docs: add Variables from variables.yml tables to Part 5 Operational Foundations (18 files)

- Phase 01 SDN: 1 file (task-03 NSG)
- Phase 02 Monitoring: 6 files (Log Analytics, AMA, HCI Insights, Alerting, OMIMSWAC, Datadog)
- Phase 03 Backup/DR: 3 files (Azure Backup, Site Recovery, DR Testing)
- Phase 04 Security: 5 files (Defender, Policy, Baselines, Security Logging, Update Manager)
- Phase 05 Licensing: 3 files (Hybrid Benefit, WS Subscription, Telemetry)
- Skipped 3 files: SDN validate/enable (no vars), network device logging (device-side config)

Author: Kristopher Turner

docs/implementation/05-operational-foundations/phase-01-sdn-deployment/task-03-configure-network-security-groups.mdx

@@ -61,6 +61,14 @@ NSGs include implicit default rules:
 - **AllowInternetOutBound** (Priority 65001) - Allow outbound to Internet
 - **DenyAllOutBound** (Priority 65500) - Deny all other outbound
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_ID` | `azure.subscription.id` | `00000000-0000-0000-0000-000000000000` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `AZURE_REGION` | `azure.resource_group.location` | `eastus2` |
+
 ---
 
 ## Execution Options

docs/implementation/05-operational-foundations/phase-02-monitoring-observability/task-01-configure-log-analytics-workspace.mdx

@@ -33,6 +33,17 @@ The Log Analytics workspace is the **foundation** for all Azure Local monitoring
 | RBAC Permissions | Contributor or Owner on resource group | Role assignment verified |
 | Region Selection | Same region as Azure Local cluster | Latency considerations |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_ID` | `azure.subscription.id` | `00000000-0000-0000-0000-000000000000` |
+| `AZURE_SUBSCRIPTION_NAME` | `azure.subscription.name` | `Azure Local Production` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `AZURE_REGION` | `azure.resource_group.location` | `eastus2` |
+| `LOG_ANALYTICS_WORKSPACE_NAME` | `monitoring.log_analytics.workspace_name` | `law-azl-DAL-prod-01` |
+| `SITE_CODE` | `site.code` | `DAL` |
+
 ## Overview
 
 ```mermaid

docs/implementation/05-operational-foundations/phase-02-monitoring-observability/task-02-configure-azure-monitor-agent.mdx

@@ -34,6 +34,21 @@ The Azure Monitor Agent (AMA) is the modern, unified agent for collecting monito
 | RBAC Permissions | Monitoring Contributor on resource group | Role assignment verified |
 | Network Connectivity | Outbound 443 to Azure Monitor endpoints | Firewall rules verified |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_ID` | `azure.subscription.id` | `00000000-0000-0000-0000-000000000000` |
+| `AZURE_SUBSCRIPTION_NAME` | `azure.subscription.name` | `Azure Local Production` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `AZURE_REGION` | `azure.resource_group.location` | `eastus2` |
+| `LOG_ANALYTICS_WORKSPACE_NAME` | `monitoring.log_analytics.workspace_name` | `law-azl-DAL-prod-01` |
+| `SITE_CODE` | `site.code` | `DAL` |
+| `CLUSTER_NODE_01_NAME` | `nodes[0].name` | `azl-dal-node-01` |
+| `CLUSTER_NODE_02_NAME` | `nodes[1].name` | `azl-dal-node-02` |
+| `CLUSTER_NODE_03_NAME` | `nodes[2].name` | `azl-dal-node-03` |
+| `CLUSTER_NODE_04_NAME` | `nodes[3].name` | `azl-dal-node-04` |
+
 ## Overview
 
 ```mermaid

docs/implementation/05-operational-foundations/phase-02-monitoring-observability/task-03-enable-hci-insights.mdx

