final touches

docs/tutorial/01/hub.md

@@ -155,28 +155,49 @@ If everything looks good, hit that `[ Create ]` button.
 
 ### [N]etwork [S]ecurity [G]roup
 
-1. Create a Network security group
-1. Attach it to the `default` subnet.
-
-We'll configure it later down the road
-
 #### Market place
 
 Look for a "Network security group" in the Azure Portal's market place
 
 ![Network Security Group](../../../assets/img/azure/market/nsg/logo.png)
 
+#### Create
+
+Create a Network security group
+
 #### Settings
 
 ##### Subnets
 
 > [!IMPORTANT]
 > Associate the `default` subnet to the NSG.
 
+Associating a NSG to a subnet, allows it to assume "intra-subnet" communication.
+
+Network Security Groups associate with a `subnet` does not make it into "a fence". Is more like a "shared configuration" that each resource inside that `subnet` will comply with.
+
+It is important to note that EACH RESOURCE will treat rules inbound/outbound rules for each network jump, even if they are "part of the same subnet".
+
+Don't believe me? just add a "deny all" rule to the NSG and see how your resources will stop communicating, even if they are in the same `subnet`.
+
+So associating the NSG to the subnet merely helps us avoid to have to explicitly add each resource hosted in the subnet to the NSG.
+
+1. Settings > Subnets > [ + Associate ]
+
 > [!WARNING]
-> we recommend that you associate a network security group to a **subnet**, or a **network interface**, but **not both**.
+> We recommend that you associate a network security group to a **subnet**, or a **network interface**, but **not both**.
+
+_Unless you have a specific reason to, since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting._
+
+##### Rules
+
+###### Inbound
+
+Get familiarized with the default rules.
+
+These are standard, to ensure connectivity with a minimum level of security on resources you create under that subnet.
 
-Unless you have a specific reason to, since rules in a network security group associated to a subnet can conflict with rules in a network security group associated to a network interface, you can have unexpected communication problems that require troubleshooting.
+![Inbound](../../../assets/img/azure/solution/vnets/hub/vnet/snets/default/nsg/rules/inbound/01.png)
 
 ## Status Check
 

docs/tutorial/02/hub/fw.md

@@ -2,41 +2,28 @@
 
 Now that all traffic is going through the **Azure Firewall**, we can start adding rules to allow or deny traffic.
 
-## Step 1: Disallow all
+> [!TIP]
+> Everytime you add a rule, the firewall takes like 1+ full minute(s) to apply the rule.
 
-Add a rule to disallow all traffic.
-
-- Name: `disallow-all`
-- Priority: `100,000`
-- Action: _"Deny"_
-- Rules
-  - IP Addresses:
-
-| name  | Protocol | Source Type | Source | Destination Type | Destination Addresses | Destination Ports |
-| ----- | -------- | ----------- | ------ | ---------------- | --------------------- | ----------------- |
-| `WWW` | Any      | Any         | `*`    | Any              | `*`                   | `*`               |
-
-Now go to the Jump box, and test that in fact you cannot access anything in the WWW, like `bing.com`
-
-![Deny all](../../../../assets/img/azure/solution/vnets/hub/vm/inside/com/bing/01.png)
+## Pre-requisites: DNS Proxy
 
-## Step 2: Allow some FDQNs
+### Step 1: Try to add any FDQN rule
 
 Try to add an allow rule.
 
-- Name: `allow-github`
+- Name: `allow-bing`
 - Priority: `100`
 - Action: _"Allow"_
 - Rules
   - FQDNS:
 
-| name         | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
-| ------------ | -------- | ----------- | ------ | ----------------- | ----------------- |
-| `GitHub.com` | Any      | Any         | `*`    | `GitHub.com`      | `*`               |
+| name       | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
+| ---------- | -------- | ----------- | ------ | ----------------- | ----------------- |
+| `bing.com` | Any      | Any         | `*`    | `bing.com`        | `*`               |
 
 If you get a "You must enable DNS Proxy" error, go to the **Azure Firewall**, go to the next section
 
-## Step 3: Enable DNS Proxy
+### Step 2: Enable DNS Proxy
 
 Uhm, it seems we missed something...
 
@@ -53,7 +40,133 @@ Oh, so we need to enable the DNS Proxy first!
 
 Now try to go back to the rules and add the rule again.
 
