updated content

sushantjrao · sushantjrao · commit ad32ce18edf7 · 2025-02-26T11:43:35.000+05:30
diff --git a/articles/operator-nexus/TOC.yml b/articles/operator-nexus/TOC.yml
@@ -218,6 +218,10 @@
           href: howto-upgrade-os-of-terminal-server.md
         - name: How to restrict serial port access and set timeout on terminal-server
           href: howto-restrict-serial-port-access-and-set-timeout-on-terminal-server.md
+        - name: How to append a custom suffix to interface descriptions
+          href: howto-append-a-custom-suffix-to-interface-descriptions.md
+        - name: How to Configure NNF with Bring Your Own (BYO) Storage
+          href: howto-configure-bring-your-own-storage-network-fabric.md
     - name: Cluster
       expanded: false
       items:
@@ -271,8 +275,7 @@
           href: howto-kubernetes-cluster-features.md
         - name: How to reboot a Network Device in Azure Operator Nexus Network Fabric
           href: howto-reboot-a-network-device.md
-        - name: How to append a custom suffix to interface descriptions
-          href: howto-append-a-custom-suffix-to-interface-descriptions.md
+
     - name: Nexus Virtual Machine
       expanded: false
       items:
diff --git a/articles/operator-nexus/howto-configure-bring-your-own-storage-network-fabric.md b/articles/operator-nexus/howto-configure-bring-your-own-storage-network-fabric.md
@@ -0,0 +1,130 @@
+---
+title: "Azure Operator Nexus: Configure Bring-Your-Own (BYO) Storage for Network Fabric"
+description: Learn how to configure a customer-managed storage account and user-assigned managed identity (UAMI) for Network Fabric in Azure Operator Nexus.
+author: sushantjrao
+ms.author: sushrao
+ms.service: azure-operator-nexus
+ms.topic: how-to
+ms.date: 02/26/2025
+ms.custom: template-how-to, devx-track-azurecli
+---
+
+# How to configure NNF with Bring Your Own (BYO) Storage
+
+This guide provides step-by-step instructions for configuring Network Fabric (NNF) with a customer-managed storage account and User-Assigned Managed Identities (UAMI). Follow the steps below to ensure proper setup and integration.
+
+## Prerequisites
+
+Before proceeding, ensure you have:
+
+- Azure CLI Installed - Install or update the Azure CLI (Download).
+
+- Necessary Permissions - Ensure you have Contributor or Owner role on the storage account and permissions to assign RBAC roles.
+
+- User-Assigned Managed Identity (UAMI) - Created in the same subscription where NNF is deployed.
+
+- Storage Account - Created with the appropriate permissions for NNF operations.
+
+- NNF Resource Provider Registration - Ensure Microsoft.ManagedNetworkFabric is registered in your subscription.
+
+## Create user-assigned managed identity (UAMI)
+
+Create the UAMI(s) required for accessing the necessary resources.
+
+For more information on creating managed identities, refer to [Manage user-assigned managed](/entra/identity/managed-identities-azure-resources/how-manage-user-assigned-managed-identities.md)
+
+## Configure the storage account
+
+### Create or identify a storage account
+
+Create a new storage account or use an existing one. Refer to [Create an Azure storage account](/articles/storage/common/storage-account-create).
+
+### Assign the required role
+
+Assign the **Storage Blob Data Contributor** role to the users and UAMI needing access to the **runRO** and **cable validation command output**.
+
+For role assignment details, see [Assign an Azure role for access to blob data](/articles/storage/blobs/assign-azure-role-data-access.md).
+
+### 2.3 Restrict storage account access
+
+To limit access, configure Storage Firewalls and Virtual Networks:
+
+- Add all required users' IP addresses to the **Virtual Networks** and/or **Firewall** lists.
+
+- Follow instructions from [Configure Azure Storage firewalls and virtual networks](/articles/storage/common/storage-network-security.md).
+
+### Enable Trusted Services
+
+Ensure the option **Allow Azure services on the trusted services list to access this storage account** under **Exceptions** is selected.
+
+## Assign permissions to UAMI for Nexus Network Fabric Resource Provider
+
+When using UAMI to access a storage account, the NNF platform requires provisioning access. Specifically, the permission **Microsoft.ManagedIdentity/userAssignedIdentities/assign/action** must be granted to the UAMI for the **Managed Network Fabric RP** in Microsoft Entra ID.
+
+### Assign the Managed Identity Operator Role
+
+1. Open the **Azure Portal** and locate the **User-Assigned Identity**.
+
+2. Navigate to **Access control (IAM)** > **Add role assignment**.
+
+3. Select **Role: Managed Identity Operator**.