@@ -33,6 +33,18 @@ Azure Local Insights provides a rich, pre-built Azure Monitor Workbook that visu
 | Arc-Enabled Cluster | Azure Local cluster registered | Portal shows cluster resource |
 | RBAC Permissions | Monitoring Contributor | Role assignment verified |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_ID` | `azure.subscription.id` | `00000000-0000-0000-0000-000000000000` |
+| `AZURE_SUBSCRIPTION_NAME` | `azure.subscription.name` | `Azure Local Production` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `CLUSTER_NAME` | `cluster.name` | `azl-dal-cl01` |
+| `LOG_ANALYTICS_WORKSPACE_NAME` | `monitoring.log_analytics.workspace_name` | `law-azl-DAL-prod-01` |
+| `SITE_CODE` | `site.code` | `DAL` |
+| `CLUSTER_NODE_01_NAME` | `nodes[0].name` | `azl-dal-node-01` |
+
 ## Overview
 
 HCI Insights collects data from specific Windows Event Log channels and performance counters:

docs/implementation/05-operational-foundations/phase-02-monitoring-observability/task-04-setup-alerting.mdx

@@ -37,6 +37,18 @@ Azure Monitor alerts provide proactive notification when cluster health degrades
 | Notification Targets | Email addresses, Teams webhooks, etc. | Contact list prepared |
 | RBAC Permissions | Monitoring Contributor | Role assignment verified |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_ID` | `azure.subscription.id` | `00000000-0000-0000-0000-000000000000` |
+| `AZURE_SUBSCRIPTION_NAME` | `azure.subscription.name` | `Azure Local Production` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `SITE_CODE` | `site.code` | `DAL` |
+| `NOC_EMAIL` | `alerting.noc_email` | `noc@contoso.com` |
+| `CUSTOMER_EMAIL` | `alerting.customer_email` | `ops@customer.com` |
+| `TEAMS_WEBHOOK_URL` | `alerting.teams_webhook_url` | `https://outlook.office.com/webhook/...` |
+
 ## Action Groups
 
 Action groups define **who** and **how** to notify when alerts fire. Create these before creating alert rules.

docs/implementation/05-operational-foundations/phase-02-monitoring-observability/task-05-deploy-omimswac-monitoring.mdx

@@ -47,6 +47,16 @@ Dell OpenManage Integration for Windows Admin Center (OMIMSWAC) provides hardwar
 | **TPM/BIOS** | TPM 2.0 (fw ≥ 7.2.2.0), BIOS meets Secured-core minimum | For Secured-core enablement |
 | **Azure** | Subscription, Resource Group, Log Analytics, Arc rights | Role includes Microsoft.Authorization/* |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_NAME` | `azure.subscription.name` | `Azure Local Production` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `LOG_ANALYTICS_WORKSPACE_NAME` | `monitoring.log_analytics.workspace_name` | `law-azl-DAL-prod-01` |
+| `CLUSTER_NODE_01_NAME` | `nodes[0].name` | `azl-dal-node-01` |
+| `CLUSTER_NODE_02_NAME` | `nodes[1].name` | `azl-dal-node-02` |
+
 ## Configuration Steps
 
 ### Step 5.1: Connect Cluster in Windows Admin Center

docs/implementation/05-operational-foundations/phase-02-monitoring-observability/task-07-configure-datadog-integration.mdx

