Merge pull request #54127 from MicrosoftDocs/main

learn-build-service-prod[bot] · web-flow · commit c537614e82a1 · 2026-04-06T23:08:21.000Z
Auto Publish – main to live - 2026-04-06 23:00 UTC
diff --git a/learn-pr/wwl-azure/design-implement-network-monitoring/includes/2-monitor-networks-using-azure-monitor.md b/learn-pr/wwl-azure/design-implement-network-monitoring/includes/2-monitor-networks-using-azure-monitor.md
@@ -30,7 +30,7 @@ The next diagram offers a high-level view of Azure Monitor. At the center of the
 
 1. **The data platform** stores the collected data. Azure Monitor's core data platform has stores for metrics, logs, traces, and changes. Metrics  are numerical values that describe an aspect of a system at a particular point in time. Logs are recorded system events. 
 
-1. **Insights** are large, scalable, curated visualizations. Insights are available for applications, containers, networks, and virtual machines. 
+1. **Insights** provides visualizations for applications, containers, networks, and virtual machines. 
 
 1. **Visualizations** such as charts and tables are effective tools for summarizing monitoring data and presenting it to different audiences. Visualizations can include: dashboards, workbooks, Power BI, and Grafana. Grafana is an open platform that excels in operational dashboards. 
 
@@ -41,4 +41,4 @@ The next diagram offers a high-level view of Azure Monitor. At the center of the
 1. **Integrate** allows other systems or custom solutions to use your monitoring data. Integrate can include: Event Hubs, Azure storage, Logic Apps, Azure Functions, and APIs. 
 
 > [!TIP]
-> Learn more about Azure Monitor in the [Introduction to Azure Monitor](/training/modules/intro-to-azure-monitor/) training module.
+> Learn more about Azure Monitor in the [Introduction to Azure Monitor](/training/modules/intro-to-azure-monitor/) training module.
diff --git a/learn-pr/wwl-azure/design-implement-network-monitoring/includes/4-monitor-networks-using-azure-network-watcher.md b/learn-pr/wwl-azure/design-implement-network-monitoring/includes/4-monitor-networks-using-azure-network-watcher.md
@@ -2,7 +2,7 @@
 
 ## Azure Network Watcher
 
-[Azure Network Watcher](/azure/network-watcher/network-watcher-overview) is a regional service that enables you to monitor and diagnose network conditions. Network diagnostic and visualization tools help you understand, diagnose, and gain insights to your network in Azure. Network Watcher is designed to monitor and repair the network health of IaaS products which includes virtual machines, virtual networks, Application Gateways, and Load Balancers.
+[Azure Network Watcher](/azure/network-watcher/network-watcher-overview) is a regional service that enables you to monitor and diagnose network conditions. Network diagnostic and visualization tools help you understand, diagnose, and gain insights to your network in Azure. Network Watcher is designed to monitor and repair the network health of IaaS products that includes virtual machines, virtual networks, Application Gateways, and Load Balancers.
 
 ## Azure Network Watcher (video)
 
@@ -17,7 +17,8 @@
 
 ### Monitoring tools
 
-- **Network Topology** generates a visualization of the entire network for understanding network configuration.
+- **Network topology** gives you an interactive map of your network across subscriptions, resource groups, and locations. You can click on resources to view traffic and connectivity details and use diagnostic tools within the map.
+  
 - **Connection monitor** provides end-to-end connection monitoring for Azure and hybrid endpoints.
 
 ### Diagnostic tools
@@ -32,13 +33,20 @@
 
 - **Packet Capture** lets you remotely create packet capture sessions to record all network traffic to and from a virtual machine (VM) or a virtual machine scale set.
 
+- **NSG diagnostics** detects traffic filtering issues at a virtual machine, virtual machine scale set, or application gateway level. Checks if a packet is allowed or denied to or from an IP address, IP prefix, or service tag. Identifies which security rule allowed or denied the traffic.
+
 - **VPN troubleshoot** enables you to troubleshoot virtual network gateways and their connections.
 