-## Step 4: Add MORE FQDNs
+> [!TIP]
+> Note how it says that DNS Proxy works on port `53`.
+
+You should take this into account, when securing Network Security Groups
+
+## Step 3: Add the FDQN rule
+
+Now try again to add the `allow` rule mentioned above.
+
+- Name: `allow-bing`
+- Priority: `100`
+- Action: _"Allow"_
+- Rules
+  - FQDNS:
+
+| name       | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
+| ---------- | -------- | ----------- | ------ | ----------------- | ----------------- |
+| `bing.com` | Any      | Any         | `*`    | `bing.com`        | `*`               |
+
+## Scenarios
+
+There are 2 scenarios we can consider:
+
+1. **Allow all, except...**: (5 minutes-ish) If you don't have much time to spend, this is the quickest way to get started to understand some concepts.
+1. **Zero Trust.- Disallow ALL, except...**: (30 minutes-ish) If you want to learn more and are willing to put in the time, head to the second scenario
+
+Either way, we recommend that you fully read both before you proceed, so you have a better understanding of trade-offs.
+
+_"In politics, there are no solutions, only trade-offs."_
+
+### Scenario 1: Allow All, except...
+
+In the most basic scenario, we can
+
+1. Assume `allow` **all traffic** by default (no additional rule needed)
+1. And then manage a disallow list were we add things we DON'T want.
+
+Do you know long it would be to basically keep an inventory of all the WWW?
+
+Who wants that kind of headache?
+
+Any who...
+
+#### Step 1: Check access
+
+1. Open Edge browser
+1. Navigate to [https://google.com](https://google.com)
+1. See that the site is correctly rendered
+
+We want to make sure that it was the firewall that did the blocking, and not some miss-vm-configuration.
+
+#### Step 2: Disallow google.com
+
+- Name: `disallow-google`
+- Priority: `1000`
+- Action: _"Deny"_
+- Rules
+  - FQDNS:
+
+| name         | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
+| ------------ | -------- | ----------- | ------ | ----------------- | ----------------- |
+| `google.com` | Any      | Any         | `*`    | `google.com`      | `*`               |
+
+Now go to the Jump box.
+
+You might still be able to access `google.com` because of the DNS cache.
+How so?
+
+1. `google.com` redirects to `www.google.com`
+1. But we're only blocking contents of `google.com`
+
+Oh jeez!
+
+#### Step 3: Disallow www.google.com
+
+Well, let's add a rule for `*.google.com` then.
+
+| name           | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
+| -------------- | -------- | ----------- | ------ | ----------------- | ----------------- |
+| `*.google.com` | Any      | Any         | `*`    | `*.google.com`    | `*`               |
+
+_"What do you mean I cannot add `*.foo.bar` domains?"_
+
+Alright, let's try `www.google.com` then.
+
+| name             | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
+| ---------------- | -------- | ----------- | ------ | ----------------- | ----------------- |
+| `www.google.com` | Any      | Any         | `*`    | `www.google.com`  | `*`               |
+
+So your rule should look like this:
+
+- Name: `disallow-google`
+- Priority: `1000`
+- Action: _"Deny"_
+- Rules
+  - FQDNS:
+
+| name             | Protocol | Source Type | Source | Destination FQDNs | Destination Ports |
+| ---------------- | -------- | ----------- | ------ | ----------------- | ----------------- |
+| `google.com`     | Any      | Any         | `*`    | `google.com`      | `*`               |
+| `www.google.com` | Any      | Any         | `*`    | `www.google.com`  | `*`               |
+
+_"Are there any domains I have not accounted for?"_
+
+Well, Yeah! like THE REST OF THE INTERNET! (Why are we screaming?!)
+
+### Scenario 2: Zero Trust.- Disallow ALL, except...
+
+#### Step 1: Disallow all
+
+Add a rule to disallow all traffic.
+
+- Name: `disallow-all`
+- Priority: `100,000`
+- Action: _"Deny"_
+- Rules
+  - IP Addresses:
+
+| name  | Protocol | Source Type | Source | Destination Type | Destination Addresses | Destination Ports |
+| ----- | -------- | ----------- | ------ | ---------------- | --------------------- | ----------------- |
+| `Any` | Any      | Any         | `*`    | Any              | `*`                   | `*`               |
+
+Now go to the Jump box, and test that in fact you cannot access anything in the WWW, like `bing.com`
+
+![Deny all](../../../../assets/img/azure/solution/vnets/hub/vm/inside/com/bing/01.png)
+
+#### Step 4: Add MORE FQDNs
 
 Yai! \o/
 err... success?
@@ -75,12 +188,16 @@ So keep rinse & repeat until:
 `bing.com`
 ![github.com](../../../../assets/img/azure/solution/vnets/hub/vm/inside/com/bing/02.png)
 
-### Rules
+##### Rules
 
-These are all the rules I ended up adding:
+These are all the rules we ended up adding:
 
 ![rules](../../../../assets/img/azure/solution/vnets/hub/fw/rules/n.png)
 
+**Zero Trust** can sure be exausting!
+
+But hey, you're worth it!
+
 ## Next Steps
 
 [Go back to parent](../README.md)

docs/tutorial/02/hub/rt.md

@@ -35,7 +35,9 @@ Take a good look at the TERMS
 ### Routes
 
 We'll add the following routes.
-The order matters, we want the more specific routes at the top, and the more general ones at the bottom.
+
+- More specific routes at the top
+- And the more general ones at the bottom.
 
 | Source  | IP range   | CIDR          | Next Hop Type     | Details               |
 | ------- | ---------- | ------------- | ----------------- | --------------------- |

docs/tutorial/03/hub/pdnsz.md

@@ -65,13 +65,19 @@ Go to "DNS Management" > "Virtual Network Links".
 