@@ -49,6 +49,13 @@ Datadog Account Checklist:
 └── Application Key: ________________________________ (store in Key Vault)
 ```
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `NODE_IP` | `nodes[0].ipv4_address` | `10.0.0.11` |
+| `AZURE_KEYVAULT_NAME` | `azure.keyvault.name` | `kv-azl-dal-prod-01` |
+
 ---
 
 ## 7.1 Create Datadog WDAC Supplemental Policy

docs/implementation/05-operational-foundations/phase-03-backup-dr/task-01-configure-azure-backup.mdx

@@ -36,6 +36,16 @@ Azure Backup provides enterprise backup capabilities for Azure Local VMs with bo
 | Cluster Access | Domain account with local admin on all nodes | CredSSP or Kerberos delegation |
 | Integration Components | Same version on guest VMs and hosts | Required for backup consistency |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `RECOVERY_VAULT_NAME` | `backup.recovery_vault_name` | `rsv-azl-dal-prod-01` |
+| `BACKUP_SERVER_NAME` | `backup.server_name` | `azl-dal-mabs-01` |
+| `CLUSTER_STORAGE_PATH` | `storage.cluster_storage_path` | `C:\ClusterStorage\Volume01` |
+| `MANAGEMENT_VIRTUAL_SWITCH` | `networking.management.virtual_switch` | `ConvergedSwitch(mgmt_compute)` |
+
 ## Architecture Overview
 
 Azure Backup supports two backup approaches:

docs/implementation/05-operational-foundations/phase-03-backup-dr/task-02-configure-site-recovery.mdx

@@ -35,6 +35,26 @@ Azure Site Recovery (ASR) provides disaster recovery capabilities by replicating
 | Hyper-V Integration | Integration components on all VMs | Current version |
 | Cluster Nodes | Windows Server 2019 or later | Domain-joined |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_SUBSCRIPTION_NAME` | `azure.subscription.name` | `Azure Local Production` |
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `AZURE_REGION` | `azure.resource_group.location` | `eastus2` |
+| `RECOVERY_VAULT_NAME` | `dr.recovery_vault_name` | `rsv-azl-dal-dr-01` |
+| `DR_STORAGE_ACCOUNT` | `dr.storage_account` | `stazldaldr01` |
+| `DR_VNET_NAME` | `dr.vnet_name` | `vnet-dr-dal-prod` |
+| `DR_VNET_CIDR` | `dr.vnet_cidr` | `10.100.0.0/16` |
+| `DR_SUBNET_NAME` | `dr.subnet_name` | `snet-dr-workloads` |
+| `DR_SUBNET_CIDR` | `dr.subnet_cidr` | `10.100.1.0/24` |
+| `HYPERV_SITE_NAME` | `dr.hyperv_site_name` | `AzureLocal-DAL-Site` |
+| `REPLICATION_POLICY_NAME` | `dr.replication_policy_name` | `rep-policy-dal-24hr` |
+| `DR_RESOURCE_GROUP` | `dr.resource_group` | `rg-dr-dal-prod-eus2` |
+| `MANAGEMENT_NETWORK_NAME` | `networking.management.network_name` | `mgmt-vlan100` |
+| `RECOVERY_PLAN_NAME` | `dr.recovery_plan_name` | `RP-CriticalApps-DAL` |
+| `DR_NOTIFICATION_EMAIL` | `dr.notification_email` | `dr-team@contoso.com` |
+
 ## Architecture Overview
 
 Site Recovery uses two main components on Azure Local:

docs/implementation/05-operational-foundations/phase-03-backup-dr/task-03-test-dr-procedures.mdx

@@ -34,6 +34,18 @@ Regular disaster recovery testing validates that replication is working correctl
 | Recovery plan | Multi-VM orchestration plan | Created in Site Recovery |
 | Change window | Approved maintenance window | For production failover tests |
 
+## Variables from variables.yml
+
+| Variable | Config Path | Example |
+|----------|-------------|---------|
+| `AZURE_RESOURCE_GROUP` | `azure.resource_group.name` | `rg-azurelocal-prod-eus2` |
+| `AZURE_REGION` | `azure.resource_group.location` | `eastus2` |
+| `RECOVERY_VAULT_NAME` | `dr.recovery_vault_name` | `rsv-azl-dal-dr-01` |
+| `DR_TEST_VNET_NAME` | `dr.test_vnet_name` | `vnet-dr-test-isolated` |
+| `RECOVERY_PLAN_NAME` | `dr.recovery_plan_name` | `RP-CriticalApps-DAL` |
+| `TARGET_RTO` | `dr.target_rto_minutes` | `240` |
+| `TARGET_RPO` | `dr.target_rpo_minutes` | `15` |
+
 ## Test Failover Overview
 
 Test failover creates VMs in Azure from the latest recovery point **without affecting production**: