
Commit f1caac2

Merge pull request #314028 from mbender-ms/appgw-article-integrity
small fix
2 parents 2cbc514 + 6ef7463 commit f1caac2

1 file changed

Lines changed: 1 addition & 1 deletion


articles/networking/cross-service-scenarios/design-secure-hub-spoke-network.md

@@ -89,7 +89,7 @@ This foundation is built in layers. Each layer depends on the one before it, so
8989
| 4 | **VNet peering** | Bidirectional peering between hub and spoke | Peering connects the two VNets so that Bastion in the hub can reach VMs in the spoke and traffic can flow between shared services and workloads. Create peering before deploying resources that depend on cross-VNet connectivity. | [Tutorial: Connect virtual networks with peering](/azure/virtual-network/tutorial-connect-virtual-networks) |
9090
| 5 | **Access control** | NSGs with default-deny rules on every subnet in both VNets | NSGs are the first security boundary. Associating them immediately after peering ensures no resource ever operates in an uncontrolled subnet - even briefly during deployment. Add the Application Gateway, Bastion, and workload NSG rules at this step so subnets are ready to receive services. | [Tutorial: Filter network traffic with a network security group](/azure/virtual-network/tutorial-filter-network-traffic) |
9191
| 6 | **DDoS protection** (conditional) | DDoS Protection plan linked to both VNets | DDoS Protection enables at the VNet level and covers every public IP in that VNet. Enabling the plan before you create public IPs for Application Gateway or Bastion means those IPs are protected from the moment they come online. Skip this step if the architecture has no public IPs. | [Quickstart: Create and configure Azure DDoS Network Protection](/azure/ddos-protection/manage-ddos-protection) |
92-
| 7 | **Ingress security** | Application Gateway WAF_v2 with public IP, WAF policy, and Key Vault TLS certificates (in spoke) | With the network foundation, peering, NSG rules, and DDoS protection in place, the Application Gateway can deploy into a spoke subnet that's already locked down. The WAF policy inspects traffic before it reaches any backend. | [Quickstart: Direct web traffic with Azure Application Gateway](/azure/application-gateway/quick-create-portal) and [Create WAF policies for Application Gateway](/azure/web-application-firewall/ag/create-waf-policy-ag) |
92+
| 7a | **Ingress security** | Application Gateway WAF_v2 with public IP, WAF policy, and Key Vault TLS certificates (in spoke) | With the network foundation, peering, NSG rules, and DDoS protection in place, the Application Gateway can deploy into a spoke subnet that's already locked down. The WAF policy inspects traffic before it reaches any backend. | [Quickstart: Direct web traffic with Azure Application Gateway](/azure/application-gateway/quick-create-portal) and [Create WAF policies for Application Gateway](/azure/web-application-firewall/ag/create-waf-policy-ag) |
9393
| 7b | **Outbound connectivity** | NAT Gateway on workload subnet (or Azure Firewall UDR if step 10 is used) | Private subnets have no implicit outbound IP. Attach a NAT Gateway before deploying VMs so they have outbound connectivity (Windows Activation, updates, dependencies) from the start. Skip if Azure Firewall handles egress. | [Quickstart: Create a NAT gateway](/azure/nat-gateway/quickstart-create-nat-gateway) |
9494
| 8 | **Backend compute** | App Service, VMs, or Virtual Machine Scale Sets in the spoke workload subnet | Backend resources inherit the NSG rules that allow traffic only from the Application Gateway subnet. Workloads start in a secure state from the first request. | [Quickstart: Deploy an ASP.NET web app](/azure/app-service/quickstart-dotnetcore) or [Quickstart: Create a Windows VM](/azure/virtual-machines/windows/quick-create-portal) |
9595
| 9 | **Management access** (IaaS only) | Azure Bastion in the hub `AzureBastionSubnet` | Deploy Bastion in the hub after VMs exist in the spoke so operators have targets to manage. Bastion reaches spoke VMs through the peering connection. The Basic SKU or higher supports VNet peering. Skip this step for PaaS-only backends. | [Quickstart: Deploy Azure Bastion from the Azure portal](/azure/bastion/quickstart-host-portal) |
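Review bot: the rename of the Ingress security row from step 7 to 7a only touches this one table cell, so any prose in the article that refers to "step 7" by number should be checked for the same renumbering; the diff shows no such change, and the 7b row in this hunk itself cites "step 10", which is outside the visible context and worth verifying still exists under that number. The new 7a/7b pairing reads consistently within the hunk (7a deploys Application Gateway after the DDoS plan in step 6, 7b attaches the NAT Gateway before the VMs in step 8), so no ordering problem is introduced by the change itself.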