 Private Endpoints will need to be able to register with the Private DNS Zone. So you need to take in account
 
-- Hub
-  - **Inbound**: Allow traffic DNS traffic (via port `53`) from `10.x.x.x`
 - Spoke
   - **Outbound**: Allow DNS traffic to `10.1.x.x`
     - Storage Account's Private Endpoints registering from `hub` VNet (`10.1.x.x`), as well as other spoke VNets (like `10.2.x.x`).
+- Hub
+  - **Inbound**: Allow traffic DNS traffic (via port `53`) from `10.x.x.x`
 
-In this tutorial we won't go to such extense (mainly because we do not know all the ports involved in DNS Zone registration), but you should take this into account in a production environment.
+> [!NOTE]
+> In this tutorial we won't go to such extense)
+
+Mainly because we're (I'm) NOT 100% sure that working on port `53` would suffice :p
+
+> [!IMPORTANT]
+> You should take this into account in a **Zero Trust** Production Environment.
 
 ## Next Steps
 

docs/tutorial/03/hub/st.md

@@ -245,6 +245,8 @@ You could add an **inbound** rule to allow traffic from our entire `10.x.x.x`
     - `spoke`'s vnet `10.2.x.x`
 - **Destination**: `{some-short-prefix}hub{region}{id}st-pep-asg`
 
+![Inbound](../../../../assets/img/azure/solution/vnets/hub/vnet/snets/default/nsg/rules/inbound/02.png)
+
 > [!IMPORTANT]
 > What happens if a bad actor gets access from a `10.3.4.5` ?
 
@@ -261,24 +263,25 @@ You could add an **inbound** rule to allow traffic from our entire `10.x.x.x`
 > [!IMPORTANT]
 > What happens if a bad actor creates a VM inside `hub`, from a `10.1.4.5` ?
 
-##### Scenario 3: More security
+![Inbound](../../../../assets/img/azure/solution/vnets/hub/vnet/snets/default/nsg/rules/inbound/03.png)
 
-If you want to be more robust, you could
+##### Scenario 3: More security
 
-Remember the ASG we created for the jumpboxes (currently only 1)?
+1. Remember the ASG we created for the jumpboxes (currently only 1)? We'll use that instead of the entire `10.1.x.x`.
+1. Also, why allow the entirety of `10.2.x.x`, when we know the `default` subnet is only 1K IPs? `10.2.4.0/22`
 
 - **Name**: `allow-private-to-storage`
 - **Source**:
-  - `{my-prefix}-hub-{region}-{id}-vm-jump-asg`
-  - `10.2.0.0/16`
+  - ~~`10.1.0.0/16`~~ `{my-prefix}-hub-{region}-{id}-vm-jump-asg`
+  - ~~`10.2.0.0/16`~~ `10.2.4.0/22`
 - **Destination**: `{some-short-prefix}hub{region}{id}st-pep-asg`
 
 > [!WARNING]
 > What happens if a bad actor creates a VM with an IP `10.2.3.4`?
 
 ##### Scenario 4: Zero Trust
 
-This is **NOT** _"only **buddies** trust"_, this is **ZERO TRUST**!
+This is **NOT** _"trust only **buddies**"_, this is **ZERO TRUST**!
 
 - _"But in the future, were planning to have a web application in the `spoke` `vnet` that we want to add access to this storage account"_
 - Well, then you would add the excemption THEN to allow it. [YAGNI](https://en.wikipedia.org/wiki/You_aren%27t_gonna_need_it#:~:text=%22You%20aren't%20gonna%20need,add%20functionality%20until%20deemed%20necessary.)

docs/tutorial/04/README.md

@@ -16,6 +16,8 @@
       1. [P]rivate [E]nd[p]oint
          1. [N]etwork [I]nterfa[c]e
          1. [A]pplication [S]ecurity [G]roup
+1. Networking
+   1. [Configure NSGs](./nsg.md)
 
 ![Diagram](../../../assets/img/azure/solution/diagrams/04.png)
 

docs/tutorial/04/hub/pdnsz.md

@@ -7,6 +7,9 @@ Just like we created a Private DNS Zone for the storage account, we need to crea
 ## Resources
 
 - [R]esource [G]roup: `{my-prefix}-hub-{region}-{id}-rg` (already exists)
+  - [V]irtual [N]etwork: `{my-prefix}-hub-{region}-{id}-vnet` (already exists)
+    - [S]ubnet: `default` (already exists)
+      - [N]etwork [S]ecurity [G]roup: `{my-prefix}-hub-{region}-{id}-nsg` (already exists)
   - [P]rivate [DNS] [Z]one: `privatelink.azurewebsites.net`
     - Links to VNets
       - `privatelink-at-hub`
@@ -66,6 +69,10 @@ Look for a "Private DNS Zone" in the Azure Portal's market place
 > [!IMPORTANT]
 > You won't be able to register another Private DNS zone under the same VNet if you "enable auto-registration".
 
+### Network Security Group
+
+Since you already configured a DNS Zone for storage accounts, it should benefit from the same configuration. So no further action is needed at this point.
+
 ## Status Check
 
 ### Private DNS Zone