Merge pull request #303383 from MicrosoftDocs/main

learn-build-service-prod[bot] · web-flow · commit ba7092dd110e · 2025-07-26T17:07:11.000Z
Auto Publish – main to live - 2025-07-26 17:00 UTC
diff --git a/articles/networking/foundations/network-foundations-overview.md b/articles/networking/foundations/network-foundations-overview.md
@@ -1,11 +1,11 @@
 ---
-title: Azure network foundation services overview
-description: Learn about Azure network foundation services.
+title: Azure Network Foundation Services Overview
+description: Learn how Azure Virtual Network, Private Link, and DNS work together to create secure, private cloud connectivity. Get started with Azure network foundation services today.
 services: dns
 author: asudbring
-ms.service: azure-dns
+ms.service: azure-virtual-network
 ms.topic: overview
-ms.date: 06/24/2025
+ms.date: 07/26/2025
 ms.author: allensu
 # Customer intent: As an administrator, I want to learn about Azure's foundation services.
 ---
@@ -16,19 +16,20 @@ Azure network foundation services provide core connectivity for your resources i
 
 The following diagram is an example of how these services can be used together in a basic Azure network.
 
-[ ![An animated conceptual diagram of Azure network foundation services.](media/animated-diagram.gif) ](media/animated-diagram.gif#lightbox)
+:::image type="content" source="media/animated-diagram.gif" alt-text="Screenshot of an animated conceptual diagram showing how Azure Virtual Network, Private Link, and DNS services work together to create secure cloud connectivity." lightbox="media/animated-diagram.gif":::
 
 This article provides a summary of each of these Azure foundational services, and illustrates how they work together. Links are also provided to more detailed guidance for each foundational service.
 
 ## Azure Virtual Network
 
 [Azure Virtual Network](/azure/virtual-network) enables you to create private networks in the cloud, securely connecting Azure resources, the Internet, and on-premises networks. 
 
-Two virtual networks are provisioned in the following example: 
+Two virtual networks are provisioned in the following example:
+
 - The hub virtual network is used to deploy Azure services and provide access to data resources. The hub is optionally connected to an on-premises network. 
 - The hub peers with a spoke network containing a business tier subnet with virtual machines to process user interactions, and an application subnet to handle data storage and transactions. 
 
-![A conceptual diagram of Azure Virtual Network.](media/azure-virtual-network.svg) 
+:::image type="content" source="media/azure-virtual-network.svg" alt-text="Screenshot of a conceptual diagram showing Azure Virtual Network with hub and spoke topology, including business tier and application subnets.":::
 
 For more information about designing virtual networks, see [Plan virtual networks](/azure/virtual-network/virtual-network-vnet-plan-design-arm). To create a virtual network, see [Use the Azure portal to create a virtual network](/azure/virtual-network/quick-create-portal).
 
@@ -40,16 +41,17 @@ In the following figure, a **private endpoint** is provisioned in the app subnet
 
 Private endpoints securely connect services within virtual networks.
 
-![A conceptual diagram that includes Azure Private Link.](media/azure-private-link.svg) 
+:::image type="content" source="media/azure-private-link.svg" alt-text="Screenshot of a conceptual diagram that includes Azure Private Link with private endpoint connectivity in a virtual network architecture.":::
 
 > [!NOTE]
-> When you create a private endpoint, you're given the choice of integrating with a private DNS zone. This configuration can be added, deleted, or modified later. In the example shown here, the option to integrate with a private DNS zone is selected. This basic DNS configuration is suitable for virtual network workloads that don't use an Azure DNS Private Resolver. For more information, see [Azure Private Endpoint DNS integration](/azure/private-link/private-endpoint-dns-integration).
+> Private endpoints offer DNS integration options during creation. You can choose to integrate with a private DNS zone, and this configuration remains flexible - you can add, remove, or modify it after deployment. The example demonstrates selecting private DNS zone integration, which provides a straightforward DNS setup ideal for virtual network workloads without an Azure DNS Private Resolver. For more information, see [Azure Private Endpoint DNS integration](/azure/private-link/private-endpoint-dns-integration).
 
