Fix merge conflict

Author: sethmanheim

AKS-Arc/TOC.yml

@@ -199,6 +199,21 @@
       href: connectivity-troubleshoot.md
     - name: Cluster status stuck during upgrade
       href: cluster-upgrade-status.md
+  - name: Security
+    items:  
+    - name: Security book - recommendations and best practices
+      href: /azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+      displayName: security, best practices, recommendations
+    - name: Securing your platform
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-platform?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your workloads
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-workloads?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your operations
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-operations?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your data
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-data?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
+    - name: Securing your network
+      href: /azure/azure-arc/kubernetes/conceptual-secure-your-network?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json
   - name: Reference
     items:
     - name: Azure CLI

AKS-Arc/aksarc.yml

@@ -116,6 +116,30 @@ directCommands:
   - name: --vnet-ids
     summary: |-
       Azure Resource Manager resource ID(s) of the VNets.
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 - uid: az_aksarc_delete
   name: az aksarc delete
   summary: |-
@@ -151,6 +175,30 @@ directCommands:
     defaultValue: "False"
     summary: |-
       Do not prompt for confirmation.
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 - uid: az_aksarc_get-credentials
   name: az aksarc get-credentials
   summary: |-
@@ -198,6 +246,30 @@ directCommands:
     defaultValue: "False"
     summary: |-
       Overwrites any existing cluster entry with the same name.
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 - uid: az_aksarc_list
   name: az aksarc list
   summary: |-
@@ -218,6 +290,30 @@ directCommands:
   - name: --resource-group -g
     summary: |-
       Name of the resource group. You can configure the default group using `az configure --defaults group=<name>`.
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 - uid: az_aksarc_notice
   name: az aksarc notice
   summary: |-
@@ -236,6 +332,30 @@ directCommands:
     name: --output-filepath
     summary: |-
       Outputs filepath for NOTICE file.
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 - uid: az_aksarc_show
   name: az aksarc show
   summary: |-
@@ -260,6 +380,30 @@ directCommands:
     name: --resource-group -g
     summary: |-
       Name of the resource group. You can configure the default group using `az configure --defaults group=<name>`.
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 - uid: az_aksarc_update
   name: az aksarc update
   summary: |-
@@ -316,6 +460,30 @@ directCommands:
   - name: --tags
     summary: |-
       Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.commands:
+  globalParameters:
+  - name: --debug
+    summary: |-
+      Increase logging verbosity to show all debug logs.
+  - name: --help -h
+    summary: |-
+      Show this help message and exit.
+  - name: --only-show-errors
+    summary: |-
+      Only show errors, suppressing warnings.
+  - name: --output -o
+    defaultValue: "json"
+    acceptedValues: "json, jsonc, none, table, tsv, yaml, yamlc"
+    summary: |-
+      Output format.
+  - name: --query
+    summary: |-
+      JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
+  - name: --subscription
+    summary: |-
+      Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
+  - name: --verbose
+    summary: |-
+      Increase logging verbosity. Use --debug for full debug logs.
 commands:
 - az_aksarc_create
 - az_aksarc_delete
@@ -339,29 +507,5 @@ commands:
 - az_aksarc_vnet_delete
 - az_aksarc_vnet_list
 - az_aksarc_vnet_show
-globalParameters:
-- name: --debug
-  summary: |-
-    Increase logging verbosity to show all debug logs.
-- name: --help -h
-  summary: |-
-    Show this help message and exit.
-- name: --only-show-errors
-  summary: |-
-    Only show errors, suppressing warnings.
-- name: --output -o
-  defaultValue: "json"
-  parameterValueGroup: "json, jsonc, none, table, tsv, yaml, yamlc"
-  summary: |-
-    Output format.
-- name: --query
-  summary: |-
-    JMESPath query string. See <a href="http://jmespath.org/">http://jmespath.org/</a> for more information and examples.
-- name: --subscription
-  summary: |-
-    Name or ID of subscription. You can configure the default subscription using `az account set -s NAME_OR_ID`.
-- name: --verbose
-  summary: |-
-    Increase logging verbosity. Use --debug for full debug logs.
 metadata:
   description: Manage provisioned clusters.

