docs: more details in part 1

Author: vburckhardt

Diff for: docs/images/part-1/10-deployment.png

@@ -0,0 +1,3 @@
+[ZoneTransfer]
+LastWriterPackageFamilyName=Microsoft.MSPaint_8wekyb3d8bbwe
+ZoneId=3

Diff for: docs/images/part-1/10-deployment.png:Zone.Identifier

@@ -18,12 +18,13 @@ We will then manually customize the deployed infrastructure to:
 - An IBM Cloud Pay-As-You-Go or Subscription account.
 :information_source: **Note**:  Participants in the TechXchange classroom will be provided with credentials to access an IBM Cloud account for the duration of the lab.
 - An IBMId
-- API Key
+- API Key with the following permissions...
 
 A development machine with the following software:
 - [Terraform](https://developer.hashicorp.com/terraform/tutorials/aws-get-started/install-cli)
 - Text editor of your choice
 - Web browser
 - Tools to generate SSH key. Linux and Mac comes with ssh-keygen. [PuTTYgen](https://www.ssh.com/academy/ssh/putty/windows/puttygen) can be used on Windows. See [Generating an external SSH key](https://cloud.ibm.com/docs/vpc?topic=vpc-ssh-keys&interface=ui#generating-ssh-keys)
+- Optional: [IBM Cloud CLI](https://cloud.ibm.com/docs/cli?topic=cli-getting-started)
 
 :information_source: **Note**:  Participants in the TechXchange classroom will be provided with a development VM with pre-installed software.

Diff for: docs/images/part-1/10-validation.png

@@ -5,7 +5,14 @@
    ssh-keygen -t rsa -b 4096 -N '' -f ./lab-key
    ```
    This command generates two files in the current directory: `lab-key` (the private key) and `lab-key.pub` (the public key).
-
+   Verify that the keys have been created in the current directory.
+   ```
+   ls lab-key*
+   ```
+   This should return:
+   ```
+   lab-key  lab-key.pub
+   ```
 2. Access the [VSI on VPC landing zone Deployable Architecture](https://cloud.ibm.com/catalog/architecture/deploy-arch-ibm-slz-vsi-ef663980-4c71-4fac-af4f-4a510a9bcf68-global?catalog_query=aHR0cHM6Ly9jbG91ZC5pYm0uY29tL2NhdGFsb2cjcmVmZXJlbmNlX2FyY2hpdGVjdHVyZQ%3D%3D)
 3. On the Overview page, make sure the following is selected:\
    a. Product version: **Select the latest** (4.4.7 at the time of writting)
@@ -14,7 +21,7 @@
    ![Overview page](../images/part-1/10-overview-page.png)
 4. Click **Review deployment options** on the bottom right
 5. Click **Add to project**
-6. Under _Create New_, input a name that you wish to provide to the project. For example "Landing Zone Lab"
+6. Under _Create New_, input a name that you wish to provide to the project. For example "\<your initials\> Landing Zone Lab"
 7. Click **Add** on the bottom right
 8. Under _Configure -> Security_ section, set the following:\
    a. Authentication: untoggle _Use a secret_ and paste your IBM Cloud API key input the box
@@ -29,10 +36,18 @@
     a. `add_atracker_route`: false
 11. Click **Save**
 12. Click **Validate**
-13. The project will go through different steps in validation. When it completes, the validation might fail due to a rule within the Security and compliance section. In the _Approval not recommended_ section, add a comment and click **Override and approve** to start provisioning.
+13. The project will go through different steps in validation. When it completes, the validation is marked as successful. In the _Approval pending_ section, add a comment and click **Approve** to start provisioning.
 