 For an overview of private link and private endpoint, see [What is Azure Private Link service](/azure/private-link/private-link-service-overview) and [What is a private endpoint](/azure/private-link/private-endpoint-overview). To create a private endpoint, see [Create a private endpoint](/azure/private-link/create-private-endpoint-portal).
 
 ## Azure DNS
 
 [Azure DNS](/azure/dns) provides cloud-based public and private domain name hosting and resolution. It includes three services that provide public or private DNS resolution and hosting, and one load balancing service:
+
 * [Azure Public DNS](/azure/dns/public-dns-overview) provides high-availability hosting for public DNS domains.
 * [Azure Private DNS](/azure/dns/private-dns-overview) is a DNS naming and resolution service for virtual networks and the private services hosted inside those networks.
 * [Azure DNS Private Resolver](/azure/dns/dns-private-resolver-overview) is a fully managed high availability DNS service that enables you to query private DNS zones from an on-premises environment and vice versa without deploying VM based DNS servers.
@@ -61,7 +63,7 @@ In the following example, the private endpoint shown in the previous figure is a
 
 This zone is also configured with a virtual network link to the hub virtual network, enabling all resources in the hub network to resolve the zone using Azure-provided DNS (168.63.129.16) and providing access to the private endpoint using its fully qualified DNS name (FQDN).
 
-![A conceptual diagram that includes Azure DNS.](media/azure-dns.svg)
+:::image type="content" source="media/azure-dns.svg" alt-text="Screenshot of a conceptual diagram showing Azure DNS private zones and virtual network links for private endpoint resolution.":::
 
 By default, private endpoints can only be resolved from within Azure. To resolve the private-linked storage account from on-premises, or to resolve on-premises resources from within Azure, you can configure a **DNS private resolver** in the hub virtual network (not shown). 
 
@@ -73,7 +75,7 @@ For more information about configuring a DNS private resolver, see [Resolve Azur
 
 The Azure portal provides a centralized experience for [getting started with network foundation services](https://aka.ms/hubs/networkfoundation). Information and links are provided to help you create an isolated network, manage network services, secure access to resources, manage hybrid name resolution, and troubleshoot network issues.
 
-[ ![A screen capture of the portal overview for foundation services.](media/portal-overview.png) ](media/portal-overview-expanded.png#lightbox)
+:::image type="content" source="media/portal-overview.png" alt-text="Screenshot of the Azure portal interface showing the network foundation services overview page with navigation options and service links.":::
 
 Resource links are also provided in the left-hand service tree to help you understand, create, and view supporting components of the network foundation services.
 
@@ -85,3 +87,4 @@ Resource links are also provided in the left-hand service tree to help you under
 - [Azure network monitoring and management](/azure/networking/monitoring-management/)
 - [Azure Networking Fundamentals](/azure/networking/fundamentals/)
 - [Azure networking](/azure/networking)
+
diff --git a/articles/virtual-network/manage-network-security-group.md b/articles/virtual-network/manage-network-security-group.md
@@ -1,20 +1,20 @@
 ---
-title: Create, change, or delete an Azure network security group
+title: Create, Change, or Delete Azure Network Security Groups
 titlesuffix: Azure Virtual Network
-description: Learn how to create, change, or delete an Azure network security group (NSG).
+description: Learn to create, change, or delete Azure network security groups (NSGs) to control traffic flow and enhance network security with Portal, PowerShell, and CLI examples.
 services: virtual-network
 author: asudbring
 ms.service: azure-virtual-network
 ms.topic: how-to
-ms.date: 07/10/2025
+ms.date: 07/26/2025
 ms.author: allensu
 ms.custom: template-how-to, engagement-fy23, devx-track-azurepowershell, devx-track-azurecli
 # Customer intent: As a network administrator, I want to create, change, or delete network security groups so that I can control the flow of network traffic and enhance the security of my virtual networks.
 ---
 
 # Create, change, or delete a network security group
 
-Security rules in network security groups (NSGs) filter the type of network traffic that flows in and out of virtual network subnets and network interfaces (NICs). To learn more about NSGs, see [Network security group overview](./network-security-groups-overview.md). Next, complete the [Filter network traffic tutorial](tutorial-filter-network-traffic.md) to gain hands-on experience with NSGs.
+Network security groups (NSGs) control network traffic flow through security rules that filter traffic in and out of virtual network subnets and network interfaces. This guide shows you how to create, change, or delete network security groups to enhance your Azure virtual network security. Learn to manage NSG rules using the Azure portal, PowerShell, and Azure CLI. To learn more about NSGs, see [Network security group overview](./network-security-groups-overview.md). Next, complete the [Filter network traffic tutorial](tutorial-filter-network-traffic.md) to gain hands-on experience with NSGs.
 
