Confiring Azure account improvements

Author: Shubha Narayanan

installing/installing_azure/installing-azure-account.adoc

@@ -1,20 +1,19 @@
 :_mod-docs-content-type: ASSEMBLY
 [id="installing-azure-account"]
-= Configuring an Azure account
+= Configuring an {azure-short} account
 include::_attributes/common-attributes.adoc[]
 :context: installing-azure-account
 
 toc::[]
 
-Before you can install {product-title}, you must configure a Microsoft Azure account to meet installation requirements.
+Before you can install {product-title}, you must configure a {azure-first} account to meet installation requirements.
 
 [IMPORTANT]
 ====
-All Azure resources that are available through public endpoints are subject to
-resource name restrictions, and you cannot create resources that use certain
-terms. For a list of terms that Azure restricts, see
+All {azure-short} resources that are available through public endpoints are subject to
+resource name restrictions. For a list of terms that {azure-short} restricts for resource names, see
 link:https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-reserved-resource-name[Resolve reserved resource name errors]
-in the Azure documentation.
+in the {azure-short} documentation.
 ====
 
 include::modules/installation-azure-limits.adoc[leveloffset=+1]
@@ -26,15 +25,16 @@ include::modules/installation-azure-limits.adoc[leveloffset=+1]
 
 include::modules/installation-azure-network-config.adoc[leveloffset=+1]
 
-include::modules/installation-azure-increasing-limits.adoc[leveloffset=+1]
-
 include::modules/installation-azure-subscription-tenant-id.adoc[leveloffset=+1]
 
 include::modules/installation-azure-identities.adoc[leveloffset=+1]
 
 include::modules/installation-azure-permissions.adoc[leveloffset=+2]
-include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+2]
+
+include::modules/minimum-required-permissions-ipi-azure.adoc[leveloffset=+3]
+
 include::modules/installation-using-azure-managed-identities.adoc[leveloffset=+2]
+
 include::modules/installation-creating-azure-service-principal.adoc[leveloffset=+2]
 
 [role="_additional-resources"]

installing/installing_azure/upi/installing-azure-user-infra.adoc

@@ -53,8 +53,6 @@ include::modules/installation-azure-network-config.adoc[leveloffset=+2]
 
 You can view Azure's DNS solution by visiting this xref:installation-azure-create-dns-zones_{context}[example for creating DNS zones].
 
-include::modules/installation-azure-increasing-limits.adoc[leveloffset=+2]
-
 include::modules/csr-management.adoc[leveloffset=+2]
 
 include::modules/installation-azure-subscription-tenant-id.adoc[leveloffset=+2]

installing/installing_azure/upi/installing-restricted-networks-azure-user-provisioned.adoc

@@ -55,8 +55,6 @@ include::modules/installation-azure-network-config.adoc[leveloffset=+2]
 
 You can view Azure's DNS solution by visiting this xref:installation-azure-create-dns-zones_{context}[example for creating DNS zones].
 
-include::modules/installation-azure-increasing-limits.adoc[leveloffset=+2]
-
 include::modules/csr-management.adoc[leveloffset=+2]
 
 include::modules/installation-azure-permissions.adoc[leveloffset=+2]

modules/installation-azure-identities.adoc

@@ -4,10 +4,12 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="installation-azure-identities_{context}"]
-= Supported identities to access Azure resources
+= Supported identities to access {azure-short} resources
 
-An {product-title} cluster requires an Azure identity to create and manage Azure resources. As such, you need one of the following types of identities to complete the installation:
+An {product-title} cluster requires an {azure-short} identity to create and manage {azure-short} resources. You need one of the following types of identities to complete the installation:
 
 * A service principal
 * A system-assigned managed identity
 * A user-assigned managed identity
+
+For more information on Azure identities, see link:https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview#managed-identity-types[Managed identity types].

modules/installation-azure-increasing-limits.adoc

@@ -206,6 +206,8 @@ Using spot VMs for control plane nodes is not recommended.
 endif::ash[]
 |===
 
+To increase an account limit, file a support request on the Azure portal. For more information, see link:https://learn.microsoft.com/en-us/azure/deployment-environments/how-to-request-quota-increase[Request a quota limit increase for Azure Deployment Environments resources].
+
 ifeval::["{context}" == "installing-azure-stack-hub-user-infra"]
 :!ash:
 :!cp: Azure Stack Hub

modules/installation-azure-limits.adoc

@@ -4,13 +4,13 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="installation-azure-marketplace_{context}"]
-= Supported Azure Marketplace regions
+= Supported {azure-short} Marketplace regions
 
-Installing a cluster using the Azure Marketplace image is available to customers who purchase the offer in North America and EMEA.
+Installing a cluster using the {azure-short} Marketplace image is available to customers who purchase the offer in North America and EMEA.
 
