Merge pull request #204769 from JnHs/jh-arc-rbref722

JamesJBarnett · web-flow · commit dff3a0a1a588 · 2022-07-14T14:31:21.000-07:00
refresh overview
diff --git a/articles/azure-arc/resource-bridge/overview.md b/articles/azure-arc/resource-bridge/overview.md
@@ -1,62 +1,68 @@
 ---
 title: Azure Arc resource bridge (preview) overview
 description: Learn how to use Azure Arc resource bridge (preview) to support VM self-servicing on Azure Stack HCI, VMware, and System Center Virtual Machine Manager.
-ms.date: 11/08/2021
+ms.date: 07/14/2022
 ms.topic: overview
 ms.custom: references_regions 
 ---
 
 # What is Azure Arc resource bridge (preview)?
 
-Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/overview) and VMware. The resource bridge is a packaged virtual machine, which hosts a *management* Kubernetes cluster that requires no user management. This virtual appliance delivers the following benefits:
+Azure Arc resource bridge (preview) is part of the core Azure Arc platform, and is designed to host other Azure Arc services. In this release, the resource bridge supports VM self-servicing and management from Azure, for virtualized Windows and Linux virtual machines hosted in an on-premises environment on [Azure Stack HCI](/azure-stack/hci/overview) and VMware.
 
-* Enables VM self-servicing from Azure without having to create and manage a Kubernetes cluster
-* It is fully supported by Microsoft, including update of core components.
+The resource bridge is a packaged virtual machine, which hosts a *management* Kubernetes cluster that requires no user management. This virtual appliance delivers the following benefits:
+
+* Enables VM self-servicing from Azure without having to create and manage a Kubernetes cluster.
+* Fully supported by Microsoft, including updates to core components.
 * Designed to recover from software failures.
 * Supports deployment to any private cloud hosted on Hyper-V or VMware from the Azure portal or using the Azure Command-Line Interface (CLI).
 
-All management operations are performed from Azure, no local configuration is required on the appliance.
+All management operations are performed from Azure, so no local configuration is required on the appliance.
 
 ## Overview
 
-Azure resource bridge (preview) hosts other components such as Custom Locations, cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:
+Azure Arc resource bridge (preview) hosts other components such as [custom locations](..\platform\conceptual-custom-locations.md), cluster extensions, and other Azure Arc agents in order to deliver the level of functionality with the private cloud infrastructures it supports. This complex system is composed of three layers:
 
-* The base layer that represents the resource bridge and the Arc agents
-* The platform layer that includes the Custom Location and Cluster extension
+* The base layer that represents the resource bridge and the Arc agents.
+* The platform layer that includes the custom location and cluster extension.
 * The solution layer for each service supported by Arc resource bridge (that is, the different type of VMs).
 
 :::image type="content" source="media/overview/architecture-overview.png" alt-text="Azure Arc resource bridge architecture diagram." border="false":::
 
 Azure Arc resource bridge (preview) can host other Azure services or solutions running on-premises. For this preview, there are two objects hosted on the Arc resource bridge (preview):
 
-* Cluster extension: Is the Azure service deployed to run on-premises. For the preview release, it supports two services:
+* Cluster extension: The Azure service deployed to run on-premises. For the preview release, it supports two services:
 
-   - Azure Arc-enabled VMware
+  * Azure Arc-enabled VMware
 
-   - Azure Arc-enabled Azure Stack HCI
+  * Azure Arc-enabled Azure Stack HCI
 
-* Custom Locations: Is a deployment target, where you can create Azure resources. It maps to different resource for different Azure services. For example, for Arc-enabled VMware, the Custom Locations resource maps to an instance of vCenter, and for Arc-enabled Azure Stack HCI, it maps to an HCI cluster instance.
+* Custom locations: A deployment target where you can create Azure resources. It maps to different resource for different Azure services. For example, for Arc-enabled VMware, the custom locations resource maps to an instance of vCenter, and for Arc-enabled Azure Stack HCI, it maps to an HCI cluster instance.
 
-Custom Locations and cluster extension are both Azure resources, they are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter or Azure Stack HCI cluster.
+Custom locations and cluster extension are both Azure resources, which are linked to the Azure Arc resource bridge (preview) resource in Azure Resource Manager. When you create an on-premises VM from Azure, you can select the custom location, and that routes that *create action* to the mapped vCenter or Azure Stack HCI cluster.
 
-There is a set of resources unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network and template to create a VM.
+Some resources are unique to the infrastructure. For example, vCenter has a resource pool, network, and template resources. During VM creation, these resources need to be specified. With Azure Stack HCI, you just need to select the custom location, network and template to create a VM.
 
-To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the Custom Locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted. You won't be able to start/stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.
+To summarize, the Azure resources are projections of the resources running in your on-premises private cloud. If the on-premises resource is not healthy, it can impact the health of the related resources. For example, if the Arc resource bridge (preview) has been deleted by accident, all the resources hosted in the Arc resource bridge (preview) are impacted. That is, the custom locations and cluster extensions are deleted as a result. The actual VMs are not impacted, as they are running on vCenter, but the management path to those VMs is interrupted, and you won't be able to start or stop the VM from Azure. It is not recommended to manage or modify the Arc resource bridge (preview) using any on-premises applications directly.
 