 ### Traffic tools
 
-- **Flow logs** allows you to log information about your Azure IP traffic and stores the data in Azure storage. You can log IP traffic flowing through a network security group or Azure virtual network.
+- **Flow logs** allows you to log information about your Azure IP traffic.
+
+  -	**VNet flow logs (recommended)**: Enable logging at the virtual network level. Capture all supported workloads in the VNet without needing multi-level configuration. Also, record Azure Virtual Network Manager security admin rule decisions and traffic encryption status.
+    
+  -	**NSG flow logs**: Retiring September 30, 2027. No new NSG flow logs can be created after June 30, 2025. Existing deployments should [migrate to VNet flow logs](/azure/network-watcher/nsg-flow-logs-migrate).
+
 
 - **Traffic analytics** provides rich visualizations of flow logs data.
 
 > [!TIP]
-> Learn more about Azure Network Watcher in the [Introduction to Network Watcher](/training/modules/intro-to-azure-network-watcher/) training module.
+> Learn more about Azure Network Watcher in the [Introduction to Network Watcher](/training/modules/intro-to-azure-network-watcher/) training module.
diff --git a/learn-pr/wwl-azure/design-implement-network-monitoring/includes/5-summary-resources.md b/learn-pr/wwl-azure/design-implement-network-monitoring/includes/5-summary-resources.md
@@ -12,18 +12,14 @@ In this module, you learned about Azure Monitor and Network Watcher.
 
 Copilot can assist you in configuring Azure infrastructure solutions. Copilot can compare, recommend, explain, and research products and services where you need more information. Open a Microsoft Edge browser and choose Copilot (top right) or navigate to copilot.microsoft.com. Take a few minutes to try these prompts and extend your learning with Copilot.
 
-- What is Azure Monitor and what features are included? Provide usage examples.
-- What is Network Monitor and what features are included? Provide usage examples. 
+- What is Azure Network Watcher and what features are included? Provide usage examples.
+- What traffic analysis tools does Azure Network Watcher include? Provide usage examples.
 
 ## Learn more with self-paced training
 
-- [Introduction to Azure Monitor](/training/modules/intro-to-azure-monitor/).Learn how to use Azure Monitor to provide insights into your Azure resource performance and operations.
-
 - [Design and implement network monitoring](/training/modules/analyze-infrastructure-with-azure-monitor-logs/). Use Azure Monitor logs to extract valuable information about your infrastructure from log data.
 
 - [Introduction to Network Watcher](/training/modules/intro-to-azure-network-watcher/). This module explains what Network Watcher does, how it works, and when you should choose to use Network Watcher as a solution to meet your organization's needs.
 
-- [Monitor and troubleshoot your end-to-end Azure network infrastructure by using network monitoring tools](/training/modules/design-implement-network-monitoring/). You learn to design and implement network monitoring solutions such as Azure Monitor and Network Watcher. 
-
 - [Configure monitoring for virtual networks](/training/modules/configure-monitoring-virtual-networks/). Understand how to use Azure Network Watcher Connection Monitor, flow logs, NSG diagnostics, and packet capture.
 
diff --git a/learn-pr/wwl-azure/design-implement-network-monitoring/index.yml b/learn-pr/wwl-azure/design-implement-network-monitoring/index.yml
@@ -5,15 +5,15 @@ metadata:
   prefetch-feature-rollout: true
   title: Design and Implement Network Monitoring
   description: "You learn to design and implement network monitoring solutions such as Azure Monitor and Network watcher."
-  ms.date: 01/26/2026
+  ms.date: 03/23/2026
   author: wwlpublish
   ms.author: cynthist
   ms.topic: module
   ms.collection: N/A
   ms.custom:
   - N/A
   ms.service: azure-network-watcher
-  ai-usage: human-only
+  ai-usage: ai-assisted
 title: Design and implement network monitoring
 summary: You learn to design and implement network monitoring solutions such as Azure Monitor and Network watcher.
 abstract: |
@@ -25,7 +25,7 @@ abstract: |
 
   -   Configure and use Traffic Analytics
 
-  -   Configure NSG flow logs
+  -   Configure VNet flow logs
 
   -   Enable and configure diagnostic logging
 
diff --git a/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/10-implement-web-application-firewall-on-azure-front-door.md b/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/10-implement-web-application-firewall-on-azure-front-door.md
@@ -14,7 +14,7 @@ There are two WAF policy modes: Detection and Prevention. By default, the WAF po
 
 :::image type="content" source="../media/waf-policy-modes-4a04568d.png" alt-text="Screenshot of the WAF policy modes.":::
 
-The Web Application Firewall works with the Application Gateway, Azure Front Door Service, and the Azure CDN Service.
+The Web Application Firewall works with the Application Gateway and Azure Front Door.
 