 ## Prerequisites
 
@@ -94,7 +94,7 @@ az network nsg create \
 
 In the search box at the top of the portal, enter **Network security group**. Select **Network security groups** in the search results to see the list of NSGs in your subscription.
 
-:::image type="content" source="./media/manage-network-security-group/view-network-security-groups.png" alt-text="Screenshot that shows the Network security groups list in the Azure portal.":::
+:::image type="content" source="./media/manage-network-security-group/view-network-security-groups.png" alt-text="Screenshot of the Network security groups list in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -127,7 +127,7 @@ az network nsg list --out table
    
    - In **Help**, view **Effective security rules**. For more information, see [Diagnose a virtual machine (VM) network traffic filter problem](diagnose-network-traffic-filter-problem.md).
 
-   :::image type="content" source="./media/manage-network-security-group/network-security-group-details-inline.png" alt-text="Screenshot that shows the Network security group page in the Azure portal." lightbox="./media/manage-network-security-group/network-security-group-details-expanded.png":::
+   :::image type="content" source="./media/manage-network-security-group/network-security-group-details-inline.png" alt-text="Screenshot of the Network security group page in the Azure portal." lightbox="./media/manage-network-security-group/network-security-group-details-expanded.png":::
 
 To learn more about the common Azure settings that are listed, see the following articles:
 
@@ -213,11 +213,11 @@ For more information about the association and dissociation of an NSG, see [Asso
 
    - To associate an NSG to the subnet, select **+ Associate**. Then select your virtual network and the subnet to which you want to associate the NSG. Select **OK**.
 
-     :::image type="content" source="./media/manage-network-security-group/associate-subnet-network-security-group.png" alt-text="Screenshot that shows associating a network security group to a subnet in the Azure portal.":::
+     :::image type="content" source="./media/manage-network-security-group/associate-subnet-network-security-group.png" alt-text="Screenshot of associating a network security group to a subnet in the Azure portal.":::
 
    - To dissociate an NSG from the subnet, select the three dots next to the subnet from which you want to dissociate the NSG, and then select **Dissociate**. Select **Yes**.
 
-     :::image type="content" source="./media/manage-network-security-group/dissociate-subnet-network-security-group.png" alt-text="Screenshot that shows dissociating an NSG from a subnet in the Azure portal.":::
+     :::image type="content" source="./media/manage-network-security-group/dissociate-subnet-network-security-group.png" alt-text="Screenshot of dissociating an NSG from a subnet in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -270,7 +270,7 @@ If an NSG is associated with any subnets or network interfaces, you can't delete
 
 1. Select **Delete**, and then select **Yes** in the confirmation dialog box.
 
-    :::image type="content" source="./media/manage-network-security-group/delete-network-security-group.png" alt-text="Screenshot that shows deleting a network security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/delete-network-security-group.png" alt-text="Screenshot of deleting a network security group in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -338,7 +338,7 @@ To learn more, see [Azure subscription and service limits, quotas, and constrain
     | **Name** | A unique name for the rule within the NSG | The name can be up to 80 characters. It must begin with a letter or number, and it must end with a letter, number, or underscore. The name can contain only letters, numbers, underscores, periods, or hyphens. |
     | **Description** | A text description | You can optionally specify a text description for the security rule. The description can't be longer than 140 characters. |
 
-    :::image type="content" source="./media/manage-network-security-group/add-security-rule.png" alt-text="Screenshot that shows adding a security rule to a network security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/add-security-rule.png" alt-text="Screenshot of adding a security rule to a network security group in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -425,7 +425,7 @@ An NSG can contain multiple security rules. To learn more about the list of info
 
     The list contains any rules that you created and the [default security rules](./network-security-groups-overview.md#default-security-rules) of your NSG.
 