AKS-Arc/arc-gateway-aks-arc.md

@@ -2,25 +2,24 @@
 title: Simplify network configuration requirements with Azure Arc gateway (preview)
 description: Learn how to enable Arc gateway on AKS Arc clusters to simplify network configuration requirements
 ms.topic: how-to
-ms.date: 11/18/2024
+ms.date: 07/15/2025
 author: sethmanheim
-ms.author: sethm 
-ms.reviewer: abha
-ms.lastreviewed: 11/18/2024
-
+ms.author: sethm
+ms.reviewer: srikantsarwa
+ms.lastreviewed: 07/15/2025
 ---
 
 # Simplify network configuration requirements with Azure Arc gateway (preview)
 
 If you use enterprise proxies to manage outbound traffic, Azure Arc gateway can help simplify the process of enabling connectivity.
 
-The Azure Arc gateway (currently in preview) lets you:
+The AKS Arc gateway (currently in preview) lets you:
 
 - Connect to Azure Arc by opening public network access to only seven fully qualified domain names (FQDNs).
 - View and audit all traffic that the Arc agents send to Azure via the Arc gateway.
 
 > [!IMPORTANT]
-> Azure Arc gateway is currently in preview.
+> AKS Arc gateway is currently in preview.
 >
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
@@ -29,7 +28,7 @@ The Azure Arc gateway (currently in preview) lets you:
 The Arc gateway works by introducing two new components:
 
 - The **Arc gateway resource** is an Azure resource that serves as a common front end for Azure traffic. The gateway resource is served on a specific domain/URL. You must create this resource by following the steps described in this article. After you successfully create the gateway resource, this domain/URL is included in the success response.
-- The **Arc Proxy** is a new component that runs as its own pod (called *Azure Arc Proxy*). This component acts as a forward proxy used by Azure Arc agents and extensions. There is no configuration required on your part for the Azure Arc Proxy.
+- The **Arc Proxy** is a new component that runs as its own pod (called _Azure Arc Proxy_). This component acts as a forward proxy used by Azure Arc agents and extensions. There is no configuration required on your part for the Azure Arc Proxy.
 
 For more information, see [how the Azure Arc gateway works](/azure/azure-arc/kubernetes/arc-gateway-simplify-networking?tabs=azure-cli).
 
@@ -52,36 +51,36 @@ For more information, see [how the Azure Arc gateway works](/azure/azure-arc/kub
 
 ## Confirm access to required URLs
 
-Ensure your Arc gateway URL and all of the URLs below are allowed through your enterprise firewall:
+Ensure your Arc gateway URL and all of the following URLs are allowed through your enterprise firewall:
 
-|URL  |Purpose  |
-|---------|---------|
-|`[Your URL prefix].gw.arc.azure.com`       | Your gateway URL. You can obtain this URL by running `az arcgateway list` after you create the resource.         |
-|`management.azure.com`    |Azure Resource Manager endpoint, required for the Azure Resource Manager control channel.         |
-|`<region>.obo.arc.azure.com`     |Required when `az connectedk8s proxy` is used.         |
-|`login.microsoftonline.com`, `<region>.login.microsoft.com`     | Microsoft Entra ID endpoint, used for acquiring identity access tokens.         |
-|`gbl.his.arc.azure.com`, `<region>.his.arc.azure.com`   |The cloud service endpoint for communicating with Arc Agents. Uses short names; for example `eus` for East US.          |
-|`mcr.microsoft.com`, `*.data.mcr.microsoft.com`     |Required to pull container images for Azure Arc agents.         |
+| URL                                                         | Purpose                                                                                                        |
+| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
+| `[Your URL prefix].gw.arc.azure.com`                        | Your gateway URL. You can obtain this URL by running `az arcgateway list` after you create the resource.       |
+| `management.azure.com`                                      | Azure Resource Manager endpoint, required for the Azure Resource Manager control channel.                      |
+| `<region>.obo.arc.azure.com`                                | Required when `az connectedk8s proxy` is used.                                                                 |
+| `login.microsoftonline.com`, `<region>.login.microsoft.com` | Microsoft Entra ID endpoint, used for acquiring identity access tokens.                                        |
+| `gbl.his.arc.azure.com`, `<region>.his.arc.azure.com`       | The cloud service endpoint for communicating with Arc Agents. Uses short names; for example, `eus` for East US. |
+| `mcr.microsoft.com`, `*.data.mcr.microsoft.com`             | Required to pull container images for Azure Arc agents.                                                        |
 