 ![Validation](../images/part-1/10-validation.png)
 
 14. Click **Deploy**
 
-Note: The deploy will take approximately 15 minutes to complete
+
+:information_source: **Note**: The deploy will take approximately 15 minutes to complete. Some suggestions during this time:
+- You may following the execution logs. Of interest:
+   ![Deployment](../images/part-1/10-deployment.png)
+   - The terraform plan steps shows the list of resources that are going to be created.
+   - The terraform apply steps shows the resources that are being created.
+   - You may also navigate to the [VPC section](https://cloud.ibm.com/vpc-ext/vpcLayout) and the [resource list](https://cloud.ibm.com/resources) in your account to see the resources starting to spawn up as you refresh the screen during the execution.
+- Explore in more details some of the materials in the [introduction section](README)
+- Coffee ☕

Diff for: docs/images/part-1/30-private-ip.png

@@ -1,6 +1,8 @@
 # Providing operator access to the VPC landing zone
 
-By default, network access to the VPC landing zone topology is locked down for security compliance reasons. In this section, you will open up the necessary access for an operator to access the VPC environment, including deploying application on the VSI's located in the workload VPC.
+## Introduction
+
+By default, network access to the VPC landing zone topology is locked down for security compliance reasons. In this section, you will open up the necessary access for an operator to access the VPC environment, including deploying application on the VSIs located in the workload VPC.
 
 Operator access is provided through the _Management VPC_. There are multiple ways to give operator access to the VPC landing zone, with varying level of security, compliance, and ease of enablement:
 
@@ -9,9 +11,11 @@ Operator access is provided through the _Management VPC_. There are multiple way
 - Deploying a site-to-site VPN solution in the management VPC
 - Deploying a certified bastion solution, such as Gravitational Teleport in the management VPC.
 
-This part of the lab shows how to expose one of the VSI's in the management VPC as a ‘jump-box’, as this is one of the simplest way to proceed, albeit not being strongly secure. The Going Further section below provides links to some of the other ways to provide operator access.
+This part of the lab shows how to expose one of the VSI in the management VPC as a 'jump-box', as this is one of the simplest way to proceed, albeit not being strongly secure. The [Going Further](./part1/50-going-further) section below provides links to some of the other ways to provide operator access.
+
+## Steps
 
-Perform the following actions to provide operator access to a VSI in the management VPC
+Perform the following actions to enable public ssh access to one of the VSI in the management VPC. This VSI will be the unique operator entry point ('jump-box') to the landing zone VPC topology.
 
 1. Access the [Virtual server instances for VPC list](https://cloud.ibm.com/vpc-ext/compute/vs)
 2. Verify that the region is set to the region you provisioned your resources and click the VSI labeled _<initials>-management-server-1_
@@ -20,16 +24,17 @@ Perform the following actions to provide operator access to a VSI in the managem
 
 ![Floating IP](../images/part-1/20-floating-ip.png)
 
-4. In the [Security Groups for VPC](https://cloud.ibm.com/vpc-ext/network/securityGroups), click the one label _<initials>-management_
-5. Go to the Rules section and allow port 22 for inbound by clicking **Create** in the _Inbound rules_ section (Note: Security groups are stateful so you don’t need to add a corresponding outbound rule)
+4. Take note of the public Floating IP. This IP will be used in a subsequent step.
+5. In the [Security Groups for VPC](https://cloud.ibm.com/vpc-ext/network/securityGroups), click the one labelled _<initials>-management_
+6. Go to the Rules section and allow port 22 for inbound by clicking **Create** in the _Inbound rules_ section (Note: Security groups are stateful so you don’t need to add a corresponding outbound rule)
 
 ![Allow SSH in Security group](../images/part-1/20-ssh-sg.png)
 
-6. Click **Create**
-7. In the [Access control lists for VPC](https://cloud.ibm.com/vpc-ext/network/acl), click the one labeled _<initials>-management-acl_
-8. Create the following ACL inbound rule:
+7. Click **Create**
+8. In the [Access control lists for VPC](https://cloud.ibm.com/vpc-ext/network/acl), click the one labeled _<initials>-management-acl_
+9. Create the following ACL inbound rule:
    ![SSH ACL Inbound rule](../images/part-1/20-ssh-acl-inbound.png)
-9. Create the folloiwng ACL outbound rule:
+10. Create the folloiwng ACL outbound rule:
    ![SSH ACL Outbound rule](../images/part-1/20-ssh-acl-outbound.png)
-10. You will now be able to access the Floating IP address that you provisioned in a prior step. On your workstation, issue the following command from a terminal\
-    `ssh -i key root@<Floating IP of Virtual server instance>`
+11. You will now be able to access the 'jump-box' through the public Floating IP address that you provisioned in a prior step. On your workstation, issue the following command from a terminal\
+    `ssh -i ./lab-key root@<Floating IP of Virtual server instance>`

Diff for: docs/part1/00-objectives.md

@@ -2,7 +2,7 @@
 
 In this section, you will install the Apache server on a workload VSI.
 
