Merge pull request #90579 from cherylmc/auto

update

Author: PRMerger7

articles/virtual-wan/virtual-wan-configure-automation-providers.md

@@ -6,7 +6,7 @@ author: cherylmc
 
 ms.service: virtual-wan
 ms.topic: conceptual
-ms.date: 09/30/2019
+ms.date: 10/03/2019
 ms.author: cherylmc
 #Customer intent: As a Virtual WAN software-defined connectivity provider, I want to set up a provisioning environment.
 ---
@@ -20,15 +20,24 @@ A branch device (a customer on-premises VPN device or SDWAN CPE) typically uses
 ## <a name ="before"></a>Before you begin automating
 
 * Verify that your device supports IPsec IKEv1/IKEv2. See [default policies](#default).
-* See the [REST APIs](https://docs.microsoft.com/rest/api/azure/) that you will use to automate connectivity to Azure Virtual WAN.
+* View the [REST APIs](#additional) that you use to automate connectivity to Azure Virtual WAN.
 * Test out the portal experience of Azure Virtual WAN.
 * Then, decide which part of the connectivity steps you would like to automate. At a minimum, we recommend automating:
 
   * Access Control
   * Upload of branch device information into Azure Virtual WAN
   * Downloading Azure configuration and setting up connectivity from branch device into Azure Virtual WAN
 
-* Understand the expected customer experience in conjunction with Azure Virtual WAN.
+### <a name ="additional"></a>Additional information
+
+* [REST API](https://docs.microsoft.com/rest/api/virtualwan/virtualhubs) to automate Virtual Hub creation
+* [REST API](https://docs.microsoft.com/rest/api/virtualwan/vpngateways) to automate Azure VPN gateway for Virtual WAN
+* [REST API](https://docs.microsoft.com/rest/api/virtualwan/vpnconnections) to connect a VPNSite to an Azure VPN Hub
+* [Default IPsec policies](#default)
+
+## <a name ="ae"></a>Customer experience
+
+Understand the expected customer experience in conjunction with Azure Virtual WAN.
 
   1. Typically, a virtual WAN user will start the process by creating a Virtual WAN resource.
   2. The user will set up a service principal-based resource group access for the on-premises system (your branch controller or VPN device provisioning software) to write branch info into Azure Virtual WAN.
@@ -38,8 +47,7 @@ A branch device (a customer on-premises VPN device or SDWAN CPE) typically uses
   6. At the end of this step in your solution, the user will have a seamless site-to-site connection between the branch device and virtual hub. You can also set up additional connections across other hubs. Each connection is an active-active tunnel. Your customer may choose to use a different ISP for each of the links for the tunnel.
   7. Consider providing troubleshooting and monitoring capabilities in the CPE management interface. Typical scenarios include "Customer not able to access Azure resources due to a CPE issue", "Show IPsec parameters at the CPE side" etc.
 
-## <a name ="understand"></a>Understand automation details
-
+## <a name ="understand"></a>Automation details
 
 ###  <a name="access"></a>Access control
 
@@ -52,19 +60,18 @@ Customers must be able to set up appropriate access control for Virtual WAN in t
 
 ###  <a name="branch"></a>Upload branch device information
 
-Design the user-experience to upload branch (on-premises site) information to Azure. [REST APIs](https://docs.microsoft.com/rest/api/virtualwan/vpnsites) for VPNSite can be used to create the site information in Virtual WAN. You can provide all branch SDWAN/VPN devices or select device customizations as appropriate.
-
+You should design the user experience to upload branch (on-premises site) information to Azure. You can use [REST APIs](https://docs.microsoft.com/rest/api/virtualwan/vpnsites) for VPNSite to create the site information in Virtual WAN. You can provide all branch SDWAN/VPN devices or select device customizations as appropriate.
 
 ### <a name="device"></a>Device configuration download and connectivity
 
-This step involves downloading Azure configuration and setting up connectivity from the branch device into Azure Virtual WAN. In this step, a customer that is not using a provider would manually download the Azure configuration and apply it to their on-premises SDWAN/VPN device. As a provider, you should automate this step. The device controller can call 'GetVpnConfiguration' REST API to download the Azure configuration, which will typically look similar to the following file.
+This step involves downloading Azure configuration and setting up connectivity from the branch device into Azure Virtual WAN. In this step, a customer that is not using a provider would manually download the Azure configuration and apply it to their on-premises SDWAN/VPN device. As a provider, you should automate this step. View the download [REST APIs](https://docs.microsoft.com/rest/api/virtualwan/vpnsitesconfiguration/download) for additional information. The device controller can call 'GetVpnConfiguration' REST API to download the Azure configuration.
 
 **Configuration notes**
 
   * If Azure VNets are attached to the virtual hub, they will appear as ConnectedSubnets.
   * VPN connectivity uses route-based configuration and supports both IKEv1, and IKEv2 protocols.
 
-#### Understanding the device configuration file
+## <a name="devicefile"></a>Device configuration file
 
 The device configuration file contains the settings to use when configuring your on-premises VPN device. When you view this file, notice the following information:
 
@@ -89,7 +96,7 @@ The device configuration file contains the settings to use when configuring your
         ```
     * **Vpngateway connection configuration details** such as BGP, pre-shared key etc. The PSK is the pre-shared key that is automatically generated for you. You can always edit the connection in the Overview page for a custom PSK.
   
-#### Example device configuration file
+**Example device configuration file**
 
   ```
   { 
@@ -194,11 +201,7 @@ The device configuration file contains the settings to use when configuring your
    }
   ```
 
-## <a name="default"></a>Default policies for IPsec connectivity
-
-[!INCLUDE [IPsec](../../includes/virtual-wan-ipsec-include.md)]
-
-### Does everything need to match between the virtual hub vpngateway policy and my on-premises SDWAN/VPN device or SD-WAN configuration?
+## <a name="default"></a>Connectivity details
 
 Your on-premises SDWAN/VPN device or SD-WAN configuration must match or contain the following algorithms and parameters, which you specify in the Azure IPsec/IKE policy.
 
@@ -209,6 +212,12 @@ Your on-premises SDWAN/VPN device or SD-WAN configuration must match or contain
 * IPsec integrity algorithm
 * PFS Group
 
+### <a name="default"></a>Default policies for IPsec connectivity 
+
+When working with Default policies, Azure can act as both initiator and responder during an IPsec tunnel setup. There is no support for Azure as a responder only.
+
+[!INCLUDE [IPsec](../../includes/virtual-wan-ipsec-include.md)]
+
 ## Next steps
 
 For more information about Virtual WAN, see [About Azure Virtual WAN](virtual-wan-about.md) and the [Azure Virtual WAN FAQ](virtual-wan-faq.md).