From ff0e8ef15b47878d9f83b7a6a8573111e2bd7d4c Mon Sep 17 00:00:00 2001
From: sarna
Date: Tue, 16 Dec 2025 14:35:06 -0800
Subject: [PATCH 1/5] naas: Add format of network attachment
This makes it easier for the user to know what it
looks like when we are asking them to save it for
use later on in the deployment.
---
.../getting-started/create-deployment/deploy-console.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
index b8dbd6615..c64fddbc8 100644
--- a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
+++ b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
@@ -30,7 +30,9 @@ NGINXaaS requires a [network attachment](https://cloud.google.com/vpc/docs/about
1. Create a network attachment in your new subnet. See [Google's documentation on creating a network attachment](https://cloud.google.com/vpc/docs/create-manage-network-attachments#create-network-attachments) for a step-by-step guide.
- For **production use cases**, we recommend setting the **Connection preference** on the Network Attachment resource to **Accept connections from selected projects**. This lets you manually approve trusted connections, as this setting cannot be changed later. To start, you can leave the list of accepted projects empty and add the NGINXaaS deployment project after it is created.
- For **development use cases**, you can set the **Connection preference** to **Automatically accept connections from all projects**, which allows connections without manual approval. If you choose this option, you don't need to explicitly allow the NGINXaaS deployment project.
-1. Make a note of the network attachment ID. You will need it in the next steps to create your NGINXaaS deployment.
+1. Make a note of the network attachment ID as it will be needed in the next steps to create your NGINXaaS deployment. You can find the network attachment ID in the Google Cloud Console by following the steps below:
+ 1. Go to Network Attachments at the following link: https://console.cloud.google.com/net-services/psc/list/networkAttachments?project=my-google-project (replace `my-google-project` in the URL with your project name).
+ 1. Open the desired network attachment and copy the value from the `Network Attachment` field. **Example format:** `projects/my-google-project/regions/us-east1/networkAttachments/my-network-attachment`.
## Access the NGINXaaS Console
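Review bot: In the first added sub-step, "replace `my-google-project` in the URL with your project name" should say project ID. The console's `project=` query parameter and the `projects/my-google-project/...` path in the example both take the project ID, and a project's display name can differ from it. The step also asks for the "network attachment ID" while the value to copy is the full resource path. Consider stating once that the ID is that full path, so readers do not paste only the trailing `my-network-attachment` segment. A smaller point: the field label `Network Attachment` is in code formatting, while the other UI labels in this list are bold.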
From bb6358642529f3f0ace02213300e46303200a042 Mon Sep 17 00:00:00 2001
From: sarna
Date: Tue, 16 Dec 2025 14:49:50 -0800
Subject: [PATCH 2/5] Call out where a user can find their deployment service
account ID
This is important as we do not have references to
it anywhere and is information needed by the user
to set up deployment observability.
---
content/nginxaas-google/monitoring/access-management.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/content/nginxaas-google/monitoring/access-management.md b/content/nginxaas-google/monitoring/access-management.md
index 3e5f5fc93..6fb293af9 100644
--- a/content/nginxaas-google/monitoring/access-management.md
+++ b/content/nginxaas-google/monitoring/access-management.md
@@ -10,7 +10,7 @@ nd-product: NGOOGL
-F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, when WIF is configured, NGINXaaS can export logs and metrics from your deployment to Cloud Monitoring in your chosen Google project. To learn more about WIF on Google Cloud, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation).
+F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, when WIF is configured, NGINXaaS can export logs and metrics from your deployment to Cloud Monitoring in your chosen Google project. To learn more about WIF on Google Cloud, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation).
## Prerequisites
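Review bot: The removed and added intro lines in this hunk read identically, as do the `1. Assign roles. For example,` lines in the last hunk of this patch, so both look like whitespace-only changes unrelated to the subject line. Patch 4/5 rewrites this same intro paragraph, so the whitespace fix could be dropped here and folded into that commit. If it stays, a short mention of the whitespace cleanup in the commit message would make the diff easier to review.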
@@ -28,7 +28,7 @@ F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (
- `Issuer URL` must be `https://accounts.google.com`.
- `Allowed audiences` must contain the full canonical resource name of the workload identity pool provider, for example, `https://iam.googleapis.com/projects//locations//workloadIdentityPools//providers/`. If `Allowed audiences` is empty, the full canonical resource name of the workload identity pool provider will be included by default.
- Add the following **attribute mapping**: `google.subject=assertion.sub`.
- - Add the following **attribute condition**: `assertion.sub=='$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID'` where `$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID` is your NGINXaaS deployment's service account's unique ID.
+ - Add the following **attribute condition**: `assertion.sub=='$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID'`, where `$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID` is the unique ID of your NGINXaaS deployment's service account. This ID can be found in the `F5 NGINXaaS Service Account Unique ID` field under the **Cloud Info** section in the **Details** tab of your deployment.
### Grant access to the WIF principal with your desired roles
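Review bot: The added sentence on the attribute condition line says the ID is "under the **Cloud Info** section in the **Details** tab of your deployment" but does not say which console that is. The next section opens with "In the Google Cloud Console", so a reader can easily look there. Suggest naming the NGINXaaS Console explicitly. Because this value is the only thing the `assertion.sub==...` condition checks, it is also worth saying that it must be copied exactly and kept inside the single quotes. The field name `F5 NGINXaaS Service Account Unique ID` is in code formatting while the section and tab names are bold; pick one style for UI labels.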
@@ -37,7 +37,7 @@ In the [Google Cloud Console](https://console.cloud.google.com/),
1. Go to the **IAM** page.
1. Select **Grant Access**.
1. Enter your principal, for example, `principal://iam.googleapis.com/projects/$WIF_PROJECT_NUMBER/locations/global/workloadIdentityPools/$WIF_POOL_ID/subject/$NGINXAAS_SERVICE_ACCOUNT_UNIQUE_ID`.
-1. Assign roles. For example,
+1. Assign roles. For example,
- To grant access to export logs, add the **Logs Writer** role.
- To grant access to export metrics, add the **Monitoring Metric Writer** role.
From a71bfc224a094a2bf190a1580cbad26a320d9613 Mon Sep 17 00:00:00 2001
From: sarna
Date: Tue, 16 Dec 2025 15:27:59 -0800
Subject: [PATCH 3/5] Link users to monitoring docs from IAM prereqs
After I am done setting up my WIF provider, I
should be directed to enable monitoring and
logging for my deployment.
---
content/nginxaas-google/monitoring/access-management.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/content/nginxaas-google/monitoring/access-management.md b/content/nginxaas-google/monitoring/access-management.md
index 6fb293af9..22ff3a82f 100644
--- a/content/nginxaas-google/monitoring/access-management.md
+++ b/content/nginxaas-google/monitoring/access-management.md
@@ -67,4 +67,5 @@ In the NGINXaaS Console,
## What's next
-[Add SSL/TLS Certificates]({{< ref "/nginxaas-google/getting-started/ssl-tls-certificates/ssl-tls-certificates-console.md" >}})
+- [Monitor your deployment]({{< ref "/nginxaas-google/monitoring/enable-monitoring.md" >}})
+- [Enable NGINX Logs]({{< ref "/nginxaas-google/monitoring/enable-nginx-logs.md" >}})
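Review bot: The "What's next" change removes the `Add SSL/TLS Certificates` link, but the commit message only talks about adding links to the monitoring docs. If the removal is intentional, say so in the message; otherwise keep it as a third list item so readers who have not yet set up certificates still have a path to that page. The two new link titles also mix sentence case ("Monitor your deployment") and title case ("Enable NGINX Logs"); match whichever the target pages use.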
From e49249bfd5d45819bec1893fc52d4fed312c6ca8 Mon Sep 17 00:00:00 2001
From: sarna
Date: Wed, 17 Dec 2025 13:54:38 -0800
Subject: [PATCH 4/5] Simplify intro to WIF a bit
---
content/nginxaas-google/monitoring/access-management.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/content/nginxaas-google/monitoring/access-management.md b/content/nginxaas-google/monitoring/access-management.md
index 22ff3a82f..b0bfc9b6b 100644
--- a/content/nginxaas-google/monitoring/access-management.md
+++ b/content/nginxaas-google/monitoring/access-management.md
@@ -10,7 +10,7 @@ nd-product: NGOOGL
-F5 NGINXaaS for Google Cloud (NGINXaaS) leverages Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, when WIF is configured, NGINXaaS can export logs and metrics from your deployment to Cloud Monitoring in your chosen Google project. To learn more about WIF on Google Cloud, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation).
+F5 NGINXaaS for Google Cloud (NGINXaaS) uses Workload Identity Federation (WIF) to integrate with Google Cloud services. For example, with WIF configured, your NGINXaaS deployment can export logs and metrics to Cloud Monitoring in your Google project. To learn more, see [Google's Workload Identity Federation documentation](https://cloud.google.com/iam/docs/workload-identity-federation).
## Prerequisites
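Review bot: The rewritten intro still says the deployment exports "logs and metrics to Cloud Monitoring", while the role list later on this page grants **Logs Writer** for logs and **Monitoring Metric Writer** for metrics. If logs land in Cloud Logging rather than Cloud Monitoring, this is a good moment to name both services. The rewrite also shortens "your chosen Google project" to "your Google project"; if the WIF project can differ from the project hosting the network attachment, the original wording carried that distinction and should be kept.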
From a2c7c1d328bb58ed70ac701fbb2628138a40a156 Mon Sep 17 00:00:00 2001
From: sarna
Date: Wed, 17 Dec 2025 14:23:37 -0800
Subject: [PATCH 5/5] Improve warning around setting up network attachments
We want to strongly recommend using a connection
preference that is secure but keep the
instructions open for a user that may not be as
concerned with security or just wants to
prioritize deploying quickly just to try out the
service.
---
.../getting-started/create-deployment/deploy-console.md | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
index c64fddbc8..0e7452739 100644
--- a/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
+++ b/content/nginxaas-google/getting-started/create-deployment/deploy-console.md
@@ -27,9 +27,12 @@ NGINXaaS requires a [network attachment](https://cloud.google.com/vpc/docs/about
1. Access the [Google Cloud Console](https://console.cloud.google.com/).
1. Create a consumer VPC network and subnetwork. See [Google's documentation on creating a VPC and subnet](https://cloud.google.com/vpc/docs/create-modify-vpc-networks#console_1) for a step-by-step guide.
- The region you select for the network attachment determines the region where your NGINXaaS deployment will be created. You do not manually select a region when creating an NGINXaaS deployment; it will automatically be created in the same region as the network attachment.
-1. Create a network attachment in your new subnet. See [Google's documentation on creating a network attachment](https://cloud.google.com/vpc/docs/create-manage-network-attachments#create-network-attachments) for a step-by-step guide.
- - For **production use cases**, we recommend setting the **Connection preference** on the Network Attachment resource to **Accept connections from selected projects**. This lets you manually approve trusted connections, as this setting cannot be changed later. To start, you can leave the list of accepted projects empty and add the NGINXaaS deployment project after it is created.
- - For **development use cases**, you can set the **Connection preference** to **Automatically accept connections from all projects**, which allows connections without manual approval. If you choose this option, you don't need to explicitly allow the NGINXaaS deployment project.
+1. Create a network attachment in your new subnet. See [Google's documentation on creating a network attachment](https://cloud.google.com/vpc/docs/create-manage-network-attachments#create-network-attachments) for a step-by-step guide. To ensure secure and controlled access to your network attachments, we strongly recommend configuring the **Connection preference** on the Network Attachment resource to **Accept connections from selected projects**. This option helps maintain security by ensuring only trusted providers can connect to your service by letting you manually approve trusted connections. To start, you can leave the list of accepted projects empty and add the NGINXaaS deployment project after it is created.
+
+ {{< call-out "caution" >}}
+ For development and testing purposes, or in scenarios where speed and simplicity are prioritized over security, you have the option to configure the **Connection Preference** to **Automatically accept connections for all projects**. Please note that this approach is inherently less secure and may expose your service to unintended or unauthorized access. We encourage you to exercise caution if using the less restrictive option and to avoid using it in production or sensitive environments.
+ {{< /call-out >}}
+
1. Make a note of the network attachment ID as it will be needed in the next steps to create your NGINXaaS deployment. You can find the network attachment ID in the Google Cloud Console by following the steps below:
1. Go to Network Attachments at the following link: https://console.cloud.google.com/net-services/psc/list/networkAttachments?project=my-google-project (replace `my-google-project` in the URL with your project name).
1. Open the desired network attachment and copy the value from the `Network Attachment` field. **Example format:** `projects/my-google-project/regions/us-east1/networkAttachments/my-network-attachment`.
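Review bot: The rewritten "Create a network attachment" step drops the statement from the removed text that "this setting cannot be changed later", which is the main reason the choice matters. Without it, a reader who picks the automatic option for a quick trial has no warning that the attachment cannot be tightened afterwards. Suggest restoring that fact, ideally inside the caution call-out. The call-out also writes **Connection Preference** and **Automatically accept connections for all projects**, where the step above and the removed lines use **Connection preference** and "from all projects"; the labels should match the console exactly. The phrases "connect to your service" and "expose your service" do not fit the page's own description of this as a consumer VPC network; "your network" or "your subnet" would be more accurate. Finally, "ensuring only trusted providers can connect ... by letting you manually approve trusted connections" says the same thing twice and can be shortened to one clause.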