Merge pull request #205696 from johnmarco/jm-private-link-update

Update to private link scope procedure

Author: 19BMG00

articles/azure-arc/servers/media/private-link-security/create-private-link-scope.png

@@ -114,23 +114,34 @@ See the visual diagram under the section [How it works](#how-it-works) for the n
 
 1. Go to **Create a resource** in the Azure portal and search for **Azure Arc Private Link Scope**. Or you can use the following link to open the [Azure Arc Private Link Scope](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.HybridCompute%2FprivateLinkScopes) page in the portal.
 
-    :::image type="content" source="./media/private-link-security/find-scope.png" alt-text="Find Private Link Scope" border="true":::
+    :::image type="content" source="./media/private-link-security/private-scope-home.png" lightbox="./media/private-link-security/private-scope-home.png" alt-text="Screenshot of private scope home page with Create button." border="true":::
 
 1. Select **Create**.
 
-1. Pick a Subscription and Resource Group.
+1. In the **Basics** tab, select a Subscription and Resource Group.
 
-1. Give the Azure Arc Private Link Scope a name. It's best to use a meaningful and clear name.
+1. Enter a name for the Azure Arc Private Link Scope. It's best to use a meaningful and clear name.
 
-   You can optionally require every Azure Arc-enabled machine or server associated with this Azure Arc Private Link Scope to send data to the service through the private endpoint. If you select **Enable public network access**, machines or servers associated with this Azure Arc Private Link Scope can communicate with the service over both private or public networks. You can change this setting after creating the scope if you change your mind.
+   Optionally, you can require every Azure Arc-enabled machine or server associated with this Azure Arc Private Link Scope to send data to the service through the private endpoint. To do so, check the box for **Allow public network access** so machines or servers associated with this Azure Arc Private Link Scope can communicate with the service over both private or public networks. You can change this setting after creating the scope if you change your mind.
+
+1. Select the **Private endpoint** tab, then select **Create**.
+1. In the **Create private endpoint** window:
+    1. Enter a **Name** for the endpoint.
+
+    1. Choose **Yes** for **Integrate with private DNS zone**, and let it automatically create a new Private DNS Zone.
+    
+         > [!NOTE]
+         > If you choose **No** and prefer to manage DNS records manually, first complete setting up your Private Link - including this Private Endpoint and the Private Scope configuration. Then, configure your DNS according to the instructions in [Azure Private Endpoint DNS configuration](../../private-link/private-endpoint-dns.md). Make sure not to create empty records as preparation for your Private Link setup. The DNS records you create can override existing settings and impact your connectivity with Azure Arc-enabled servers.
+
+    1. Select **OK**.
 
 1. Select **Review + Create**.
 
-    :::image type="content" source="./media/private-link-security/create-private-link-scope.png" alt-text="Create Private Link Scope" border="true":::
+    :::image type="content" source="./media/private-link-security/create-private-link-scope.png" alt-text="Screenshot showing the Create Private Link Scope window" border="true":::
 
 1. Let the validation pass, and then select **Create**.
 
-## Create a private endpoint
+<!--## Create a private endpoint
 
 Once your Azure Arc Private Link Scope is created, you need to connect it with one or more virtual networks using a private endpoint. The private endpoint exposes access to the Azure Arc services on a private IP in your virtual network address space.
 
@@ -167,7 +178,7 @@ Once your Azure Arc Private Link Scope is created, you need to connect it with o
 
    d.    Let validation pass.
 
-   e.    Select **Create**.
+   e.    Select **Create**.-->
 
 ## Configure on-premises DNS forwarding
 
@@ -189,7 +200,7 @@ If you opted out of using Azure private DNS zones during private endpoint creati
 
 1. From the left-hand pane, select **DNS configuration** to see a list of the DNS records and corresponding IP addresses you'll need to set up on your DNS server. The FQDNs and IP addresses will change based on the region you selected for your private endpoint and the available IP addresses in your subnet.
 
-    :::image type="content" source="./media/private-link-security/dns-configuration.png" alt-text="DNS configuration details" border="true":::
+    :::image type="content" source="./media/private-link-security/dns-configuration.png" lightbox="./media/private-link-security/dns-configuration.png" alt-text="DNS configuration details" border="true":::
 
 1. Follow the guidance from your DNS server vendor to add the necessary DNS zones and A records to match the table in the portal. Ensure that you select a DNS server that is appropriately scoped for your network. Every machine or server that uses this DNS server now resolves the private endpoint IP addresses and must be associated with the Azure Arc Private Link Scope, or the connection will be refused.
 
@@ -275,7 +286,7 @@ For Azure Arc-enabled servers that were set up prior to your private link scope,
     > [!NOTE]
     > Only Azure Arc-enabled servers in the same subscription and region as your Private Link Scope is shown.
 
-    :::image type="content" source="./media/private-link-security/select-servers-private-link-scope.png" alt-text="Selecting Azure Arc resources" border="true":::
+    :::image type="content" source="./media/private-link-security/select-servers-private-link-scope.png" lightbox="./media/private-link-security/select-servers-private-link-scope.png" alt-text="Selecting Azure Arc resources" border="true":::
 
 It may take up to 15 minutes for the Private Link Scope to accept connections from the recently associated server(s).