Updating tag based segmentation articles for Windows Server 2025

robinharwood · robinharwood · commit 7a163a9de531 · 2024-10-03T10:52:39.000+01:00
diff --git a/azure-stack/hci/manage/configure-network-security-groups-with-tags.md b/azure-stack/hci/manage/configure-network-security-groups-with-tags.md
@@ -5,18 +5,64 @@ ms.author: sethm
 ms.reviewer: anpaul
 ms.topic: article
 author: sethmanheim
-ms.date: 04/02/2024
+ms.subservice: core-os
+zone_pivot_groups: windows-os
+ms.date: 10/03/2024
 ---
 
 # Configure network security groups with tags in Windows Admin Center
 
+:::zone pivot="azure-stack-hci"
+
 [!INCLUDE [hci-applies-to-23h2-22h2](../../includes/hci-applies-to-23h2-22h2.md)]
 
+::: zone-end
+
+:::zone pivot="windows-server"
+
+>Applies to: Windows Server 2025 (preview)
+> [!IMPORTANT]
+> Tag based network security groups in Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
+::: zone-end
+
 This article describes how to configure network security groups with network security tags in Windows Admin Center.
 
 With network security tags, you can create custom user-defined tags, attach those tags to your virtual machine (VM) network interfaces, and apply network access policies (with network security groups) based on these tags.
 
-<!--Refactored the following section. Please review.-->
+## Prerequisites
+
+Complete the following prerequisites to use network security groups with tags:
+
+:::zone pivot="azure-stack-hci"
+
+- You have Azure Stack HCI 22H2 or later installed on your cluster. For more information, see how to [Install Azure Stack HCI](../deploy/install-azure-stack-hci.md).
+
+- You have Network Controller installed. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md).
+
+- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
+
+TODO: check Arc or non-Arc VMs?
+- You have created a VM. For more information, see how to [Create Arc virtual machines on Azure Stack HCI](create-arc-virtual-machines.md).
+
+- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+
+::: zone-end
+
+:::zone pivot="windows-server"
+
+- You have Windows Server 2025 or later. For more information, see [Get started with Windows Server](/windows-server/get-started/get-started-with-windows-server).
+
+- You have Network Controller installed. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md?context=/windows-server/context/windows-server-edge-networking).
+
+- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
+
+- You have created a VM. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
+
+- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+
+::: zone-end
+
 ## Simplify security with network security tags
 
 Network security groups allow you to configure access policies based on network constructs like network prefixes and subnets. For example, if you want to restrict communication between your Web Server VMs and database VMs, you must identify corresponding network subnets and create a policy to deny communication between those subnets. However, there are some limitations with this approach:
@@ -150,11 +196,23 @@ After you create a network security group, you're ready to create network securi
 
 You can apply a network security group to:
 
+:::zone pivot="azure-stack-hci"
+
 - [Virtual network subnet](use-datacenter-firewall-windows-admin-center.md#apply-a-network-security-group-to-a-virtual-network)
 - [Logical network subnet](use-datacenter-firewall-windows-admin-center.md#apply-a-network-security-group-to-a-logical-network)
 - [Specific network interface](use-datacenter-firewall-windows-admin-center.md#apply-a-network-security-group-to-a-network-interface)
 - [Network security tag](#apply-network-security-group-to-a-network-security-tag)
 
+::: zone-end
+:::zone pivot="windows-server"
+
+- [Virtual network subnet](use-datacenter-firewall-windows-admin-center.md?context=/windows-server/context/windows-server-failover-clustering#apply-a-network-security-group-to-a-virtual-network)
+- [Logical network subnet](use-datacenter-firewall-windows-admin-center.md?context=/windows-server/context/windows-server-failover-clustering#apply-a-network-security-group-to-a-logical-network)
+- [Specific network interface](use-datacenter-firewall-windows-admin-center.md?context=/windows-server/context/windows-server-failover-clustering#apply-a-network-security-group-to-a-network-interface)
+- [Network security tag](#apply-network-security-group-to-a-network-security-tag)
+
+::: zone-end
+
 ### Apply network security group to a network security tag
 
 When you apply a network security group to a network security tag, the network security group rules apply to all VM network interfaces that are associated with that network security tag.
@@ -179,6 +237,17 @@ To apply a network security group to a network security tag via Windows Admin Ce
 
 For related information, see also:
 
