Commit e1d4496

minor update
1 parent 626ae82 commit e1d4496

3 files changed

Lines changed: 10 additions & 1 deletion


learn-pr/wwl-sci/design-solutions-network-security/includes/2-design-solutions-network-segmentation.md

Lines changed: 1 addition & 0 deletions
@@ -99,3 +99,4 @@ Beyond virtual network and subnet boundaries, design microsegmentation within in
9999
- **NSG rules between application tiers.** For a three-tier application, allow only the web tier to communicate with the application tier, and only the application tier to communicate with the database tier. Deny all other inter-tier traffic.
100100
- **Private endpoints.** Use [Azure Private Link](/azure/private-link/private-link-overview) to access PaaS services through private endpoints within the virtual network, eliminating public internet exposure and mapping each endpoint to a specific resource instance to prevent data exfiltration to other accounts.
101101
- **Azure Bastion.** Replace direct RDP/SSH access with [Azure Bastion](/azure/bastion/bastion-overview), which provides secure remote access over TLS through the Azure portal without exposing management ports.
102+
- **Virtual network encryption.** Enable [virtual network encryption](/azure/virtual-network/virtual-network-encryption-overview) to encrypt traffic between virtual machines and virtual machine scale sets within the same virtual network and across peered virtual networks. This protects data in transit at the network layer, even from users with access to the underlying infrastructure. Virtual network encryption requires the Accelerated Networking capability on supported VM SKUs.
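Review bot: the new virtual network encryption bullet is placed in the microsegmentation list, but it describes a confidentiality control, not a traffic-filtering one: it does not stop one tier from reaching another, it only encrypts frames that the NSG rules in the bullets above already permit. Suggest saying so explicitly ("complements, but does not replace, the inter-tier NSG rules") so readers do not count it toward segmentation coverage, and naming the enforcement mode that decides whether traffic from a VM that cannot encrypt (no Accelerated Networking, unsupported SKU) is dropped or still allowed in clear text, since the requirement sentence at the end of the bullet raises exactly that question without answering it. "Even from users with access to the underlying infrastructure" is also vague for a design unit; state the threat the network-layer encryption is meant to counter, or drop the clause.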

learn-pr/wwl-sci/design-solutions-network-security/includes/4-design-solutions-network-posture-management.md

Lines changed: 7 additions & 1 deletion
@@ -54,9 +54,15 @@ Each attack path includes a risk level (High, Medium, or Low) determined by cont
5454

5555
The **cloud security explorer** complements attack path analysis by letting you build custom queries across your cloud security graph. You can query for specific network conditions, such as "show all internet-facing VMs without endpoint protection, that have network access to databases containing sensitive data."
5656

57+
## Verify reachability with network verifier
58+
59+
Network verifier is a feature of Azure Virtual Network Manager that lets you check whether your network policies allow or block traffic between Azure network resources. You create a verifier workspace within your network manager instance, define reachability analysis intents that specify source, destination, ports, and protocol, and then run a static analysis. The analysis evaluates NSG rules, ASG rules, Security Admin Rules, virtual network peering, route tables, service endpoints, private endpoints, Virtual WAN configurations, and Azure Firewall rules (static Layer 4) to determine whether packets can reach the destination.
60+
61+
Network verifier is useful during both the design and post-deployment phases of your network setup. When you encounter unexpected traffic allowances or blocks, the reachability analysis results reconstruct the source-to-destination path and show where the misconfiguration lies. Use this capability to validate segmentation intent, prove compliance with security requirements, and catch misconfigurations before or after they reach production.
62+
5763
## Validate posture with Network Watcher diagnostics
5864

59-
Azure Network Watcher provides diagnostic tools that help you verify your network configurations match your intended design. While the next unit covers network monitoring in depth, two Network Watcher capabilities are especially relevant for posture validation:
65+
Azure Network Watcher provides diagnostic tools that help you verify your network configurations match your intended design. While the next unit covers network monitoring in depth, several Network Watcher capabilities are especially relevant for posture validation:
6066

6167
- **IP flow verify** and **NSG diagnostics** check whether specific traffic is allowed or denied by evaluating the effective security rules at the VM or subnet level. Use these tools to confirm that your NSG configurations enforce the traffic-filtering policies you designed, without waiting for actual traffic to trigger a flow log entry.
6268
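Review bot: "prove compliance with security requirements" in the second new paragraph overstates what this static analysis can show. The first paragraph itself limits Azure Firewall evaluation to static Layer 4, and nothing in the evaluated-resource list covers application-layer rules, third-party NVAs, or anything outside the named Azure resource types, so a verifier result is evidence that the configured Azure-native policy permits or blocks a flow, not proof of end-to-end posture. Suggest "produce evidence that the configured policies match security requirements" plus one sentence on what is out of scope. Two smaller points: "Security Admin Rules" is capitalized differently from the "Security admin rules" wording used for the same feature in 9-summary.md, and "catch misconfigurations before or after they reach production" reads awkwardly; "during design review and after deployment" matches the sentence that opens the paragraph. A single line relating this section to the IP flow verify bullet that follows (IP flow verify evaluates effective rules at one VM or subnet, network verifier reconstructs the whole source-to-destination path) would explain why both tools are listed.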

learn-pr/wwl-sci/design-solutions-network-security/includes/9-summary.md

Lines changed: 2 additions & 0 deletions
@@ -33,6 +33,7 @@ You learned how to:
3333
- [Azure Virtual Network Manager overview](/azure/virtual-network-manager/overview)
3434
- [Security admin rules in Azure Virtual Network Manager](/azure/virtual-network-manager/concept-security-admins)
3535
- [Azure Network Security Perimeter](/azure/private-link/network-security-perimeter-concepts)
36+
- [Azure Virtual Network encryption](/azure/virtual-network/virtual-network-encryption-overview)
3637
- [Azure Firewall overview](/azure/firewall/overview)
3738
- [Azure Virtual WAN overview](/azure/virtual-wan/virtual-wan-about)
3839
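Review bot: the link text "Azure Virtual Network encryption" capitalizes "Virtual Network" while the bullet added to 2-design-solutions-network-segmentation.md in this same commit writes "virtual network encryption"; pick one form for the feature name across the module, and keep the link text in step with the neighbouring entries, which capitalize only "Azure" and the product name.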

@@ -52,6 +53,7 @@ You learned how to:
5253
- [Networking security recommendations reference](/azure/defender-for-cloud/recommendations-reference-networking)
5354
- [Identify and remediate attack paths](/azure/defender-for-cloud/how-to-manage-attack-path)
5455
- [Governance rules in Defender for Cloud](/azure/defender-for-cloud/governance-rules)
56+
- [Network verifier in Azure Virtual Network Manager](/azure/virtual-network-manager/concept-virtual-network-verifier)
5557
- [Azure Policy built-in definitions for Azure networking](/azure/virtual-network/policy-reference)
5658

5759
### Network monitoring
