Fix link; formatting

Author: kgremban

articles/iot-operations/deploy-iot-ops/concept-production-guidelines.md

@@ -24,7 +24,7 @@ Currently, K3s on Ubuntu 20.04 is the only generally available platform for depl
 
 Ensure that your hardware setup is sufficient for your scenario and that you begin with a secure environment.
 
-**System configuration**
+### System configuration
 
 Create an Arc-enabled K3s cluster that meets the system requirements.
 
@@ -34,67 +34,68 @@ Create an Arc-enabled K3s cluster that meets the system requirements.
 * [Turn off auto-upgrade for Azure Arc](/azure/azure-arc/kubernetes/agent-upgrade#toggle-automatic-upgrade-on-or-off-when-connecting-a-cluster-to-azure-arc) to have complete control over when new updates are applied to your cluster.
 * *For multi-node clusters*: [Configure clusters with Edge Volumes](./howto-prepare-cluster.md#configure-multi-node-clusters-for-azure-container-storage) to prepare for enabling fault tolerance during deployment.
 
-**Security**
+### Security
 
 Consider the following measures to ensure your cluster setup is secure before deployment.
 
 * [Validate images](../secure-iot-ops/howto-validate-images.md) to ensure they're signed by Microsoft.
 * When doing TLS encryption, [bring your own issuer](../secure-iot-ops/concept-default-root-ca.md#bring-your-own-issuer) and integrate with an enterprise PKI.
 * [Use secrets](../secure-iot-ops/howto-manage-secrets.md) for on-premises authentication.
 * Keep your cluster and Azure IoT Operations deployment up to date with the latest patches and minor releases to get all available security and bug fixes.
-* Use [user-assigned managed identities](./howto-enable-secure-settings.md#set-up-user-assigned-managed-identity-for-cloud-connections) for cloud connections.
+* Use [user-assigned managed identities](./howto-enable-secure-settings.md#set-up-a-user-assigned-managed-identity-for-cloud-connections) for cloud connections.
 
-**Networking**
+### Networking
 
 If you use enterprise firewalls or proxies, add the [Azure IoT Operations endpoints](./overview-deploy.md#azure-iot-operations-endpoints) to your allowlist.
 
-**Observability**
+### Observability
 
 For production deployments, [deploy observability resources](../configure-observability-monitoring/howto-configure-observability.md) on your cluster before deploying Azure IoT Operations. We also recommend setting up [Prometheus alerts in Azure Monitor](/azure/azure-monitor/alerts/prometheus-alerts).
 
-### Deployment
+## Deployment
 
 For a production-ready deployment, include the following configurations during the Azure IoT Operations deployment.
 
-**MQTT broker**
+### MQTT broker
 
 In the Azure portal deployment wizard, the broker resource is set up in the **Configuration** tab.
 
 * [Configure cardinality settings](../manage-mqtt-broker/howto-configure-availability-scale.md#configure-cardinality-directly) based on memory profile and needs for handling connections and messages. For example, the following settings could support a single-node or multi-node cluster:
 
   | Setting | Single node | Multi node |
   | ------- | ----------- | ---------- |
-  | **frontendReplicas** | 1 | 5 |
+  | **frontendReplicas** | 2 | 5 |
   | **frontendWorkers** | 4 | 8 |
   | **backendRedundancyFactor** | 2 | 2 |
   | **backendWorkers** | 1 | 4 |
   | **backendPartitions** | 1 | 5 |
   | [Memory profile](../manage-mqtt-broker/howto-configure-availability-scale.md#configure-memory-profile) | Low | High |
 
 * [Encrypt internal traffic](../manage-mqtt-broker/howto-encrypt-internal-traffic.md).
+
 * Set [disk-backed message buffer](../manage-mqtt-broker/howto-disk-backed-message-buffer.md) with a max size that prevents RAM overflow.
 
-**Schema registry and storage**
+### Schema registry and storage
 
 In the Azure portal deployment wizard, the schema registry and its required storage account are set up in the **Dependency management** tab.
 
 * The storage account must have public network access enabled.
 * The storage account must have hierarchical namespace enabled.
 * The schema registry's managed identity must have contributor permissions for the storage account.
 
-**Fault tolerance**
+### Fault tolerance
 
 *Multi-node clusters*: Fault tolerance can be enabled in the **Dependency management** tab of the Azure portal deployment wizard. It's only supported on multi-node clusters, and is recommended for production deployment.
 
-**Secure settings**
+### Secure settings
 
 During deployment, you have the option to use test settings or secure settings. For production deployments, choose secure settings. If you're upgrading an existing test settings deployment for production, follow the steps in [Enable secure settings](./howto-enable-secure-settings.md).
 
-### Post-deployment
+## Post-deployment
 
 After deploying Azure IoT Operations, have the following configurations in place for a production scenario.
 
-**MQTT broker**
+### MQTT broker
 
 After deployment, you can [edit BrokerListener resources](../manage-mqtt-broker/howto-configure-brokerlistener.md):
 
@@ -109,14 +110,14 @@ When you create a new resource, manage its authorization:
 
 * [Create a BrokerAuthorization resource](../manage-mqtt-broker/howto-configure-authorization.md) and provide the least privilege needed for the topic asset.
 
-**OPC UA broker**
+### OPC UA broker
 
 For connecting to assets at production, [configure OPC UA authentication](../discover-manage-assets/overview-opcua-broker-certificates-management.md):
 
 * Don't use no-auth. Connectivity to OPC UA servers isn't supported without authentication.
 * Set up a secure connection to OPC UA server. Use a production PKI and [configure application certificates](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md#configure-a-self-signed-application-instance-certificate) and [trust list](../discover-manage-assets/howto-configure-opcua-certificates-infrastructure.md#configure-the-trusted-certificates-list).
 
-**Dataflows**
+### Dataflows
 
 When using dataflows in production:
 

articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md

@@ -156,7 +156,7 @@ Follow these steps to set up Secrets Management:
 
 Now that secret synchronization setup is complete, you can refer to [Manage Secrets](./howto-manage-secrets.md) to learn how to use secrets with Azure IoT Operations.
 
-## Set up user-assigned managed identity for cloud connections
+## Set up a user-assigned managed identity for cloud connections
 
 Some Azure IoT Operations components like dataflow endpoints use user-assigned managed identity for cloud connections. It's recommended to use a separate identity from the one used to set up Secrets Management.