MicrosoftDocs
diff --git a/‎articles/iot-operations/manage-layered-network/howto-configure-aks-edge-essentials-layered-network.md
Lines changed: 15 additions & 11 deletions b/‎articles/iot-operations/manage-layered-network/howto-configure-aks-edge-essentials-layered-network.md
Lines changed: 15 additions & 11 deletions
diff --git a/‎articles/iot-operations/manage-layered-network/howto-configure-l3-cluster-layered-network.md
Lines changed: 6 additions & 37 deletions b/‎articles/iot-operations/manage-layered-network/howto-configure-l3-cluster-layered-network.md
Lines changed: 6 additions & 37 deletions
diff --git a/‎articles/iot-operations/manage-layered-network/howto-configure-l4-cluster-layered-network.md
Lines changed: 23 additions & 66 deletions b/‎articles/iot-operations/manage-layered-network/howto-configure-l4-cluster-layered-network.md
Lines changed: 23 additions & 66 deletions
@@ -7,22 +7,23 @@ ms.author: patricka
 ms.topic: how-to
 ms.custom:
   - ignite-2023
-ms.date: 10/22/2024
+ms.date: 12/12/2024
 
 #CustomerIntent: As an operator, I want to Azure Arc enable AKS Edge Essentials clusters using Layered Network Management so that I have secure isolate devices.
 ms.service: azure-iot-operations
 ---
 
 # Configure Layered Network Management (preview) to use Azure IoT Operations in an isolated network
 
-This walkthrough is an example of deploying Azure IoT Operations to a special environment that's different than the default [Azure IoT Operations scenario](../get-started-end-to-end-sample/quickstart-deploy.md). By default, Azure IoT Operations is deployed to an Arc-enabled cluster that has direct internet access. In this scenario, you deploy Azure IoT Operations to an isolated network environment. The hardware and cluster must meet the prerequisites of Azure IoT Operations and there are additional configurations for the network, host OS, and cluster. As a result, the Azure IoT Operations components run and connect to Arc through the Azure IoT Layered Network Management (preview) service.
+This walkthrough is an example of deploying Azure IoT Operations to a special environment that's different than the default [Azure IoT Operations scenario](../get-started-end-to-end-sample/quickstart-deploy.md). By default, Azure IoT Operations is deployed to an Arc-enabled cluster that has direct internet access. In this scenario, you deploy Azure IoT Operations to an isolated network environment. The hardware and cluster must meet the prerequisites of Azure IoT Operations and there are extra configurations for the network, host OS, and cluster. As a result, the Azure IoT Operations components run and connect to Arc through the Azure IoT Layered Network Management (preview) service.
 
 >[!IMPORTANT]
 > This is an advanced scenario for Azure IoT Operations. You should complete the following steps to get familiar with the basic concepts before you start this advanced scenario.
 > - [Deploy Azure IoT Layered Network Management to an AKS cluster](howto-deploy-aks-layered-network.md)
 > - [Deployment overview - Azure IoT Operations](../deploy-iot-ops/overview-deploy.md)
 > - [Prepare your Kubernetes cluster - Azure IoT Operations](../deploy-iot-ops/howto-prepare-cluster.md)
 > - [Deploy Azure IoT Operations to an Arc-enabled Kubernetes cluster - Azure IoT Operations](../deploy-iot-ops/howto-deploy-iot-operations.md)
+>     - You can reuse the cloud dependencies you create for this trial to reduce the complexity when setting up Azure IoT Operations in a Purdue Network environment. For example, **Key vault**, **Managed Identity**, and **Storage account**.
 >
 > You can't migrate a previously deployed Azure IoT Operations from its original network to an isolated network. For this scenario, follow the steps to begin with creating new clusters.
 
