Merge pull request #214698 from ankitaduttaMSFT/14Oct-NWFixes

prmerger-automator[bot] · web-flow · commit b6177f9d6b84 · 2022-10-17T11:16:15.000Z
acrolinx suggested edits
diff --git a/articles/network-watcher/diagnose-vm-network-traffic-filtering-problem-cli.md b/articles/network-watcher/diagnose-vm-network-traffic-filtering-problem-cli.md
@@ -200,7 +200,7 @@ When you ran the `az network watcher test-ip-flow` command to test outbound comm
 }
 ```
 
-The rule lists **0.0.0.0/0** as the **destinationAddressPrefix**. The rule denies the outbound communication to 172.131.0.100, because the address is not within the **destinationAddressPrefix** of any of the other outbound rules in the output from the `az network nic list-effective-nsg` command. To allow the outbound communication, you could add a security rule with a higher priority, that allows outbound traffic to port 80 at 172.131.0.100.
+The rule lists **0.0.0.0/0** as the **destinationAddressPrefix**. The rule denies the outbound communication to 172.131.0.100 because the address is not within the **destinationAddressPrefix** of any of the other outbound rules in the output from the `az network nic list-effective-nsg` command. To allow the outbound communication, you could add a security rule with a higher priority, that allows outbound traffic to port 80 at 172.131.0.100.
 
 When you ran the `az network watcher test-ip-flow` command in [Use IP flow verify](#use-ip-flow-verify) to test inbound communication from 172.131.0.100, the output informed you that the **DenyAllInBound** rule denied the communication. The **DenyAllInBound** rule equates to the **DenyAllInBound** rule listed in the following output from the `az network nic list-effective-nsg` command:
 
@@ -235,7 +235,7 @@ When you ran the `az network watcher test-ip-flow` command in [Use IP flow verif
 
 The **DenyAllInBound** rule is applied because, as shown in the output, no other higher priority rule exists in the output from the `az network nic list-effective-nsg` command that allows port 80 inbound to the VM from 172.131.0.100. To allow the inbound communication, you could add a security rule with a higher priority that allows port 80 inbound from 172.131.0.100.
 
-The checks in this quickstart tested Azure configuration. If the checks return expected results and you still have network problems, ensure that you don't have a firewall between your VM and the endpoint you're communicating with and that the operating system in your VM doesn't have a firewall that is allowing or denying communication.
+The checks in this quickstart tested Azure configuration. If the checks return the expected results and you still have network problems, ensure that you don't have a firewall between your VM and the endpoint you're communicating with and that the operating system in your VM doesn't have a firewall that is allowing or denying communication.
 
 ## Clean up resources
 
diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md b/articles/network-watcher/network-watcher-nsg-flow-logging-azure-resource-manager.md
@@ -107,11 +107,11 @@ Below are two examples of complete templates to set up NSG Flow Logs.
 ```
 
 > [!NOTE]
-> * The name of resource has the format "Parent Resource_Child resource". Here, the parent resource is the regional Network Watcher instance (Format: NetworkWatcher_RegionName. Example: NetworkWatcher_centraluseuap)
+> * The name of the resource has the format "Parent Resource_Child resource". Here, the parent resource is the regional Network Watcher instance (Format: NetworkWatcher_RegionName. Example: NetworkWatcher_centraluseuap)
 > * targetResourceId is the resource ID of the target NSG
 > * storageId is the resource ID of the destination storage account
 
-**Example 2**: The following templates enabling NSG Flow Logs (version 2) with a retention for 5 days. Enabling Traffic Analytics with a processing interval of 10 minutes.
+**Example 2**: The following templates enable NSG Flow Logs (version 2) with retention for 5 days. Enabling Traffic Analytics with a processing interval of 10 minutes.
 
 ```json
 {
diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-cli.md b/articles/network-watcher/network-watcher-nsg-flow-logging-cli.md
@@ -20,13 +20,13 @@ ms.author: damendo
 > - [Azure CLI](network-watcher-nsg-flow-logging-cli.md)
 > - [REST API](network-watcher-nsg-flow-logging-rest.md)
 
-Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in json format and show outbound and inbound flows on a per rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied.
+Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in JSON format and show outbound and inbound flows on a per rule basis. The NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied.
 
 To perform the steps in this article, you need to [install the Azure CLI](/cli/azure/install-azure-cli) for Windows, Linux, or macOS. The detailed specification of all flow logs commands can be found [here](/cli/azure/network/watcher/flow-log)
 
 ## Register Insights provider
 
-In order for flow logging to work successfully, the **Microsoft.Insights** provider must be registered. If you are not sure if the **Microsoft.Insights** provider is registered, run the following script.
+In order for flow logging to work successfully, the **Microsoft.Insights** provider must be registered. If you aren't sure if the **Microsoft.Insights** provider is registered, run the following script.
 