-## Create an AKS Arc cluster with Arc gateway enabled
+## Create an AKS Arc cluster with AKS Arc gateway enabled
 
-Run the following command to create an AKS Arc cluster with the Arc gateway enabled:
+Run the following command to create an AKS Arc cluster with the AKS Arc gateway enabled:
 
 ```azurecli
 az aksarc create -n $clusterName -g $resourceGroup --custom-location $customlocationID --vnet-ids $arcVmLogNetId --aad-admin-group-object-ids $aadGroupID --gateway-id $gatewayId --generate-ssh-keys
 ```
 
-## Update an AKS Arc cluster and enable Arc gateway
+## Update an AKS Arc cluster and enable the AKS Arc gateway
 
-Run the following command to update an AKS Arc cluster to enable Arc gateway:
+Run the following command to update an AKS Arc cluster to enable the AKS Arc gateway:
 
 ```azurecli
 az aksarc update -n $clusterName -g $resourceGroup --gateway-id $gatewayId
 ```
 
-## Disable Arc gateway on an AKS Arc cluster
+## Disable the AKS Arc gateway on an AKS Arc cluster
 
-Run the following command to disable Arc gateway:
+Run the following command to disable the AKS Arc gateway:
 
 ```azurecli
 az aksarc update -n $clusterName -g $resourceGroup --disable-gateway
@@ -92,7 +91,7 @@ az aksarc update -n $clusterName -g $resourceGroup --disable-gateway
 To audit your gateway traffic, view the gateway router logs:
 
 1. Run `kubectl get pods -n azure-arc`.
-1. Identify the Arc Proxy pod (its name will begin with `arc-proxy-`).
+1. Identify the Arc Proxy pod (its name begins with `arc-proxy-`).
 1. Run `kubectl logs -n azure-arc <Arc Proxy pod name>`.
 
 ## Other scenarios

AKS-Arc/azure-rbac-local.md

@@ -222,3 +222,4 @@ az role definition delete -n "AKS Arc Deployment Reader"
 - [Access and identity options](concepts-security-access-identity.md) for AKS enabled by Azure Arc
 - [Create an Azure service principal with Azure CLI](/cli/azure/azure-cli-sp-tutorial-1)
 - Available Azure permissions for [Hybrid + Multicloud](/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).

AKS-Arc/concepts-security-access-identity.md

@@ -154,3 +154,4 @@ The following table contains a summary of how users can authenticate to Kubernet
 
 - To get started with Kubernetes RBAC for Kubernetes authorization, see [Control access using Microsoft Entra ID and Kubernetes RBAC](kubernetes-rbac-local.md)
 - To get started with Azure RBAC for Kubernetes authorization, see [Use Azure RBAC for Kubernetes Authorization](azure-rbac-local.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).

AKS-Arc/configure-ssh-keys.md

@@ -80,3 +80,4 @@ For information about error messages that can occur when you create and deploy a
 - [Connect to Windows or Linux worker nodes with SSH](ssh-connect-to-windows-and-linux-worker-nodes.md)
 - [Restrict SSH access to specific IP addresses](restrict-ssh-access.md)
 - [Get on-demand logs for troubleshooting](get-on-demand-logs.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).

AKS-Arc/enable-authentication-microsoft-entra-id.md

@@ -75,3 +75,4 @@ Enable Microsoft Entra authentication on your existing Kubernetes cluster using
 - [Access and identity options for AKS enabled by Azure Arc](concepts-security-access-identity.md)
 - [Microsoft Entra integration with Kubernetes RBAC](kubernetes-rbac-local.md)
 - [Use Azure role-based access control (RBAC) for Kubernetes authorization](azure-rbac-local.md)
+- Help to protect your cluster in other ways by following the guidance in the [security book for AKS enabled by Azure Arc](/azure/azure-arc/kubernetes/conceptual-security-book?toc=/azure/aks/aksarc/toc.json&bc=/azure/aks/aksarc/breadcrumb/toc.json).