+
+4. Under **Assign access to**, select **User, group, or service principal**.
+
+5. Choose **Member: Managed Network Fabric RP** application.
+
+6. Click **Review and assign**.
+
+> [!Note]
+> When using a User-Assigned Managed Identity (UAMI) to access a Storage account, it is essential to provision access to that identity for the NNF platform. Specifically, the Microsoft.ManagedIdentity/userAssignedIdentities/assign/action permission needs to be added to the User-assigned identity for the Managed Network Fabric RP Microsoft Entra ID. This permission ensures that the UAMI can be properly assigned and utilized within the NNF platform. It is a known limitation of the platform that this specific permission assignment is required. However, this limitation will be addressed in a future release (NNF 9.0).
+
+## Update Cluster with UAMI and Storage Account configuration
+
+When creating or updating an NNF instance, both the User-Assigned Managed Identity and Storage Account must be supplied together.
+
+### Storage account configuration format
+
+Use the `--storage-account-configuration` parameter to define the storage location for command outputs:
+
+```json
+{
+  "storageAccountId": "<storage_account_id>",
+  "storageAccountIdentity": {
+    "identityType": "UserAssignedIdentity",
+    "userAssignedIdentityResourceId": "<uami_resource_id>"
+  }
+}
+```
+
+## Create a new fabric instance
+
+Use the following command to create a new fabric instance with BYO storage:
+
+```azurecli
+az networkfabric fabric create --resource-name <fabricname> \
+    -g <fabricresourcegroup> \
+    <other_params_for_create> \
+    --storage-account-config "{storageAccountId:'/subscriptions/<subscriptionid>/resourceGroups/<resourcegroupname>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>',storageAccountIdentity:{identityType:'UserAssignedIdentity',userAssignedIdentityResourceId:'/subscriptions/<uamisubscription>/resourceGroups/<uamiresourcegroupname>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uaminame>'}}" \
+    --mi-user-assigned "/subscriptions/<uamisubscriptionid>/resourceGroups/<uamiresourcegroupname>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uaminame>"
+```
+
+## Update an existing fabric instance
+
+For existing deployments, update the fabric with the required parameters:
+
+```azurecli
+az networkfabric fabric update --resource-name <fabricname> \
+    -g <fabricresourcegroup> \
+    --storage-account-config "{storageAccountId:'/subscriptions/<subscriptionid>/resourceGroups/<resourcegroupname>/providers/Microsoft.Storage/storageAccounts/<storageaccountname>',storageAccountIdentity:{identityType:'UserAssignedIdentity',userAssignedIdentityResourceId:'/subscriptions/<uamisubscription>/resourceGroups/<uamiresourcegroupname>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uaminame>'}}" \
+    --mi-user-assigned "/subscriptions/<uamisubscriptionid>/resourceGroups/<uamiresourcegroupname>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<uaminame>"
+```
+
+### Commit configuration changes
+
+Once updated, commit the changes:
+
+```azurecli
+az networkfabric fabric commit-configuration --resource-group <rgname> --resource-name <nfname>
+```
+
+
diff --git a/articles/operator-nexus/howto-configure-network-fabric-controller.md b/articles/operator-nexus/howto-configure-network-fabric-controller.md
@@ -29,7 +29,7 @@ With the latest update, all new NFC Cluster deployments will use the `Standard_D
 This change is required due to the limited availability of `Standard_Ds4_v2` in several Azure regions.
 
 > [!Note]
-> Existing NFC Clusters will continue to run on `Standard_Ds4_v2`.
+> Existing NFC Clusters will continue to run on `Standard_Ds4_v2.
 
 ### Minimum vCPU requirement
 
diff --git a/articles/operator-nexus/howto-reboot-a-network-device.md b/articles/operator-nexus/howto-reboot-a-network-device.md
@@ -25,7 +25,7 @@ A **graceful reboot** ensures a stable restart process by temporarily placing th
 
 - The device enters **maintenance mode** before the reboot.
 
-- The reboot uses the **last known good configuration** stored on the device.
+- The reboot uses the **last saved configuration** stored on the device.
 
 - Upon successful restart, the device **exits maintenance mode** automatically.  
 
@@ -56,7 +56,7 @@ An **ungraceful reboot** is a faster restart option that **does not** place the
 
 #### How it works
 
-- The device **immediately reboots** using the **last known good configuration**.
+- The device **immediately reboots** using the **last saved configuration**.
 
 - Unlike the graceful reboot, the device **remains operational** without entering maintenance mode.
 