 ## Microsoft managed rule sets, rule groups, and rules
 
diff --git a/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/11-summary-resources.md b/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/11-summary-resources.md
@@ -12,7 +12,7 @@ In this module, you explored a range of network security features.
 
 - Azure Firewall Manager provides centralized configuration and management across multiple Azure Firewall instances. Azure Firewall Manager lets you create one or more firewall policies and rapidly apply them to multiple firewalls. Firewall Manager can provide security management for secured virtual hubs and hub virtual networks. 
 
-- Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. There are two WAF policy modes: Detection and Prevention. WAF works with the Application Gateway, Azure Front Door Service, and the Azure CDN Service.
+- Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. There are two WAF policy modes: Detection and Prevention. WAF works with the Application Gateway and Azure Front Door.
 
 ## Learn more with Copilot
 
diff --git a/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/6-azure-firewall.md b/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/6-azure-firewall.md
@@ -16,16 +16,20 @@ Azure Firewall has three [SKUs](/azure/firewall/choose-firewall-sku): Azure Fire
 
 ### How to choose the SKU
 
-- **Basic**: Up to 250 Mbps; SMB environments; has threat intelligence in alert mode only.
-- **Standard**: Up to 30 Gbps; enterprise environments; L3–L7 filtering, DNS proxy, web categories, and threat intelligence.
-- **Premium**: Up to 100 Gbps; regulated/sensitive environments (healthcare, payment); adds TLS inspection, IDPS, full URL filtering, and PCI DSS compliance.
+All SKUs support availability zone deployment for zone-redundant high availability. All SKUs include policy analytics for tracking rule usage over time and managing redundant or conflicting rules.
+
+- **Basic SKU**: Up to 250 Mbps; SMB environments; has threat intelligence in alert mode only.
+  
+- **Standard SKU**: Up to 30 Gbps; enterprise environments; L3–L7 filtering, DNS proxy, web categories, and threat intelligence.
+  
+- **Premium SKU**: Up to 100 Gbps; regulated/sensitive environments (healthcare, payment); adds TLS inspection, IDPS, full URL filtering, and PCI DSS compliance.
 
 
 
 
 ## What are Azure Firewall rules?
 
- An Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. Rules are organized inside Rule Collections which are contained in Rule Collection Groups. In the Azure Firewall, you can configure NAT rules, network rules, and applications rules.
+ An Azure Firewall denies all traffic by default, until rules are manually configured to allow traffic. Rules are organized inside Rule Collections that are contained in Rule Collection Groups. In the Azure Firewall, you can configure NAT rules, network rules, and applications rules.
 
 | Rule type	| Description |
 | --- | --- |
diff --git a/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/8-secure-networks-with-azure-firewall-manager.md b/learn-pr/wwl-azure/design-implement-network-security-monitoring/includes/8-secure-networks-with-azure-firewall-manager.md
@@ -14,15 +14,22 @@ Firewall Manager can provide security management for secured virtual hubs and hu
 
 - **Hub Virtual Network**. A standard Azure virtual network that you create and manage. When you associate firewall policies with this type of hub, you're creating a hub virtual network. This architecture's underlying resource is a virtual network.
 