 ```azurecli
 az provider register --namespace Microsoft.Insights
diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md b/articles/network-watcher/network-watcher-nsg-flow-logging-powershell.md
@@ -19,7 +19,7 @@ ms.custom: devx-track-azurepowershell
 > - [Azure CLI](network-watcher-nsg-flow-logging-cli.md)
 > - [REST API](network-watcher-nsg-flow-logging-rest.md)
 
-Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in json format and show outbound and inbound flows on a per rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied.
+Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in JSON format and show outbound and inbound flows on a per rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied.
 
 The detailed specification of all NSG flow logs commands for various versions of AzPowerShell can be found [here](/powershell/module/az.network/#network-watcher)
 
@@ -30,7 +30,7 @@ The detailed specification of all NSG flow logs commands for various versions of
 
 ## Register Insights provider
 
-In order for flow logging to work successfully, the **Microsoft.Insights** provider must be registered. If you are not sure if the **Microsoft.Insights** provider is registered, run the following script.
+In order for flow logging to work successfully, the **Microsoft.Insights** provider must be registered. If you aren't sure if the **Microsoft.Insights** provider is registered, run the following script.
 
 ```powershell
 Register-AzResourceProvider -ProviderNamespace Microsoft.Insights
@@ -64,7 +64,7 @@ Set-AzNetworkWatcherConfigFlowLog -NetworkWatcher $NW -TargetResourceId $nsg.Id
 Get-AzNetworkWatcherFlowLogStatus -NetworkWatcher $NW -TargetResourceId $nsg.Id
 ```
 
-The storage account you specify cannot have network rules configured for it that restrict network access to only Microsoft services or specific virtual networks. The storage account can be in the same, or a different Azure subscription, than the NSG that you enable the flow log for. If you use different subscriptions, they must both be associated to the same Azure Active Directory tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md).
+The storage account you specify cannot have network rules configured for it that restrict network access to only Microsoft services or specific virtual networks. The storage account can be in the same, or a different Azure subscription, than the NSG that you enable the flow log for. If you use different subscriptions, they must both be associated with the same Azure Active Directory tenant. The account you use for each subscription must have the [necessary permissions](required-rbac-permissions.md).
 
 ## Disable Traffic Analytics and Network Security Group Flow logs
 
@@ -92,6 +92,6 @@ For information about the structure of the log visit [Network Security Group Flo
 
 ## Next Steps
 
-Learn how to [Visualize your NSG flow logs with PowerBI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
+Learn how to [Visualize your NSG flow logs with Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
 
 Learn how to [Visualize your NSG flow logs with open source tools](network-watcher-visualize-nsg-flow-logs-open-source-tools.md)
diff --git a/articles/network-watcher/network-watcher-nsg-flow-logging-rest.md b/articles/network-watcher/network-watcher-nsg-flow-logging-rest.md
@@ -23,13 +23,13 @@ ms.author: damendo
 > - [Azure CLI](network-watcher-nsg-flow-logging-cli.md)
 > - [REST API](network-watcher-nsg-flow-logging-rest.md)
 
-Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in json format and show outbound and inbound flows on a per rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied.
+Network Security Group flow logs are a feature of Network Watcher that allows you to view information about ingress and egress IP traffic through a Network Security Group. These flow logs are written in JSON format and show outbound and inbound flows on a per rule basis, the NIC the flow applies to, 5-tuple information about the flow (Source/Destination IP, Source/Destination Port, Protocol), and if the traffic was allowed or denied.
 