@@ -60,18 +61,21 @@ The next step is to set up an Arc-enabled cluster in level 3 that's compatible f
 
 # [K3S Cluster](#tab/k3s)
 
-- Follow the [Prepare your Azure Arc-enabled Kubernetes cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up and Arc-enable your K3s cluster.
-  1. You can prepare your K3s cluster with internet access.
-  1. After install the required software components and set up the K3s cluster, you can restrict the internet access for this cluster and rely on the **custom DNS** that is prepared from earlier steps to direct the network traffic to the Layered Network Management component at level 4.
-      - If you choose to use CoreDNS instead of DNS server, you need to configure the [CoreDNS](howto-configure-layered-network.md#configure-custom-dns) after setup the K3S cluster.
-  1. Proceed to Arc-enable the cluster.
+Follow the [Prepare your Azure Arc-enabled Kubernetes cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up and Arc-enable your K3s cluster.
+
+1. Prepare your K3s cluster with internet access.
+1. It's recommended to install the kubectl client with [these steps](/azure/azure-arc/kubernetes/troubleshooting#azure-cli) to ensure kubectl client is installed properly for Arc-enablement.
+1. Proceed to Arc-enable the cluster.
+1. Before you disable internet access of your cluster, you also need to complete the [Prerequisites for deploying Azure IoT Operations](/azure/iot-operations/deploy-iot-ops/howto-deploy-iot-operations#prerequisites).
+1. After installing the required software components and setting up the K3s cluster, you can restrict the internet access for this cluster and configure the [CoreDNS](howto-configure-layered-network.md#configure-custom-dns) to redirect network traffic to your Layered Network Management service at level 4.
 
 # [AKS Edge Essentials](#tab/aksee)
 
-- Follow the [Prepare your Azure Arc-enabled Kubernetes cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up and Arc-enable your AKS Edge Essentials cluster.
-  1. You can prepare the AKS Edge Essentials with internet access.
-  1. For the step of **Get the `objectID`** you  run the command on a different machine that has internet access.
-  1. After setting up the AKS Edge Essentials cluster, you can restrict the internet access for this cluster and rely on the **DNS server** that is prepared from earlier steps to direct the network traffic to the Layered Network Management component at level 4. 
+Follow the [Prepare your Azure Arc-enabled Kubernetes cluster](../deploy-iot-ops/howto-prepare-cluster.md) to set up and Arc-enable your AKS Edge Essentials cluster.
+
+1. Prepare the AKS Edge Essentials with internet access.
+1. Before you disable internet access of your cluster, you also need to complete the [Prerequisites for deploying Azure IoT Operations](/azure/iot-operations/deploy-iot-ops/howto-deploy-iot-operations#prerequisites).
+1. After setting up the AKS Edge Essentials cluster, you can restrict the internet access for this cluster and rely on the **DNS server** that is prepared from earlier steps to redirect the network traffic to the Layered Network Management service at level 4. 
 
 ---
 
 
@@ -6,15 +6,15 @@ ms.subservice: layered-network-management
 ms.author: patricka
 ms.topic: how-to
 ms.custom: ignite-2023, devx-track-azurecli
-ms.date: 10/22/2024
+ms.date: 12/12/2024
 
 #CustomerIntent: As an operator, I want to configure Layered Network Management so that I have secure isolate devices.
 ms.service: azure-iot-operations
 ---
 
 # Configure level 3 cluster in an isolated network with Azure IoT Layered Network Management (preview)
 
-You can configure a special isolated network environment for deploying Azure IoT Operations. For example, level 3 or lower in the ISA-95 network architecture. In this article, you set up a Kubernetes cluster to meet all the prerequisites of Azure IoT Operations and Arc-enable the cluster through the Azure IoT Layered Network Management (preview) service in the upper level. Before you start this process, the Layered Network Management (preview) service has to be ready for accepting the connection request from this level.
+You can configure a special isolated network environment for deploying Azure IoT Operations. For example, level 3 or lower in the ISA-95 network architecture. In this article, you set up a Kubernetes cluster and Arc-enable it through the Azure IoT Layered Network Management (preview) service in the upper level. Before you start this process, the Layered Network Management (preview) service has to be ready for accepting the connection request from this level.
 
