Merge pull request magento-commerce/devdocs/pull/2593 from magento-devdocs/hg-mc8217-privatelink

hguthrie · web-flow · commit 2da06e674511 · 2021-10-26T10:26:37.000-05:00
MCLOUD-8217 Azure Private Link update
diff --git a/src/cloud/project/privatelink-service.md b/src/cloud/project/privatelink-service.md
@@ -21,56 +21,76 @@ The PrivateLink service integration for {{site.data.var.ece}} projects includes
 
 ## Limitations
 
--  Support for PrivateLink is available on Pro plan Production and Staging environments only. It is not available on local or integration environments, or on Starter plan projects.
--  You cannot establish SSH connections using PrivateLink. For SSH, use the SSH capabilities. See [Enable SSH keys][].
+-  Support for PrivateLink is available on Pro Production and Staging environments only. It is not available on local or integration environments, or on Starter projects.
+-  You cannot establish SSH connections using PrivateLink. For SSH, see [Enable SSH keys][].
 -  {{site.data.var.ee}} support does not cover troubleshooting AWS PrivateLink issues beyond initial enablement.
 -  Customers are responsible for costs associated with managing their own VPC.
 -  You cannot use the HTTPS protocol (port 443) to connect to {{ site.data.var.ece }} over PrivateLink.
 -  PrivateDNS is not available.
 
 ## PrivateLink connection types
 
-The following network diagram shows the PrivateLink connection types available to establish secure communication between your store and external systems hosted outside of the Cloud environment.<br><br>
+There are two PrivateLink connection types available—shown in the following network diagram—to establish secure communication between your store and external systems hosted outside of the Cloud environment.
 
 ![PrivateLink network diagram]
 
-You must determine the PrivateLink connection type required for your {{site.data.var.ece}} environments:
+Choose one of the PrivateLink connection types best suited for your {{site.data.var.ece}} environments:
 
 -  **Unidirectional PrivateLink**–Choose this configuration to retrieve data securely from a {{ site.data.var.ece }} store.
 -  **Bidirectional PrivateLink**–Choose this configuration to establish secure connections to and from systems outside of the {{site.data.var.ece}} environment. The bidirectional option requires two connections:
    -  A connection between the customer VPC and the Adobe VPC
    -  A connection between the Adobe VPC and the customer VPC
 
 {:.bs-callout-tip}
- Work with your network administrator or Cloud platform provider for help selecting the PrivateLink connection type, or help with VPC setup and administration. Also, see your Cloud platform PrivateLink documentation [AWS PrivateLink][], [Azure Private Link][].
+ Work with your network administrator or Cloud platform provider for help with selecting the PrivateLink connection type, or help with VPC setup and administration. See Cloud platform PrivateLink documentation: [AWS PrivateLink][] or [Azure Private Link][].
 
 ## Request PrivateLink enablement
 
 {:.bs-callout-warning}
-Enabling PrivateLink can take up to 5 business days. Providing incomplete, or inaccurate information can delay the process.
+Enabling PrivateLink can take up to _five_ business days. Providing incomplete or inaccurate information can delay the process.
 
 ### Prerequisites
 
--  {:.fix}A Cloud account (AWS or Azure) in the same region as the {{site.data.var.ece}} instance
--  {:.fix}A VPC in the customer environment that hosts the services to connect via PrivateLink. See the AWS or Azure documentation for help with VPC set up or contact your network administrator.
+-  {:.fix}A Cloud account (AWS or Azure) in the same region as the {{site.data.var.ece}} instance.
+-  {:.fix}A VPC in the customer environment that hosts the services to connect via PrivateLink. See the AWS or Azure documentation for help with VPC setup or contact your network administrator.
 -  {:.fix}For bidirectional PrivateLink connections, you must create the endpoint service configuration for your application or service, and create an endpoint in your VPC environment before requesting PrivateLink enablement. See [Set up for bidirectional PrivateLink connections](#set-up-for-bidirectional-privatelink-connections).
--  {:.fix}Gather the following data required for PrivateLink enablement:
 
-   -  **Customer Cloud account number** (AWS or Azure)–Must be in the same region as the {{site.data.var.ece}} instance
-   -  **Cloud region**–Provide the Cloud region where the account is hosted for verification purposes
-   -  **Services and communication ports**–Adobe must open ports to enable service communication between VPCs, for example _Webserver, HTTP port 80_, _SFTP port 2222_
-   -  **Project ID**–Provide the {{site.data.var.ece}} Pro project ID. You can get the Project ID and other project information using the folllowing [Magento Cloud CLI][] command:  ```magento-cloud project:info```
-   -  **Connection type**–Specify unidirectional or bidirectional for connection type
-   -  **Endpoint service**–For bidirectional PrivateLink connections, provide the DNS URL for the VPC endpoint service that Adobe must connect to, for example `com.amazonaws.vpce.<cloud-region>.vpce-svc-<service-id>`.
-   -  **Endpoint service access granted**-Provide the Adobe account principal with access to this endpoint service: `arn:aws:iam::402592597372:root`. If access to the endpoint service is not provided, the bidirectional PrivateLink connection to the service in your VPC is **not** added, which delays the setup.
+Gather the following data required for PrivateLink enablement:
+
+-  {:.fix}**Customer Cloud account number** (AWS or Azure)—Must be in the same region as the {{site.data.var.ece}} instance
+-  {:.fix}**Cloud region**—Provide the Cloud region where the account is hosted for verification purposes
+-  {:.fix}**Services and communication ports**—Adobe must open ports to enable service communication between VPCs, for example _Webserver, HTTP port 80_, _SFTP port 2222_
+-  {:.fix}**Project ID**—Provide the {{site.data.var.ece}} Pro project ID. You can get the Project ID and other project information using the following [Magento Cloud CLI][] command: `magento-cloud project:info`
+-  {:.fix}**Connection type**—Specify unidirectional or bidirectional for connection type
+-  {:.fix}**Endpoint service**—For bidirectional PrivateLink connections, provide the DNS URL for the VPC endpoint service that Adobe must connect to, for example: `com.amazonaws.vpce.<cloud-region>.vpce-svc-<service-id>`
+-  {:.fix}**Endpoint service access granted**—To connect to external service, allow the endpoint service access to the following AWS account principal: `arn:aws:iam::402592597372:root`
+
+   {:.bs-callout-warning}
+   If access to the endpoint service is not provided, then the bidirectional PrivateLink connection to the service in your VPC is **not** added, which delays the setup.
+
+Additional prerequisites specific to Azure Private Link enablement:
+
+-  {:.fix}Provide the cluster ID; using SSH, log in to the remote and use the command: `cat /etc/platform_cluster`
+
+-  {:.fix}For an external service to connect to your {{site.data.var.ee}} Pro cluster, you need:
+
+   -  A list of ports on your Pro cluster to expose to the new external Private Endpoint
+
+   -  A list of Azure subscription IDs for the Private Endpoint connections
+
+-  {:.fix}To connect your {{site.data.var.ee}} Pro cluster to an external service, you need:
+
+   -  A list of resource IDs for the target services. External Private Link service IDs look similar to the following:
+
+   ```text
+   /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/privateLinkServices/{svcNameID}
+   ```
 
