Commit e88fa2e

committed
Additional changes.
1 parent 2be9064 commit e88fa2e

3 files changed

+31
-17
lines changed

articles/storage/elastic-san/elastic-san-configure-service-endpoints.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -218,7 +218,7 @@ All incoming requests for data over a service endpoint are blocked by default. O
218218
You can manage virtual network rules for volume groups through the Azure portal, PowerShell, or CLI.
219219
220220
> [!IMPORTANT]
221-
> If you want to enable access to your storage account from a virtual network/subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal does not show subnets in other Microsoft Entra tenants.
221+
> To enable access to your storage account from a virtual network/subnet in another Microsoft Entra tenant, you must use PowerShell or the Azure CLI. The Azure portal doesn't show subnets in other Microsoft Entra tenants.
222222
>
223223
> If you delete a subnet that has been included in a network rule, it will be removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.
224224
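Review bot: The rewritten IMPORTANT line at 221 still says "access to your storage account", although the sentence at line 218 and the rest of the callout are about volume groups. Since the line is being edited anyway, change it to "access to your volume group" so readers don't go looking for this rule on a storage account. The unchanged sentence at 223 also keeps "it will be removed", while the same sentence in elastic-san-networking-concepts.md reads "it's removed"; align the two.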

articles/storage/elastic-san/elastic-san-create.md

Lines changed: 24 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn how to deploy an Azure Elastic SAN with the Azure portal, Azu
44
author: roygara
55
ms.service: azure-elastic-san-storage
66
ms.topic: how-to
7-
ms.date: 10/24/2024
7+
ms.date: 06/10/2025
88
ms.author: rogarana
99
ms.custom: references_regions, devx-track-azurepowershell, devx-track-azurecli
1010
---
@@ -59,6 +59,7 @@ Use one of these sets of sample code to create an Elastic SAN that uses locally
5959
| `<UnusedSizeTiB>` | The capacity (in TiB) on your Elastic SAN that you want to keep free and unused. If you use more space than this amount, the scale-up operation is automatically triggered, increasing the size of your SAN. This parameter is optional but is required to enable autoscaling. |
6060
|`<IncreaseCapacityUnitByTiB>` | This parameter sets the TiB of additional capacity units that your SAN scales up by when autoscale gets triggered. This parameter is optional but is required to enable autoscaling. |
6161
|`<CapacityUnitScaleUpLimit>` | This parameter sets the maximum capacity (size) that your SAN can grow to using autoscaling. Your SAN won't automatically scale past this size. This parameter is optional but is required to enable autoscaling. |
62+
|`<-PublicNetworkAccess>` | This parameter allows or disallows public network access to ElasticSan. It's optional, but if passed in must be `Enabled` or `Disabled`. Enable if you're using service endpoints, disable if you're exclusively using private endpoints.|
6263

6364
The following command creates an Elastic SAN that uses locally redundant storage without autoscaling enabled.
6465
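Review bot: The new table row at line 62 names its placeholder `<-PublicNetworkAccess>` with a leading hyphen, while the neighbouring rows use bare value names such as `<UnusedSizeTiB>` and the CLI table uses `<public-network-access>`. The PowerShell commands changed later in this file pass the literal `Disabled` rather than a placeholder, so this row documents a token that never appears in the script. Either drop the hyphen and introduce a matching variable in the scripts, or reword the row to describe the `-PublicNetworkAccess` parameter directly. "ElasticSan" in the description should also read "your Elastic SAN" to match the rest of the article.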

@@ -75,7 +76,7 @@ $Zone = <Zone>
7576
Connect-AzAccount
7677
7778
# Create the SAN.
78-
New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -AvailabilityZone $Zone -Location $Location -BaseSizeTib 100 -ExtendedCapacitySizeTiB 20 -SkuName Premium_LRS
79+
New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -AvailabilityZone $Zone -Location $Location -BaseSizeTib 100 -ExtendedCapacitySizeTiB 20 -SkuName Premium_LRS -PublicNetworkAccess Disabled
7980
```
8081

8182
The following command creates an Elastic SAN that uses locally redundant storage with autoscaling enabled.
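Review bot: The `-PublicNetworkAccess Disabled` added on line 79 is hard-coded, yet the parameter table says to enable public network access when using service endpoints, so a reader on the service-endpoint path who copies this command gets the setting the table tells them not to use. Showing `Disabled` as the default is reasonable, but add a comment above the command saying to switch to `Enabled` for service endpoints, or take the value from a variable like the other parameters. The same point applies to the two other `New-AzElasticSAN` commands changed in this file.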
@@ -97,7 +98,7 @@ $CapacityUnitScaleUpLimit = <CapacityUnitScaleUpLimit>
9798
Connect-AzAccount
9899
99100
# Create the SAN.
100-
New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -AvailabilityZone $Zone -Location $Location -BaseSizeTib 100 -ExtendedCapacitySizeTiB 20 -SkuName Premium_LRS -AutoScalePolicyEnforcement $AutoScalePolicyEnforcement -UnusedSizeTiB $UnusedSizeTiB -IncreaseCapacityUnitByTiB $IncreaseCapacityUnitByTiB -CapacityUnitScaleUpLimit $CapacityUnitScaleUpLimit
101+
New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -AvailabilityZone $Zone -Location $Location -BaseSizeTib 100 -ExtendedCapacitySizeTiB 20 -SkuName Premium_LRS -AutoScalePolicyEnforcement $AutoScalePolicyEnforcement -UnusedSizeTiB $UnusedSizeTiB -IncreaseCapacityUnitByTiB $IncreaseCapacityUnitByTiB -CapacityUnitScaleUpLimit $CapacityUnitScaleUpLimit -PublicNetworkAccess Disabled
101102
```
102103

103104
The following command creates an Elastic SAN that uses zone-redundant storage, without enabling autoscale.
@@ -111,7 +112,7 @@ $VolumeName = "<VolumeName>"
111112
$Location = "<Location>"
112113
113114
# Create the SAN
114-
New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -Location $Location -SkuName Premium_ZRS
115+
New-AzElasticSAN -ResourceGroupName $RgName -Name $EsanName -Location $Location -SkuName Premium_ZRS -PublicNetworkAccess Disabled
115116
```
116117

117118
# [Azure CLI](#tab/azure-cli)
@@ -133,7 +134,7 @@ Use one of these sets of sample code to create an Elastic SAN that uses locally
133134
|`<IncreaseCapacityUnitByTiB>` | This parameter sets the TiB of additional capacity units that your SAN scales up by when autoscale gets triggered. This parameter is optional but is required to enable autoscaling. |
134135
|`<CapacityUnitScaleUpLimit>` | This parameter sets the maximum capacity (size) that your SAN can grow to using autoscaling. Your SAN won't automatically scale past this size. This parameter is optional but is required to enable autoscaling. |
135136
|`<CapacityUnitScaleUpLimit>` | This parameter sets the maximum capacity (size) that your SAN can grow to using autoscaling. Your SAN won't automatically scale past this size. This parameter is optional but is required to enable autoscaling. |
136-
|`<public-network-access>` | This parameter allows or disallows public network access to ElasticSan. Optional, but if passed in must be `Enabled` or `Disabled`. Enable if you're using service endpoints, disable if you're only using private endpoints.|
137+
|`<public-network-access>` | This parameter allows or disallows public network access to ElasticSan. It's optional, but if passed in must be `Enabled` or `Disabled`. Enable if you're using service endpoints, disable if you're exclusively using private endpoints.|
137138

138139
The following command creates an Elastic SAN that uses locally redundant storage without autoscaling enabled.
139140
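Review bot: The `<CapacityUnitScaleUpLimit>` row appears twice in the context directly above the edited row (old lines 134 and 135), with identical text. This change touches the adjacent line, so remove the duplicate row in the same edit.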

@@ -198,24 +199,40 @@ Now that you've configured the basic settings and provisioned your storage, you
198199

199200
1. Select **+ Create volume group** and name your volume group.
200201
- The name must be between 3 and 63 characters long. The name can only contain lowercase letters, numbers and hyphens, and must begin and end with a letter or a number. Each hyphen must be preceded and followed by an alphanumeric character. The volume group name can't be changed once created.
202+
1. Generally, you should enable **CRC Protection**, unless you're going to connect this volume group to Azure VMware Solution or are connecting to the volume group with clients using Fedora or its downstream Linux distributions such as RHEL, CentOS, etc.
203+
204+
> [!NOTE]
205+
> CRC protection isn't currently available in North Europe and South Central US.
201206
202207
1. Select **Next : Volumes**
203208

209+
:::image type="content" source="media/elastic-san-networking/elastic-san-crc-protection-create-volume-group.png" alt-text="Screenshot of CRC protection enablement on new volume group." lightbox="media/elastic-san-networking/elastic-san-crc-protection-create-volume-group.png":::
210+
204211
# [PowerShell](#tab/azure-powershell)
205212

206213
The following sample command creates an Elastic SAN volume group in the Elastic SAN you created previously. Use the same variables and values you defined when you [created the Elastic SAN](#create-the-san).
207214

215+
> [!IMPORTANT]
216+
> `-EnforceDataIntegrityCheckForIscsi` determines whether CRC protection is enabled or not. Generally, you should enable it, unless you're going to connect this volume group to Azure VMware Solution, or are connecting to the volume group with clients using Fedora or its downstream Linux distributions such as RHEL, CentOS, etc. The script has it disabled, set it to `$true` if you want to enable it.
217+
>
218+
> CRC protection isn't currently available in North Europe and South Central US.
219+
208220
```azurepowershell
209221
# Create the volume group, this script only creates one.
210-
New-AzElasticSanVolumeGroup -ResourceGroupName $RgName -ElasticSANName $EsanName -Name $EsanVgName
222+
New-AzElasticSanVolumeGroup -ResourceGroupName $RgName -ElasticSANName $EsanName -Name $EsanVgName -EnforceDataIntegrityCheckForIscsi $false
211223
```
212224

213225
# [Azure CLI](#tab/azure-cli)
214226

215227
The following sample command creates an Elastic SAN volume group in the Elastic SAN you created previously. Use the same variables and values you defined when you [created the Elastic SAN](#create-the-san).
216228

229+
> [!IMPORTANT]
230+
> `--data-integrity-check` determines whether CRC protection is enabled or not. Generally, you should enable it, unless you're going to connect this volume group to Azure VMware Solution, or are connecting to the volume group with clients using Fedora or its downstream Linux distributions such as RHEL, CentOS, etc. The script has it disabled, set it to `true` if you want to enable it.
231+
>
232+
> CRC protection isn't currently available in North Europe and South Central US.
233+
217234
```azurecli
218-
az elastic-san volume-group create --elastic-san-name $EsanName -g $RgName -n $EsanVgName
235+
az elastic-san volume-group create --elastic-san-name $EsanName -g $RgName -n $EsanVgName --data-integrity-check false
219236
```
220237

221238
---
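Review bot: Both sample commands now pass the integrity check as off (`-EnforceDataIntegrityCheckForIscsi $false` on line 222, `--data-integrity-check false` on line 235), while the IMPORTANT callouts added just above them say "Generally, you should enable it". Readers copy the script, not the callout, so the sample should default to the recommended value (`$true` / `true`) with a comment listing the exceptions (Azure VMware Solution, Fedora and its downstream distributions, and the regions where CRC protection isn't available), or the callout should explain why the sample ships with it disabled. Two smaller points in the portal steps: the NOTE at 204-205 isn't indented under the new list item at 202, which can restart the numbering for "Select **Next : Volumes**", and "The script has it disabled, set it to" is a comma splice; split it into two sentences.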

articles/storage/elastic-san/elastic-san-networking-concepts.md

Lines changed: 6 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn about available Azure Elastic SAN networking options, includi
44
author: roygara
55
ms.service: azure-elastic-san-storage
66
ms.topic: concept-article
7-
ms.date: 01/28/2025
7+
ms.date: 06/10/2025
88
ms.author: rogarana
99
---
1010

@@ -21,15 +21,15 @@ There are two types of virtual network endpoints you can configure to allow acce
2121
- [Storage service endpoints](#storage-service-endpoints)
2222
- [Private endpoints](#private-endpoints)
2323

24-
Generally, you should use private endpoints instead of service endpoints since they offer better capabilities. For more information, see [Azure Private Link](../../private-link/private-endpoint-overview.md). For more details on the differences between the two, see [Compare Private Endpoints and Service Endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
24+
Generally, you should use private endpoints instead of service endpoints since they offer better capabilities. For more information, see [Azure Private Link](../../private-link/private-endpoint-overview.md). For more details on the differences between the two, see [Compare private endpoints and service endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
2525

2626
After configuring endpoints, you can configure network rules to further control access to your Elastic SAN volume group. Once the endpoints and network rules have been configured, clients can connect to volumes in the group to process their workloads.
2727

2828
## Private endpoints
2929

3030
Azure [Private Link](../../private-link/private-link-overview.md) lets you access an Elastic SAN volume group securely over a [private endpoint](../../private-link/private-endpoint-overview.md) from a virtual network subnet. Traffic between your virtual network and the service traverses the Microsoft backbone network, eliminating the risk of exposing your service to the public internet. An Elastic SAN private endpoint uses a set of IP addresses from the subnet address space for each volume group. The maximum number used per endpoint is 20.
3131

32-
Private endpoints have several advantages over service endpoints. For a complete comparison of private endpoints to service endpoints, see [Compare Private Endpoints and Service Endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
32+
Private endpoints have several advantages over service endpoints. For a complete comparison of private endpoints to service endpoints, see [Compare private endpoints and service endpoints](../../virtual-network/vnet-integration-for-azure-services.md#compare-private-endpoints-and-service-endpoints).
3333

3434
### How it works
3535

@@ -56,12 +56,9 @@ When you create a SAN, you can enable or disable public internet access to your
5656

5757
To further secure access to your Elastic SAN volumes, you can create virtual network rules for volume groups configured with service endpoints to allow access from specific subnets. You don't need network rules to allow traffic from a private endpoint since the storage firewall only controls access through public endpoints.
5858

59-
Each volume group supports up to 200 virtual network rules. If you delete a subnet that has been included in a network rule, it's removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group.
60-
61-
Clients granted access via these network rules must also be granted the appropriate permissions to the Elastic SAN to volume group.
62-
63-
To learn how to define network rules, see [Managing virtual network rules](elastic-san-networking.md#configure-virtual-network-rules).
59+
Each volume group supports up to 200 virtual network rules. If you delete a subnet that has been included in a network rule, it's removed from the network rules for the volume group. If you create a new subnet with the same name, it won't have access to the volume group. To allow access, you must explicitly authorize the new subnet in the network rules for the volume group. Clients granted access via these network rules must also be granted the appropriate permissions to the Elastic SAN to volume group. To learn how to define network rules, see [Managing virtual network rules](elastic-san-networking.md#configure-virtual-network-rules).
6460

61+
Network rules only apply to the public endpoints of a volume group, not private endpoints. Approving the creation of a private endpoint grants implicit access to traffic from the subnet that hosts the private endpoint. To refine access rules and control traffic over private endpoints, use [Network Policies](../../private-link/disable-private-endpoint-network-policy.md).
6562

6663
## Data Integrity
6764
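Review bot: The merged paragraph on new line 59 carries over the garbled phrase "permissions to the Elastic SAN to volume group"; fix it while the sentence is being moved, for example "permissions to the Elastic SAN volume group". Folding three short paragraphs into one also buries the pointer to "Managing virtual network rules" at the end of a long block, so consider keeping that link as its own sentence on a separate line. The new paragraph at line 61 restates what line 57 already says about network rules not applying to private endpoints; the genuinely new information is that approving a private endpoint grants implicit access from its host subnet, and that sentence would be better placed in an IMPORTANT callout so it isn't skimmed past.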

@@ -79,7 +76,7 @@ After you have enabled the desired endpoints and granted access in your network
7976
iSCSI sessions can periodically disconnect and reconnect over the course of the day. These disconnects and reconnects are part of regular maintenance or the result of network fluctuations. You shouldn't experience any performance degradation as a result of these disconnects and reconnects, and the connections should re-establish by themselves. If a connection doesn't re-establish itself, or you're experiencing performance degradation, raise a support ticket.
8077

8178
> [!NOTE]
82-
> If a connection between a virtual machine (VM) and an Elastic SAN volume is lost, the connection will retry for 90 seconds until terminating. Losing a connection to an Elastic SAN volume won't cause the VM to restart.
79+
> If a connection between a virtual machine (VM) and an Elastic SAN volume is lost, the connection retries for 90 seconds until terminating. Losing a connection to an Elastic SAN volume won't cause the VM to restart.
8380
8481
## Next steps
8582
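Review bot: The reworded note on line 79, "the connection retries for 90 seconds until terminating", leaves it unclear whether the retry attempts stop or the session itself is terminated after 90 seconds. "retries for up to 90 seconds before terminating" reads more clearly and keeps the present tense this change introduces.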