 You'll complete the following tasks:
 - Set up the host system and install all the required software in an internet facing environment.
@@ -111,6 +111,10 @@ After the device is moved to your level 3 isolated network layer, it's required
     1. Open the **Wi-Fi Settings**.
     1. Select the setting of the current connection.
     1. In the IPv4 tab, disable the **Automatic** setting for DNS and enter the local IP of DNS server.
+    1. Restart the CoreDNS service.
+        ```bash
+        kubectl rollout restart -n kube-system deployment/coredns
+        ```
 
 # [AKS Edge Essentials](#tab/aksee)
 There are few limitations for setting up AKS Edge Essentials as the level 3 cluster.
@@ -129,9 +133,6 @@ If you're using VM to create your Windows 11 machines, use the [VM image](https:
 1. Download the [installer for the validated AKS Edge Essentials](https://aka.ms/aks-edge/msi-k3s-1.2.414.0) version.
 1. Install AKS Edge Essentials. Follow the steps in [Prepare your machines for AKS Edge Essentials](/azure/aks/hybrid/aks-edge-howto-setup-machine). Be sure to use the installer you downloaded in the previous step and not the most recent version.
 1. **Certificates:** For level 3 and lower, you ARC onboard the cluster that isn't connected to the internet. Therefore, you need to install certificates steps in [Prerequisites for AKS Edge Essentials offline installation](/azure/aks/hybrid/aks-edge-howto-offline-install).
-1. Install the following optional software if you plan to try Azure IoT Operations quickstarts or MQTT related scenarios.
-    - [MQTTUI](https://github.com/EdJoPaTo/mqttui/releases) or other MQTT client
-    - [Mosquitto](https://mosquitto.org/)
 1. Install Azure CLI. You can install the Azure CLI directly onto the level 3 machine or on another *developer* or *jumpbox* machine if you plan to access the level 3 cluster remotely. If you choose to access the Kubernetes cluster remotely to keep the cluster host clean, you run the *kubectl* and *az* related commands from the developer machine for the rest of the steps in this article.
     The *AKS Edge Essentials - Single machine deployment* does not support accessing Kubernetes remotely. If you want to enable remote kubectl access, you will need to create the [Full Kubernetes Deployment](/azure/aks/hybrid/aks-edge-howto-multi-node-deployment) instead. Additional configurations are needed when creating this type of Kubernetes cluster.
     - Install Azure CLI. Follow the steps in [Install Azure CLI on Windows](/cli/azure/install-azure-cli-windows).
@@ -150,25 +151,6 @@ To create the AKS Edge Essentials cluster that's compatible with Azure IoT Opera
 1. Complete the steps in [Create a single machine deployment](/azure/aks/hybrid/aks-edge-howto-single-node-deployment).
     Create a [Full Kubernetes Deployment](/azure/aks/hybrid/aks-edge-howto-multi-node-deployment) instead if you plan to remotely access the kubernetes from another machine.
 
-    At the end of [Step 1: single machine configuration parameters](/azure/aks/hybrid/aks-edge-howto-single-node-deployment#step-1-single-machine-configuration-parameters), modify the following values in the *aksedge-config.json* file as follows:
-
-    - `Init.ServiceIPRangeSize` = 10
-    - `LinuxNode.DataSizeInGB` = 30
-    - `LinuxNode.MemoryInMB` = 8192
-
-    In the **Network** section, set the `SkipDnsCheck` property to **true**. Add and set the `DnsServers` to the address of the DNS server in the subnet.
-
-    ```json
-    "DnsServers": ["<IP ADDRESS OF THE DNS SERVER IN SUBNET>"],
-    "SkipDnsCheck": true,
-    ```
-
-1. Install **local-path** storage in the cluster by running the following command:
-
-    ```cmd
-    kubectl apply -f https://raw.githubusercontent.com/Azure/AKS-Edge/main/samples/storage/local-path-provisioner/local-path-storage.yaml
-    ```
-
 ## Move the device to level 3 isolated network
 
