Commit 6885e27

changed files by pdets auto publish service, publishid[adfe811b-e4f6-447d-a261-d256f5224b5b] and do [publish].
1 parent 055c0bc commit 6885e27

4 files changed

+21
-18
lines changed

learn-pr/wwl-azure/security-virtual-networks/includes/14-azure-best-practices-network-security.md

Lines changed: 3 additions & 3 deletions
@@ -41,7 +41,7 @@ Best practice: Simplify network security group rule management by defining [Appl
4141

4242
## Adopt a Zero Trust approach
4343

44-
Perimeter-based networks operate on the assumption that all systems within a network can be trusted. But today's employees access their organization's resources from anywhere on various devices and apps, which makes perimeter security controls irrelevant. Access control policies that focus only on who can access a resource aren't enough. To master the balance between security and productivity, security admins also need to factor in *how* a resource is being accessed.
44+
Perimeter-based networks operate on the assumption that all systems within a network can be trusted. But today's employees access their organization's resources from anywhere on various devices and apps, which make perimeter security controls irrelevant. Access control policies that focus only on who can access a resource aren't enough. To master the balance between security and productivity, security admins also need to factor in *how* a resource is being accessed.
4545

4646
Networks need to evolve from traditional defenses because networks might be vulnerable to breaches: an attacker can compromise a single endpoint within the trusted boundary and then quickly expand a foothold across the entire network. [Zero Trust](/security/zero-trust/deploy/networks) networks eliminate the concept of trust based on network location within a perimeter. Instead, Zero Trust architectures use device and user trust claims to gate access to organizational data and resources. For new initiatives, adopt Zero Trust approaches that validate trust at the time of access.
4747

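Review bot: The change on line 44 from "makes" to "make" introduces an agreement error rather than fixing one: the "which" clause refers to the whole preceding statement (employees accessing resources from anywhere), a singular antecedent, so "which makes perimeter security controls irrelevant" was correct. If the intent is to avoid the ambiguous "which", split the sentence instead: "...on various devices and apps. That makes perimeter security controls irrelevant."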
@@ -87,7 +87,7 @@ To find available Azure virtual network security appliances, go to the [Azure Ma
8787

8888
A [perimeter network](/azure/architecture/vdc/networking-virtual-datacenter) (also known as a DMZ) is a physical or logical network segment that provides an extra layer of security between your assets and the internet. Specialized network access control devices on the edge of a perimeter network allow only desired traffic into your virtual network.
8989

90-
Perimeter networks are useful because you can focus your network access control management, monitoring, logging, and reporting on the devices at the edge of your Azure virtual network. A perimeter network is where you typically enable [distributed denial of service (DDoS) protection](/azure/ddos-protection/ddos-protection-overview), intrusion detection/intrusion prevention systems (IDS/IPS), firewall rules and policies, web filtering, network antimalware, and more. The network security devices sit between the internet and your Azure virtual network and have an interface on both networks.
90+
Perimeter networks are useful because you can focus your network access control management, monitoring, logging, and reporting on the devices at the edge of your Azure virtual network. A perimeter network is where you typically enable [distributed denial of service (DDoS) protection](/azure/ddos-protection/ddos-protection-overview), intrusion detection/intrusion prevention systems (IDS/IPS), firewall rules and policies, web filtering, network anti-malware, and more. The network security devices sit between the internet and your Azure virtual network and have an interface on both networks.
9191

9292
Although this is the basic design of a perimeter network, there are many different designs, like back-to-back, tri-homed, and multi-homed.
9393

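Review bot: Line 90 changes "antimalware" to the hyphenated "anti-malware", which is inconsistent with the closed form used in the product name Microsoft Antimalware for Azure and elsewhere in Azure documentation; keep "antimalware" unless the module deliberately uses the hyphenated spelling throughout.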
@@ -131,7 +131,7 @@ Load-balancing option: Use [Azure Application Gateway](/azure/application-gatewa
131131
Scenario: You need to load balance incoming connections from the internet among your servers located in an Azure virtual network. Scenarios are when you:
132132

133133
- Have stateless applications that accept incoming requests from the internet.
134-
- Don't require sticky sessions or TLS offload. Sticky sessions is a method used with Application Load Balancing, to achieve server-affinity.
134+
- Don't require sticky sessions or TLS offload. Sticky sessions are a method used with Application Load Balancing, to achieve server-affinity.
135135

136136
Load-balancing option: Use the Azure portal to [create an external load balancer](/azure/load-balancer/quickstart-load-balancer-standard-public-portal) that spreads incoming requests across multiple VMs to provide a higher level of availability.
137137

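Review bot: The verb fix on line 134 is right, but the sentence still carries a stray comma and an unneeded hyphen; suggest "Sticky sessions are a method used with application load balancing to achieve server affinity." Lower-casing "application load balancing" also avoids reading it as a product name in a section that is about Azure Load Balancer.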
learn-pr/wwl-azure/security-virtual-networks/includes/2-data-protection-logging-threat-detection-network-security.md

Lines changed: 14 additions & 14 deletions
@@ -8,7 +8,7 @@ Data Protection covers control of data protection at rest, in transit, and via a
88
| ------------------------- | --------------------------- | ------------------------ |
99
| 3.10 | SC-8 | 3.5, 3.6, 4.1 |
1010

11-
Security principle: Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers cannot easily read or modify the data.
11+
Security principle: Protect the data in transit against 'out of band' attacks (such as traffic capture) using encryption to ensure that attackers can't easily read or modify the data.
1212

1313
Set the network boundary and service scope where data in transit encryption is mandatory inside and outside of the network. While this is optional for traffic on private networks, this is critical for traffic on external and public networks.
1414

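Review bot: Line 11 still claims that encryption ensures attackers can't "read or modify" data in transit; encryption alone protects confidentiality, while tamper detection comes from integrity protection (a MAC or an authenticated-encryption cipher suite, as TLS provides). Suggest "using encryption with integrity protection (for example, TLS) to ensure that attackers can't easily read or modify the data."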
@@ -91,7 +91,7 @@ AWS implementation and additional context:
9191

9292
GCP guidance: Most of the network activities logs are available through the VPC Flow Logs which records a sample of network flows send from and received by resources, including instances used as Google Compute VMs, Kubernetes Engine nodes. These logs can be used for network monitoring, forensics, real-time security analysis, and expense optimization.
9393

94-
You can view flow logs in Cloud Logging, and export logs to the destination that Cloud Logging export supports. Flow logs are aggregated by connection from Compute Engine VM’s and exported in real time. By subscribing to Pub/Sub, you can analyze flow logs using real-time streaming APIs.
94+
You can view flow logs in Cloud Logging, and export logs to the destination that Cloud Logging export supports. Flow logs are aggregated by connection from Compute Engine VMs and exported in real time. By subscribing to Pub/Sub, you can analyze flow logs using real-time streaming APIs.
9595

9696
> [!NOTE]
9797
> You can also use Packet Mirroring clones the traffic of specified instances in your Virtual Private Cloud (VPC) network and forwards it for examination. Packet Mirroring captures all traffic and packet data, including payloads and headers.
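Review bot: While fixing "VM's" on line 94, the neighbouring context needs the same care: line 92 should read "VPC Flow Logs, which record a sample of network flows sent from and received by resources", and the note on line 97 is missing a relative pronoun ("You can also use Packet Mirroring, which clones the traffic of specified instances...").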
@@ -125,7 +125,7 @@ Examples of high-risk workload include:
125125

126126
- An application storing or processing highly sensitive data.
127127
- An external network-facing application accessible by the public or users outside of your organization.
128-
- An application using insecure architecture or containing vulnerabilities that cannot be easily remediated.
128+
- An application using insecure architecture or containing vulnerabilities that can't be easily remediated.
129129

130130
To enhance your enterprise segmentation strategy, restrict or monitor traffic between internal resources using network controls. For specific, well-defined applications (such as a 3-tier app), this can be a highly secure "deny by default, permit by exception" approach by restricting the ports, protocols, source, and destination IPs of the network traffic. If you have many applications and endpoints interacting with each other, blocking traffic may not scale well, and you may only be able to monitor traffic.
131131

@@ -183,36 +183,36 @@ Customer security stakeholders ([Learn more](/azure/cloud-adoption-framework/org
183183

184184
Security principle: Secure cloud services by establishing a private access point for resources. You should also disable or restrict access from public networks when possible.
185185

186-
Azure guidance: Deploy private endpoints for all Azure resources that support the Private Link feature to establish a private access point for the resources. Using Private Link will keep the private connection from routing through the public network.
186+
Azure guidance: Deploy private endpoints for all Azure resources that support the Private Link feature to establish a private access point for the resources. Using Private Link keeps the private connection from routing through the public network.
187187

188188
> [!NOTE]
189-
> Certain Azure services may also allow private communication through the service endpoint feature, though it is recommended to use Azure Private Link for secure and private access to services hosted on Azure platform.
189+
> Certain Azure services may also allow private communication through the service endpoint feature, though it's recommended to use Azure Private Link for secure and private access to services hosted on Azure platform.
190190
191191
For certain services, you can choose to deploy VNet integration for the service where you can restrict the VNET to establish a private access point for the service.
192192

193193
You also have the option to configure the service native network ACL rules or simply disable public network access to block access from public networks.
194194

195-
For Azure VMs, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network.
195+
For Azure VMs, unless there's a strong use case, you should avoid assigning public IPs/subnet directly to the VM interface and instead use gateway or load balancer services as the front-end for access by the public network.
196196

197197
Azure implementation and additional context:
198198

199199
- [Understand Azure Private Link](/azure/private-link/private-link-overview)
200200
- [Integrate Azure services with virtual networks for network isolation](/azure/virtual-network/vnet-integration-for-azure-services)
201201

202-
AWS guidance: Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink will keep the private connection from routing through the public network.
202+
AWS guidance: Deploy VPC PrivateLink for all AWS resources that support the PrivateLink feature, to allow private connection to the supported AWS services or services hosted by other AWS accounts (VPC endpoint services). Using PrivateLink keeps the private connection from routing through the public network.
203203

204204
For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic.
205205

206206
You also have the option to configure the service native ACL rules to block access from the public network. For example, Amazon S3 allows you to block public access at the bucket or account level.
207207

208-
When assigning IPs to your service resources in your VPC, unless there is a strong use case, you should avoid assigning public IPs/subnet directly to your resources and instead use private IPs/subnet.
208+
When assigning IPs to your service resources in your VPC, unless there's a strong use case, you should avoid assigning public IPs/subnet directly to your resources and instead use private IPs/subnet.
209209

210210
AWS implementation and additional context:
211211

212212
- [AWS PrivateLink](https://docs.aws.amazon.com/vpc/latest/privatelink/endpoint-service.html)
213213
- [Blocking public access to your Amazon S3 storage](https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html)
214214

215-
GCP guidance: Deploy VPC Private Google Access implementations for all GCP resources that support it to establish a private access point for the resources. These private access options will keep the private connection from routing through the public network. Private Google Access has VM instances that only have internal IP addresses (no external IP adresses)
215+
GCP guidance: Deploy VPC Private Google Access implementations for all GCP resources that support it to establish a private access point for the resources. These private access options keeps the private connection from routing through the public network. Private Google Access has VM instances that only have internal IP addresses (no external IP addresses)
216216

217217
For certain services, you can choose to deploy the service instance into your own VPC to isolate the traffic. You also have the option to configure the service native ACL rules to block access from the public network. For example, the App Engine firewall allows you to control which network traffic is allowed or rejected when communicating with the App Engine resource. Cloud Storage is another resource where you can enforce public access prevention on individual buckets or at the organization level.
218218

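Review bot: Line 215 introduces a subject-verb disagreement: "These private access options keeps" should be "keep" (the original "will keep" was grammatical; the new present tense needs the plural form). The trailing sentence on the same line also lacks a period and misstates the feature: Private Google Access doesn't "have" VM instances, it lets VM instances that have only internal IP addresses reach Google APIs and services, so consider "Private Google Access lets VM instances that have only internal IP addresses (no external IP addresses) reach Google APIs and services." Minor: "VNET" on line 191 should match the "VNet" casing used earlier in the same sentence, and "services hosted on Azure platform" on line 189 wants "the Azure platform".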
@@ -299,8 +299,8 @@ AWS implementation and additional context:
299299

300300
GCP guidance: Google Cloud Armor offers the following options to help protect systems against DDoS attacks:
301301

302-
- Standard network DDoS protection: basic always-on protection for network load balancers, protocol forwarding, or VM’s with public IP addresses.
303-
- Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VM’s with public IP addresses.
302+
- Standard network DDoS protection: basic always-on protection for network load balancers, protocol forwarding, or VMs with public IP addresses.
303+
- Advanced network DDoS protection: additional protections for Managed Protection Plus subscribers who use network load balancers, protocol forwarding, or VMs with public IP addresses.
304304
- Standard network DDoS protection is always enabled. You configure advanced network DDoS protection on a per-region basis.
305305

306306
GCP implementation and additional context:
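Review bot: The apostrophe fixes on lines 302-303 are fine, but line 304 ("Standard network DDoS protection is always enabled. You configure advanced network DDoS protection on a per-region basis.") is not a third protection option and shouldn't be a bullet in a list introduced by "offers the following options"; move it out of the list as a closing sentence.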
@@ -335,7 +335,7 @@ Azure implementation and additional context:
335335

336336
AWS guidance: Use AWS Web Application Firewall (WAF) in Amazon CloudFront distribution, Amazon API Gateway, Application Load Balancer, or AWS AppSync to protect your applications, services and APIs against application layer attacks at the edge of your network.
337337

338-
Use AWS Managed Rules for WAF to deploy built-in baseline groups and customize it to your application needsfor the user-case rule groups.
338+
Use AWS Managed Rules for WAF to deploy built-in baseline groups and customize it to your application needs for the user-case rule groups.
339339

340340
To simplify the WAF rules deployment, you can also use the AWS WAF Security Automations solution to automatically deploy pre-defined AWS WAF rules that filters web-based attacks on your web ACL.
341341

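Review bot: The spacing fix on line 338 leaves "user-case rule groups" in place, which is almost certainly "use-case rule groups"; also "customize it" refers to the plural "rule groups", so "customize them". In the context on line 340, "rules that filters" should be "rules that filter".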
@@ -347,11 +347,11 @@ AWS implementation and additional context:
347347

348348
GCP guidance: Use Google Cloud Armor to help protect your applications and websites against denial of service and web attacks.
349349

350-
Use Google Cloud Armor out-of-the box rules based on industry standards to mitigate common web-application vulnerabilities and help provide protection from OWASP Top 10.
350+
Use Google Cloud Armor out-of-the-box rules based on industry standards to mitigate common web-application vulnerabilities and help provide protection from OWASP Top 10.
351351

352352
Setup your preconfigured WAF rules, each consisting of multiple signatures sourced from ModSecurity Core Rules (CRS). Each signature corresponds to an attack detection rule in the ruleset.
353353

354-
Cloud Armor works in conjunction with external load balancers and protects from distributed denial-of-service (DDoS) and other web-based attacks, whether the applications are deployed on Google Cloud, in a hybrid deployment, or in a multi-cloud architecture. Security policies can be configured manually, with configurable match conditions, and actions in a security policy. Cloud Armor also features preconfigured security policies, which cover a variety of use cases.
354+
Cloud Armor works in conjunction with external load balancers and protects from distributed denial-of-service (DDoS) and other web-based attacks, whether the applications are deployed on Google Cloud, in a hybrid deployment, or in a multicloud architecture. Security policies can be configured manually, with configurable match conditions, and actions in a security policy. Cloud Armor also features preconfigured security policies, which cover a variety of use cases.
355355

356356
Adaptive Protection in Cloud Armor helps you prevent, detect and protect your application and services from L7 distributed attacks by analyzing patterns of traffic to your backend services, detecting and alerting suspected attacks, and generating suggested WAF rules to mitigate such attacks. These rules can be fine-tuned to meet your needs.
357357

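Review bot: Line 352 (context) has two issues worth folding into this copyedit pass: "Setup" is the noun, the imperative verb is "Set up", and "ModSecurity Core Rules (CRS)" should name the ruleset correctly as the OWASP ModSecurity Core Rule Set (CRS). On line 350, "protection from OWASP Top 10" reads better as "protection against the OWASP Top 10 risks", since the Top 10 is a list of risk categories rather than an attack.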
learn-pr/wwl-azure/security-virtual-networks/includes/6-user-defined-routes.md

Lines changed: 4 additions & 1 deletion
@@ -62,7 +62,7 @@ Expand table
6262

6363
An on-premises network gateway can exchange routes with an Azure virtual network gateway by using the BGP. Using BGP with an Azure virtual network gateway is dependent on the type you selected when you created the gateway:
6464

65-
- ExpressRoute: You must use BGP to advertise on-premises routes to the Microsoft edge router. You can't create UDRs to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway deployed as the type ExpressRoute. You can use UDRs for forcing traffic from the express route to, for example, a network virtual appliance.
65+
- ExpressRoute: You must use BGP to advertise on-premises routes to the Microsoft Edge router. You can't create UDRs to force traffic to the ExpressRoute virtual network gateway if you deploy a virtual network gateway deployed as the type ExpressRoute. You can use UDRs for forcing traffic from the express route to, for example, a network virtual appliance.
6666
- VPN: Optionally, you can use BGP. For more information, see [BGP with site-to-site VPN connections](/azure/vpn-gateway/vpn-gateway-bgp-overview?toc=/azure/virtual-network/toc.json).
6767

6868
When you exchange routes with Azure by using BGP, a separate route is added to the route table of all subnets in a virtual network for each advertised prefix. The route is added with Virtual network gateway listed as the source and next hop type.
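Review bot: The capitalization change on line 65 is a regression: "Microsoft edge router" refers to the provider edge router at the peering location (the Microsoft Enterprise Edge, MSEE), not the Microsoft Edge browser, so "edge" should stay lowercase. The same line also writes "express route" where the product name "ExpressRoute" is used elsewhere, and "if you deploy a virtual network gateway deployed as the type ExpressRoute" repeats "deploy"; suggest "if the virtual network gateway is deployed as type ExpressRoute".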
@@ -165,6 +165,9 @@ The following diagram shows an implementation through the Resource Manager deplo
165165
> [!NOTE]
166166
> Arrows show the flow of traffic.
167167
168+
:::image type="content" source="../media/resource-manager-deployment-model-c83dd0d1.png" alt-text="Diagram showing an example of an implementation through the Resource Manager deployment model.":::
169+
170+
168171
### Route tables
169172

170173
Here are the route tables for the preceding routing example.
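Review bot: The image added at line 168 lands after the note "Arrows show the flow of traffic", so the caveat now precedes the diagram it explains; place the :::image::: block directly after "The following diagram shows..." (before the [!NOTE]) so the note follows the figure it describes. Of the two blank lines added (169-170), one is enough before the "### Route tables" heading.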