Merge pull request #18269 from MicrosoftDocs/release-local-2506

Merge release-local-2506 to main for release

Author: sethmanheim

azure-local/TOC.yml

@@ -165,6 +165,106 @@ items:
     - name: Run SQL Server
       href: deploy/sql-server-23h2.md
 
+- name: Enable
+  items:
+  - name: SDN enabled by Azure Arc
+    items:
+    - name: Overview
+      href: concepts/sdn-overview.md
+    - name: Enable SDN integration
+      href: deploy/enable-sdn-integration.md
+    - name: Create Network Security Groups
+      href: manage/create-network-security-groups.md
+    - name: Manage Network Security Groups
+      href: manage/manage-network-security-groups.md
+    - name: Troubleshoot SDN
+      href: manage/sdn-troubleshooting.md
+    - name: SDN FAQ
+      href: concepts/sdn-frequently-asked-questions.yml
+
+  - name: SDN managed by on-premises tools
+    items:
+    - name: Overview
+      items:
+      - name: Software-defined networking overview
+        href: concepts/software-defined-networking-23h2.md
+      - name: Network Controller overview
+        href: concepts/network-controller-overview.md
+      - name: RAS Gateway overview
+        href: concepts/gateway-overview.md
+      - name: Load balancer overview
+        href: concepts/software-load-balancer.md
+      - name: Datacenter Firewall overview
+        href: concepts/datacenter-firewall-overview.md
+      - name: Route reflector overview
+        href: concepts/route-reflector-overview.md
+      - name: SDN Multisite overview
+        href: concepts/sdn-multisite-overview.md
+    - name: Plan 
+      items:
+      - name: Network Controller
+        href: concepts/plan-network-controller-deployment.md
+      - name: SDN infrastructure
+        href: concepts/plan-software-defined-networking-infrastructure-23h2.md
+    - name: Deploy
+      items:    
+      - name: Using Express scripts
+        href: deploy/sdn-express-23h2.md
+      - name: Using Windows Admin Center
+        href: deploy/sdn-wizard-23h2.md
+    - name: Manage
+      items:
+      - name: Update SDN infrastructure
+        href: manage/update-sdn.md
+      - name: Manage tenant logical networks
+        href: manage/tenant-logical-networks.md
+      - name: Manage tenant virtual networks
+        href: manage/tenant-virtual-networks.md
+      - name: Manage software load balancers
+        href: manage/load-balancers.md
+      - name: Manage gateway connections
+        href: manage/gateway-connections.md
+      - name: Manage default network access policies
+        href: manage/manage-default-network-access-policies-virtual-machines-23h2.md
+      - name: Configure network security groups with Windows Admin Center
+        href: manage/use-datacenter-firewall-windows-admin-center.md
+      - name: Configure network security groups with PowerShell
+        href: manage/use-datacenter-firewall-powershell.md
+      - name: Configure network security groups with tags
+        href: manage/configure-network-security-groups-with-tags.md
+      - name: Manage SDN Multisite
+        href: manage/manage-sdn-multisite.md
+      - name: Assign public IP address to a VM
+        href: manage/assign-public-ip-to-vm.md
+      - name: Configure load balancer for high availability ports
+        href: manage/configure-software-load-balancer.md
+      - name: Load balance multiple logical networks
+        href: manage/load-balance-multiple-networks.md
+      - name: Manage SDN security
+        items:
+        - name: Manage certificates for SDN
+          href: manage/sdn-manage-certs.md
+        - name: Update Network Controller certificates
+          href: manage/update-network-controller-certificates.md
+        - name: Update SDN infrastructure certificates
+          href: manage/update-sdn-infrastructure-certificates.md
+        - name: Secure the Network Controller
+          href: manage/nc-security.md
+        - name: Authenticate with Kerberos
+          href: manage/kerberos-with-spn.md
+        - name: SDN technical reference
+          href: manage/sdn-technical-reference.md
+    - name: Troubleshoot
+      items:
+      - name: Troubleshoot SDN deployment
+        href: manage/troubleshoot-sdn-deployment.md
+      - name: Collect SDN logs
+        href: manage/sdn-log-collection.md
+      - name: Troubleshoot common SDN issues
+        href: manage/troubleshoot-common-sdn-issues.md
+      - name: Troubleshoot Software Load Balancer for SDN
+        href: manage/troubleshoot-software-load-balancer.md
+
 - name: Update 
   items:
   - name: About Updates
@@ -376,46 +476,6 @@ items:
     - name: Repair a node
       href: manage/repair-server.md
 
