Acrolinx and prerequisite edits

Author: robinharwood

azure-stack/hci/manage/configure-network-security-groups-with-tags.md

@@ -7,7 +7,7 @@ ms.topic: article
 author: sethmanheim
 ms.subservice: core-os
 zone_pivot_groups: windows-os
-ms.date: 10/03/2024
+ms.date: 10/10/2024
 ---
 
 # Configure network security groups with tags in Windows Admin Center
@@ -40,11 +40,11 @@ Complete the following prerequisites to use network security groups with tags:
 
 - You have Network Controller installed. Network Controller enforces the default network policies. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md).
 
-- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
+- You have a logical network or a virtual network to use. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
 
-- You have created a VM. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
+- You have a VM to apply a network security group to. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
 
-- FIXME: You have permissions to manage network. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+- You have administrator permissions or equivalent to the cluster nodes and network controller.
 
 ::: zone-end
 
@@ -54,11 +54,11 @@ Complete the following prerequisites to use network security groups with tags:
 
 - You have Network Controller installed. For more information, see how to [Deploy an SDN infrastructure using SDN Express](../manage/sdn-express?context=/windows-server/context/windows-server-edge-networking).
 
-- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
+- You have a logical network or a virtual network to use. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
 
-- You have created a VM. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
+- You have a VM to apply a network security group to. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
 
-- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+- You have administrator permissions or equivalent to the cluster nodes and network controller.
 
 ::: zone-end
 
@@ -70,9 +70,9 @@ Network security groups allow you to configure access policies based on network
 
 - When building policies for applications, you might want to reuse them across different scenarios. For example, if your production web app can only be reached over port 80 from the internet, and can't be reached by other apps in production or other environments, you'd have a similar policy for any new app. However, with network segmentation, recreating policies becomes necessary due to unique network elements for each app.
 
-- If you decommission an old application and provision a new one within the same network segment, policy adjustments are required.
+- If you decommission an old application and deploy a new one within the same network segment, policy adjustments are required.
 
-With the network security tags feature, you no longer need to track the network segments where your applications are hosted. This simplifies policy management and avoids the complexities associated with network constructs. Let's reconsider the example with Web Server and database VMs: Tag the corresponding VMs with "Web" and "Database" network security tags, then create a rule to restrict communication between "Web" and "Database" tags.
+With network security tags, you no longer need to track the network segments where your applications are hosted. Network security tags simplify policy management and avoids the complexities associated with network constructs. Let's reconsider the example with Web Server and database VMs: Tag the corresponding VMs with "Web" and "Database" network security tags, then create a rule to restrict communication between "Web" and "Database" tags.
 
 ## Create network security tag based network security groups
 
@@ -176,7 +176,7 @@ After you create a network security group, you're ready to create network securi
     | ----- | ----------- |
     | **Name** | Name of the rule. |
     | **Priority** | Priority of the rule. Acceptable values are **101** to **65000**. A lower value denotes a higher priority. |
-    | **Types** | Type of the rule. This can be **Inbound** or **Outbound**. |
+    | **Types** | Type of the rule. This rule type can be **Inbound** or **Outbound**. |
     | **Protocol** | Protocol to match either an incoming or outgoing packet. Acceptable values are **All**, **TCP** and **UDP**. |
     | **Source** | Select **Network Security Tag**.<br><br>**Note:** You can either select an address prefix or a network security tag but not both. |
     | **Source Security Tag Type** | (Optional) Select a type for the tag. |
@@ -203,6 +203,7 @@ You can apply a network security group to:
 - [Network security tag](#apply-network-security-group-to-a-network-security-tag)
 
 ::: zone-end
+
 :::zone pivot="windows-server"
 
 - [Virtual network subnet](use-datacenter-firewall-windows-admin-center.md?context=/windows-server/context/windows-server-failover-clustering#apply-a-network-security-group-to-a-virtual-network)

azure-stack/hci/manage/manage-default-network-access-policies-virtual-machines-23h2.md

@@ -7,7 +7,7 @@ ms.topic: article
 author: alkohli
 ms.subservice: core-os
 zone_pivot_groups: windows-os
-ms.date: 10/03/2024
+ms.date: 10/10/2024
 ---
 
 # Use default network access policies on virtual machines on Azure Stack HCI, version 23H2
@@ -26,9 +26,9 @@ ms.date: 10/03/2024
 
 ::: zone-end
 
-This article describes how to enable default network access policies and assign these to virtual machines (VMs).
+This article describes how to enable default network access policies and assign them to virtual machines (VMs).
 
