Commit b34b158

[Network Flow] ELI5 work continued - #2 (cloudflare#28972)
* eli5 * eli5
1 parent 624dc9c commit b34b158

2 files changed

Lines changed: 56 additions & 43 deletions

File tree

src/content/partials/networking-services/mnm-magic-transit-integration.mdx

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -4,31 +4,34 @@ params:
44
- rulesAutoAdvertiseURL
55
---
66

7-
import { GlossaryTooltip, Markdown, Width } from "~/components"
7+
import { GlossaryTooltip, Markdown, Width } from "~/components";
88

9-
With [Magic Transit On Demand](/magic-transit/on-demand/), you can use {props.productName} to analyze your network traffic and detect Distributed Denial of Service (DDoS) attacks while Magic Transit is disabled. If an attack is detected, you can automatically or manually enable Magic Transit to mitigate attacks.
9+
[Magic Transit On Demand](/magic-transit/on-demand/) allows you to keep Magic Transit disabled during normal operations and activate it only when you need DDoS protection. {props.productName} monitors your traffic while Magic Transit is off and detects attacks. When an attack is detected, you can enable Magic Transit automatically or manually.
1010

11-
You can create {props.productName} rules which monitor specific Internet Protocol (IP) <GlossaryTooltip term="prefix">prefixes</GlossaryTooltip> for DDoS attacks. When a DDoS attack is detected, Cloudflare notifies you by email, [webhook](/notifications/get-started/configure-webhooks/), or [PagerDuty](/notifications/get-started/configure-pagerduty/) with information about the attack. Then, you can [automatically activate IP advertisement](#activate-ip-auto-advertisement) and enable Magic Transit to protect the targeted IP prefixes from DDoS attacks. This feature is referred to as auto-advertisement, and you can enable it for individual {props.productName} rules through the dashboard or API.
11+
You can create {props.productName} rules that monitor specific IP <GlossaryTooltip term="prefix">prefixes</GlossaryTooltip> for DDoS attacks. When an attack is detected, Cloudflare notifies you by email, [webhook](/notifications/get-started/configure-webhooks/), or [PagerDuty](/notifications/get-started/configure-pagerduty/).
1212

13-
After Magic Transit is activated and your traffic is flowing through Cloudflare, Cloudflare blocks malicious DDoS traffic, and your origin servers receive only clean network traffic through IPsec or Generic Routing Encapsulation (GRE) tunnels.
13+
If you enable [auto-advertisement](#activate-ip-auto-advertisement) on a rule, Magic Transit activates automatically to protect the targeted prefixes. You can enable auto-advertisement for individual {props.productName} rules through the dashboard or API.
14+
15+
After Magic Transit activates and your traffic flows through Cloudflare, Cloudflare blocks malicious DDoS traffic. Your origin servers receive only clean traffic through IPsec or GRE tunnels.
1416

1517
The following diagrams illustrate this process:
1618

1719
<Width size="large">
18-
![The diagram shows the flow of traffic when you send flow data from your network to Cloudflare for analysis.](~/assets/images/network-flow/1-flowdata.png)
20+
![The diagram shows the flow of traffic when you send flow data from your network to Cloudflare for analysis.](~/assets/images/network-flow/1-flowdata.png)
1921
</Width>
2022

2123
<Width size="large">
22-
![Cloudflare automatically notifies you when Cloudflare detects an attack based on your flow data.](~/assets/images/network-flow/2-flowdata.png)
24+
![Cloudflare automatically notifies you when Cloudflare detects an attack based on your flow data.](~/assets/images/network-flow/2-flowdata.png)
2325
</Width>
2426

2527
<Width size="large">
26-
![You can create rules to activate Magic Transit automatically, to protect your IP addresses from a DDoS attack.](~/assets/images/network-flow/3-flowdata.png)
28+
![You can create rules to activate Magic Transit automatically, to protect your IP addresses from a DDoS
29+
attack.](~/assets/images/network-flow/3-flowdata.png)
2730
</Width>
2831

2932
## Activate IP auto-advertisement
3033

31-
Enable IP auto-advertisement to use {props.productName} rules. You can activate IP auto-advertisement through the dashboard or the API.
34+
Before a rule can automatically activate Magic Transit, you must enable IP advertisement for the relevant prefixes. You can do this through the dashboard or the API.
3235

3336
### Dashboard
3437
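Review bot: the wording at line 34+ ("you must enable IP advertisement for the relevant prefixes") drops the "auto" that the section heading `## Activate IP auto-advertisement` and the anchor `#activate-ip-auto-advertisement` used at line 13+ both carry, so a reader cannot tell whether IP advertisement and IP auto-advertisement are the same setting. Suggest `Before a rule can automatically activate Magic Transit, you must enable IP auto-advertisement for the relevant prefixes.` Also, at lines 28+ and 29+ the third image's alt text is wrapped mid-sentence across two source lines while the two images above it stay on one line; keeping the description on one line matches the surrounding images and does not rely on the renderer accepting a line break inside an image description.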

src/content/partials/networking-services/mnm/rules/overview.mdx

Lines changed: 45 additions & 35 deletions
@@ -2,19 +2,19 @@
22
{}
33
---
44

5-
import { Render, DashButton } from "~/components"
5+
import { Render, DashButton } from "~/components";
66

7-
Network Flow (formerly Magic Network Monitoring) rules allow you to monitor your network traffic for Distributed Denial of Service (DDoS) attacks on specific IP addresses or IP prefixes within your network. If the network traffic that is monitored by a rule exceeds the rule's threshold or contains a DDoS attack fingerprint, then you will receive an alert.
7+
Network Flow (formerly Magic Network Monitoring) rules monitor your network traffic for Distributed Denial of Service (DDoS) attacks targeting specific IP addresses or prefixes. When traffic exceeds a rule's threshold or matches a known DDoS attack fingerprint, you receive an alert.
88

99
## Rule types
1010

11-
There are three different types of rules that can be configured within Network Flow. You can refer to the linked documentation page for each rule type to learn more.
11+
Network Flow supports three rule types:
1212

13-
| Rule Type | Rule Description | Rule Availability |
14-
| :---- | :---- | :---- |
15-
| [Dynamic threshold](/network-flow/rules/dynamic-threshold/) (recommended) | A dynamic threshold rule will analyze a network's traffic patterns over time and automatically adjust the rule's DDoS threshold, in terms of bits or packets, based on traffic history. | API configuration only |
16-
| [Static threshold](/network-flow/rules/static-threshold/) | A static threshold rule allows you to define a constant numeric threshold, in terms of bits or packets, for DDoS traffic monitoring. | API configuration and dashboard configuration |
17-
| [sFlow DDoS attack](/network-flow/rules/s-flow-ddos-attack/) | Network Flow customers that send sFlow data to Cloudflare can receive alerts when a specific type of DDoS attack is detected within their network traffic. | API configuration only. Only applicable to sFlow data sets |
13+
| Rule Type | Description | Availability |
14+
| :------------------------------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------ | :------------------------- |
15+
| [Dynamic threshold](/network-flow/rules/dynamic-threshold/) (recommended) | Analyzes your network's traffic patterns over time and automatically adjusts the DDoS threshold (bits or packets) based on traffic history. | API only |
16+
| [Static threshold](/network-flow/rules/static-threshold/) | You define a fixed threshold (bits or packets) for DDoS traffic monitoring. | API and dashboard |
17+
| [sFlow DDoS attack](/network-flow/rules/s-flow-ddos-attack/) | If you send sFlow data to Cloudflare, you can receive alerts when a specific DDoS attack type is detected in your traffic. | API only (sFlow data only) |
1818

1919
## Create rules in the dashboard
2020
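Review bot: the new table header at line 13+ mixes title case (`Rule Type`) with sentence case (`Description`, `Availability`); suggest `Rule type` for consistency. The removed sentence at line 11- also told readers that each rule type has its own documentation page; with the intro reduced to `Network Flow supports three rule types:` at line 11+, consider keeping a short clause such as `Refer to each linked page for configuration details.` so the purpose of the links in the first column is explicit.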

@@ -38,7 +38,7 @@ To create a new rule:
3838

3939
2. Select **Configure Network flow**.
4040
3. In the **Configure rules** tab, select **Add new rule**.
41-
4. Create a new static traffic threshold rule according to your needs. Refer to the documentation on [static threshold](/network-flow/rules/static-threshold/) rules for more information on each field in the static threshold rule's configuration.
41+
4. Fill in the rule fields. For details on each field, refer to [Static threshold rules](/network-flow/rules/static-threshold/).
4242
5. Select **Create a new rule** when you are finished.
4343

4444
## Edit rules in the dashboard
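Review bot: step 4 at line 41+ no longer says which rule type the dashboard form creates, so the link to Static threshold rules reads as unmotivated; the table earlier in this file lists static threshold as the only type with dashboard availability, and the removed text at line 41- stated this explicitly. Suggest `4. Fill in the fields for the static threshold rule. For details on each field, refer to [Static threshold rules](/network-flow/rules/static-threshold/).`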
@@ -66,50 +66,60 @@ To create a new rule:
6666

6767
### Rule Auto-Advertisement
6868

69-
If you are an Enterprise customer using [Magic Transit On Demand](/magic-transit/on-demand), you can enable **Auto-Advertisement** for any dynamic threshold, static threshold, and sFlow DDoS attack rule. The Auto-Advertisement feature will automatically activate Magic Transit when a static or dynamic rule threshold is exceeded or a DDoS attack fingerprint is identified in sFlow traffic logs.
69+
Auto-Advertisement automatically activates [Magic Transit](/magic-transit/) when a rule triggers, routing your traffic through Cloudflare for DDoS mitigation without manual intervention.
70+
71+
This feature is available to Enterprise customers using [Magic Transit On Demand](/magic-transit/on-demand). You can enable it for any dynamic threshold, static threshold, or sFlow DDoS attack rule.
7072

7173
Follow the previous steps to [create](#create-rules-in-the-dashboard) or [edit](#edit-rules-in-the-dashboard) a rule. Then, enable **Auto-Advertisement**.
7274

7375
#### Rule Auto-Advertisement notifications
7476

75-
<Render file="mnm-auto-advertisement-notifications" product="networking-services" />
77+
<Render
78+
file="mnm-auto-advertisement-notifications"
79+
product="networking-services"
80+
/>
7681

7782
### Rule IP prefixes
7883

79-
Each rule must include a group of IP prefixes in its definition. All IP prefixes inside a rule are evaluated as a whole, and you should set up a rule with multiple IP prefixes when you want the IP prefixes' aggregated traffic to trigger an alert or advertisement. For thresholds on singular IP prefixes or IP addresses, you can create an individual rule with one prefix and the desired rule parameters.
84+
Each rule must include one or more IP prefixes. All prefixes in a rule are evaluated as aggregate traffic — their combined volume is measured against the threshold.
85+
86+
- To alert on the **combined** traffic of multiple prefixes, add them to the same rule.
87+
- To alert on **individual** prefix traffic, create a separate rule for each prefix.
8088

8189
#### Rule IP prefixes example
8290

83-
For a rule with two prefix Classless Inter-Domain Routing (CIDR) blocks and a `packet_threshold` of `10000` as shown below, the rule will be flagged if the joint packet traffic of `192.168.0.0/24` and `172.118.0.0/24` is greater than `10000`. This also means that Cloudflare attempts to auto advertise both CIDR blocks if the rule has the auto advertisement flag enabled. Customers can also [configure Rule IP prefixes at scale using Cloudflare's API](/api/resources/magic_network_monitoring/subresources/rules/).
91+
In the following example, the rule triggers when the **combined** packet traffic of `192.168.0.0/24` and `172.118.0.0/24` exceeds `10000` packets. If Auto-Advertisement is enabled, Cloudflare advertises both prefixes when the rule triggers.
92+
93+
You can also [configure rule IP prefixes at scale using the API](/api/resources/magic_network_monitoring/subresources/rules/).
8494

8595
```json
8696
{
87-
"rules": [
88-
{
89-
"name": "Too many packets",
90-
"prefixes": ["192.168.0.0/24", "172.118.0.0/24"],
91-
"packet_threshold": 10000,
92-
"automatic_advertisement": true,
93-
"duration": "1m0s",
94-
"type": "threshold"
95-
}
96-
]
97+
"rules": [
98+
{
99+
"name": "Too many packets",
100+
"prefixes": ["192.168.0.0/24", "172.118.0.0/24"],
101+
"packet_threshold": 10000,
102+
"automatic_advertisement": true,
103+
"duration": "1m0s",
104+
"type": "threshold"
105+
}
106+
]
97107
}
98108
```
99109

100-
For more granular thresholds, create a more focused rule as shown below.
110+
To set a threshold for a single prefix, create a separate rule:
101111

102112
```json
103113
{
104-
"rules": [
105-
{
106-
"name": "Too many packets",
107-
"prefixes": ["172.118.0.0/24"],
108-
"packet_threshold": 1000,
109-
"automatic_advertisement": true,
110-
"duration": "1m0s",
111-
"type": "threshold"
112-
}
113-
]
114+
"rules": [
115+
{
116+
"name": "Too many packets",
117+
"prefixes": ["172.118.0.0/24"],
118+
"packet_threshold": 1000,
119+
"automatic_advertisement": true,
120+
"duration": "1m0s",
121+
"type": "threshold"
122+
}
123+
]
114124
}
115-
```
125+
```
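Review bot: the explanation at line 91+ mentions only `packet_threshold`, but the JSON it introduces also sets `"duration": "1m0s"` and `"type": "threshold"` (lines 101+ through 104+), and neither field is explained anywhere in this section, so a reader cannot tell whether the `10000` packet threshold is evaluated over that duration window. Suggest one sentence after the first example stating what `duration` and `type` control, or a link to the page that documents those fields. A smaller point: both example rules are named `Too many packets` (lines 99+ and 116+), which makes the second example read like an edit of the first rather than the separate rule that line 110+ describes; a distinct name such as `Too many packets to 172.118.0.0/24` would make the intent clear.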
