. You can't even access Key Vault secrets through the Azure portal, because the portal accesses them through the public internet (see [Manage the locked down resources](#manage-the-locked-down-resources)).
+It may take some time for the setting to take effect, but all traffic to the key vault and the Cognitive Services resource are now blocked. If you try out the language detection page now, you'll get an HTTP 500 error. 
+
+<!-- TODO - This seems to take a long time to take effect. -->
+
+These two endpoints are only accessible to clients inside the VNet you created. You can't even access the secrets in the key vault through **Secrets** page in the Azure portal, because the portal accesses them through the public internet (see [Manage the locked down resources](#manage-the-locked-down-resources)).
 
 ## Configure VNet integration in your app
 
@@ -154,7 +158,9 @@ Now, all traffic to the key vault and the Cognitive Services resource is blocked
     
     VNet integration allows outbound traffic to flow directly into the VNet. By default, only local IP traffic defined in [RFC-1918](https://tools.ietf.org/html/rfc1918#section-3) is routed to the VNet, which is what you need for the private endpoints. To route all your traffic to the VNet, set the [`WEBSITE_VNET_ROUTE_ALL` app setting](reference-app-settings.md#networking). Routing all traffic can also be used if you want to route internet traffic through your VNet e.g. through an [Azure VNet NAT](../virtual-network/nat-gateway/nat-overview.md) or an [Azure Firewall](../firewall/overview.md).
 
-1. In the browser, navigate to `<app-name>.azurewebsites.net` again and wait for the app to restart. If you get detection results back, then you're connecting to the Cognitive Services endpoint with key vault references.
+1. In the browser, navigate to `<app-name>.azurewebsites.net` again and wait for the integration to take effect. If you get detection results back, then you're connecting to the Cognitive Services endpoint with key vault references. If you get an HTTP 500 error, wait a few minutes and try again.
+
+<!-- TODO - This seems to take a long time to take effect. -->
 
 ## Manage the locked down resources
 
@@ -165,6 +171,16 @@ Depending on your scenarios, you may not be able to manage the private endpoint
 - Manage the private endpoint protected resources from a [jump server](https://wikipedia.org/wiki/Jump_server) in the VNet.
 - [Deploy Cloud Shell into the VNet](../cloud-shell/private-vnet.md).
 
+## Clean up resources
+
+In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:
+
+```azurecli-interactive
+az group delete --name $groupName
+```
+
+This command may take a minute to run.
+
 ## Next steps
 
 - [Integrate your app with an Azure virtual network](overview-vnet-integration.md)