-Default network policies can be used to protect virtual machines running from external unauthorized attacks. These policies block all inbound access to virtual machines (except the specified management ports you want enabled) while allowing all outbound access. Use these policies to ensure that your workload VMs have access to only required assets, thereby making it difficult for the threats to spread laterally.
+Default network policies can be used to protect virtual machines running from external unauthorized attacks. These policies block all inbound access to virtual machines (except the specified management ports you want enabled) while allowing all outbound access. Use these policies to ensure that your workload VMs have access to only required assets, making it difficult for the threats to spread laterally.
 
 > [!NOTE]
 > In this release, you can enable and assign default network policies through the Windows Admin Center.
@@ -43,11 +43,11 @@ Complete the following prerequisites to use network access policies:
 
 - You have Network Controller installed. Network Controller enforces the default network policies. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md).
 
-- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
+- You have a logical network or a virtual network to use. For more information, see how to [Create a logical network](./tenant-logical-networks.md) or [Create a virtual network](./tenant-virtual-networks.md).
 
-- You have created a VM. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
+- You have a VM to apply policies to. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
 
-- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+- You have administrator permissions or equivalent to the cluster nodes and network controller.
 
 ::: zone-end
 
@@ -57,26 +57,26 @@ Complete the following prerequisites to use network access policies:
 
 - You have Network Controller installed. Network Controller enforces the default network policies. For more information, see how to [Install Network Controller](../deploy/sdn-wizard-23h2.md?context=/windows-server/context/windows-server-edge-networking).
 
-- You have created a logical network or a virtual network. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
+- You have a logical network or a virtual network to use. For more information, see how to [Create a logical network](./tenant-logical-networks.md?context=/windows-server/context/windows-server-failover-clustering) or [Create a virtual network](./tenant-virtual-networks.md?context=/windows-server/context/windows-server-failover-clustering).
 
-- You have created a VM. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
+- You have a VM to apply policies to. For more information, see how to [Manage VMs with Windows Admin Center](vm.md?context=/windows-server/context/windows-server-failover-clustering#create-a-new-vm).
 
-- FIXME: You have permissions to manage network access policies. For more information, see how to [Assign permissions to manage network access policies](./assign-permissions.md).
+- You have administrator permissions or equivalent to the cluster nodes and network controller.
 
 ::: zone-end
 
 ## Assign default network policies to a VM
 
 You can attach default policies to a VM in two ways:
 
-- During VM creation. You'll need to attach the VM to a logical network (traditional VLAN network) or an SDN virtual network.
+- During VM creation. You need to attach the VM to a logical network (traditional VLAN network) or an SDN virtual network.
 - Post VM creation.
 
 ### Create and attach networks
 
-Depending on the type of network you want to attach your VM to, steps may be different.
+Depending on the type of network you want to attach your VM to, steps might be different.
 
-- **Attach VMs to a physical network**: Create one or more logical networks to represent those physical networks. A logical network is just a representation of the physical network(s) available to your Azure Stack HCI. For more information, see how to [Create a logical network](./tenant-logical-networks.md).
+- **Attach VMs to a physical network**: Create one or more logical networks to represent those physical networks. A logical network is just a representation of one or more physical networks available to your Azure Stack HCI. For more information, see how to [Create a logical network](./tenant-logical-networks.md).
 
 - **Attach VMs to a SDN virtual network**: Create a virtual network before you create the VM. For more information, see how to [Create a virtual network](./tenant-virtual-networks.md).
 