-    :::image type="content" source="./media/manage-network-security-group/view-security-rules.png" alt-text="Screenshot that shows inbound security rules of a network security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/view-security-rules.png" alt-text="Screenshot of inbound security rules of a network security group in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -471,7 +471,7 @@ az network nsg rule list \
    > [!NOTE]
    > This procedure applies only to a custom security rule. It doesn't work if you choose a default security rule.
 
-    :::image type="content" source="./media/manage-network-security-group/view-security-rule-details.png" alt-text="Screenshot that shows the details of an inbound security rule of a network security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/view-security-rule-details.png" alt-text="Screenshot of the details of an inbound security rule of a network security group in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -526,7 +526,7 @@ az network nsg rule show \
 
 1. Change the rule's settings as needed, then select **Save**. For an explanation of all settings, see [Security rule settings](#security-rule-settings).
 
-    :::image type="content" source="./media/manage-network-security-group/change-security-rule.png" alt-text="Screenshot that shows changing the inbound security rule details of a network security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/change-security-rule.png" alt-text="Screenshot of changing the inbound security rule details of a network security group in the Azure portal.":::
 
     > [!NOTE]
     > This procedure applies only to a custom security rule. You aren't allowed to change a default security rule.
@@ -593,11 +593,11 @@ az network nsg rule update \
 
 1. Select **Inbound security rules** or **Outbound security rules**.
 
-1. Select the rule that you want to delete. You may select more than one rule to delete at a time.
+1. Select the rule that you want to delete. You can select more than one rule to delete at a time.
 
 1. Select **Delete**, then select **Yes**.
 
-    :::image type="content" source="./media/manage-network-security-group/delete-security-rule.png" alt-text="Screenshot that shows deleting an inbound security rule of a network security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/delete-security-rule.png" alt-text="Screenshot of deleting an inbound security rule of a network security group in the Azure portal.":::
 
     > [!NOTE]
     > This procedure applies only to a custom security rule. You aren't allowed to delete a default security rule.
@@ -706,7 +706,7 @@ az network asg create \
 
 In the search box at the top of the portal, enter **Application security group**. Then select **Application security groups** in the search results. A list of your application security groups appears in the Azure portal.
 
-:::image type="content" source="./media/manage-network-security-group/view-application-security-groups.png" alt-text="Screenshot that shows existing application security groups in the Azure portal.":::
+:::image type="content" source="./media/manage-network-security-group/view-application-security-groups.png" alt-text="Screenshot of existing application security groups in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -766,12 +766,12 @@ az network asg show \
 
    - Select **edit** next to **Tags** to add or remove tags. To learn more, see [Use tags to organize your Azure resources and management hierarchy](../azure-resource-manager/management/tag-resources.md).
 
-     :::image type="content" source="./media/manage-network-security-group/change-application-security-group.png" alt-text="Screenshot that shows changing an application security group in the Azure portal.":::
+     :::image type="content" source="./media/manage-network-security-group/change-application-security-group.png" alt-text="Screenshot of changing an application security group in the Azure portal.":::
 
      > [!NOTE]
      > You can't change the location of an application security group.
 
-   - Navigate to the **Access control (IAM)** blade to assign or remove permissions to the application security group.
+   - Navigate to the **Access control (IAM)** section to assign or remove permissions to the application security group.
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -815,7 +815,7 @@ You can't delete an application security group if it contains any network interf
 
 1. Select **Delete**, and then select **Yes** to delete the application security group.
 
-    :::image type="content" source="./media/manage-network-security-group/delete-application-security-group.png" alt-text="Screenshot that shows deleting an application security group in the Azure portal.":::
+    :::image type="content" source="./media/manage-network-security-group/delete-application-security-group.png" alt-text="Screenshot of deleting an application security group in the Azure portal.":::
 
 # [**PowerShell**](#tab/network-security-group-powershell)
 
@@ -884,4 +884,4 @@ To manage NSGs, security rules, and application security groups, your account mu
 
 - Add or remove [a network interface to or from an application security group](./virtual-network-network-interface.md?tabs=network-interface-portal#add-or-remove-from-application-security-groups).
 
-- Create and assign [Azure Policy definitions](./policy-reference.md) for virtual networks.
+- Create and assign [Azure Policy definitions](./policy-reference.md) for virtual networks.