 ### Enablement workflow
 
 The following workflow outlines the enablement process for PrivateLink integration with {{site.data.var.ece}}.
 
-1. **Customer** submits a support ticket requesting PrivateLink enablement with the subject line `PrivateLink support for <company>`. Include the [data required for enablement](#prerequisites) in the ticket.
-
-   We use the Support ticket to coordinate communication during the enablement process.
+1. **Customer** submits a support ticket requesting PrivateLink enablement with the subject line `PrivateLink support for <company>`. Include the [data required for enablement](#prerequisites) in the ticket. Adobe uses the Support ticket to coordinate communication during the enablement process.
 
 1. **Adobe** enables customer account access to the endpoint service in the Adobe VPC.
 
@@ -111,18 +131,18 @@ The following workflow outlines the enablement process for PrivateLink integrati
 You can use the Telnet application to test the connection to the VPC endpoint service.
 
 {:.bs-callout-tip}
-For help installing and using Telnet, see [Telnet How-To][] in the Telnet documentation.
+For help with installing and using Telnet, see [Telnet How-To][] in the _Telnet_ documentation.
 
 {:.procedure}
 To test the connection to the VPC endpoint service:
 
-1. Log in to {{site.data.var.ece}} project, and checkout the Staging or Production environment.
+1. Log in to {{site.data.var.ece}}.
 
    ```bash
    magento-cloud login
    ```
 
-1. From the project root directory, checkout the environment configured to access the PrivateLink endpoint service.
+1. From the project root directory, **checkout** the Staging or Production environment configured to access the PrivateLink endpoint service.
 
    ```bash
    magento-cloud environment:checkout <environment-id>
@@ -156,26 +176,26 @@ To test the connection to the VPC endpoint service:
    ```
    {:.no-copy}
 
-1. Run the following command to ensure the service is listening on VM:
+1. Verify the service is listening on VM.
 
    ```bash
-   netstat -na |grep <port>
+   netstat -na | grep <port>
    ```
 
-1. Run the following command to check the packages flow:
+1. Check the packages flow.
 
    ```bash
-   tcpdump -i <ethernet interface> -tt -nn port <destination port> and host <source host>
+   tcpdump -i <ethernet-interface> -tt -nn port <destination-port> and host <source-host>
    ```
 
    Check the following internal settings to ensure that the configuration is valid:
 
    -  Endpoint and endpoint services settings
    -  NLB settings
    -  The target groups in NLB and verify they are healthy
-   -  The netcat/curl endpoint URL from each VM ( listed above)
+   -  The netcat/curl endpoint URL from each VM (listed above)
 
-   See the following articles for help troubleshooting connection issues:
+   See the following articles for help with troubleshooting connection issues:
 
    -  [AWS: Troubleshooting endpoint service connections][]
    -  [Amazon: Troubleshooting Azure Private Link connectivity problems][]
@@ -205,7 +225,7 @@ If these resources are not available in the customer VPC, you must sign into you
 
 See your Cloud platform documentation for PrivateLink set up instructions:
 
--  **AWS PrivateLink  documentation**
+-  **AWS PrivateLink documentation**
    -  [Create a Network Load Balancer][]
    -  [Create an endpoint service configuration][]
    -  [Create an interface endpoint][]
@@ -233,7 +253,7 @@ See your Cloud platform documentation for PrivateLink set up instructions:
 [Create a Network Load Balancer]: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/create-network-load-balancer.html
 [Create an endpoint service configuration]: https://docs.aws.amazon.com/vpc/latest/userguide/create-endpoint-service.html
 [Create an interface endpoint]: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#create-interface-endpoint
-[Enable SSH keys]: https://devdocs.magento.com/cloud/before/before-workspace-ssh.html
+[Enable SSH keys]: {{site.baseurl}}/cloud/before/before-workspace-ssh.html
 [interface endpoint lifecycle]: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html#vpce-interface-lifecycle
 [interface endpoint]: https://docs.aws.amazon.com/vpc/latest/userguide/vpce-interface.html
 [Magento Cloud CLI]: {{site.baseurl}}/cloud/reference/cli-ref-topic.html