-### Azure Firewall Manager features
+### Azure Firewall Manager capabilities
 
-If your organization has multiple Azure Firewall instances, you benefit from centralizing these configurations. Firewall Manager enables you to:
+Azure Firewall Manager provides six key capability areas:
 
-- Span multiple Azure subscriptions.
+-	**Central deployment and configuration**. Manage Azure Firewall deployment and policies across multiple subscriptions and regions.
+  
+-	**Hierarchical policies**.  Create global policies authored by central IT with locally authored overrides.
+  
+-	**Security partner provider integration**.  Route Internet-bound VNet and branch traffic through Zscaler, Check Point, or iboss while Azure Firewall handles private traffic in the same hub.
+  
+-	**Centralized route management**.  Automatically route spoke traffic to secured hubs without manually configuring user-defined routes.
+  
+-	**DDoS protection plan management**.  Associate virtual networks with a DDoS plan directly from Firewall Manager.
+  
+-	**WAF policy management**.  Centrally create, view, and associate WAF policies to Front Door and Application Gateway across subscriptions.
 
-- Span different Azure regions.
-
-- Implement hub and spoke architectures to provide for traffic governance and protection.
 
 ### Azure Firewall Manager decision criteria
 
@@ -36,4 +43,4 @@ Administrators who protect multiple Azure virtual networks use rules to control
 
 
 > [!TIP]
-> Learn more about Azure Firewall in the [Introduction to Azure Firewall Manager](/training/modules/introduction-azure-firewall/) module.
+> Learn more about Azure Firewall in the [Introduction to Azure Firewall Manager](/training/modules/introduction-azure-firewall/) module.
diff --git a/learn-pr/wwl-azure/design-implement-network-security-monitoring/index.yml b/learn-pr/wwl-azure/design-implement-network-security-monitoring/index.yml
@@ -13,7 +13,7 @@ metadata:
   ms.custom:
   - N/A
   ms.service: azure
-  ai-usage: human-only
+  ai-usage: ai-assisted
 title: Design and implement network security
 summary: You learn to design and implement network security solutions such as Azure DDoS, Network Security Groups, Azure Firewall, and Web Application Firewall.
 abstract: |
diff --git a/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/3-design-for-azure-backup.md b/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/3-design-for-azure-backup.md
@@ -19,9 +19,9 @@ Azure Backup offers multiple components that you can download and deploy on the
 
 Azure Backup organizes your backup data in a storage entity called a _vault_. A storage vault stores backup copies, recovery points, and backup policies. There are two types of vaults: Azure Backup and Azure Recovery Services. The primary differences are the types of supported data sources and Azure products. 
 
-- **Azure Backup vault**: Azure Backup vaults are used with Azure Backup only. Supported data sources include Azure Database for PostgreSQL servers, Azure blobs, and Azure disks.
+- **Azure Backup vault**: Azure Backup vaults are used with Azure Backup only. 
 
-- **Azure Recovery Services vault**: Azure Recovery Services vaults can be used with Azure Backup or Azure Site Recovery. Supported data sources include Azure virtual machines, SQL, or SAP HANA in an Azure virtual machine, and Azure file shares. You can back up data to a Recovery Services vault from Azure Backup Server, Azure Backup Agent, and System Center Data Protection Manager.
+- **Azure Recovery Services vault**: Azure Recovery Services vaults can be used with Azure Backup or Azure Site Recovery. 
 
 ### Things to consider when using storage vaults
 
@@ -35,4 +35,11 @@ In your planning for Azure Backup and vault storage, consider the following poin
 
 - **Consider redundancy**. Specify how data in your vault is replicated for redundancy.
    - Use locally redundant storage (LRS) to protect against failure in a datacenter. LRS replicates data to a storage scale unit.
-   - Use geo-redundant storage (GRS) to protect against region-wide outages. GRS replicates your data to a secondary region. 
+   - Use zone-redundant storage (ZRS) to replicate data across availability zones in the same region, combining resilience to zone failures with data residency.
+   - Use geo-redundant storage (GRS) to protect against region-wide outages. GRS replicates your data to a secondary region.
+
+- **Consider ransomware protection**. Protect against ransomware by making your backup vault immutable, so recovery points can't be deleted before their set expiry. You can also choose to make this immutability permanent.
+  
+- **Consider multi-user authorization**. Require approval from another user for important backup actions by using Resource Guard. Multi-user authorization adds extra security and helps prevent insider threats.
+  
+- **Consider centralized management**. Use Resiliency in Azure to manage backups and disaster recovery across all vaults, subscriptions, and regions. Get a unified view of security, protection, and alerts.
diff --git a/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/5-design-for-azure-files-backup-recovery.md b/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/5-design-for-azure-files-backup-recovery.md
@@ -27,15 +27,19 @@ Let's review some of the characteristics regarding backup and recovery of Azure
 
