update

Author: msmbaldwin

articles/payment-hsm/deployment-scenarios.md

@@ -40,8 +40,6 @@ This scenario caters to regional-level failure. The usual strategy is to complet
 
 ## Next steps
 
-## Next steps
-
 - [What is Azure Payment HSM?](overview.md)
 - [Azure Payment HSM solution design](solution-design.md)
 - [Azure Payment HSM traffic inspection](traffic-inspection.md)

articles/payment-hsm/inspect-traffic.md

@@ -1,6 +1,6 @@
 ---
-title: Access the payShield manager for your Azure Payment HSM
-description: Access the payShield manager for your Azure Payment HSM
+title: Azure Payment HSM traffic inspection
+description: Azure Payment HSM traffic inspection
 services: payment-hsm
 ms.service: payment-hsm
 author: msmbaldwin
@@ -9,53 +9,33 @@ ms.topic: quickstart
 ms.date: 04/06/2023
 ---
 
-# How to inspect Azure Payment HSM traffic
+# Azure Payment HSM traffic inspection
 
-Intent of this article is to explain how to inspect traffic to Azure Payment HSM.
-
-Payment Hardware Security Module (Payment HSM or PHSM) is a [bare-metal service](overview.md) providing cryptographic key operations for real-time and critical payment transactions in the Azure cloud. 
-
-Payment HSM devices are a variation of Dedicated HSM devices with more advanced cryptographic modules and features: a Payment HSM never decrypts the PIN value in transit for example.
-
-The Azure Payment HSM solution uses hardware from [Thales](https://cpl.thalesgroup.com/encryption/hardware-security-modules/payment-hsms/payshield-10k) as a vendor. Customers have [full control and exclusive access](overview.md#customer-managed-hsm-in-azure) to the Payment HSM.
-
-## Azure Payment HSM - Networking
+Azure Payment Hardware Security Module (Payment HSM or PHSM) is a [bare-metal service](overview.md) providing cryptographic key operations for real-time and critical payment transactions in the Azure cloud. For more information, see [What is Azure Payment HSM?](overview.md).
 
 When Payment HSM is deployed, it comes with a host network interface and a management network interface. There are several deployment scenarios:
+
 1. [With host and management ports in same VNet](create-payment-hsm.md?tabs=azure-cli)
 2. [With host and management ports in different VNets](create-different-vnet.md?tabs=azure-cli)
 3. [With host and management port with IP addresses in different VNets](create-different-ip-addresses.md?tabs=azure-cli)
 
 In all of the above scenarios, Payment HSM is a VNet-injected service in a delegated subnet: `hsmSubnet` and `managementHsmSubnet` must be delegated to `Microsoft.HardwareSecurityModules/dedicatedHSMs` service.
 
-## FastPathEnabled feature flag & fastpathenabled VNet tag
-
-In addition, the `FastPathEnabled` **feature** must be [registered and approved](https://learn.microsoft.com/en-us/azure/payment-hsm/register-payment-hsm-resource-providers?tabs=azure-cli#register-the-resource-providers-and-features) on all subscriptions that need access to Payment HSM.
-
-A second step consists in enabling the `fastpathenabled` **tag** on the VNet hosting the Payment HSM delegated subnet and on every peered VNet requiring [connectivity to the Payment HSM devices](https://learn.microsoft.com/en-us/azure/payment-hsm/peer-vnets?tabs=azure-cli). This operation must be done via CLI.
-
-For the `fastpathenabled` VNet tag to be valid, the `FastPathEnabled` feature needs to be enabled on the subscription where that VNet is deployed: make sure to complete both steps to enable resources to connect to the Payment HSM devices. 
-
-Adding the `FastPathEnabled` feature and enabling the `fastpathenabled` tag don't cause any downtime.
-
-The public documentation related to these 2 settings is now available [here](fastpathenabled.md).
- 
-## Azure Payment HSM - Networking limitations
-
 Payment HSM comes with some policy [restrictions](solution-design.md#constraints) on these subnets: **Network Security Groups (NSGs) and User-Defined Routes (UDRs) are currently not supported**.
 
-> Note: PHSM is not compatible with vWAN topologies or cross region VNet peering, as listed in the [topology supported](solution-design.md#supported-topologies).
+> [!IMPORTANT]
+> The `FastPathEnabled` **feature** must be [registered and approved](register-payment-hsm-resource-providers.md?tabs=azure-cli#register-the-resource-providers-and-features) on all subscriptions that need access to Payment HSM.  For more information, see [FastPathEnabled](fastpathenabled.md).
+
+PHSM is not compatible with vWAN topologies or cross region VNet peering, as listed in the [topology supported](solution-design.md#supported-topologies).
 
 This article present two ways to inspect traffic destined to a Payment HSM: a firewall with source network address translation (SNAT), and a firewall with reverse proxy
 
-# Firewall with source network address translation (SNAT)
+## Firewall with source network address translation (SNAT)
 
-This design is inspired by the [Dedicated HSM solution architecture](networking.md#solution-architecture).
+This design is inspired by the [Dedicated HSM solution architecture](../dedicated-hsm/networking.md#solution-architecture).
 
 The firewall **SNATs the client IP address** before forwarding traffic to the PHSM NIC, guaranteeing that the return traffic will automatically be directed back to the Firewall. Either an Azure Firewall or a 3rd party FW NVA can be used in this design.
 
-![image](docs/solution1fp.png)
-
 :::image type="content" source="./media/firewall-snat-architecture-diagram.png" alt-text="Architecture diagram of the firewall with SNAT":::
 
 Route tables required:
@@ -117,4 +97,11 @@ Results:
 - Filtering rules that cannot be enforced using NSGs on the PHSM subnet can be configured on the Firewall and/or on NSGs applied to the reverse proxy subnet.
 - Both Spoke traffic and On-Prem traffic to the PHSM environment are secured.
 
-## Next steps
+## Next steps
+
+- [What is Azure Payment HSM?](overview.md)
+- [Azure Payment HSM solution design](solution-design.md)
+- [Azure Payment HSM deployment scenarios](deployment-scenarios.md)
+- [Get started with Azure Payment HSM](getting-started.md)
+- [Create a payment HSM](create-payment-hsm.md)
+- [Frequently asked questions](faq.yml)