 ## Before you begin
 
 ARMclient is used to call the REST API using PowerShell. ARMClient is found on chocolatey at [ARMClient on Chocolatey](https://chocolatey.org/packages/ARMClient). The detailed specifications of NSG flow logs REST API can be found [here](/rest/api/network-watcher/flowlogs) 
 
-This scenario assumes you have already followed the steps in [Create a Network Watcher](network-watcher-create.md) to create a Network Watcher.
+This scenario assumes you've already followed the steps in [Create a Network Watcher](network-watcher-create.md) to create a Network Watcher.
 
 > [!Important]
 > For Network Watcher REST API calls the resource group name in the request URI is the resource group that contains the Network Watcher, not the resources you are performing the diagnostic actions on.
@@ -54,7 +54,7 @@ armclient login
 
 ## Register Insights provider
 
-In order for flow logging to work successfully, the **Microsoft.Insights** provider must be registered. If you are not sure if the **Microsoft.Insights** provider is registered, run the following script.
+In order for flow logging to work successfully, the **Microsoft.Insights** provider must be registered. If you aren't sure if the **Microsoft.Insights** provider is registered, run the following script.
 
 ```powershell
 $subscriptionId = "00000000-0000-0000-0000-000000000000"
@@ -63,7 +63,7 @@ armclient post "https://management.azure.com//subscriptions/${subscriptionId}/pr
 
 ## Enable Network Security Group flow logs
 
-The command to enable flow logs version 2 is shown in the following example. For version 1 replace the 'version' field with '1':
+The command to enable flow logs version 2 is shown in the following example. For version 1, replace the 'version' field with '1':
 
 ```powershell
 $subscriptionId = "00000000-0000-0000-0000-000000000000"
@@ -112,8 +112,8 @@ The response returned from the preceding example is as follows:
 }
 ```
 > [!NOTE]
-> - The api [Network Watchers - Set Flow Log Configuration](/rest/api/network-watcher/network-watchers/set-flow-log-configuration) used above is old and may soon be deprecated.
-> - It is recommended to use the new [Flow Logs - Create Or Update](/rest/api/network-watcher/flow-logs/create-or-update) rest api instead.
+> - The API [Network Watchers - Set Flow Log Configuration](/rest/api/network-watcher/network-watchers/set-flow-log-configuration) used above is old and may soon be deprecated.
+> - It is recommended to use the new [Flow Logs - Create Or Update](/rest/api/network-watcher/flow-logs/create-or-update) rest API instead.
 
 ## Disable Network Security Group flow logs
 
@@ -188,7 +188,7 @@ $requestBody = @"
 armclient post "https://management.azure.com/subscriptions/${subscriptionId}/ResourceGroups/${resourceGroupName}/providers/Microsoft.Network/networkWatchers/${networkWatcherName}/queryFlowLogStatus?api-version=2016-12-01" $requestBody
 ```
 
