Commit 0662ce2

Merge pull request #6936 from aahill/data-loss
Data loss article update
2 parents 01be9f7 + f4fb5ec commit 0662ce2

1 file changed

+9
-1
lines changed

articles/ai-services/cognitive-services-data-loss-prevention.md

Lines changed: 9 additions & 1 deletion
@@ -19,14 +19,22 @@ Azure AI services data loss prevention capabilities allow customers to configure
1919

2020
Before you make a request, you need an Azure account and an Azure AI services subscription. If you already have an account, go ahead and skip to the next section. If you don't have an account, we have a guide to get you set up in minutes: [Create an AI Foundry resource](multi-service-resource.md?pivots=azportal).
2121

22+
## Access control guidance for Azure AI Services
23+
24+
* You can limit inbound and outbound access to AI services by implementing a [network security perimeter](/azure/private-link/network-security-perimeter-concepts). For additional information on how to implement a network security perimeter for Azure AI Services, see [Add network security perimeter (preview) to Azure AI Services](../ai-foundry/openai/how-to/network-security-perimeter.md).
25+
26+
* Define the permitted FQDNs for outbound connections from the AI services resource and apply egress controls accordingly using the information in this guide.
27+
28+
* If you want to restrict outbound access for your AI Services resource that's hosted publically and using role-based or key-based access, then restrict outbound access to the list of FQDNs using the `allowedFqdnList` property. But if you want to restrict inbound and outbound for your AI Services resource that's hosted publically and using role-based access only, then restrict outbound access using a network security perimeter. For more information, see [Add an Azure OpenAI service to a network security perimeter (preview)](../ai-foundry/openai/how-to/network-security-perimeter.md).
29+
2230
## Enabling data loss prevention
2331

2432
There are two parts to enable data loss prevention. First, the resource property `restrictOutboundNetworkAccess` must be set to `true`. When this is set to true, you also need to provide the list of approved URLs. The list of URLs is added to the `allowedFqdnList` property. The `allowedFqdnList` property contains an array of comma-separated URLs.
2533

2634
>[!NOTE]
2735
>
2836
> * The `allowedFqdnList` property value supports a maximum of 1000 URLs.
29-
> * The property supports fully qualified domain names (i.e., `www.contoso.com`) as values.
37+
> * The property supports fully qualified domain names (for example `www.contoso.com`) as values.
3038
> * It can take up to 15 minutes for the updated list to take effect.
3139
3240
# [Azure CLI](#tab/azure-cli)
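
Review bot: The third added bullet (new line 28) leaves its two cases overlapping: "role-based or key-based access" selects `allowedFqdnList`, while "role-based access only" selects a network security perimeter, so a reader on role-based access who only needs outbound restriction cannot tell which one applies. Suggest splitting it into two bullets keyed on the deciding factors (whether key-based access is in use, and whether inbound restriction is also required). In the same bullet, "publically" appears twice and should be "publicly". The first and third bullets link the same target, `../ai-foundry/openai/how-to/network-security-perimeter.md`, under two different titles; pick one. The second bullet's "using the information in this guide" would be clearer if it pointed at the "Enabling data loss prevention" section that follows. Capitalization varies between "Azure AI Services", "AI services" and "AI Services" within the added lines, while the surrounding text uses "Azure AI services". The new bullets also say "list of FQDNs" where the existing paragraph below calls the `allowedFqdnList` contents "URLs"; aligning the terms would help. On new line 37, "(for example `www.contoso.com`)" needs a comma after "for example".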