-1. By default, the workload Virtual server instances are locked down from the management VPC. You will need to allow access through the Access control list. In the [Access control list](https://cloud.ibm.com/vpc-ext/network/acl), click the ACL labeled _<initials>-workload-acl_.
+1. By default, the workload VSI (Virtual Server Instances) are locked down from the management VPC. You will need to allow access through the Access control list. In the [Access control list](https://cloud.ibm.com/vpc-ext/network/acl), click the ACL labeled _<initials>-workload-acl_.
    1. Create an ACL inbound rule to allow ssh access from the Management VPC
       ![Workload SSH ACL Inbound rule](../images/part-1/30-workload-ssh-acl-inbound.png)
    2. Create an ACL outbound rule to allow ssh access from the Management VPC
@@ -13,16 +13,19 @@ In this section, you will install the Apache server on a workload VSI.
    2. Create an ACL outbound rule to allow ssh access from the Workload VPC
       ![Management SSH ACL Outbound rule](../images/part-1/30-mgmt-ssh-acl-outbound.png)
 3. Access the workload VSI by doing the following:
-   1. Copy the private key labeled _lab_key_ to the bastion host
+   1. Navigate to [Virtual server instances for VPC](https://cloud.ibm.com/vpc-ext/compute/vs). Take note of the private IP ("Reserved IP") for the VSI labeled *initials-workload-server-1* (10.40.10.4 in this example).
+   ![private IP](../images/part-1/30-private-ip.png)
+   2. From your machine, copy the private key labeled *lab_key* to the bastion host
       `scp -i lab-key lab-key root@<Floating IP address of bastion host>:/root`
-   2. SSH to the bastion host
-      `ssh -i key root@<Floating IP of Virtual server instance>`
-   3. Change permissions of the private key
+   3. SSH to the bastion host
+      `ssh -i ./lab-key root@<Floating IP of Virtual server instance>`
+   4. Change permissions of the private key
       `chmod 600 lab-key`
-   4. SSH to the workload VSI
-      `ssh -i lab-key root@<Private IP address of the workload VSI>`
+   5. SSH to the workload VSI
+      `ssh -i ./lab-key root@<Private IP address of the workload VSI>`
 4. Install the Apache web server by issuing the following commands:
    ```shell
    apt-get update
    apt-get install apache2 --yes
    ```
+5. (Optional) You may repeat the steps 3 and 4 for the workload VSIs *<initials>-workload-server-2* and *<initials>-workload-server-3*

Diff for: docs/part1/10-project.md

@@ -1,6 +1,6 @@
 # Exposing the web application to the internet
 
-In this section, you will expose the web application to the internet so you can access it.
+In this section, we will expose the web pages to the internet through a VPC load balancer so anyone can access them.
 
 1.  Create a public load balancer to expose the web application. Access the [Load balancers for VPC](https://cloud.ibm.com/vpc-ext/network/loadBalancers) page and click **Create**.
 2.  Set the following for the load balancer:
@@ -28,9 +28,10 @@ In this section, you will expose the web application to the internet so you can
       ![ACL inbound rule](../images/part-1/40-acl-inbound.png)
     - Create an outbound rule
       ![ACL outbound rule](../images/part-1/40-acl-outbound.png)
-5.  You web application is exposed:
+5.  It can take several minutes for your load balancer to provision. Check and wait until the status is set to Active in [Load balancers for VPC](https://cloud.ibm.com/vpc-ext/network/loadBalancers). You may need click the refresh button in the page periodically.
+6.  You web application is exposed:
     - Retrieve the FQDN of your Load balancer
       - [Access the Load Balancer list](https://cloud.ibm.com/vpc-ext/network/loadBalancers) and click your provisioned load balancer
       - Copy the value under _Hostname_
-    - Issue the following command:
+    - On your machine, open up a web browser pointing to `http://<Hostname of your load balancer>` . You may also test connectivity by issuing the following command:
       `curl http://<Hostname of your load balancer>`