-While the offer must be purchased in North America or EMEA, you can deploy the cluster to any of the Azure public partitions that {product-title} supports.
+While the offer must be purchased in North America or EMEA, you can deploy the cluster to any of the {azure-short} public partitions that {product-title} supports.
 
 [NOTE]
 ====
-Deploying a cluster using the Azure Marketplace image is not supported for the Azure Government regions.
+Deploying a cluster using the {azure-short} Marketplace image is not supported for the {azure-short} Government regions.
 ====

modules/installation-azure-marketplace.adoc

@@ -6,37 +6,29 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="installation-azure-network-config_{context}"]
-= Configuring a public DNS zone in Azure
+= Configuring a public DNS zone in {azure-short}
 
-To install {product-title}, the Microsoft Azure account you use must
+To install {product-title}, the {azure-first} account you use must
 have a dedicated public hosted DNS zone in your account. This zone must be
 authoritative for the domain. This service provides
 cluster DNS resolution and name lookup for external connections to the cluster.
 
 .Procedure
 
 . Identify your domain, or subdomain, and registrar. You can transfer an
-existing domain and registrar or obtain a new one through Azure or another source.
-+
-[NOTE]
-====
-For more information about purchasing domains through Azure, see
-link:https://docs.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain[Buy a custom domain name for Azure App Service]
-in the Azure documentation.
-====
-
-. If you are using an existing domain and registrar, migrate its DNS to Azure. See
+existing domain and registrar or obtain a new one through {azure-short} or another source.
+
+** To purchase a new domain through {azure-short}, see link:https://docs.microsoft.com/en-us/azure/app-service/manage-custom-dns-buy-domain[Buy a custom domain name for Azure App Service].
+
+** If you are using an existing domain and registrar, migrate its DNS to {azure-short}. For more information, see
 link:https://docs.microsoft.com/en-us/azure/app-service/manage-custom-dns-migrate-domain[Migrate an active DNS name to Azure App Service]
-in the Azure documentation.
+in the {azure-short} documentation.
 
-. Configure DNS for your domain. Follow the steps in the
-link:https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns[Tutorial: Host your domain in Azure DNS]
-in the Azure documentation to create a public hosted zone for your domain or
-subdomain, extract the new authoritative name servers, and update the registrar
-records for the name servers that your domain uses.
+. Configure DNS for your domain, which includes creating a public hosted zone for your domain or subdomain, extracting the new authoritative name servers, and updating the registrar records for the name servers that your domain uses. For more information, see
+link:https://docs.microsoft.com/en-us/azure/dns/dns-delegate-domain-azure-dns[Tutorial: Host your domain in Azure DNS].
 +
 Use an appropriate root domain, such as `openshiftcorp.com`, or subdomain,
 such as `clusters.openshiftcorp.com`.
 
-. If you use a subdomain, follow your company's procedures to add its delegation
+. If you use a subdomain, follow your organization's procedures to add its delegation
 records to the parent domain.

modules/installation-azure-network-config.adoc

@@ -4,14 +4,18 @@
 // * installing/installing_azure/installing-azure-user-infra.adoc
 // * installing/installing_azure/installing-restricted-networks-azure-user-provisioned.adoc
 
+:_mod-docs-content-type: CONCEPT
 [id="installation-azure-permissions_{context}"]
-= Required Azure roles
+= Required {azure-short} roles
 
-An {product-title} cluster requires an Azure identity to create and manage Azure resources. Before you create the identity, verify that your environment meets the following requirements:
+Before you create the identity, verify that your environment meets the following requirements based on the identity:
 
 * The Azure account that you use to create the identity is assigned the `User Access Administrator` and `Contributor` roles. These roles are required when:
+
 ** Creating a service principal or user-assigned managed identity.
+
 ** Enabling a system-assigned managed identity on a virtual machine.
+
 * If you are going to use a service principal to complete the installation, verify that the Azure account that you use to create the identity is assigned the `microsoft.directory/servicePrincipals/createAsOwner` permission in Microsoft Entra ID.
 
-To set roles on the Azure portal, see the link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[Manage access to Azure resources using RBAC and the Azure portal] in the Azure documentation.
+To set roles on the {azure-short} portal, see link:https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal[Assign {azure-short} roles using the {azure-short} portal] in the {azure-short} documentation.

modules/installation-azure-permissions.adoc

@@ -4,42 +4,42 @@
 
 :_mod-docs-content-type: PROCEDURE
 [id="preparing-disk-encryption-sets_{context}"]
-= Preparing an Azure Disk Encryption Set
-The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in Azure and provide the key to the installer.
+= Preparing an {azure-short} Disk Encryption Set
+The {product-title} installer can use an existing Disk Encryption Set with a user-managed key. To enable this feature, you can create a Disk Encryption Set in {azure-short} and provide the key to the installer.
 