 In your isolated network layer, the DNS server was configured in a prerequisite step using [Create sample network environment](./howto-configure-layered-network.md). Complete the step if you haven't done so.
@@ -256,19 +238,6 @@ login.microsoftonline.com. 0    IN      A       100.104.0.165
     ```
     > [!TIP]
     > If the `connectedk8s` commands fail, try using the cmdlets in [Connect your AKS Edge Essentials cluster to Arc](/azure/aks/hybrid/aks-edge-howto-connect-to-arc).
-1. Fetch the `objectId` or `id` of the Microsoft Entra ID application that the Azure Arc service uses.  Run the following command exactly as written, without changing the GUID value. The command you use depends on your version of Azure CLI:
-    ```powershell
-    # If you're using an Azure CLI version lower than 2.37.0, use the following command:
-    az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query objectId -o tsv
-    ```
-    ```powershell
-    # If you're using Azure CLI version 2.37.0 or higher, use the following command:
-    az ad sp show --id bc313c14-388c-4e7d-a58e-70017303ee3b --query id -o tsv
-    ```
-1. Use the [az connectedk8s enable-features](/cli/azure/connectedk8s#az-connectedk8s-enable-features) command to enable custom location support on your cluster. Use the `objectId` or `id` value from the previous command to enable custom locations on the cluster:
-   ```bash
-   az connectedk8s enable-features -n $CLUSTER_NAME -g $RESOURCE_GROUP --custom-locations-oid <objectId/id> --features cluster-connect custom-locations
-   ```
 
 ### Configure cluster network
 
 
@@ -6,7 +6,7 @@ ms.subservice: layered-network-management
 ms.author: patricka
 ms.topic: how-to
 ms.custom: ignite-2023, devx-track-azurecli
-ms.date: 10/22/2024
+ms.date: 12/12/2024
 
 #CustomerIntent: As an operator, I want to configure Layered Network Management so that I have secure isolate devices.
 ms.service: azure-iot-operations
@@ -182,6 +182,8 @@ Once your Kubernetes cluster is Arc-enabled, you can deploy the Layered Network
 Create the Layered Network Management custom resource.
 
 1. Create a `lnm-cr.yaml` file as specified:
+    - For debugging or experimentation, you can change the value of **loglevel** parameter to **debug**.
+    - For more detail about the endpoints, see [Azure IoT Operations endpoints](/azure/iot-operations/deploy-iot-ops/overview-deploy#azure-iot-operations-endpoints).
 
