Fix PR feedback: terminology, allowlist, and mask subscription ID

Author: david-emakenemi

articles/iot-operations/end-to-end-tutorials/tutorial-layered-network-private-connectivity.md

@@ -520,7 +520,7 @@ The end-to-end telemetry flow follows this path:
 1. **Proxy forwarding (L3 to L4):** Envoy Proxy on L3 forwards MQTT traffic to Envoy Proxy on L4.
 1. **Egress (L4):** Envoy Proxy on L4 sends traffic to the Azure Firewall Explicit Proxy on port 8443 over ExpressRoute.
 1. **Private routing:** The proxy routes requests to Azure services through Private Endpoints.
-1. **Cloud integration:** Services such as Event Grid Topic Spaces, Azure Storage, and Azure Key Vault are accessed privately using Azure Private Link. Public network access is disabled for all Azure services in the deployment.
+1. **Cloud integration:** Services such as Event Grid topic spaces, Azure Storage, and Azure Key Vault are accessed privately using Azure Private Link. Public network access is disabled for all Azure services in the deployment.
 
 ### Event Grid topic spaces
 
@@ -643,7 +643,7 @@ The following limitations are specific to the layered network tutorial:
 
 - **Level 1:** The L1 device layer is unused in this deployment flow.
 - **Level 4 Arc:** Level 4 is not Arc-enabled; only Envoy Proxy is deployed at this layer.
-- **Sovereign clouds:** This scenario was validated in Azure public cloud only. Sovereign cloud environments (for example, Azure Government, Azure China 21Vianet) use different endpoints and Private DNS Zone names and haven't been validated.
+- **Sovereign clouds:** This scenario was validated in Azure public cloud only. Sovereign cloud environments (for example, Azure Government, Azure operated by 21Vianet) use different endpoints and Private DNS Zone names and haven't been validated.
 - **Out-of-scope configurations:** Scenarios involving Azure VNets with external firewalls, transparent proxies, or cloud-only VNet deployments haven't been validated and are outside the support scope.
 
 ## Appendix

articles/iot-operations/manage-layered-network/howto-private-connectivity.md

@@ -39,7 +39,7 @@ These scenarios apply to environments with a single Arc-enabled Kubernetes clust
 
 ## Set up Arc Gateway
 
-[Azure Arc Gateway](/azure/azure-arc/kubernetes/arc-gateway-simplify-networking) consolidates the ~200+ Azure endpoints that Arc agents and extensions require into a single gateway URL. This significantly simplifies your firewall allowlist, instead of allowing 200+ individual FQDNs, you allow approximately 9.
+[Azure Arc Gateway](/azure/azure-arc/kubernetes/arc-gateway-simplify-networking) consolidates the ~200+ Azure endpoints that Arc agents and extensions require into a single gateway URL. This significantly simplifies your firewall allow list, instead of allowing 200+ individual FQDNs, you allow approximately 9.
 
 ### Step 1: Create an Arc Gateway resource
 
@@ -202,7 +202,7 @@ For the full list of private DNS zone names, see [Azure Private DNS Zone values]
 
 With Private Endpoints and DNS in place, connect your cluster to Azure Arc. Choose the tab that matches your connectivity approach:
 
-- **Arc Gateway only** — The cluster connects through Arc Gateway with a simplified firewall allowlist (~9 FQDNs), but outbound traffic still uses public internet paths.
+- **Arc Gateway only** — The cluster connects through Arc Gateway with a simplified firewall allow list (~9 FQDNs), but outbound traffic still uses public internet paths.
 - **Arc Gateway + Explicit Proxy** — All outbound traffic routes through [Azure Firewall Explicit Proxy](/azure/azure-arc/azure-firewall-explicit-proxy) over your private network with no public internet exposure.
 
 Both tabs build on [Set up Arc Gateway](#set-up-arc-gateway). Complete that section first to create the Arc Gateway resource and retrieve the custom locations OID.

articles/iot-operations/manage-layered-network/media/howto-private-connectivity/arc-gateway-portal.png

@@ -53,7 +53,7 @@ The sample and guidance show how to:
 
 - Use Kubernetes-based configuration and networking primitives for layered environments.
 - Connect devices in isolated networks at scale to [Azure Arc](/azure/azure-arc/) for application lifecycle management and remote configuration.
-- Enforce security and governance across network levels with URL/IP allowlists and connection auditing.
+- Enforce security and governance across network levels with URL/IP allow lists and connection auditing.
 - Ensure compatibility with all Azure IoT Operations services.
 
 > [!NOTE]