@@ -112,29 +112,29 @@ Here's an example that explains how you can attach your VM directly to a VLAN wh
 
 ### Apply default network policies
 
-When you create a VM through Windows Admin Center, you'll see a **Security level** setting.
+When you create a VM through Windows Admin Center, you see a **Security level** setting.
 
 :::image type="content" source="./media/manage-default-network-access-policies-virtual-machines/security-level-2.png" alt-text="Screenshot showing the three security level options for VMs in Windows Admin Center." lightbox="./media/manage-default-network-access-policies-virtual-machines/security-level-2.png":::
 
 You have three options:
 
-- **No protection** - Choose this option if you don't want to enforce any network access policies to your VM. When this option is selected, all ports on your VM are exposed to external networks thereby posing a security risk. This option isn't recommended.
+- **No protection** - Choose this option if you don't want to enforce any network access policies to your VM. When this option is selected, all ports on your VM are exposed to external networks posing a security risk. This option isn't recommended.
 
     :::image type="content" source="./media/manage-default-network-access-policies-virtual-machines/no-protection-1.png" alt-text="Screenshot showing the No protection option selected for VMs in Windows Admin Center." lightbox="./media/manage-default-network-access-policies-virtual-machines/no-protection-1.png":::
 
 - **Open some ports** - Choose this option to go with default policies. The default policies block all inbound access and allow all outbound access. You can optionally enable inbound access to one or more well defined ports, for example, HTTP, HTTPS, SSH, or RDP as per your requirements.
 
     :::image type="content" source="./media/manage-default-network-access-policies-virtual-machines/ports-to-open-1.png" alt-text="Screenshot showing the ports that can be opened on VMs specified during VM creation in Windows Admin Center." lightbox="./media/manage-default-network-access-policies-virtual-machines/ports-to-open-1.png":::
 
-- **Use existing NSG** - Choose this option to apply custom policies. You'll specify a Network Security Group (NSG) that you've already created.
+- **Use existing NSG** - Choose this option to apply custom policies. You specify a Network Security Group (NSG) that you've already created.
 
     :::image type="content" source="./media/manage-default-network-access-policies-virtual-machines/use-existing-nsg-1.png" alt-text="Screenshot showing the existing network security group selected during VM creation in Windows Admin Center." lightbox="./media/manage-default-network-access-policies-virtual-machines/use-existing-nsg-1.png":::
 
 ## VMs created outside of Windows Admin Center
 
-If you're using alternate mechanisms (for example, Hyper-V UI or New-VM PowerShell cmdlet) to create VMs, and you have enabled default network access policies, you might encounter these two issues:
+You might encounter issues when you create VMs outside of Windows Admin Center and you have enabled default network access policies. For example, you've enabled default network access policies and created VMs using Hyper-V UI or New-VM PowerShell cmdlet.
 
-- The VMs may not have network connectivity. This happens since the VM is being managed by a Hyper-V switch extension called Virtual Filtering Platform (VFP) and by default, the Hyper-V port connected to the VM is in blocked state.
+- The VMs might not have network connectivity. Since the VM is being managed by a Hyper-V switch extension called Virtual Filtering Platform (VFP) and by default, the Hyper-V port connected to the VM is in blocked state.
 
     To unblock the port, run the following commands from a PowerShell session on a Hyper-V host where the VM is located:
 
@@ -145,7 +145,7 @@ If you're using alternate mechanisms (for example, Hyper-V UI or New-VM PowerShe
         Install-Module -Name SdnDiagnostics
         ```
 
-        Alternatively, if already installed then use the following:
+        Alternatively, if already installed then use the following command:
 
         ```azurepowershell
         Update-Module -Name SdnDiagnostics
@@ -200,6 +200,7 @@ Learn more about:
 - [Configure network security groups with tags](../concepts/datacenter-firewall-overview.md)
 
 ::: zone-end
+
 :::zone pivot="windows-server"
 
 - [Configure network security groups with tags](../concepts/datacenter-firewall-overview.md?context=/windows-server/context/windows-server-failover-clustering)