-The following is an example of the response returned:
+The following example shows the response returned:
 
 ```json
 {
@@ -224,6 +224,6 @@ https://{storageAccountName}.blob.core.windows.net/insights-logs-networksecurity
 
 ## Next steps
 
-Learn how to [Visualize your NSG flow logs with PowerBI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
+Learn how to [Visualize your NSG flow logs with Power BI](network-watcher-visualize-nsg-flow-logs-power-bi.md)
 
 Learn how to [Visualize your NSG flow logs with open source tools](network-watcher-visualize-nsg-flow-logs-open-source-tools.md)
diff --git a/articles/network-watcher/nsg-flow-logs-policy-portal.md b/articles/network-watcher/nsg-flow-logs-policy-portal.md
@@ -19,17 +19,20 @@ ms.author: damendo
 # QuickStart: Deploy and manage NSG Flow Logs using Azure Policy 
 
 ## Overview
-Azure Policy helps to enforce organizational standards and to assess compliance at-scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, we will use two built-in policies available for NSG Flow Logs to manage your flow logs setup. The first policy  flags any NSGs without flow logs enabled. The second policy automatically deploys Flow logs for NSGs without Flow logs enabled. 
+
+Azure Policy helps to enforce organizational standards and to assess compliance at scale. Common use cases for Azure Policy include implementing governance for resource consistency, regulatory compliance, security, cost, and management. In this article, we will use two built-in policies available for NSG Flow Logs to manage your flow logs setup. The first policy  flags any NSGs without flow logs enabled. The second policy automatically deploys Flow logs for NSGs without Flow logs enabled. 
 
 If you are creating an Azure Policy definition for the first time, you can read through: 
 - [Azure Policy overview](../governance/policy/overview.md) 
 - [Tutorial for creating an Azure Policy assignment](../governance/policy/assign-policy-portal.md#create-a-policy-assignment).
 
 
 ## Locate the policies
+
 1. Go to the Azure portal – [portal.azure.com](https://portal.azure.com) 
 
-Navigate to Azure Policy page by searching for Policy in the top search bar 
+Navigate to the Azure Policy page by searching for Policy in the top search bar 
+
 ![Policy Home Page](./media/network-watcher-builtin-policy/1_policy-search.png)
 
 2. Head over to the **Assignments** tab from the left pane
@@ -66,13 +69,13 @@ If you want to see the full definition of the policy, you can visit the [Definit
 
 1. Fill in your policy details
 
-- Scope: A subscription is the common choice, you can also choose a management group or resource group as relevant to you.  
+- Scope: A subscription is a common choice, you can also choose a management group or resource group as relevant to you.  
 - Policy Definition: Should be chosen as shown in the "Locate the policies" section.
 - AssignmentName: Choose a descriptive name 
 
 2. Click on "Review + Create" to review your assignment
 
-The policy does not require any parameters. As you are assigning an audit policy, you do not need to fill the details in the "Remediation" tab.  
+The policy does not require any parameters. As you are assigning an audit policy, you do not need to fill in the details in the "Remediation" tab.  
 
 ![Audit Policy Review](./media/network-watcher-builtin-policy/5_1_audit-policy-review.png)
 
@@ -95,7 +98,7 @@ If you want to see the full definition of the policy, you can visit the [Definit
 
 1. Fill in your policy details
 
-- Scope: A subscription is the common choice, you can also choose a management group or resource group as relevant to you.  
+- Scope: A subscription is a common choice, you can also choose a management group or resource group as relevant to you.  
 - Policy Definition: Should be chosen as shown in the "Locate the policies" section.
 - AssignmentName: Choose a descriptive name 
 
@@ -104,17 +107,17 @@ If you want to see the full definition of the policy, you can visit the [Definit
 The Network Watcher service is a regional service. These parameters allow the policy action of deploying flow logs to be executed. 
 - NSG Region: Azure regions at which the policy is targeted
 - Storage ID: Full resource ID of the storage account. Note: This storage account should be in the same region as the NSG. 
-- Network Watchers RG: Name of the resource group containing your Network Watcher resource. If you have not renamed it, you can enter 'NetworkWatcherRG' which is the default.
+- Network Watchers RG: Name of the resource group containing your Network Watcher resource. If you have not renamed it, you can enter `NetworkWatcherRG` which is the default.
 - Network Watcher name: Name of the regional network watcher service. Format: NetworkWatcher_RegionName. Example: NetworkWatcher_centralus. See the full list.
 
 ![DINE Policy parameters](./media/network-watcher-builtin-policy/5_2_1_dine-policy-details-alt.png)
 
 3. Add Remediation details
 
-- Check mark on "Create Remediation task" if you want the policy to affect existing resources 
-- "Create a Managed Identity" should be already checked
-- Selected the same location as previous for your Managed Identity 
-- You will need Contributor or Owner permissions to use this policy. If you have these permissions, you should not see any errors.
+- Check mark on **Create Remediation task** if you want the policy to affect existing resources 
+- **Create a Managed Identity** should be already checked
+- Select the same location as previous for your Managed Identity 
+- You will need Contributor or Owner permission to use this policy. If you have these permissions, you should not see any errors.
 
 ![DINE Policy remediation](./media/network-watcher-builtin-policy/5_2_2_dine-remediation.png) 
 
@@ -127,7 +130,7 @@ You should see something similar to the following screenshot.
 ### Results
 
 To check the results, open the Compliance tab and search for the name of your Assignment.
-You should see something like following screenshot once your policy. In case your policy hasn't run, wait for some time.
+You should see something like the following screenshot once your policy. In case your policy hasn't run, wait for some time.
 
 ![DINE Policy results](./media/network-watcher-builtin-policy/7_2_dine-policy-results.png)  
 
