Commit e7bd765

Merge pull request #300018 from mbender-ms/nsp-update-docs-wording
network security perimeter | Major Update | Update docs for transition mode addition
2 parents fcfbf95 + 8129455 commit e7bd765

4 files changed

+31
-29
lines changed

articles/private-link/network-security-perimeter-concepts.md

Lines changed: 3 additions & 3 deletions
@@ -6,7 +6,7 @@ author: mbender-ms
66
ms.author: mbender
77
ms.service: azure-private-link
88
ms.topic: overview
9-
ms.date: 01/06/2025
9+
ms.date: 05/16/2025
1010
ms.custom: references_regions, ignite-2024
1111
#CustomerIntent: As a network security administrator, I want to understand how to use Network Security Perimeter to control network access to Azure PaaS resources.
1212
---
@@ -59,11 +59,11 @@ Administrators add PaaS resources to a perimeter by creating resource associatio
5959

6060
| **Mode** | **Description** |
6161
|----------------|--------|
62-
| **Learning mode** | - Default access mode.</br>- Helps network administrators to understand the existing access patterns of their PaaS resources.</br>- Advised mode of use before transitioning to enforced mode.|
62+
| **Transition mode (formerly Learning mode)** | - Default access mode.</br>- Helps network administrators to understand the existing access patterns of their PaaS resources.</br>- Advised mode of use before transitioning to enforced mode.|
6363
| **Enforced mode** | - Must be set by the administrator.</br>- By default, all traffic except intra perimeter traffic is denied in this mode unless an *Allow* access rule exists. |
6464

6565

66-
Learn more on transitioning from learning mode to enforced mode in [Transitioning to a network security perimeter](network-security-perimeter-transition.md) article.
66+
Learn more on move from transition mode (formerly learning mode) to enforced mode in [Transitioning to a network security perimeter](network-security-perimeter-transition.md) article.
6767

6868
## Why use a network security perimeter?
6969

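Review bot: the replacement sentence at new line 66 is ungrammatical: "Learn more on move from transition mode (formerly learning mode) to enforced mode in [...] article." Suggest "Learn more about moving from transition mode (formerly learning mode) to enforced mode in the [Transitioning to a network security perimeter](network-security-perimeter-transition.md) article." The table row at new line 62 capitalizes both names ("Transition mode (formerly Learning mode)"), so the sentence should match that casing rather than introduce a lowercase variant two lines later.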
articles/private-link/network-security-perimeter-diagnostic-logs.md

Lines changed: 13 additions & 10 deletions
@@ -6,7 +6,7 @@ author: mbender-ms
66
ms.author: mbender
77
ms.service: azure-private-link
88
ms.topic: concept-article
9-
ms.date: 03/25/2025
9+
ms.date: 05/16/2025
1010
ms.custom: references_regions, ignite-2024
1111
#CustomerIntent: As a network administrator, I want to enable diagnostic logging for Network Security Perimeter, so that I can monitor and analyze the network traffic to and from my resources.
1212
---
@@ -23,17 +23,20 @@ Access logs categories for a network security perimeter are based on the results
2323

2424
| **Log category** | **Description** | **Applicable to Modes** |
2525
| --- | --- | --- |
26-
| **NspPublicInboundPerimeterRulesAllowed** | Inbound access is allowed based on network security perimeter access rules. | Learning/Enforced |
26+
| **NspPublicInboundPerimeterRulesAllowed** | Inbound access is allowed based on network security perimeter access rules. | Transition/Enforced |
2727
| **NspPublicInboundPerimeterRulesDenied** | Public inbound access denied by network security perimeter. | Enforced |
28-
| **NspPublicOutboundPerimeterRulesAllowed** | Outbound access is allowed based on network security perimeter access rules. | Learning/Enforced |
28+
| **NspPublicOutboundPerimeterRulesAllowed** | Outbound access is allowed based on network security perimeter access rules. | Transition/Enforced |
2929
| **NspPublicOutboundPerimeterRulesDenied** | Public outbound access denied by network security perimeter. | Enforced |
30-
| **NspOutboundAttempt** | Outbound attempt within network security perimeter. | Learning/Enforced |
31-
| **NspIntraPerimeterInboundAllowed** | Inbound access within perimeter is allowed. | Learning/Enforced |
32-
| **NspPublicInboundResourceRulesAllowed** | When network security perimeter rules deny, inbound access is allowed based on PaaS resource rules. | Learning |
33-
| **NspPublicInboundResourceRulesDenied** | When network security perimeter rules deny, inbound access denied by PaaS resource rules. | Learning |
34-
| **NspPublicOutboundResourceRulesAllowed** | When network security perimeter rules deny, outbound access allowed based on PaaS resource rules. | Learning |
35-
| **NspPublicOutboundResourceRulesDenied** | When network security perimeter rules deny, outbound access denied by PaaS resource rules. | Learning |
36-
| **NspPrivateInboundAllowed** | Private endpoint traffic is allowed. | Learning/Enforced |
30+
| **NspOutboundAttempt** | Outbound attempt within network security perimeter. | Transition/Enforced |
31+
| **NspIntraPerimeterInboundAllowed** | Inbound access within perimeter is allowed. | Transition/Enforced |
32+
| **NspPublicInboundResourceRulesAllowed** | When network security perimeter rules deny, inbound access is allowed based on PaaS resource rules. | Transition |
33+
| **NspPublicInboundResourceRulesDenied** | When network security perimeter rules deny, inbound access denied by PaaS resource rules. | Transition |
34+
| **NspPublicOutboundResourceRulesAllowed** | When network security perimeter rules deny, outbound access allowed based on PaaS resource rules. | Transition |
35+
| **NspPublicOutboundResourceRulesDenied** | When network security perimeter rules deny, outbound access denied by PaaS resource rules. | Transition |
36+
| **NspPrivateInboundAllowed** | Private endpoint traffic is allowed. | Transition/Enforced |
37+
38+
> [!NOTE]
39+
> The available access modes for a network security perimeter are **Transition** and **Enforced**. The **Transition** mode was previously named **Learning** mode. You may continue to see references to **Learning** mode in some instances.
3740
3841
## Logging destination options for access logs
3942

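Review bot: the new note at lines 38-39 explains the rename but leaves the reader to infer why the four *ResourceRules* categories at new lines 32-35 apply to Transition only; the table's own descriptions say these events fire "when network security perimeter rules deny" and access falls back to PaaS resource rules, so one added sentence stating that this fallback, and therefore these four log categories, does not occur in Enforced mode would make the column self-explanatory and tell anyone alerting on these categories that they stop appearing once the mode is switched. Minor: line 33 still reads "inbound access denied by PaaS resource rules" where the neighbouring row at line 32 says "is allowed"; since the row is rewritten anyway, add the missing "is".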
articles/private-link/network-security-perimeter-transition.md

Lines changed: 14 additions & 16 deletions
@@ -1,63 +1,61 @@
11
---
2-
title: Transition to a network security perimeter in Azure
2+
title: Transition to a Network Security Perimeter in Azure
33
titleSuffix: Azure Private Link
4-
description: Learn about the different access modes and how to transition to a network security perimeter in Azure.
4+
description: Learn how to transition to a network security perimeter in Azure, explore access modes, and secure your resources.
55
author: mbender-ms
66
ms.author: mbender
77
ms.service: azure-private-link
8-
ms.custom:
9-
- ignite-2024
108
ms.topic: overview
11-
ms.date: 11/06/2024
9+
ms.date: 05/16/2025
1210
#CustomerIntent: As a network administrator, I want to understand the different access modes and how to transition to a network security perimeter in Azure.
1311
---
1412

1513
# Transition to a network security perimeter in Azure
1614

17-
In this article, you learn about the different access modes and how to transition to a [network security perimeter](./network-security-perimeter-concepts.md) in Azure. Access modes control the resource's access and logging behavior.
15+
In this article, you learn about the different access modes and how to transition to a [network security perimeter](./network-security-perimeter-concepts.md) in Azure. Access modes control resource access and logging behavior, helping you secure your Azure resources.
1816

1917
## Access mode configuration point on resource associations
2018

2119
The **access mode** configuration point is part of a resource association on the perimeter and therefore can be set by the perimeter's administrator.
2220

2321
The property `accessMode` can be set in a resource association to control the resource's public network access.
2422

25-
The possible values of `accessMode` are currently **Enforced** and **Learning**.
23+
The possible values of `accessMode` are currently **Enforced** and **Transition**.
2624

2725
| **Access Mode** | **Description** |
2826
|-------------|-------------|
29-
| **Learning** | This is the default access mode. Evaluation in this mode will use the network security perimeter configuration as a baseline, but in the case of not finding a matching rule, evaluation will fall back to the resource firewall configuration which can then approve access with existing settings. |
27+
| **Transition** | This is the default access mode. Evaluation in this mode uses the network security perimeter configuration as a baseline. When it doesn't find a matching rule, evaluation falls back to the resource firewall configuration which can then approve access with existing settings. |
3028
| **Enforced** | When explicitly set, the resource obeys **only** network security perimeter access rules. |
3129

3230
## Prevent connectivity disruptions while adopting network security perimeter
3331

34-
### Enable Learning mode
32+
### Enable Transition mode
3533

36-
To prevent undesired connectivity disruptions while adopting network security perimeter to existing PaaS resources and ensure a smooth transition to secure configurations, administrators can add PaaS resources to network security perimeter in Learning mode. While this step does not secure the PaaS resources, it will:
34+
To prevent undesired connectivity disruptions while adopting network security perimeter to existing PaaS resources and ensure a smooth transition to secure configurations, administrators can add PaaS resources to network security perimeter in Transition mode (formerly Learning mode). While this step doesn't secure the PaaS resources, it will:
3735

3836
- Allow connections to be established in accordance with the network security perimeter configuration. Additionally, resources in this configuration fallback to honoring resource-defined firewall rules and trusted access behavior when connections aren't permitted by the network security perimeter access rules.
39-
- When diagnostic logs are enabled, generates logs detailing whether connections were approved based on network security perimeter configuration or the resource's configuration. Administrators can then analyse those logs to identify gaps in access rules, missing perimeter memberships, and undesired connections.
37+
- When diagnostic logs are enabled, generates logs detailing whether connections were approved based on network security perimeter configuration or the resource's configuration. Administrators can then analyze those logs to identify gaps in access rules, missing perimeter memberships, and undesired connections.
4038

4139

4240
> [!IMPORTANT]
43-
> Operating PaaS resources in **Learning** mode should serve only as a transitional step. Malicious actors may exploit unsecured resources to exfiltrate data. Therefore, it is crucial to transition to a fully secure configuration as soon as possible with the access mode set to **Enforced**.
41+
> Operating PaaS resources in **Transition (formerly Learning)** mode should serve only as a transitional step. Malicious actors may exploit unsecured resources to exfiltrate data. Therefore, it's crucial to transition to a fully secure configuration as soon as possible with the access mode set to **Enforced**.
4442
4543
### Transition to enforced mode for existing resources
4644

47-
To fully secure your public access, it is essential to move to enforced mode in network security perimeter. Things to consider before moving to enforced mode are the impact on public, private, trusted, and perimeter access. When in enforced mode, the behavior of network access on associated PaaS resources across different types of PaaS resources can be summarised as follows:
45+
To fully secure your public access, it's essential to move to enforced mode in network security perimeter. Things to consider before moving to enforced mode are the impact on public, private, trusted, and perimeter access. When in enforced mode, the behavior of network access on associated PaaS resources across different types of PaaS resources can be summarized as follows:
4846

4947
- **Public access:** Public access refers to inbound or outbound requests made through public networks. PaaS resources secured by a network security perimeter have their inbound and outbound public access disabled by default, but network security perimeter access rules can be used to selectively allow public traffic that matches them.
5048
- **Perimeter access:** Perimeter access refers to inbound or outbound requests between the resources part of the same network security perimeter. To prevent data infiltration and exfiltration, such perimeter traffic will never cross perimeter boundaries unless explicitly approved as public traffic at both source and destination in enforced mode. Manged identity needs to be assigned on resources for perimeter access.
51-
- **Trusted access:** Trusted service access refers to a feature few Azure services that enables access through public networks when its origin is specific Azure services that are considered trusted. Since network security perimeter provides more granular control than trusted access, Trusted access is not supported in enforced mode.
52-
- **Private access:** Access via Private Links is not impacted by network security perimeter.
49+
- **Trusted access:** Trusted service access refers to a feature few Azure services that enables access through public networks when its origin is specific Azure services that are considered trusted. Since network security perimeter provides more granular control than trusted access, Trusted access isn't supported in enforced mode.
50+
- **Private access:** Access via Private Links isn't impacted by network security perimeter.
5351

5452
## Moving new resources into network security perimeter
5553

5654
Network security perimeter supports secure by default behavior by introducing a new property under `publicNetworkAccess` called `SecuredbyPerimeter`. When set, it locks down public access and prevents PaaS resources from being exposed to public networks.
5755

5856
On resource creation, if `publicNetworkAccess` is set to `SecuredByPerimeter`, the resource is created in the lockdown mode even when not associated with a perimeter. Only private link traffic will be allowed if configured. Once associated to a perimeter, network security perimeter governs the resource access behavior. The following table summarizes access behavior in various modes and public network access configuration:
5957

60-
| **Association access mode** | **Not associated** | **Learning mode** | **Enforced mode** |
58+
| **Association access mode** | **Not associated** | **Transition mode** | **Enforced mode** |
6159
|-----------------|-------------------|-----------------|-----------------|
6260
| **Public network access** | | | |
6361
| **Enabled** | **Inbound:** Resource rules</br></br>**Outbound** Allowed | **Inbound:** Network security perimeter + Resource rules</br>**Outbound** Network security perimeter rules + Allowed | **Inbound:** Network security perimeter rules</br>**Outbound** Network security perimeter rules |
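Review bot: new line 49 carries over a grammar error from the old text: "refers to a feature few Azure services that enables access" should read "refers to a feature of a few Azure services that enables access"; the line is already being edited for the contraction, so fix it here. Two other points in this hunk: the front matter drops `ms.custom:` / `- ignite-2024` (old lines 8-9) while the other two articles in this PR keep `ms.custom: references_regions, ignite-2024`, so confirm the removal is intentional; and the new title "Transition to a Network Security Perimeter in Azure" (line 2) switches to title case while the H1 at line 13 and the `description` keep the lowercase "network security perimeter". Unchanged context line 48 also has the typo "Manged identity".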

includes/network-security-perimeter-limits.md

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ Network security perimeter has other limitations as follows:
2929
|-----------------|-------------|
3030
| **Resource group move operation cannot be performed if multiple network security perimeters are present** | If there are multiple network security perimeters present in the same resource group, then the network security perimeter cannot be moved across resource groups/subscriptions. |
3131
| **Associations must be removed before deleting network security perimeter** | Forced delete option is currently unavailable. Thus all associations must be removed before deleting a network security perimeter. Only remove associations after taking precautions for allowing access previously controlled by network security perimeter. |
32+
| **Association creations through SDK fails with permission issue** | Status: 403 (Forbidden) ; ErrorCode: AuthorizationFailed, might be received while performing action 'Microsoft.Network/locations/networkSecurityPerimeterOperationStatuses/read' over scope '/subscriptions/xyz/providers/Microsoft.Network/locations/xyz/networkSecurityPerimeterOperationStatuses/xyz'. <br> <br> Until the fix, use permission 'Microsoft.Network/locations/*/read' or use WaitUntil.Started in CreateOrUpdateAsync SDK API for association creations. |
3233
| **Resource names cannot be longer than 44 characters to support network security perimeter** | The network security perimeter resource association created from the Azure portal has the format `{resourceName}-{perimeter-guid}`. To align with the requirement name field can't have more than 80 characters, resources names would have to be limited to 44 characters. |
3334
| **Service endpoint traffic is not supported.** | It's recommended to use private endpoints for IaaS to PaaS communication. Currently, service endpoint traffic can be denied even when an inbound rule allows 0.0.0.0/0. |
3435

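Review bot: the new row at line 32 has a subject-verb mismatch in its title ("Association creations through SDK fails" should be "Association creation through SDK fails"), and it lists the permission workaround before the non-permission one: 'Microsoft.Network/locations/*/read' is a wildcard grant wider than the single action the error names ('Microsoft.Network/locations/networkSecurityPerimeterOperationStatuses/read'), so suggest presenting `WaitUntil.Started` on `CreateOrUpdateAsync` first and the wildcard read permission as the fallback, so readers don't widen a role assignment they don't need to. "Until the fix" also gives no way to tell when the row becomes stale; a date or tracking reference would help, and the row uses `<br> <br>` where the other tables in this PR use `</br>`.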