
Commit 0c71fce

Line edits
1 parent b4ead72 commit 0c71fce

10 files changed

+22
-17
lines changed

learn-pr/azure/azure-vmware-solution/includes/1-introduction.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,8 +1,8 @@
1-
Organizations have very prescriptive network traffic security requirements. Noncompliance with network traffic security requirements can potentially result in costly penalties especially in heavily regulated industries such as healthcare or finance. This module demonstrates how to meet these network security requirements by securing outbound network traffic from Azure VMware Solution.
1+
Organizations have very prescriptive network traffic security requirements. Noncompliance with network traffic security requirements can potentially result in costly penalties, especially in heavily regulated industries such as healthcare or finance. This module demonstrates how to meet these network security requirements by securing outbound network traffic from Azure VMware Solution.
22

33
## Example Scenario
44

5-
You work for a healthcare industry customer Contoso. Contoso recently moved their applications from an on-premises VMware environment to Azure VMware Solution.
5+
You work for a healthcare industry customer, Contoso. Contoso recently moved their applications from an on-premises VMware environment to Azure VMware Solution.
66

77
Contoso's network security team wants to implement the same network traffic inspection and control process in Azure VMware Solution as they had in their on-premises environment. Carrying forward these same processes helps Contoso to remain compliant with rigorous healthcare industry regulations while accelerating their digital transformation initiatives further.
88
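Review bot: the unchanged heading on line 3, `## Example Scenario`, is title case while the headings touched elsewhere in this commit (`## Outbound network rules`, `## Protecting digital assets`) use sentence case; consider `## Example scenario`. Line 7, `while accelerating their digital transformation initiatives further`, reads awkwardly with the trailing `further`; `while further accelerating their digital transformation initiatives` flows better.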

learn-pr/azure/azure-vmware-solution/includes/10-network-security-management.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6,12 +6,12 @@ Azure Firewall is configured in "block by default" design. It means any network
66

77
## Outbound network rules
88

9-
While "block by default" is a good principle, you need legitimate traffic to be excluded from this principle. You can use one of the two features provided by Azure Firewall to exclude legitimate traffic from "block by default" configuration. The first feature is called "classic rules" or just "rules." Each Azure Firewall instance is configured with a rule, which consists of a protocol, source IP address space, source ports, destination IP address space, and destination ports. This is an excellent choice for smaller deployments. But for enterprise-grade deployments, this approach has limited scalability as the rules are defined per Azure Firewall instance. When there are multiple Azure Firewall instances, the process of defining rules becomes repetitive and difficult to manage. This is where the second feature, which uses Azure Firewall policy, becomes handy. By using Azure Firewall policy, rules are defined only once and then applied to multiple
10-
Azure Firewall instances.
9+
While "block by default" is a good principle, you need legitimate traffic to be excluded from this principle. You can use one of the two features provided by Azure Firewall to exclude legitimate traffic from "block by default" configuration.
10+
11+
The first feature is called "classic rules" or just "rules." Each Azure Firewall instance is configured with a rule, which consists of a protocol, source IP address space, source ports, destination IP address space, and destination ports. This is an excellent choice for smaller deployments. But for enterprise-grade deployments, this approach has limited scalability as the rules are defined per Azure Firewall instance. When there are multiple Azure Firewall instances, the process of defining rules becomes repetitive and difficult to manage. This is where the second feature, which uses Azure Firewall policy, becomes handy. By using Azure Firewall policy, rules are defined only once and then applied to multiple Azure Firewall instances.
1112

1213
## Firewall rules for Azure VMware Solution
1314

14-
In this unit, you'll use the "rule" feature instead of the "Azure Firewall policy" feature. However, using the "Azure Firewall policy" feature is recommended for enterprise-grade deployments as it offers better scalability and manageability. Defining firewall rules for Azure VMware Solution involves the workload segment IP address space, protocol, and ports. For destination type, select **IP Address**. For destination address space, choose **\*** and for destination ports, choose **\*** or specific ports such as 80, 443. etc.
15+
In this unit, you'll use the "rule" feature instead of the "Azure Firewall policy" feature. However, using the "Azure Firewall policy" feature is recommended for enterprise-grade deployments as it offers better scalability and manageability. Defining firewall rules for Azure VMware Solution involves the workload segment IP address space, protocol, and ports. For destination type, select **IP Address**. For destination address space, choose **\***. For destination ports, choose **\*** or specific ports such as 80, 443. etc.
1516

1617
:::image type="content" source="../media/10-network-rules.png" alt-text="Screenshot of Azure Firewall network rule. The menu entry titled 'IP Addresses' highlight source and destination addresses." lightbox="../media/10-network-rules.png":::
17-
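Review bot: the new line 15 still carries the stray period in `such as 80, 443. etc.`; make it `such as 80 or 443`. Two content points in the same hunk. Line 11 lists `source ports` among the fields of an Azure Firewall rule, but a network rule consists of protocol, source addresses, destination addresses and destination ports only, so drop `source ports`. Line 15 tells the reader to set destination address `*` and destination ports `*`, which is an allow-any-outbound rule for the workload segment and silently undoes the "block by default" design stated at line 6; say that the wildcard is for the exercise only and that a production rule should narrow the destination (specific addresses, a service tag, or FQDN-based application rules) and the ports.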

learn-pr/azure/azure-vmware-solution/includes/11-exercise-establish-outbound-internet.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ az vmware workload-network segment show --resource-group <resource-group-name>
1010
```
1111

1212
## Configure Azure Firewall Rule for Azure VMware Solution workload network segment
13+
1314
Use the following command to configure Firewall rule for workload segment:
1415

1516
```azurecli

learn-pr/azure/azure-vmware-solution/includes/2-outbound-internet-connectivity.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
## How workloads in Azure VMware Solution can be connected to internet
44

5-
When Azure VMware Solution private cloud is deployed, it offers multiple ways for outbound internet connectivity. If you're already using Azure Virtual WAN, then you can choose to inject the default route (0.0.0.0/0) which denotes outbound internet connectivity from Azure Virtual WAN integrated with either Azure Firewall or a certified third-party Network virtual Appliance (NVA). If you aren't using Azure Virtual WAN, then you can use a managed SNAT capability provided by Azure VMware Solution. If you're looking to use a fixed public IP address for connecting with the internet, then you can use a public IP deployed at NSX Edge of Azure VMware Solution.
5+
When Azure VMware Solution private cloud is deployed, it offers multiple ways for outbound internet connectivity. If you're already using Azure Virtual WAN, then you can choose to inject the default route (0.0.0.0/0), which denotes outbound internet connectivity from Azure Virtual WAN integrated with either Azure Firewall or a certified third-party Network virtual Appliance (NVA). If you aren't using Azure Virtual WAN, then you can use a managed SNAT capability provided by Azure VMware Solution. If you're looking to use a fixed public IP address for connecting with the internet, then you can use a public IP deployed at NSX Edge of Azure VMware Solution.
66

77
Choosing the right way for outbound internet connectivity depends upon whether you already have services like Azure Virtual WAN or not. Additionally, whether you require a fixed public IP address for all outbound internet connectivity or not also plays a role in choosing between Managed SNAT and public IP deployed at NSX Edge.
88
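Review bot: line 5 presents the default-route (0.0.0.0/0) option as something you do only "if you're already using Azure Virtual WAN", but the design this module builds (Azure Route Server plus an FRR NVA injecting 0.0.0.0/0 with Azure Firewall as next hop, as summarized in the 9-exercise change in this same commit) needs no Virtual WAN. Reword so the default-route option covers a default route advertised from a hub virtual network as well as from Virtual WAN; as written, the reader is steered to managed SNAT for the exact scenario the module then implements differently. Minor: `Network virtual Appliance` should be `network virtual appliance`, and `managed SNAT` (line 5) versus `Managed SNAT` (line 7) should use one casing.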

learn-pr/azure/azure-vmware-solution/includes/4-exchange-routes-with-avs.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@
22

33
## Network paths in Azure VMware Solution private cloud
44

5-
Azure VMware Solution private cloud contains a management segment which is used to run infrastructure services such as vSAN, NSX Data Center, private cloud management, etc. Additionally, there can be one or more network segments for running applicationscommonly referred as workload segments. Management and workload segments both use the private IP address space. Virtual machines (VMs) running on a workload segment can communicate with each other. However, extra configuration is required for workload segment VMs to communicate outside of Azure VMware Solution private cloud which is discussed in the [Default outbound internet connectivity for Azure VMware Solution](../2-outbound-internet-connectivity.yml) unit.
5+
Azure VMware Solution private cloud contains a management segment which is used to run infrastructure services such as vSAN, NSX Data Center, private cloud management, etc. Additionally, there can be one or more network segments for running applications, commonly referred to as workload segments. Management and workload segments both use the private IP address space. Virtual machines (VMs) running on a workload segment can communicate with each other. However, extra configuration is required for workload segment VMs to communicate outside of Azure VMware Solution private cloud which is discussed in the [Default outbound internet connectivity for Azure VMware Solution](../2-outbound-internet-connectivity.yml) unit.
66

77
## Network paths in Azure
88
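Review bot: the comma fix on line 5 leaves a second one missing in the same sentence: `outside of Azure VMware Solution private cloud which is discussed in` needs a comma before `which`, since it is a non-restrictive clause, exactly like the `applications, commonly referred to as` fix just made.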

learn-pr/azure/azure-vmware-solution/includes/5-exercise-create-route-server.md

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
The following steps explain how to create and configure Azure Route Server (ARS) using Azure Command Line Interface (CLI). However, you can use Azure portal, PowerShell, or Terraform to achieve the same effect.
22

33
## Create Resource Group & Virtual Network
4-
The recommendation is to deploy Azure VMware Solution private cloud as part of Azure Landing Zone Architecture. Using Landing Zone architecture helps to meet changing requirements effectively, meet governance requirements faster and promote reuse of shared services to drive cost optimization. In this architecture, a separate subscription is used to deploy Azure VMware Solution private cloud. Azure Landing Zone connectivity subscription should be used to deploy Azure Networking services such as Azure Route Server, Azure ExpressRoute Gateway, Azure Firewall, etc.
4+
5+
The recommendation is to deploy Azure VMware Solution private cloud as part of Azure Landing Zone Architecture. Using Landing Zone architecture helps to meet changing requirements effectively, meet governance requirements faster, and promote reuse of shared services to drive cost optimization. In this architecture, a separate subscription is used to deploy Azure VMware Solution private cloud. Azure Landing Zone connectivity subscription should be used to deploy Azure Networking services such as Azure Route Server, Azure ExpressRoute Gateway, Azure Firewall, etc.
56

67
The first step is to configure Azure VMware Solution private cloud with the right resource group and virtual network to enable outbound internet connectivity.
78
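Review bot: line 7, `The first step is to configure Azure VMware Solution private cloud with the right resource group and virtual network`, contradicts the paragraph above it, which says Route Server, the ExpressRoute gateway and Azure Firewall belong in the Landing Zone connectivity subscription rather than in the private cloud. The resource group and virtual network created under this heading host those networking services, so say that, for example `The first step is to create the resource group and virtual network that will host Azure Route Server and Azure Firewall.` Also `## Create Resource Group & Virtual Network` uses `&` and title case where the other headings in this commit use sentence case.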

@@ -30,7 +31,8 @@ az network routeserver create --name <routeserver-name> --resource-group <resou
3031
```
3132

3233
## Enable Branch-to-branch connectivity
33-
The last step is to set up your route exchange mechanism is to enable branch-to-branch connectivity:
34+
35+
The last step to set up your route exchange mechanism is to enable branch-to-branch connectivity:
3436

3537
```azurecli
3638
az network routeserver update --name <routeserver-name> --resource-group <resource-group-name> --allow-b2b-traffic true
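Review bot: line 35 says enabling branch-to-branch connectivity is the last step but never says why it matters here; add one sentence: with `--allow-b2b-traffic true`, routes that Route Server learns from the NVA over BGP are also exchanged with the ExpressRoute gateway, which is how the 0.0.0.0/0 route injected in the later FRR unit reaches the Azure VMware Solution private cloud. Without it the default route never leaves the virtual network and the workload segment has no path to Azure Firewall.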

learn-pr/azure/azure-vmware-solution/includes/6-securing-network-communication.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,14 +2,14 @@
22

33
## Protecting digital assets
44

5-
You must protect every virtual machine (VM) that gets deployed in Azure and Azure VMware Solution private cloud. Network traffic in and out of Azure VMware Solution private cloud must be inspected for malicious activity in real time. Contoso wants to allow their IT administrators to allow or deny access to potentially risky websites such as certain types of social media websites.
5+
You must protect every virtual machine (VM) that gets deployed in Azure and Azure VMware Solution private cloud. Network traffic in and out of Azure VMware Solution private cloud must be inspected for malicious activity in real time. Contoso wants to allow their IT administrators to allow or deny access to potentially risky websites such as certain types of social media websites.
66

77
## Controlling network traffic
88

99
Contoso has multiple Azure Virtual Networks (VNets). Each VNet has multiple subnets. Contoso needs clearly defined rules established that permit well-defined network traffic across subnets. Such rules enable Contoso to control how each subnet initiates network traffic. It also gives them the ability to override Azure's default network policy of allowing network flow across subnets.
1010

1111
## Firewall Internet Route
1212

13-
After Contoso evaluated the requirements around protection and controlling of network traffic, they chose to use Azure Firewall. It's a stateful, managed firewall as a service. Azure Firewall provides traffic filtering through hybrid network connectivity using ExpressRoute and VPN gateways which is relevant for Azure VMware Solution private cloud. While Azure Firewall can be used for traffic filtering, it needs direct access to the internet itself which is achieved by configuring the appropriate rules on the subnet in which Azure Firewall is deployed.
13+
After Contoso evaluated the requirements around protection and controlling of network traffic, they chose to use Azure Firewall. It's a stateful, managed firewall as a service. Azure Firewall provides traffic filtering through hybrid network connectivity using ExpressRoute and VPN gateways, which is relevant for Azure VMware Solution private cloud. While Azure Firewall can be used for traffic filtering, it needs direct access to the internet itself which is achieved by configuring the appropriate rules on the subnet in which Azure Firewall is deployed.
1414

1515
Use instructions in the following unit for technical implementation of Azure Firewall and network traffic controls. This implementation helps to meet key network security requirements discussed in this unit.
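Review bot: line 13 says Azure Firewall's own internet access "is achieved by configuring the appropriate rules on the subnet in which Azure Firewall is deployed", but what the exercise actually does is attach a route table to the firewall's subnet (the `ToInternet` route table with a default route and next hop Internet, per the screenshot alt-text in the 9-exercise change in this commit). `rules` reads as NSG or firewall rules; say `a route table on the firewall's subnet with a default route whose next hop is Internet`. Minor, line 5: `allow their IT administrators to allow or deny` repeats `allow`; `let their IT administrators allow or deny` avoids it.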

learn-pr/azure/azure-vmware-solution/includes/7-exercise-create-firewall.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
> [!IMPORTANT]
1+
> [!IMPORTANT]
22
33
> Try our Secure Outbound Internet Connectivity click-through demo. This demo shows how to use Azure vNET with Route Server, a network virtual appliance (NVA), and Azure Firewall to inspect and manage traffic originating from Azure VMware Solution and heading to the internet. [Try now](https://regale.cloud/microsoft/play/4174/secure-outbound-internet-connectivity#/0/0)
44
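Review bot: the change to line 1 is whitespace-only, which is fine, but the unchanged line 3 in the same hunk has `Azure vNET`; the module writes `Azure Virtual Networks (VNets)` in 6-securing-network-communication.md, so use `Azure VNet` here.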

learn-pr/azure/azure-vmware-solution/includes/8-using-frrouting-nva.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,11 +5,13 @@
55
NVAs are part of Contoso's Standard Operating Process (SOP). Contoso's monitoring and management processes rely on certain feature sets (like traffic rules and network segmentation) being available in NVAs. Using the same processes and features makes it easy for Contoso to migrate from an on-premises environment to Azure.
66

77
## Skills
8+
89
As part of Contoso's IT team, you developed deep knowledge of the NVA over the years. It's a good thing that those NVAs can be deployed and operated in Azure. You can carry forward your NVA skills in Azure instead of learning a corresponding Azure service.
910

1011
## Open-source
12+
1113
NVAs can either be proprietary or open source. Open source NVAs are developed by the technical community as opposed to a commercial vendor. Proprietary NVAs incur additional costs but provide guaranteed support. With open source NVAs, you have access to source code and rely upon the technical community for any support. At Contoso, you use an open-source implementation for the NVA. Such an implementation gives you flexibility to use open protocols such as BGP. You can use NVA capability to generate a default route. NVAs offers simple integration with VMs and networks running in Azure.
1214

13-
The considerations previously discussed are the key reasons why Contoso uses FRRouting (FRR) an open source and free implementation for network routing.
15+
The considerations previously discussed are the key reasons why Contoso uses FRRouting (FRR), an open source and free implementation for network routing.
1416

1517
In the next unit, you'll practice how to configure FRR in Azure and generate the default route.
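Review bot: line 11 has a subject-verb error in the unchanged context, `NVAs offers simple integration`, the same class of fix this commit makes elsewhere; make it `NVAs offer`. The same line says that with open source NVAs you `rely upon the technical community for any support`; for a component on the firewall path that also means Contoso owns tracking and applying FRR and host OS security updates itself, which is worth stating because it is the real cost behind `free` on line 15. Minor: the heading is `## Open-source` while the body uses `open source`; pick one.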

learn-pr/azure/azure-vmware-solution/includes/9-exercise-configure-custom-router.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -102,9 +102,9 @@ This step configures the FRR NVA to have Azure Route Server as its BGP neighbor.
102102
!
103103
```
104104
105-
1. sign in to FRR shell.
105+
1. Sign in to FRR shell.
106106
1. Paste the script with updated variables.
107-
1. Run `show ip bgp` to confirm that the NVA didn't learned routes except its own default route.
107+
1. Run `show ip bgp` to confirm that the NVA didn't learn routes except its own default route.
108108
1. Run `show ip bgp sum` to confirm that the NVA didn't established BGP sessions.
109109
110110
:::image type="content" source="../media/9-config-bgp-showip-nosession.png" alt-text="Screenshot of command execution on NVA VM. Screenshot shows Azure Route Server as BGP neighbor for NVA.":::
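Review bot: the fix on line 107 (`didn't learned` to `didn't learn`) leaves the same error on the unchanged line 108: `didn't established BGP sessions` should be `didn't establish BGP sessions`. Line 105, `Sign in to FRR shell`, wants an article: `the FRR shell`.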
@@ -130,6 +130,6 @@ The following steps establish a BGP peer relationship between the FRR NVA and Az
130130

131131
:::image type="content" source="../media/9-config-bgp-route-table.png" alt-text="Screenshot of Azure portal menu. The menu entry titled “ToInternet” route table highlights default route configured with Internet as next hop.":::
132132

133-
At this point, you configured Azure VMware Solution private cloud to implement secure outbound internet connectivity. You deployed Azure Route Server for an effective route exchange between Azure VMware Solution private cloud and the NVA. You then deployed Azure Firewall as the exit point for all internet-bound traffic. This was followed-up by using FRRa custom router, which injects default route with Azure Firewall as the next hop into Azure VMware Solution private cloud.
133+
At this point, you configured Azure VMware Solution private cloud to implement secure outbound internet connectivity. You deployed Azure Route Server for an effective route exchange between Azure VMware Solution private cloud and the NVA. You then deployed Azure Firewall as the exit point for all internet-bound traffic. This was followed-up by using FRR, a custom router which injects a default route with Azure Firewall as the next hop into Azure VMware Solution private cloud.
134134

135135
In the next unit, you'll learn how to implement fine-grained access controls in Azure Firewall, which allows/denies network traffic from Azure VMware Solution private cloud.
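Review bot: line 133 still has `followed-up`, which as a verb is `followed up`, and `allows/denies` on line 135 should be `allows or denies`. The alt-text on line 131 uses curly quotes around “ToInternet” while the other alt-text in this commit uses straight quotes.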
