Commit c339144

Merge pull request #208752 from JnHs/jh-arck8-ccmref
refresh info
2 parents 53fc73d + 57c5336 commit c339144

2 files changed

+21
-18
lines changed

articles/azure-arc/kubernetes/conceptual-connectivity-modes.md

Lines changed: 14 additions & 13 deletions
Original file line number | Diff line number | Diff line change
@@ -2,37 +2,38 @@
22
title: "Azure Arc-enabled Kubernetes connectivity modes"
33
services: azure-arc
44
ms.service: azure-arc
5-
ms.date: 11/23/2021
5+
ms.date: 08/22/2022
66
ms.topic: conceptual
77
description: "This article provides an overview of the connectivity modes supported by Azure Arc-enabled Kubernetes"
88
keywords: "Kubernetes, Arc, Azure, containers"
99
---
1010

1111
# Azure Arc-enabled Kubernetes connectivity modes
1212

13-
Azure Arc-enabled Kubernetes requires deployment of Azure Arc agents on your Kubernetes clusters using which capabilities like configurations (GitOps), extensions, Cluster Connect and Custom Location are made available on the cluster. Kubernetes clusters deployed on the edge may not have constant network connectivity and as a result the agents may not be able to always reach the Azure Arc services. This semi-connected mode however is a supported scenario. To support semi-connected modes of deployment, for features like configurations and extensions, agents rely on pulling of desired state specification from the Arc services and later realizing this state on the cluster.
13+
Azure Arc-enabled Kubernetes requires deployment of Azure Arc agents on your Kubernetes clusters so that capabilities such as configurations (GitOps), extensions, Cluster Connect and Custom Location are made available on the cluster. Kubernetes clusters deployed on the edge may not have constant network connectivity, and as a result, in a semi-connected mode the agents may not always be able to reach the Azure Arc services. This topic explains how Azure Arc features can be used with semi-connected modes of deployment.
1414

1515
## Understand connectivity modes
1616

17-
| Connectivity mode | Description |
18-
| ----------------- | ----------- |
19-
| Fully connected | Agents can consistently communicate with Azure with little delay in propagating GitOps configurations, enforcing Azure Policy and Gatekeeper policies, and collecting workload metrics and logs in Azure Monitor. |
20-
| Semi-connected | The managed identity certificate pulled down by the `clusteridentityoperator` is valid for up to 90 days before the certificate expires. Upon expiration, the Azure Arc-enabled Kubernetes resource stops working. To reactivate all Azure Arc features on the cluster, delete, and recreate the Azure Arc-enabled Kubernetes resource and agents. During the 90 days, connect the cluster at least once every 30 days. |
21-
| Disconnected | Kubernetes clusters in disconnected environments unable to access Azure are currently unsupported by Azure Arc-enabled Kubernetes. If this capability is of interest to you, submit or up-vote an idea on [Azure Arc's UserVoice forum](https://feedback.azure.com/d365community/forum/5c778dec-0625-ec11-b6e6-000d3a4f0858).
17+
When working with Azure Arc-enabled Kubernetes clusters, it's important to understand how network connectivity modes impact your operations.
2218

19+
- **Fully connected**: With ongoing network connectivity, agents can consistently communicate with Azure. In this mode, there is typically little delay with tasks such as propagating GitOps configurations, enforcing Azure Policy and Gatekeeper policies, or collecting workload metrics and logs in Azure Monitor.
20+
- **Semi-connected**: Azure Arc agents can pull desired state specification from the Arc services, then later realize this state on the cluster.
21+
> [!IMPORTANT]
22+
> The managed identity certificate pulled down by the `clusteridentityoperator` is valid for up to 90 days before it expires. The agents will try to renew the certificate during this time period; however, if there is no network connectivity, the certificate may expire, and the Azure Arc-enabled Kubernetes resource will stop working. Because of this, we recommend ensuring that the connected cluster has network connectivity at least once every 30 days. If the certificate expires, you'll need to delete and then recreate the Azure Arc-enabled Kubernetes resource and agents in order to reactivate Azure Arc features on the cluster.
23+
- **Disconnected**: Kubernetes clusters in disconnected environments that are unable to access Azure are not currently supported by Azure Arc-enabled Kubernetes.
2324

2425
## Connectivity status
2526

2627
The connectivity status of a cluster is determined by the time of the latest heartbeat received from the Arc agents deployed on the cluster:
2728

2829
| Status | Description |
2930
| ------ | ----------- |
30-
| Connecting | Azure Arc-enabled Kubernetes resource is created in Azure Resource Manager, but service hasn't received the agent heartbeat yet. |
31-
| Connected | Azure Arc-enabled Kubernetes service received an agent heartbeat sometime within the previous 15 minutes. |
32-
| Offline | Azure Arc-enabled Kubernetes resource was previously connected, but the service hasn't received any agent heartbeat for 15 minutes. |
33-
| Expired | Managed identity certificate of the cluster has an expiration window of 90 days after it is issued. Once this certificate expires, the resource is considered `Expired` and all features such as configuration, monitoring, and policy stop working on this cluster. More information on how to address expired Azure Arc-enabled Kubernetes resources can be found [in the FAQ article](./faq.md#how-do-i-address-expired-azure-arc-enabled-kubernetes-resources). |
31+
| Connecting | The Azure Arc-enabled Kubernetes resource has been created in Azure, but the service hasn't received the agent heartbeat yet. |
32+
| Connected | The Azure Arc-enabled Kubernetes service received an agent heartbeat within the previous 15 minutes. |
33+
| Offline | The Azure Arc-enabled Kubernetes resource was previously connected, but the service hasn't received any agent heartbeat for 15 minutes. |
34+
| Expired | The managed identity certificate of the cluster has expired. In this state, Azure Arc features will no longer work on the cluster. For more information on how to address expired Azure Arc-enabled Kubernetes resources, see the [FAQ](./faq.md#how-do-i-address-expired-azure-arc-enabled-kubernetes-resources). |
3435

3536
## Next steps
3637

37-
* Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
38-
* Learn more about the creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-configurations.md).
38+
- Walk through our quickstart to [connect a Kubernetes cluster to Azure Arc](./quickstart-connect-cluster.md).
39+
- Learn more about creating connections between your cluster and a Git repository as a [configuration resource with Azure Arc-enabled Kubernetes](./conceptual-configurations.md).
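
Review bot: In the added `[!IMPORTANT]` note under **Semi-connected** (new line 22), "The agents will try to renew the certificate during this time period" reads as if renewal can be attempted at any point in the 90 days, while the faq.md text touched by this same commit says the agents attempt renewal between Day 46 and Day 90. The two files also give different guidance (connectivity "at least once every 30 days" here, "at least once between Day 46 and Day 90" in the FAQ). Suggest stating the renewal window in this note, or linking to the FAQ section from it, and saying how the 30-day recommendation relates to that window. Separately, the rewritten `Expired` row (new line 34) drops the 90-day validity figure that the removed row carried; a short mention would keep the status table readable on its own.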

articles/azure-arc/kubernetes/faq.md

Lines changed: 7 additions & 5 deletions
Original file line number | Diff line number | Diff line change
@@ -2,7 +2,7 @@
22
title: "Azure Arc-enabled Kubernetes and GitOps frequently asked questions"
33
services: azure-arc
44
ms.service: azure-arc
5-
ms.date: 04/06/2022
5+
ms.date: 08/22/2022
66
ms.topic: conceptual
77
description: "This article contains a list of frequently asked questions related to Azure Arc-enabled Kubernetes and Azure GitOps"
88
keywords: "Kubernetes, Arc, Azure, containers, configuration, GitOps, faq"
@@ -33,19 +33,21 @@ If the Azure Arc-enabled Kubernetes cluster is on Azure Stack Edge, AKS on Azure
3333

3434
## How do I address expired Azure Arc-enabled Kubernetes resources?
3535

36-
The system assigned managed identity associated with your Azure Arc-enabled Kubernetes cluster is only used by the Azure Arc agents to communicate with the Azure Arc services. The certificate associated with this system assigned managed identity has an expiration window of 90 days, and the agents will attempt to renew this certificate between Day 46 to Day 90. Once this certificate expires, the resource is considered `Expired` and all features (such as configuration, monitoring, and policy) stop working on this cluster and you'll then need to delete and connect the cluster to Azure Arc once again. It is thus advisable to have the cluster come online at least once between Day 46 to Day 90 time window to ensure renewal of the managed identity certificate.
36+
The system-assigned managed identity associated with your Azure Arc-enabled Kubernetes cluster is only used by the Azure Arc agents to communicate with the Azure Arc services. The certificate associated with this system assigned managed identity has an expiration window of 90 days, and the agents will attempt to renew this certificate between Day 46 to Day 90. To avoid having your managed identity certificate expire, be sure that the cluster comes online at least once between Day 46 and Day 90 so that the certificate can be renewed.
3737

38-
To check when the certificate is about to expire for any given cluster, run the following command:
38+
If the managed identity certificate expires, the resource is considered `Expired` and all Azure Arc features (such as configuration, monitoring, and policy) will stop working on the cluster.
39+
40+
To check when the managed identity certificate will expire for a given cluster, run the following command:
3941

4042
```azurecli
4143
az connectedk8s show -n <name> -g <resource-group>
4244
```
4345

44-
In the output, the value of the `managedIdentityCertificateExpirationTime` indicates when the managed identity certificate will expire (90D mark for that certificate).
46+
In the output, the value of the `managedIdentityCertificateExpirationTime` indicates when the managed identity certificate will expire (90D mark for that certificate).
4547

4648
If the value of `managedIdentityCertificateExpirationTime` indicates a timestamp from the past, then the `connectivityStatus` field in the above output will be set to `Expired`. In such cases, to get your Kubernetes cluster working with Azure Arc again:
4749

48-
1. Delete Azure Arc-enabled Kubernetes resource and agents on the cluster.
50+
1. Delete the Azure Arc-enabled Kubernetes resource and agents on the cluster.
4951

5052
```azurecli
5153
az connectedk8s delete -n <name> -g <resource-group>
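
Review bot: The rewritten paragraph at new line 36 is inconsistent with itself: the first sentence now uses "system-assigned managed identity", but the second sentence still says "system assigned", and it keeps "between Day 46 to Day 90" while the newly added last sentence uses "between Day 46 and Day 90". Suggest hyphenating both occurrences and using "between Day 46 and Day 90" in both. The replacement at old line 44 / new line 46 shows no visible text difference, so if it is a whitespace-only change, it is worth confirming it was intended. The phrase "(90D mark for that certificate)" on that line could also be spelled out, for example as "90 days after the certificate was issued".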