-  - name: SDN
-    items:
-    - name: Update SDN infrastructure
-      href: manage/update-sdn.md
-    - name: Manage tenant logical networks
-      href: manage/tenant-logical-networks.md
-    - name: Manage tenant virtual networks
-      href: manage/tenant-virtual-networks.md
-    - name: Manage software load balancers
-      href: manage/load-balancers.md
-    - name: Manage gateway connections
-      href: manage/gateway-connections.md
-    - name: Manage default network access policies
-      href: manage/manage-default-network-access-policies-virtual-machines-23h2.md
-    - name: Configure network security groups with Windows Admin Center
-      href: manage/use-datacenter-firewall-windows-admin-center.md
-    - name: Configure network security groups with PowerShell
-      href: manage/use-datacenter-firewall-powershell.md
-    - name: Configure network security groups with tags
-      href: manage/configure-network-security-groups-with-tags.md
-    - name: Manage SDN Multisite
-      href: manage/manage-sdn-multisite.md
-    - name: Assign public IP address to a VM
-      href: manage/assign-public-ip-to-vm.md
-    - name: Configure load balancer for high availability ports
-      href: manage/configure-software-load-balancer.md
-    - name: Load balance multiple logical networks
-      href: manage/load-balance-multiple-networks.md
-    - name: Manage SDN security
-      items:
-      - name: Manage certificates for SDN
-        href: manage/sdn-manage-certs.md
-      - name: Update Network Controller certificates
-        href: manage/update-network-controller-certificates.md
-      - name: Update SDN infrastructure certificates
-        href: manage/update-sdn-infrastructure-certificates.md
-      - name: Secure the Network Controller
-        href: manage/nc-security.md
-      - name: Authenticate with Kerberos
-        href: manage/kerberos-with-spn.md
   - name: Billing
     items:
     - name: Azure Hybrid Benefit
@@ -477,16 +537,7 @@ items:
     href: manage/get-support.md
   - name: Get remote support
     href: manage/get-remote-support.md
-  - name: Troubleshoot SDN
-    items:
-    - name: Troubleshoot SDN deployment
-      href: manage/troubleshoot-sdn-deployment.md
-    - name: Collect SDN logs
-      href: manage/sdn-log-collection.md
-    - name: Troubleshoot common SDN issues
-      href: manage/troubleshoot-common-sdn-issues.md
-    - name: Troubleshoot Software Load Balancer for SDN
-      href: manage/troubleshoot-software-load-balancer.md
+
 
 - name: Migrate
   items:
@@ -553,28 +604,9 @@ items:
     items:
     - name: Network ATC overview
       href: concepts/network-atc-overview.md?pivots=azure-local
-  - name: SDN
-    items:
-    - name: SDN technical reference
-      href: manage/sdn-technical-reference.md
-    - name: SDN overview
-      href: concepts/software-defined-networking-23h2.md
-    - name: Plan an SDN infrastructure
-      href: concepts/plan-software-defined-networking-infrastructure-23h2.md
-    - name: Network Controller overview
-      href: concepts/network-controller-overview.md
-    - name: Plan Network Controller
-      href: concepts/plan-network-controller-deployment.md
-    - name: Software Load Balancer overview
-      href: concepts/software-load-balancer.md
-    - name: Datacenter Firewall overview
-      href: concepts/datacenter-firewall-overview.md
-    - name: RAS Gateway overview
-      href: concepts/gateway-overview.md
-    - name: Route Reflector overview
-      href: concepts/route-reflector-overview.md
-    - name: SDN Multisite overview
-      href: concepts/sdn-multisite-overview.md
+
+
+
 - name: Reference
   items:
   - name: For Azure Local VM management
@@ -647,4 +679,4 @@ items:
     href: https://azure.com/hci
   - name: Pricing
     href: https://azure.microsoft.com/products/local/#Pricing
-  
+  

azure-local/concepts/media/sdn-overview/custom-configuration-disaggregated-networking.png