 #### Automated file share backups
 
-You can automate and manage your Azure file shares snapshots. Automating snapshot backups with Azure Backup is the recommended approach. The following diagram shows how automatic backups of file shares can be restored from a Recovery Services vault.
+You can protect Azure file shares using two backup approaches: **vaulted backup** and **snapshot backup**. Microsoft recommends vaulted backup for comprehensive protection against data loss, including protection from ransomware attacks and rogue administrator deletion.
+
+- **Vaulted backup** stores backup data in a Backup vault (offsite copy), supports retention up to 10 years, and provides protection against storage account deletion and ransomware. Vaulted backup is the recommended approach for comprehensive data protection.
+- **Snapshot backup** creates snapshots that are stored locally within the storage account and managed via Recovery Services vault metadata. While faster for restore operations, snapshot backups cannot protect against storage account-level deletion or ransomware targeting the storage account. The following diagram shows how automatic snapshot backups can be restored:
+
 
 :::image type="content" source="../media/file-share-automated.png" alt-text="Diagram that shows how Azure file shares snapshots are restored from a Recovery Services vault in Azure Backup." border="false":::
 
-- Azure Backup keeps the metadata about the snapshot backup in the Recovery Services vault, but no data is transferred. This method provides you with a fast backup solution that has built-in backup and reporting. 
+1. Azure Backup keeps the metadata about the snapshot backup in the Recovery Services vault, but no data is transferred. This method provides you with a fast backup solution that has built-in backup and reporting. 
 
-- When Azure Backup is enabled on the file share, the soft delete feature is also enabled. 
+1. When Azure Backup is enabled on the file share, the soft delete feature is also enabled. 
 
-- You can configure snapshot backups for daily, weekly, monthly, or yearly retention.
+1. You can configure snapshot backups for daily, weekly, monthly, or yearly retention.
 
 ### Things to consider when using file share backups
 
@@ -45,10 +49,12 @@ Take a moment to review some considerations for creating and recovering from fil
 
 - **Consider alerts and reporting**. You can configure alerts for backup and restore failures and use the reporting solution provided by Azure Backup. These reports provide insights on file share backups.
 
+- **Consider backup approach choice**. Choose vaulted backup for comprehensive protection including ransomware resilience and long-term retention up to 10 years. Choose snapshot backup when you need faster restore times for short-term scenarios and have other protection measures for the storage account itself.
+
 - **Consider self-service restore**. Azure Backup uses server endpoint Windows Volume Shadow Copy Service (VSS) snapshots. You might consider giving advanced users the ability to restore files themselves. 
 
 - **Consider on-demand backups**. Azure Backup policies are limited to scheduling a backup once a day. If a user creates a file in the morning and works on it all day, a nightly backup doesn't include the new file. For these reasons, consider on-demand backups for the most critical file shares. 
 
 - **Consider file share organization**. Organize your file shares according to how you intend to store the data in backups. You might separate your file shares for backup according to public facing data versus internal file shares. 
 
-- **Consider code deployments**. If a bug or application error is introduced with the new deployment, you can go back to a previous version of your data on that file share. To help protect against these scenarios, you can take a share snapshot before you deploy new application code. 
+- **Consider code deployments**. If a bug or application error is introduced with the new deployment, you can go back to a previous version of your data on that file share. To help protect against these scenarios, you can take a share snapshot before you deploy new application code. 
diff --git a/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/6-design-for-azure-virtual-machine-backup-recovery.md b/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/6-design-for-azure-virtual-machine-backup-recovery.md
diff --git a/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/7-design-for-azure-sql-backup-recovery.md b/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/includes/7-design-for-azure-sql-backup-recovery.md
diff --git a/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/index.yml b/learn-pr/wwl-azure/design-solution-for-backup-disaster-recovery/index.yml