+:::zone pivot="azure-stack-hci"
+
 - [What is Datacenter Firewall?](../concepts/datacenter-firewall-overview.md)
 - [Configure network security groups with Windows Admin Center](use-datacenter-firewall-windows-admin-center.md)
 - [Configure network security groups with PowerShell](use-datacenter-firewall-powershell.md)
+
+::: zone-end
+:::zone pivot="windows-server"
+
+- [What is Datacenter Firewall?](../concepts/datacenter-firewall-overview.md?context=/windows-server/context/windows-server-failover-clustering)
+- [Configure network security groups with Windows Admin Center](use-datacenter-firewall-windows-admin-center.md?context=/windows-server/context/windows-server-failover-clustering)
+- [Configure network security groups with PowerShell](use-datacenter-firewall-powershell.md?context=/windows-server/context/windows-server-failover-clustering)
+
+::: zone-end
diff --git a/azure-stack/hci/manage/manage-default-network-access-policies-virtual-machines-23h2.md b/azure-stack/hci/manage/manage-default-network-access-policies-virtual-machines-23h2.md
@@ -5,23 +5,66 @@ ms.author: alkohli
 ms.reviewer: anpaul
 ms.topic: article
 author: alkohli
-ms.date: 05/22/2024
+ms.subservice: core-os
+zone_pivot_groups: windows-os
+ms.date: 10/03/2024
 ---
 
 # Use default network access policies on virtual machines on Azure Stack HCI, version 23H2
 
+:::zone pivot="azure-stack-hci"
+
 [!INCLUDE [applies-to](../../includes/hci-applies-to-23h2.md)]
 
-This article describes how to enable default network access policies and assign these to virtual machines (VMs) running on Azure Stack HCI.
+::: zone-end
+
+:::zone pivot="windows-server"
+
+>Applies to: Windows Server 2025 (preview)
+> [!IMPORTANT]
+> Network access policies in Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
+::: zone-end
+
+This article describes how to enable default network access policies and assign these to virtual machines (VMs).
 
-Default network policies can be used to protect virtual machines running on your Azure Stack HCI from external unauthorized attacks. These policies block all inbound access to virtual machines on Azure Stack HCI (except the specified management ports you want enabled) while allowing all outbound access. Use these policies to ensure that your workload VMs have access to only required assets, thereby making it difficult for the threats to spread laterally.
+Default network policies can be used to protect virtual machines running from external unauthorized attacks. These policies block all inbound access to virtual machines (except the specified management ports you want enabled) while allowing all outbound access. Use these policies to ensure that your workload VMs have access to only required assets, thereby making it difficult for the threats to spread laterally.
 
 > [!NOTE]
 > In this release, you can enable and assign default network policies through the Windows Admin Center.
 
-## Enable default network access policies
+## Prerequisites
+
+Complete the following prerequisites to use network access policies:
+
+:::zone pivot="azure-stack-hci"
+
+- You have Azure Stack HCI 23H2 or later installed on your cluster. For more information, see how to [Install Azure Stack HCI](../deploy/install-azure-stack-hci.md).
+
+- You have Network Controller installed. Network Controller enforces the default network policies. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md).
+
+- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
+
+TODO: check Arc or non-Arc VMs?
+- You have created a VM. For more information, see how to [Create Arc virtual machines on Azure Stack HCI](create-arc-virtual-machines.md).
+
+- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+
+::: zone-end
+
+:::zone pivot="windows-server"
+
+- You have Windows Server 2025 or later. For more information, see [Get started with Windows Server](/windows-server/get-started/get-started-with-windows-server).
+
+- You have Network Controller installed. Network Controller enforces the default network policies. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md?context=/windows-server/context/windows-server-edge-networking).
+
+- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
+
+- You have created a VM. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
 
-To enable default network access policies, you need to install Network Controller (NC). Network Controller enforces the default network policies and is deployed in the virtual machines. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md).
+- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+
+::: zone-end
 
 ## Assign default network policies to a VM
 
@@ -42,10 +85,21 @@ Depending on the type of network you want to attach your VM to, steps may be dif
 
 After you have created a logical network in Windows Admin Center, you can create a VM in Windows Admin Center and attach it to the logical network. As part of VM creation, select the **Isolation Mode** as **Logical Network**, select the appropriate **Logical Subnet** under the Logical Network, and provide an IP address for the VM.
 