@@ -0,0 +1,46 @@
+### YamlMime:FAQ
+metadata:
+  title: Frequently Asked Questions (FAQ) for Software-Defined Networking (SDN) on Azure Local
+  description: This FAQ provides information about SDN enabled by Azure Arc on Azure Local.
+  ms.topic: faq
+  author: alkohli
+  ms.author: alkohli
+  ms.service: azure-local
+  ms.date: 07/02/2025
+title: FAQ - SDN enabled by Azure Arc on Azure Local 
+summary: This FAQ provides information about Software-Defined Networking (SDN) enabled by Azure Arc on your Azure Local VMs. This feature is available in Azure Local version 2506 and later.
+
+sections:
+  - name: Ignored
+    questions:
+      - question: Which version of Azure Local supports SDN enabled by Azure Arc?
+        answer: |
+          SDN enabled by Azure Arc is available in Azure Local version 2506 running OS version 26100.xxxx and later. 
+
+      - question: Will I have downtime for my Azure Local VMs when I enable Network Controller via the PowerShell cmdlet?
+        answer: |
+          Yes. When you enable Network Controller, Azure Local VMs use a null port profile to set up network connectivity. Because this process affects all VMs, you experience brief downtime until configuration finishes.
+
+          Because this operation is disruptive, plan a maintenance window if you're running in a production environment.
+
+      - question: Why am I experiencing network connectivity issues for my unmanaged VMs on Azure Local after I enabled SDN enabled by Azure Arc?
+        answer: |
+          You can experience network connectivity issues if you enable Network Controller and create unmanaged VMs outside Azure interfaces like Azure CLI, Azure portal, Azure PowerShell, and Azure Resource Manager APIs. To fix these issues, see how to [unblock and configure the null port profile for unmanaged VMs]().
+
+      - question: Why can't I connect to my Azure Local VMs, if I associate an NSG with the VM network interface or its logical network?
+        answer: |
+          If you set up an empty NSG with no security rules on your VM's network interface or the logical network, Azure Local blocks all inbound traffic by default and allows all outbound traffic. Add specific inbound network security rules to let traffic into the VM.
+          
+      - question: Can I modify Azure Local VM resources such as VMs, virtual switches, and network interfaces directly using Network Controller APIs, Windows Admin Center, or SDN Express PowerShell scripts for my Azure Local VMs?  
+        answer: |
+          No. Don't do this, as it's unsupported and can cause your resources to enter bad or unrecoverable states.
+
+      - question: Can I configure static network interfaces after the Azure Local VM is provisioned on an Azure Local instance with SDN enabled by Azure Arc?
+        answer: |
+          No. You can't add a secondary network interface to a VM after provisioning. This setup causes both interfaces to act as the default gateway, which leads to asymmetric networking, packet loss, and unpredictable networking. Set up all needed static network interfaces during VM provisioning when using SDN enabled by Azure Arc.
+      - question: Why am I seeing unexpected traffic drop or blocks for my Azure Local VMs?
+        answer: |
+          If logical networks and VM network interfaces on your Azure Local VMs have NSGs with conflicting allow or deny rules, you can see unexpected traffic drops or blocks.
+
+          When an inbound packet arrives, Azure Local checks the logical network NSG first, then the network interface NSG. For outbound traffic, Azure Local checks the network interface NSG first, then the logical network NSG. If the first NSG has a **Deny** rule and the next has an **Allow** rule, Azure Local drops the packet.
+