
Commit 2278adb

pr-review fix
1 parent 7b75d00 commit 2278adb

5 files changed

Lines changed: 15 additions & 16 deletions

learn-pr/wwl-azure/advanced-security-compute/includes/10-azure-data-encryption.md

Lines changed: 2 additions & 2 deletions
@@ -23,7 +23,7 @@ In addition to satisfying compliance and regulatory requirements, encryption at
2323

2424
Microsoft is committed to encryption at rest options across cloud services and giving customers control of encryption keys and logs of key use. Additionally, Microsoft is working towards encrypting all customer data at rest by default.
2525

26-
## Azure Encryption at Rest Components
26+
## Azure Encryption at Rest components
2727

2828
As described previously, the goal of encryption at rest is that data that is persisted on disk is encrypted with a secret encryption key. To achieve that goal secure key creation, storage, access control, and management of the encryption keys must be provided. Though details might vary, Azure services Encryption at Rest implementations can be described in terms illustrated in the following diagram.
2929

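Review bot: the sentence-case heading is consistent with the style guide, but context line 28 in this same hunk still capitalizes the phrase mid-sentence ("Azure services Encryption at Rest implementations"); change it to "Azure services' encryption-at-rest implementations" so the body matches the new heading. The same line also needs a comma in "To achieve that goal, secure key creation, storage, access control, and management of the encryption keys must be provided."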
@@ -38,7 +38,7 @@ The storage location of the encryption keys and access control to those keys is
3838

3939
Permissions to use the keys stored in Azure Key Vault, either to manage or to access them for Encryption at Rest encryption and decryption, can be given to Microsoft Entra accounts.
4040

41-
## Envelope Encryption with a Key Hierarchy
41+
## Envelope encryption with a key hierarchy
4242

4343
More than one encryption key is used in an encryption at rest implementation. Storing an encryption key in Azure Key Vault ensures secure key access and central management of keys. However, service local access to encryption keys is more efficient for bulk encryption and decryption than interacting with Key Vault for every data operation, allowing for stronger encryption and better performance. Limiting the use of a single encryption key decreases the risk that the key is compromised and the cost of re-encryption when a key must be replaced. Azure encryption at rest models uses envelope encryption, where a key encryption key encrypts a data encryption key. This model forms a key hierarchy that is better able to address performance and security requirements:
4444

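Review bot: context line 43 has a subject-verb agreement error worth fixing while this heading is being touched: "Azure encryption at rest models uses envelope encryption" should read "Azure encryption at rest models use envelope encryption". The heading change itself is fine.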
learn-pr/wwl-azure/advanced-security-compute/includes/11-azure-security-baseline-api-management.md

Lines changed: 4 additions & 4 deletions
@@ -60,7 +60,7 @@ Azure Policy built-in definitions - Microsoft.ApiManagement:
6060
| API Management services should use a virtual network | Azure Virtual Network deployment provides enhanced security, isolation and allows you to place your API Management service in a non-internet routable network that you control access to. These networks can then be connected to your on-premises networks using various VPN technologies, which enables access to your backend services within the network and/or on-premises. The developer portal and API gateway can be configured to be accessible either from the Internet or only within the virtual network. | Audit, Deny, Disabled | 1.0.2 |
6161
| API Management should disable public network access to the service configuration endpoints | To secure API Management services, restrict access to configuration endpoints like the management API, Git config, and self-hosted gateway setup. | AuditIfNotExists, Disabled | 1.0.1 |
6262

63-
**NS-6**: **Deploy web application firewall**
63+
### **NS-6**: **Deploy web application firewall**
6464

6565
Other guidance for NS-6: To protect critical Web/HTTP APIs, configure API Management within a Virtual Network (VNET) in internal mode and configure an Azure Application Gateway. Application Gateway is a PaaS service. It acts as a reverse-proxy and provides L7 load balancing, routing, web application firewall (WAF), and other services. Learn more.
6666

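Review bot: the new heading mixes `###` with bold markers, which the sibling control headings in this file do not do (`### IM-7: Restrict resource access based on conditions`, `### PA-1: Separate and limit highly privileged/administrative users`); make it `### NS-6: Deploy web application firewall` so the controls render uniformly. Separately, the guidance paragraph under it ends with a bare "Learn more." that has no link target; either link it or drop it.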
@@ -117,7 +117,7 @@ Alternatively, the sign-in/sign-up process can be further customized through del
117117

118118
### IM-7: Restrict resource access based on conditions
119119

120-
Features: Conditional Access for Data Plane
120+
Feature: Conditional Access for Data Plane
121121

122122
Description: Data plane access can be controlled using Microsoft Entra Conditional Access policies.
123123

@@ -135,7 +135,7 @@ Configuration Guidance: Set up integration of API Management with Azure Key Vaul
135135

136136
### PA-1: Separate and limit highly privileged/administrative users
137137

138-
**Feature**: Local Admin Accounts
138+
Feature: Local Admin Accounts
139139

140140
Description: Service has the concept of a local administrative account.
141141

@@ -234,7 +234,7 @@ Feature: Azure Resource Logs
234234

235235
Description: Service produces resource logs that can provide enhanced service-specific metrics and logging. The customer can configure these resource logs and send them to their own data sink like a storage account or log analytics workspace.
236236

237-
Configuration Guidance: Enable resource logs for API Management, resource logs provide rich information about operations, and errors that are important for auditing and troubleshooting purposes. Categories of resource logs for API Management include:
237+
Configuration Guidance: Enable resource logs for API Management. Resource logs provide rich information about operations, and errors that are important for auditing and troubleshooting purposes. Categories of resource logs for API Management include:
238238

239239
- GatewayLogs
240240
- WebSocketConnectionLogs

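Review bot: the comma splice is fixed, but the new sentence keeps a stray comma in "rich information about operations, and errors that are important"; write "operations and errors". Consider also saying where the logs should go, since the Description line directly above already mentions the customer's own sink: "Enable resource logs for API Management and send them to a Log Analytics workspace or storage account."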
learn-pr/wwl-azure/advanced-security-compute/includes/2-remote-access-public-endpoints-include-azure-bastion.md

Lines changed: 2 additions & 1 deletion
@@ -14,7 +14,7 @@ The following diagram shows connections to virtual machines via a Bastion deploy
1414
| RDP and SSH through the Azure portal | You can get to the RDP and SSH session directly in the Azure portal using a single click seamless experience. |
1515
| Remote Session over TLS and firewall traversal for RDP/SSH | Azure Bastion uses an HTML5 based web client that is automatically streamed to your local device. Your RDP/SSH session is over TLS on port 443. Traffic can traverse firewalls more securely. Bastion supports TLS 1.2 and above. Older TLS versions aren't supported. |
1616
| No Public IP address required on the Azure VM | Azure Bastion opens the RDP/SSH connection to your Azure VM by using the private IP address on your VM. You don't need a public IP address on your virtual machine. |
17-
| No hassle of managing Network Security Groups (NSGs) | You don't need to apply any NSGs to the Azure Bastion subnet. Because Azure Bastion connects to your virtual machines over private IP, you can configure your NSGs to allow RDP/SSH from Azure Bastion only. Removing the hassle of managing NSGs each time you need to securely connect to your virtual machines. |
17+
| No hassle of managing Network Security Groups (NSGs) | You dont need to apply NSGs to the Azure Bastion subnet. Since Bastion connects to your virtual machines using private IPs, you can configure NSGs to allow RDP and SSH traffic only from Bastion. This eliminates the hassle of updating NSGs every time you need secure access to your VMs. |
1818
| No need to manage a separate bastion host on a VM | Azure Bastion is a fully managed platform PaaS service from Azure that is hardened internally to provide you secure RDP/SSH connectivity. |
1919
| Protection against port scanning | Your VMs are protected against port scanning by rogue and malicious users because you don't need to expose the VMs to the internet. |
2020
| Hardening in one place only | Azure Bastion sits at the perimeter of your virtual network, so you don’t need to worry about hardening each of the VMs in your virtual network. |
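Review bot: the rewritten NSG row introduces a typo: "You dont need to apply NSGs" should be "You don't need to apply NSGs". The rest of the rewrite reads better than the original; keep "private IP address" rather than "private IPs" so it matches the wording in the row directly above ("by using the private IP address on your VM").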
@@ -85,6 +85,7 @@ Azure Bastion supports manual host scaling for Standard and Premium SKUs. You ca
8585
- **Basic SKU**: 2 fixed instances (40 RDP sessions or 80 SSH sessions)
8686
- **Standard SKU**: 2-50 configurable instances (up to 1,000 RDP sessions or 2,000 SSH sessions at maximum scale)
8787
- **Premium SKU**: 2-50 configurable instances (up to 1,000 RDP sessions or 2,000 SSH sessions at maximum scale)
88+
- Extra features over Standard SKU are graphicsl session recording, private-only deployment, and integration with Entra PIM.
8889

8990
Each instance supports approximately 20 concurrent RDP connections and 40 concurrent SSH connections.
9091

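Review bot: the added bullet has a typo ("graphicsl session recording" should be "graphical session recording") and is placed as a sibling of the three SKU bullets even though it describes only the Premium SKU, so it reads as a fourth SKU; indent it as a sub-bullet under **Premium SKU** or fold it into that line ("Premium SKU: 2-50 configurable instances ... ; adds graphical session recording, private-only deployment, and Microsoft Entra Privileged Identity Management (PIM) integration over the Standard SKU"). Spell out "Entra PIM" on first use and use the "Microsoft Entra" product naming already used elsewhere in this PR.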
learn-pr/wwl-azure/advanced-security-compute/includes/3-azure-kubernetes-service-overview.md

Lines changed: 3 additions & 3 deletions
@@ -72,13 +72,13 @@ The following list describes some of the common use cases for AKS, but by no mea
7272

7373
**Networking**
7474
- Use [Kubenet networking](/azure/aks/concepts-network#kubenet-basic-networking) for simple deployments and [Azure Container Networking Interface (CNI) networking](/azure/aks/concepts-network#azure-cni-advanced-networking) for advanced scenarios.
75-
- [Bring your own Container Network Interface (CNI)](/azure/aks/use-byo-cni) to use a external CNI plugin.
76-
- Easily access applications deployed to your clusters using the [application routing add-on with nginx](/azure/aks/app-routing). |
75+
- [Bring your own Container Network Interface (CNI)](/azure/aks/use-byo-cni) to use an external CNI plugin.
76+
- Easily access applications deployed to your clusters using the [application routing add-on with nginx](/azure/aks/app-routing).
7777

7878
**Development tooling integration**
7979
- Develop on AKS with [Helm](/azure/aks/quickstart-helm).
8080
- Install the [Kubernetes extension for Visual Studio Code](https://marketplace.visualstudio.com/items?itemName=ms-kubernetes-tools.vscode-kubernetes-tools) to manage your workloads.
81-
- Apply the features of Istio with the [Istio-based service mesh add-on](/azure/aks/istio-about).|
81+
- Apply the features of Istio with the [Istio-based service mesh add-on](/azure/aks/istio-about).
8282

8383
## Get started with AKS
8484

learn-pr/wwl-azure/advanced-security-compute/includes/6-best-practices-authentication-authorization.md

Lines changed: 4 additions & 6 deletions
@@ -41,14 +41,12 @@ Best practice guidance: Use Azure RBAC to define the minimum required user and g
4141

4242
There are two levels of access needed to fully operate an AKS cluster:
4343

44-
- Access the AKS resource on your Azure subscription.
45-
- This access level allows you to:
44+
- Access the AKS resource on your Azure subscription. This access level allows you to:
4645
- Control scaling or upgrading your cluster using the AKS APIs
4746
- Pull your kubeconfig.
48-
- Access to the Kubernetes API.
49-
- This access level controlled by:
50-
- Kubernetes RBAC (traditionally) or
51-
- By integrating Azure RBAC with AKS for kubernetes authorization.
47+
- Access to the Kubernetes API. This access level controlled by:
48+
- Kubernetes RBAC (traditionally) or
49+
- By integrating Azure RBAC with AKS for kubernetes authorization.
5250

5351
## Use workload identity
5452

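Review bot: merging the parent bullets is an improvement, but line 47 carries over a missing verb from the original: "This access level controlled by:" should be "This access level is controlled by:". While here, capitalize "kubernetes" in "Azure RBAC with AKS for kubernetes authorization" (line 49) and give "Control scaling or upgrading your cluster using the AKS APIs" a terminal period to match "Pull your kubeconfig." Please also confirm in the rendered preview that the two sub-bullets under the first item stay indented beneath the merged parent.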