 ## Benefits of Azure Arc resource bridge (preview)
 
-Through the Azure Arc resource bridge (preview), you can accomplish the following for each private cloud infrastructure from Azure:
+Through Azure Arc resource bridge (preview), you can accomplish the following for each private cloud infrastructure from Azure:
+
+### VMware vSphere
 
-* VMware vSphere - By registering resource pools, networks, and VM templates in Azure you can represent a subset of your vCenter resources in Azure to enable self-service. Integration with Azure allows you to not only manage access to your vCenter resources in Azure to maintain a secure environment, but also to perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:
+By registering resource pools, networks, and VM templates, you can represent a subset of your vCenter resources in Azure to enable self-service. Integration with Azure allows you to manage access to your vCenter resources in Azure to maintain a secure environment. You can also perform various operations on the VMware virtual machines that are enabled by Arc-enabled VMware vSphere:
 
-- Start, stop, and restart a virtual machine
-- Control access and add Azure tags
-- Add, remove, and update network interfaces
-- Add, remove, and update disks and update VM size (CPU cores and memory)
-- Enable guest management
-- Install extensions
+* Start, stop, and restart a virtual machine
+* Control access and add Azure tags
+* Add, remove, and update network interfaces
+* Add, remove, and update disks and update VM size (CPU cores and memory)
+* Enable guest management
+* Install extensions
 
-* Azure Stack HCI - You can provision and manage on-premises Windows and Linux virtual machines (VMs) running on Azure Stack HCI clusters.
+### Azure Stack HCI
+
+You can provision and manage on-premises Windows and Linux virtual machines (VMs) running on Azure Stack HCI clusters.
 
 ## Prerequisites
 
@@ -70,9 +76,8 @@ If you are deploying on Azure Stack HCI, the x32 Azure CLI installer can be used
 
 Azure Arc resource bridge currently supports the following Azure regions:
 
-- East US
-
-- West Europe
+* East US
+* West Europe
 
 ### Regional resiliency
 
@@ -87,29 +92,16 @@ The following private cloud environments and their versions are officially suppo
 
 ### Required Azure permissions
 
-* To onboard the Arc resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
-
-* To read, modify, and delete the resource bridge, you are a member of the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role in the resource group.
+* To onboard the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.
+* To read, modify, and delete the Arc resource bridge, you must have the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) role for the resource group.
 
 ### Networking
 
 The Arc resource bridge communicates outbound securely to Azure Arc over TCP port 443. If the appliance needs to connect through a firewall or proxy server to communicate over the internet, it communicates outbound using the HTTPS protocol.
 
-If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked.
-
-URLS:
-
-| Agent resource | Description |
-|---------|---------|
-|`https://mcr.microsoft.com`|Microsoft container registry|
-|`https://*.his.arc.azure.com`|Azure Arc Identity service|
-|`https://*.dp.kubernetesconfiguration.azure.com`|Azure Arc configuration service|
-|`https://*.servicebus.windows.net`|Cluster connect|
-|`https://guestnotificationservice.azure.com` |Guest notification service|
-|`https://*.dp.prod.appliances.azure.com`|Resource bridge data plane service|
-|`https://ecpacr.azurecr.io` |Resource bridge container image download |
-|`.blob.core.windows.net`<br> `*.dl.delivery.mp.microsoft.com`<br> `*.do.dsp.mp.microsoft.com` |Resource bridge image download |
+You may need to allow specific URLs to [ensure outbound connectivity is not blocked](troubleshoot-resource-bridge.md#restricted-outbound-connectivity) by your firewall or proxy server.
 
 ## Next steps
 
-To learn more about how Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure, see the following [Overview](../vmware-vsphere/overview.md) article.
+* Learn more about [how Azure Arc-enabled VMware vSphere extends Azure's governance and management capabilities to VMware vSphere infrastructure](../vmware-vsphere/overview.md).
+* Learn more about [provisioning and managing on-premises Windows and Linux VMs running on Azure Stack HCI clusters](/azure-stack/hci/manage/azure-arc-enabled-virtual-machines).
diff --git a/articles/azure-arc/resource-bridge/security-overview.md b/articles/azure-arc/resource-bridge/security-overview.md
@@ -2,7 +2,7 @@
 title: Azure Arc resource bridge (preview) security overview 
 description: Security information about Azure resource bridge (preview).
 ms.topic: conceptual
-ms.date: 11/08/2021
+ms.date: 07/14/2022
 ---
 
 # Azure Arc resource bridge (preview) security overview
@@ -11,22 +11,23 @@ This article describes the security configuration and considerations you should
 
 ## Using a managed identity
 
-By default, an Azure Active Directory system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge (preview) currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.
+By default, an Azure Active Directory system-assigned [managed identity](../../active-directory/managed-identities-azure-resources/overview.md) is created and assigned to the Azure Arc resource bridge (preview). Azure Arc resource bridge currently supports only a system-assigned identity. The `clusteridentityoperator` identity initiates the first outbound communication and fetches the Managed Service Identity (MSI) certificate used by other agents for communication with Azure.
 