+:::zone pivot="azure-stack-hci"
+
 > [!NOTE]
 > Unlike in 22H2, you can no longer connect a VM directly to a VLAN using Windows Admin Center. Instead, you must create a logical network representing the VLAN, create a logical network subnet with the VLAN, and then attach the VM to the logical network subnet.
 
-Here's an example that explains how you can attach your VM directly to a VLAN with Azure Stack HCI 22H2 when Network Controller is installed. In this example, we demonstrate how to connect your VM to VLAN 5:
+::: zone-end
+
+:::zone pivot="windows-server"
+
+> [!NOTE]
+> You must create a logical network representing the VLAN, create a logical network subnet with the VLAN, and then attach the VM to the logical network subnet.
+
+::: zone-end
+
+Here's an example that explains how you can attach your VM directly to a VLAN when Network Controller is installed. In this example, we demonstrate how to connect your VM to VLAN 5:
 
 1. Create a logical network with any name. Ensure that Network Virtualization is disabled.
 
@@ -79,15 +133,15 @@ You have three options:
 
 ## VMs created outside of Windows Admin Center
 
-If you're using alternate mechanisms (for example, Hyper-V UI or New-VM PowerShell cmdlet) to create VMs on your Azure Stack HCI, and you have enabled default network access policies, you might encounter these two issues:
+If you're using alternate mechanisms (for example, Hyper-V UI or New-VM PowerShell cmdlet) to create VMs, and you have enabled default network access policies, you might encounter these two issues:
 
 - The VMs may not have network connectivity. This happens since the VM is being managed by a Hyper-V switch extension called Virtual Filtering Platform (VFP) and by default, the Hyper-V port connected to the VM is in blocked state.
 
     To unblock the port, run the following commands from a PowerShell session on a Hyper-V host where the VM is located:
 
     1. Run PowerShell as an administrator.
     1. Download and install the [SdnDiagnostics](https://www.powershellgallery.com/packages/SdnDiagnostics) module. Run the following command:
-    
+
         ```azurepowershell
         Install-Module -Name SdnDiagnostics
         ```
@@ -107,17 +161,26 @@ If you're using alternate mechanisms (for example, Hyper-V UI or New-VM PowerShe
         ```
 
         Ensure that VFP port profile information is returned for the adapter. If not, then proceed with associating a port profile.
- 
+
     1. Specify the ports to be unblocked on the VM.
-    
+
         ```azurepowershell
         Set-SdnVMNetworkAdapterPortProfile -VMName <VMName> -MacAddress <MACAddress> -ProfileId ([guid]::Empty) -ProfileData 2
         ```
 
 - The VM doesn't have default network policies applied. Since this VM was created outside Windows Admin Center, the default policies for the VM aren't applied, and the **Network Settings** for the VM doesn't display correctly. To rectify this issue, follow these steps:
 
+:::zone pivot="azure-stack-hci"
+
+    In Windows Admin Center, [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering). Create a subnet under the logical network and provide no VLAN ID or subnet prefix. Then, attach a VM to the logical network using the following steps:
+
+::: zone-end
+:::zone pivot="windows-server"
+
     In Windows Admin Center, [Create a logical network](./tenant-logical-networks.md). Create a subnet under the logical network and provide no VLAN ID or subnet prefix. Then, attach a VM to the logical network using the following steps:
 
+::: zone-end
+
     [!INCLUDE [hci-display-correct-default-network-policies-windows](../../includes/hci-display-correct-default-network-policies-windows.md)]
 
     :::image type="content" source="./media/manage-default-network-access-policies-virtual-machines/enable-policies-other-vms-1.png" alt-text="Screenshot showing how to enable default network to VLAN." lightbox="./media/manage-default-network-access-policies-virtual-machines/enable-policies-other-vms-1.png":::
@@ -126,4 +189,13 @@ If you're using alternate mechanisms (for example, Hyper-V UI or New-VM PowerShe
 
 Learn more about:
 
-- [Configure network security groups with tags](../concepts/datacenter-firewall-overview.md)
+:::zone pivot="azure-stack-hci"
+
+- [Configure network security groups with tags](../concepts/datacenter-firewall-overview.md)
+
+::: zone-end
+:::zone pivot="windows-server"
+
+- [Configure network security groups with tags](../concepts/datacenter-firewall-overview.md?context=/windows-server/context/windows-server-failover-clustering)
+
+::: zone-end