     ```yaml
     apiVersion: layerednetworkmgmt.iotoperations.azure.com/v1beta1
@@ -201,104 +203,59 @@ Create the Layered Network Management custom resource.
       allowList:
         enableArcDomains: true
         domains:
-        - destinationUrl: "*.arc.azure.net"
-          destinationType: external
-        - destinationUrl: "*.data.mcr.microsoft.com"
+        - destinationUrl: "management.azure.com"
           destinationType: external
         - destinationUrl: "*.dp.kubernetesconfiguration.azure.com"
           destinationType: external
-        - destinationUrl: "*.guestnotificationservice.azure.com"
-          destinationType: external
-        - destinationUrl: "*.his.arc.azure.com"
+        - destinationUrl: "login.microsoftonline.com"
           destinationType: external
         - destinationUrl: "*.login.microsoft.com"
           destinationType: external
-        - destinationUrl: "*.login.microsoftonline.com"
-          destinationType: external
-        - destinationUrl: "*.obo.arc.azure.com"
-          destinationType: external
-        - destinationUrl: "*.servicebus.windows.net"
-          destinationType: external
-        - destinationUrl: "graph.microsoft.com"
-          destinationType: external
         - destinationUrl: "login.windows.net"
           destinationType: external
-        - destinationUrl: "management.azure.com"
-          destinationType: external
         - destinationUrl: "mcr.microsoft.com"
           destinationType: external
-        - destinationUrl: "sts.windows.net"
-          destinationType: external
-        - destinationUrl: "*.ods.opinsights.azure.com"
-          destinationType: external
-        - destinationUrl: "graph.windows.net"
-          destinationType: external
-        - destinationUrl: "msit-onelake.pbidedicated.windows.net"
-          destinationType: external
-        - destinationUrl: "*.azurecr.io"
+        - destinationUrl: "*.data.mcr.microsoft.com"
           destinationType: external
-        - destinationUrl: "*.azureedge.net"
+        - destinationUrl: "gbl.his.arc.azure.com"
           destinationType: external
-        - destinationUrl: "*.blob.core.windows.net"
+        - destinationUrl: "*.his.arc.azure.com"
           destinationType: external
-        - destinationUrl: "*.prod.hot.ingestion.msftcloudes.com"
+        - destinationUrl: "k8connecthelm.azureedge.net"
           destinationType: external
-        - destinationUrl: "*.prod.microsoftmetrics.com"
+        - destinationUrl: "guestnotificationservice.azure.com"
           destinationType: external
-        - destinationUrl: "adhs.events.data.microsoft.com"
+        - destinationUrl: "*.guestnotificationservice.azure.com"
           destinationType: external
-        - destinationUrl: "dc.services.visualstudio.com"
+        - destinationUrl: "sts.windows.net"
           destinationType: external
-        - destinationUrl: "go.microsoft.com"
+        - destinationUrl: "k8sconnectcsp.azureedge.net"
           destinationType: external
-        - destinationUrl: "packages.microsoft.com"
+        - destinationUrl: "*.servicebus.windows.net"
           destinationType: external
-        - destinationUrl: "www.powershellgallery.com"
+        - destinationUrl: "graph.microsoft.com"
           destinationType: external
-        - destinationUrl: "*.gw.arc.azure.com"
+        - destinationUrl: "*.arc.azure.net"
           destinationType: external
-        - destinationUrl: "*.gcs.prod.monitoring.core.windows.net"
+        - destinationUrl: "*.obo.arc.azure.com"
           destinationType: external
-        - destinationUrl: "*.prod.warm.ingest.monitor.core.windows.net"
+        - destinationUrl: "linuxgeneva-microsoft.azurecr.io"
           destinationType: external
-        - destinationUrl: "*.prod.hot.ingest.monitor.core.windows.net"
+        - destinationUrl: "graph.windows.net"
           destinationType: external
-        - destinationUrl: "azure.archive.ubuntu.com"
+        - destinationUrl: "*.azurecr.io"
           destinationType: external
-        - destinationUrl: "crl.microsoft.com"
+        - destinationUrl: "*.blob.core.windows.net"
           destinationType: external
-        - destinationUrl: "*.table.core.windows.net"
+        - destinationUrl: "*.vault.azure.net"
           destinationType: external
         - destinationUrl: "*.blob.storage.azure.net"
           destinationType: external
-        - destinationUrl: "*.docker.com"
-          destinationType: external
-        - destinationUrl: "*.docker.io"
-          destinationType: external
-        - destinationUrl: "*.googleapis.com"
-          destinationType: external
-        - destinationUrl: "github.com"
-          destinationType: external
-        - destinationUrl: "collect.traefik.io"
-          destinationType: external
-        - destinationUrl: "contracts.canonical.com"
-          destinationType: external
-        - destinationUrl: "database.clamav.net"
-          destinationType: external
-        - destinationUrl: "esm.ubuntu.com"
-          destinationType: external
-        - destinationUrl: "livepatch.canonical.com"
-          destinationType: external
-        - destinationUrl: "motd.ubuntu.com"
-          destinationType: external
-        - destinationUrl: "update.traefik.io"
-          destinationType: external
         sourceIpRange:
         - addressPrefix: "0.0.0.0"
           prefixLen: 0
     ```
 
-    For debugging or experimentation, you can change the value of **loglevel** parameter to **debug**.
 
 1. Create the Custom Resource to create a Layered Network Management instance.
 
@@ -309,7 +266,7 @@ Create the Layered Network Management custom resource.
 1. View the Layered Network Management Kubernetes service:
 
     ```bash
-    kubectl get services -n azure-iot-operations
+    kubectl get services
     ```
 
     ```output