Merge pull request #5447 from MicrosoftDocs/main
Merge main to live, 4 AM
v-ccolin authored Oct 6, 2024
2 parents 692e553 + a9144c6 commit 917ed12
Showing 24 changed files with 230 additions and 211 deletions.
@@ -1,22 +1,24 @@
---
title: How to create a remote network with a custom IKE policy
title: Create a remote network with a custom IKE policy
description: Learn how to set up the bidirectional communication tunnel between Global Secure Access and your router.
author: kenwith
ms.author: kenwith
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
ms.topic: how-to
ms.date: 03/22/2024
ms.date: 10/04/2024
ms.service: global-secure-access
ms.reviewer: absinh

# Customer intent: As an IT admin, I need to be able to create a custom Internet Key Exchange (IKE) policy to set up the communication tunnel with Global Secure Access.

# Customer intent: As an IT admin, I need to be able to create a custom IKE policy to set up the communication tunnel with Global Secure Access.
---
# Create a remote network with a custom IKE policy for Global Secure Access

IPSec tunnel is a bidirectional communication. This article provides the steps to set up the communication channel in Microsoft Entra admin center and the Microsoft Graph API. The other side of the communication is configured on your customer premises equipment (CPE).

## Prerequisites

To create a remote network with a custom IKE policy, you must have:
To create a remote network with a custom Internet Key Exchange (IKE) policy, you must have:

- A **Global Secure Access Administrator** role in Microsoft Entra ID.
- Received the connectivity information from Global Secure Access onboarding.
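Review bot: the frontmatter description in this hunk (`description: Learn how to set up the bidirectional communication tunnel between Global Secure Access and your router.`) still says "your router", while the body introduced in the same hunk switches to "customer premises equipment (CPE)"; align the description with the body so the article uses one term for the device. The context sentence "IPSec tunnel is a bidirectional communication." also reads awkwardly ("An IPsec tunnel is bidirectional" would do) and is a good place to settle the IPSec/IPsec spelling, which varies across this file.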
Expand All @@ -42,9 +44,9 @@ To create a remote network with a custom IKE policy in the Microsoft Entra admin

### Add a link - General tab

There are several details to enter on the General tab. Pay close attention to the Peer and Local BGP addresses. *The peer and local details are reversed, depending on where the configuration is completed.*
There are several details to enter on the General tab. Pay close attention to the Peer and Local Border Gateway Protocol (BGP) addresses. *The peer and local details are reversed, depending on where the configuration is completed.*

![Screenshot of the General tab with examples in each field.](./media/how-to-create-remote-network-custom-ike-policy/add-device-link.png)
:::image type="content" source="./media/how-to-create-remote-network-custom-ike-policy/add-device-link.png" alt-text="Screenshot of the General tab with examples in each field.":::

1. Enter the following details:
- **Link name**: Name of your CPE.
Expand All @@ -56,9 +58,9 @@ There are several details to enter on the General tab. Pay close attention to th
- A BGP-enabled connection between two network gateways requires that they have different ASNs.
- Refer to the [valid ASN values](reference-remote-network-configurations.md#valid-asn) list for reserved values that can't be used.
- **Redundancy**: Select either *No redundancy* or *Zone redundancy* for your IPSec tunnel.
- **Zone redundant local BGP address**: This optional field shows up only when you select **Zone redundancy**.
- Enter a BGP IP address that is *not* part of your on-premises network where your CPE resides *and* is different from **Local BGP address**.
- **Bandwidth capacity (Mbps)**: Specify tunnel bandwidth. Available options are 250, 500, 750, and 1000 Mbps.
- **Zone redundancy local BGP address**: This optional field shows up only when you select **Zone redundancy**.
- Enter a BGP IP address that *isn't* part of your on-premises network where your CPE resides *and* is different from **Local BGP address**.
- **Bandwidth capacity (Mbps)**: Specify tunnel bandwidth. Available options are 250, 500, 750, and 1,000 Mbps.
- **Local BGP address**: Enter a BGP IP address that *isn't* part of your on-premises network where your CPE resides.
- For example, if your on-premises network is 10.1.0.0/16, then you can use 10.2.0.4 as your Local BGP address.
- This address is entered as the *peer* BGP​​ IP address on your CPE.
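Review bot: the field label is renamed here from "Zone redundant local BGP address" to "Zone redundancy local BGP address", but the vWAN article touched later in this same PR keeps the old label (`- **Zone redundant local BGP address**: This optional field shows up only when you select **Zone redundancy**.`); use whichever matches the current admin center form and apply it in both files. The Local BGP address guidance ("if your on-premises network is 10.1.0.0/16, then you can use 10.2.0.4") has no pointer to the reserved-address list that the vWAN article links (`reference-remote-network-configurations.md#valid-bgp-addresses`); adding the same link here, as is already done for ASNs two bullets up, would stop readers picking a reserved address.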
Expand All @@ -75,10 +77,10 @@ There are several details to enter on the General tab. Pay close attention to th

1. Change the **IPSec/IKE policy** to **Custom**.

1. Select your Phase 1 combination details for **Encryption**, **IKEv2 integrity** and **DHGroup**.
1. Select your Phase 1 combination details for **Encryption**, **IKEv2 integrity**, and **DHGroup**.
- The combination of details you select must align with the available options listed in the [Remote network valid configurations](reference-remote-network-configurations.md) reference article.

1. Select your Phase 2 combinations for **IPsec encryption**, **IPsec integrity**, **PFS group** and **SA lifetime (seconds)**.
1. Select your Phase 2 combinations for **IPsec encryption**, **IPsec integrity**, **PFS group**, and **SA lifetime (seconds)**.
- The combination of details you select must align with the available options listed in the [Remote network valid configurations](reference-remote-network-configurations.md) reference article.

1. Whether you choose Default or Custom, the IPSec/IKE policy you specify must match the crypto policy on your CPE.
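Review bot: product casing is inconsistent within this hunk: "IPSec/IKE policy" (twice) versus "IPsec encryption" and "IPsec integrity"; UI labels should be quoted exactly as the form shows them, and the prose around them should settle on one spelling (IPsec is the RFC spelling). The closing step, "the IPSec/IKE policy you specify must match the crypto policy on your CPE", is the security-relevant constraint of the whole procedure, so it would help to say what a mismatch looks like to the reader (the tunnel not establishing versus some negotiated fallback), since the steps as written leave that open.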
Expand All @@ -104,45 +106,40 @@ Remote networks with a custom IKE policy can be created using Microsoft Graph on
1. Add the following query, then select **Run query**.

```http
POST https://graph.microsoft.com/beta/networkaccess/connectivity/branches
POST https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/dc6a7efd-6b2b-4c6a-84e7-5dcf97e62e04/deviceLinks
Content-Type: application/json
{
"name": "BranchOffice_CustomIKE",
"region": "eastUS",
"deviceLinks": [
{
"name": "custom link",
"ipAddress": "114.20.4.14",
"deviceVendor": "ciscoMeraki",
"tunnelConfiguration": {
"saLifeTimeSeconds": 300,
"ipSecEncryption": "gcmAes128",
"ipSecIntegrity": "gcmAes128",
"ikeEncryption": "aes128",
"ikeIntegrity": "sha256",
"dhGroup": "ecp384",
"pfsGroup": "ecp384",
"@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom",
"preSharedKey": "SHAREDKEY"
},
"bgpConfiguration": {
"localIpAddress": "10.1.1.11",
"peerIpAddress": "10.6.6.6",
"asn": 65000
},
"redundancyConfiguration": {
"redundancyTier": "zoneRedundancy",
"zoneLocalIpAddress": "10.1.1.12"
},
"bandwidthCapacityInMbps": "mbps250"
}
]
"name": "custom link",
"ipAddress": "114.20.4.14",
"deviceVendor": "ciscoMeraki",
"tunnelConfiguration": {
"saLifeTimeSeconds": 300,
"ipSecEncryption": "gcmAes128",
"ipSecIntegrity": "gcmAes128",
"ikeEncryption": "aes128",
"ikeIntegrity": "sha256",
"dhGroup": "ecp384",
"pfsGroup": "ecp384",
"@odata.type": "#microsoft.graph.networkaccess.tunnelConfigurationIKEv2Custom",
"preSharedKey": "SHAREDKEY"
},
"bgpConfiguration": {
"localIpAddress": "10.1.1.11",
"peerIpAddress": "10.6.6.6",
"asn": 65000
},
"redundancyConfiguration": {
"redundancyTier": "zoneRedundancy",
"zoneLocalIpAddress": "10.1.1.12"
},
"bandwidthCapacityInMbps": "mbps250"
}
```

---



## Next steps

- [How to manage remote networks](how-to-manage-remote-networks.md)
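Review bot: the request changes from creating a remote network (`POST https://graph.microsoft.com/beta/networkaccess/connectivity/branches` with name, region and a deviceLinks array) to adding a device link to an existing remote network (`POST https://graph.microsoft.com/beta/networkAccess/connectivity/remoteNetworks/dc6a7efd-6b2b-4c6a-84e7-5dcf97e62e04/deviceLinks`), but the context line above the query still says remote networks with a custom IKE policy "can be created using Microsoft Graph"; the prose should state that the remote network must already exist, where the ID in the URL comes from, and that the GUID is a sample value. `"preSharedKey": "SHAREDKEY"` should likewise be called out as a placeholder so it is not pasted as-is; the PSK has to match the one configured on the CPE, as the vWAN article's Security tab step in this PR says. Minor: three blank lines are left between `---` and `## Next steps`.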
34 changes: 18 additions & 16 deletions docs/global-secure-access/how-to-create-remote-network-vwan.md
@@ -1,9 +1,9 @@
---
title: Simulate remote network connectivity using Azure vWAN
description: Use Global Secure Access to configure Azure and Entra resources to create a virtual wide area network to connect to your resources in Azure.
description: Use Global Secure Access to configure Azure and Microsoft Entra resources to create a virtual wide area network to connect to your resources in Azure.
ms.service: global-secure-access
ms.topic: how-to
ms.date: 07/01/2024
ms.date: 10/04/2024
ms.author: jayrusso
author: HULKsmashGithub
manager: amycolannino
Expand Down Expand Up @@ -31,7 +31,7 @@ This document uses the following example values, along with the values in the im
- Region: South Central US

## High-level steps
The steps to create a remote network using Azure vWAN require access to both the Azure portal and the Microsoft Entra admin center. To switch between them easily, keep Azure and Entra open in separate tabs. Because certain resources can take more than 30 minutes to deploy, set aside at least two hours to complete this process. Reminder: Resources left running can cost you money. When done testing, or at the end of a project, it's a good idea to remove the resources that you no longer need.
The steps to create a remote network using Azure vWAN require access to both the Azure portal and the Microsoft Entra admin center. To switch between them easily, keep Azure and Microsoft Entra open in separate tabs. Because certain resources can take more than 30 minutes to deploy, set aside at least two hours to complete this process. Reminder: Resources left running can cost you money. When done testing, or at the end of a project, it's a good idea to remove the resources that you no longer need.

1. [Set up a vWAN in the Azure portal](#set-up-a-vwan-in-the-azure-portal)
1. [Create a vWAN](#create-a-vwan)
Expand Down Expand Up @@ -154,15 +154,17 @@ In this step, use the network information from the VPN gateway to create a remot
1. Complete the fields on the **General** tab in the **Add a link** form, using the VPN gateway's *Instance0* configuration from the JSON view:
- **Link name**: Name of your Customer Premises Equipment (CPE). For this example, **Instance0**.
- **Device type**: Choose a device option from the dropdown list. Set to **Other**.
- **IP address**: Public IP address of your device. For this example, use **203.0.113.250**.
- **Local BGP address**: Use a BGP IP address that *isn't* part of your on-premises network where your CPE resides, such as **192.168.10.10**.
- **Peer BGP address**: Enter the BGP IP address of your CPE. For this example, **10.101.0.4**.
- **Link ASN**: Provide the autonomous system number (ASN) of the CPE. For this example, the ASN is **65515**.
- **Device IP address**: Public IP address of your device. For this example, use **203.0.113.250**.
- **Device BGP address**: Enter the Border Gateway Protocol (BGP) IP address of your CPE. For this example, use **10.101.0.4**.
- **Device ASN**: Provide the autonomous system number (ASN) of the CPE. For this example, the ASN is **65515**.
- **Redundancy**: Set to **No redundancy**.
- **Zone redundant local BGP address**: This optional field shows up only when you select **Zone redundancy**.
- Enter a BGP IP address that *isn't* part of your on-premises network where your CPE resides and is different from the **Local BGP address**.
- **Bandwidth capacity (Mbps)**: Specify tunnel bandwidth. For this example, set to **250 Mbps**.
:::image type="content" source="media/how-to-create-remote-network-vwan/vwan-json-add-a-link-general-crop.png" alt-text="Screenshot of the Add a link form with arrows showing the relationship between the JSON code and the link information." lightbox="media/how-to-create-remote-network-vwan/vwan-json-add-a-link-general-crop-expanded.png":::
- **Local BGP address**: Use a BGP IP address that *isn't* part of your on-premises network where your CPE resides, such as **192.168.10.10**.
- Refer to the [valid BGP addresses](reference-remote-network-configurations.md#valid-bgp-addresses) list for reserved values that can't be used.

:::image type="content" source="media/how-to-create-remote-network-vwan/vwan-json-add-a-link-general-crop.png" alt-text="Screenshot of the Add a link form with arrows showing the relationship between the JSON code and the link information.":::
1. Select the **Next** button to view the **Details** tab. Keep the default settings.
1. Select the **Next** button to view the **Security** tab.
1. Enter the **Preshared key (PSK)**. The same secret key must be used on your CPE.
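Review bot: the Add a link labels are renamed in this hunk (`- **Device IP address**: ...`, `- **Device BGP address**: ...`, `- **Device ASN**: ...`) and "Local BGP address" is moved to the end of the list, but the custom IKE article edited earlier in this PR still says "Pay close attention to the Peer and Local Border Gateway Protocol (BGP) addresses" and "This address is entered as the *peer* BGP IP address on your CPE"; both articles describe the same form and should use the same labels. The moved `:::image:::` line also drops the `lightbox="media/how-to-create-remote-network-vwan/vwan-json-add-a-link-general-crop-expanded.png"` attribute the old line had, so the full-size screenshot is no longer reachable; confirm that is intended. Consider a blank line between the image and the next numbered step, as the original placement had.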
Expand All @@ -175,12 +177,12 @@ For more information about links, see the article, [How to manage remote network
1. Complete the fields on the **General** tab in the **Add a link** form, using the VPN gateway's *Instance1* configuration from the JSON view:
- **Link name**: Instance1
- **Device type**: Other
- **IP address**: 203.0.113.251
- **Local BGP address**: 192.168.10.11
- **Peer BGP address**: 10.101.0.5
- **Link ASN**: 65515
- **Device IP address**: 203.0.113.251
- **Device BGP address**: 10.101.0.5
- **Device ASN**: 65515
- **Redundancy**: No redundancy
- **Bandwidth capacity (Mbps)**: 250 Mbps
- **Local BGP address**: 192.168.10.11
1. Select the **Next** button to view the **Details** tab. Keep the default settings.
1. Select the **Next** button to view the **Security** tab.
1. Enter the **Preshared key (PSK)**. The same secret key must be used on your CPE.
Expand All @@ -207,7 +209,7 @@ Navigate to the Remote network page to view the details of the new remote networ
}
],
"peerConfiguration": {
"endpoint": "203.0.113.33",
"endpoint": "203.0.113.250",
"asn": 65515,
"bgpAddress": "10.101.0.4"
}
Expand All @@ -224,7 +226,7 @@ Navigate to the Remote network page to view the details of the new remote networ
}
],
"peerConfiguration": {
"endpoint": "203.0.113.35",
"endpoint": "203.0.113.251",
"asn": 65515,
"bgpAddress": "10.101.0.5"
}
Expand Down Expand Up @@ -370,7 +372,7 @@ Before testing, enable tenant restrictions on the virtual network.
To test:
1. Sign in to the Azure Virtual Desktop virtual machine created in the previous steps.
1. Go to www.office.com and sign in with an internal organization ID. This test should pass successfully.
1. Repeat the above step, but with an *external account*. This test should fail due to blocked access.
1. Repeat the previous step, but with an *external account*. This test should fail due to blocked access.
:::image type="content" source="media/how-to-create-remote-network-vwan/access-blocked-troubleshooting-details-without-highlight.png" alt-text="Screenshot of the 'Access is blocked' message.":::

### Test source IP restoration
Expand All @@ -384,7 +386,7 @@ To test (option 1):
Repeat the tenant restriction test from the previous section:
1. Sign in to the Azure Virtual Desktop virtual machine created in the previous steps.
1. Go to www.office.com and sign in with an internal organization ID. This test should pass successfully.
1. Repeat the above step, but with an *external account*. This test should fail because the source **IP address** in the error message is coming from the VPN gateway public IP address instead of the Microsoft SSE proxying the request to Entra.
1. Repeat the previous step, but with an *external account*. This test should fail because the source **IP address** in the error message is coming from the VPN gateway public IP address instead of the Microsoft SSE proxying the request to Microsoft Entra.
:::image type="content" source="media/how-to-create-remote-network-vwan/access-blocked-troubleshooting-details-with-highlight.png" alt-text="Screenshot of the 'Access is blocked' message with the IP address highlighted.":::

To test (option 2):
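Review bot: the rewritten step reads as if the test fails for the wrong reason: "This test should fail because the source **IP address** in the error message is coming from the VPN gateway public IP address" mixes the expected outcome (the external account is blocked by tenant restrictions, exactly as in the previous section) with what this test actually verifies (the IP address shown in the error is the VPN gateway's public IP rather than the Microsoft SSE address). Suggest splitting it: the sign-in is blocked as before, and the error's source IP address now shows the VPN gateway public IP, which is what demonstrates source IP restoration. "SSE" is also never expanded in the visible lines.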
Expand Down