 ## Identity and access control
 
 Azure Arc resource bridge (preview) is represented as a resource in a resource group inside an Azure subscription. Access to this resource is controlled by standard [Azure role-based access control](../../role-based-access-control/overview.md). From the [**Access Control (IAM)**](../../role-based-access-control/role-assignments-portal.md) page in the Azure portal, you can verify who has access to your Azure Arc resource bridge (preview).
 
-Users and applications granted [contributor](../../role-based-access-control/built-in-roles.md#contributor) or administrator role access to the resource can make changes to the resource, including deploying or deleting cluster extensions.
+Users and applications who are granted the [Contributor](../../role-based-access-control/built-in-roles.md#contributor) or Administrator role to the resource group can make changes to the resource bridge, including deploying or deleting cluster extensions.
 
 ## Data encryption at rest
 
-The Azure Arc resource bridge stores the resource information in the Cosmos DB, and as described in the [Encryption at rest in Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md) article, all the data is encrypted at rest.
+The Azure Arc resource bridge stores resource information in Azure Cosmos DB. As described in  [Encryption at rest in Azure Cosmos DB](../../cosmos-db/database-encryption-at-rest.md), all the data is encrypted at rest.
 
 ## Security audit logs
 
-The Activity log is a platform log in Azure that provides insight into subscription-level events. This includes such information as when the Azure Arc resource bridge is modified, deleted, or added. You can view the Activity log in the Azure portal or retrieve entries with PowerShell and CLI. See [View the Activity log](../../azure-monitor/essentials/activity-log.md#view-the-activity-log) for details. See [retention of the Activity log](../../azure-monitor/essentials/activity-log.md#retention-period) for details.
+The [activity log](../../azure-monitor/essentials/activity-log.md) is a platform log in Azure that provides insight into subscription-level events. This includes tracking when the Azure Arc resource bridge is modified, deleted, or added. You can [view the activity log](../../azure-monitor/essentials/activity-log.md#view-the-activity-log) in the Azure portal or retrieve entries with PowerShell and Azure CLI. By default, activity log events are [retained for 90 days](../../azure-monitor/essentials/activity-log.md#retention-period) and then deleted.
 
 ## Next steps
 
-Before evaluating or enabling Azure Arc-enabled vSphere or Azure Stack HCI, review the Azure Arc resource bridge (preview) [overview](overview.md) to understand requirements and technical details.
+- Review the [Azure Arc resource bridge (preview) overview](overview.md) to understand more about requirements and technical details.
+- Learn more about [Azure Arc](../overview.md).
diff --git a/articles/azure-arc/resource-bridge/troubleshoot-resource-bridge.md b/articles/azure-arc/resource-bridge/troubleshoot-resource-bridge.md
@@ -1,7 +1,7 @@
 ---
 title: Troubleshoot Azure Arc resource bridge (preview) issues
 description: This article tells how to troubleshoot and resolve issues with the Azure Arc resource bridge (preview) when trying to deploy or connect to the service.
-ms.date: 06/27/2022
+ms.date: 07/14/2022
 ms.topic: conceptual
 ---
 
@@ -120,6 +120,23 @@ When the appliance is deployed to a host resource pool, there is no high availab
 
 ## Networking issues
 
+### Restricted outbound connectivity
+
+If outbound connectivity is restricted by your firewall or proxy server, make sure the URLs listed below are not blocked.
+
+URLS:
+
+| Agent resource | Description |
+|---------|---------|
+|`https://mcr.microsoft.com`|Microsoft container registry|
+|`https://*.his.arc.azure.com`|Azure Arc Identity service|
+|`https://*.dp.kubernetesconfiguration.azure.com`|Azure Arc configuration service|
+|`https://*.servicebus.windows.net`|Cluster connect|
+|`https://guestnotificationservice.azure.com` |Guest notification service|
+|`https://*.dp.prod.appliances.azure.com`|Resource bridge data plane service|
+|`https://ecpacr.azurecr.io` |Resource bridge container image download |
+|`.blob.core.windows.net`<br> `*.dl.delivery.mp.microsoft.com`<br> `*.do.dsp.mp.microsoft.com` |Resource bridge image download |
+
 ### Azure Arc resource bridge is unreachable
 
 Azure Arc resource bridge (preview) runs a Kubernetes cluster, and its control plane requires a static IP address. The IP address is specified in the `infra.yaml` file. If the IP address is assigned from a DHCP server, the address can change if not reserved. Rebooting the Azure Arc resource bridge (preview) or VM can trigger an IP address change, resulting in failing services.