 .Procedure
 
-. Set the following environment variables for the Azure resource group by running the following command:
+. Set the environment variables for the {azure-short} resource group by running the following command:
 +
 [source,terminal]
 ----
 $ export RESOURCEGROUP="<resource_group>" \// <1>
     LOCATION="<location>" <2>
 ----
-<1> Specifies the name of the Azure resource group where you will create the Disk Encryption Set and encryption key. To avoid losing access to your keys after destroying the cluster, you should create the Disk Encryption Set in a different resource group than the resource group where you install the cluster.
-<2> Specifies the Azure location where you will create the resource group.
+<1> Specifies the name of the {azure-short} resource group where the Disk Encryption Set and encryption key are to be created. To prevent losing access to your keys when you destroy the cluster, create the Disk Encryption Set in a separate resource group from the one where you install the cluster.
+<2> Specifies the {azure-short} location where the resource group is to be created.
 +
-. Set the following environment variables for the Azure Key Vault and Disk Encryption Set by running the following command:
+. Set the environment variables for the {azure-short} Key Vault and Disk Encryption Set by running the following command:
 +
 [source,terminal]
 ----
 $ export KEYVAULT_NAME="<keyvault_name>" \// <1>
     KEYVAULT_KEY_NAME="<keyvault_key_name>" \// <2>
     DISK_ENCRYPTION_SET_NAME="<disk_encryption_set_name>" <3>
 ----
-<1> Specifies the name of the Azure Key Vault you will create.
-<2> Specifies the name of the encryption key you will create.
-<3> Specifies the name of the disk encryption set you will create.
+<1> Specifies the name of the {azure-short} Key Vault to be created.
+<2> Specifies the name of the encryption key to be created.
+<3> Specifies the name of the disk encryption set to be created.
 +
-. Set the environment variable for the ID of your Azure Service Principal by running the following command:
+. Set the environment variable for the ID of your {azure-short} service principal by running the following command:
 +
 [source,terminal]
 ----
 $ export CLUSTER_SP_ID="<service_principal_id>" <1>
 ----
-<1> Specifies the ID of the service principal you will use for this installation.
+<1> Specifies the ID of the service principal to be used for installation.
 +
-. Enable host-level encryption in Azure by running the following commands:
+. Enable host-level encryption in {azure-short} by running the following command:
 +
 [source,terminal]
 ----
@@ -56,14 +56,14 @@ $ az feature show --namespace Microsoft.Compute --name EncryptionAtHost
 $ az provider register -n Microsoft.Compute
 ----
 +
-. Create an Azure Resource Group to hold the disk encryption set and associated resources by running the following command:
+. Create an {azure-short} resource group to hold the disk encryption set and associated resources by running the following command:
 +
 [source,terminal]
 ----
 $ az group create --name $RESOURCEGROUP --location $LOCATION
 ----
 +
-. Create an Azure key vault by running the following command:
+. Create an {azure-short} Key Vault by running the following command:
 +
 [source,terminal]
 ----
@@ -102,7 +102,7 @@ $ az disk-encryption-set create -n $DISK_ENCRYPTION_SET_NAME -l $LOCATION -g \
     $RESOURCEGROUP --source-vault $KEYVAULT_ID --key-url $KEYVAULT_KEY_URL
 ----
 +
-. Grant the DiskEncryptionSet resource access to the key vault by running the following commands:
+. Grant the `DiskEncryptionSet` resource access to the key vault by running the following commands:
 +
 [source,terminal]
 ----
@@ -116,7 +116,7 @@ $ az keyvault set-policy -n $KEYVAULT_NAME -g $RESOURCEGROUP --object-id \
     $DES_IDENTITY --key-permissions wrapkey unwrapkey get
 ----
 +
-. Grant the Azure Service Principal permission to read the DiskEncryptionSet by running the following commands:
+. Grant the {azure-short} service principal permission to read the Disk Encryption Set by running the following commands:
 +
 [source,terminal]
 ----
@@ -129,4 +129,4 @@ $ DES_RESOURCE_ID=$(az disk-encryption-set show -n $DISK_ENCRYPTION_SET_NAME -g
 $ az role assignment create --assignee $CLUSTER_SP_ID --role "<reader_role>" \// <1>
     --scope $DES_RESOURCE_ID -o jsonc
 ----
-<1> Specifies an Azure role with read permissions to the disk encryption set. You can use the `Owner` role or a custom role with the necessary permissions.
+<1> Specifies an {azure-short} role with read permissions to the disk encryption set. You can use the `Owner` role or a custom role with the necessary permissions.