Commit 0450017
committed
Adding ARM disclaimer and moving solution packs section up
1 parent 748ab72 commit 0450017

2 files changed: +16 -14 lines
articles/azure-monitor/platform/private-link-security.md

Lines changed: 16 additions & 14 deletions
@@ -71,13 +71,13 @@ There are a number of limits you should consider when planning your Private Link
7171

7272
* A VNet can only connect to 1 AMPLS object. That means the AMPLS object must provide access to all the Azure Monitor resources the VNet should have access to.
7373
* An Azure Monitor resource (Workspace or Application Insights component) can connect to 5 AMPLSs at most.
74-
* An AMPLS object can connect to 20 Azure Monitor resources at most.
74+
* An AMPLS object can connect to 50 Azure Monitor resources at most.
7575
* An AMPLS object can connect to 10 Private Endpoints at most.
7676

7777
In the below topology:
7878
* Each VNet connects to 1 AMPLS object, so it can't connect to other AMPLSs.
7979
* AMPLS B connects to 2 VNets: using 2/10 of its possible Private Endpoint connections.
80-
* AMPLS A connects to 2 workspaces and 1 Application Insight component: using 3/20 of its possible Azure Monitor resources.
80+
* AMPLS A connects to 2 workspaces and 1 Application Insight component: using 3/50 of its possible Azure Monitor resources.
8181
* Workspace 2 connects to AMPLS A and AMPLS B: using 2/5 of its possible AMPLS connections.
8282

8383
![Diagram of AMPLS limits](./media/private-link-security/ampls-limits.png)
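Review bot: The raised limit (20 to 50 Azure Monitor resources per AMPLS) is applied consistently to the bullet at line 74 and the worked example at line 80 (3/50), but the diagram `./media/private-link-security/ampls-limits.png` referenced right after this list is not touched by the change; if the image still shows the old 20-resource limit it will now contradict the text, so confirm it was regenerated. Minor: "Application Insight component" at line 80 should read "Application Insights component" to match the product name used elsewhere in the file.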
@@ -158,11 +158,24 @@ First, you can connect this Log Analytics resource to any Azure Monitor Private
158158
Second, you can control how this resource can be reached from outside of the private link scopes listed above.
159159
If you set **Allow public network access for ingestion** to **No**, then machines outside of the connected scopes cannot upload data to this workspace. If you set **Allow public network access for queries** to **No**, then machines outside of the scopes cannot access data in this workspace. That data includes access to workbooks, dashboards, query API-based client experiences, insights in the Azure portal, and more. Experiences running outside the Azure portal, and that query Log Analytics data also have to be running within the private-linked VNET.
160160

161-
Restricting access in this manner only applies to data in the workspace. Configuration changes, including turning these access settings on or off, are managed by Azure Resource Manager. Restrict access to Resource Manager using the appropriate roles, permissions, network controls, and auditing. For more information, see [Azure Monitor Roles, Permissions, and Security](roles-permissions-security.md).
161+
Restricting access in this manner does not apply to the Azure Resource Manager (ARM) and therefore has the following limitations:
162+
* Access to data - while blocking queries from public networks applies to most Log Analytics experiences, some experiences query data through ARM and won't be able to query data unless Private Link settings are applied to ARM as well (feature coming up soon). This includes, for example, Azure Monitor solutions, workbooks and Insights, and the LogicApp connector.
163+
* Workspace management - Workspace setting and configuration changes (including turning these access settings on or off) are managed by ARM. Restrict access to workspace management using the appropriate roles, permissions, network controls, and auditing. For more information, see [Azure Monitor Roles, Permissions, and Security](roles-permissions-security.md).
162164

163165
> [!NOTE]
164166
> Logs and metrics uploaded to a workspace via [Diagnostic Settings](diagnostic-settings.md) go over a secure private Microsoft channel, and are not controlled by these settings.
165167
168+
### Log Analytics solution packs download
169+
170+
To allow the Log Analytics Agent to download solution packs, add the appropriate fully qualified domain names to your firewall allow list.
171+
172+
173+
| Cloud environment | Agent Resource | Ports | Direction |
174+
|:--|:--|:--|:--|
175+
|Azure Public | scadvisorcontent.blob.core.windows.net | 443 | Outbound
176+
|Azure Government | usbn1oicore.blob.core.usgovcloudapi.net | 443 | Outbound
177+
|Azure China 21Vianet | mceast2oicore.blob.core.chinacloudapi.cn| 443 | Outbound
178+
166179
## Configure Application Insights
167180

168181
Go to the Azure portal. In your Azure Monitor Application Insights component resource is a menu item **Network Isolation** on the left-hand side. You can control two different states from this menu.
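Review bot: The parenthetical "(feature coming up soon)" in the first new bullet is a roadmap promise with no date or link and will go stale in published docs; state only the present limitation (queries routed through ARM are not covered by the "Allow public network access for queries" setting) and drop the forward-looking clause or link a tracked roadmap item. The security consequence also deserves one plain sentence so it is not missed: setting public query access to No does not block the ARM-based query paths listed (solutions, workbooks, Insights, the Logic Apps connector), so readers should not treat that setting as a complete public-network block for workspace data; "LogicApp connector" should also be "Logic Apps connector". Style: the three added table rows are missing the trailing `|` that the header and alignment rows have, e.g. `|Azure Public | scadvisorcontent.blob.core.windows.net | 443 | Outbound |`.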
@@ -231,17 +244,6 @@ Adding these tags allows you to perform actions such as querying log data, creat
231244

232245
Bundle the JavaScript code in your script so that the browser does not attempt to download code from a CDN. An example is provided on [GitHub](https://github.com/microsoft/ApplicationInsights-JS#npm-setup-ignore-if-using-snippet-setup)
233246

234-
### Log Analytics solution download
235-
236-
To allow the Log Analytics Agent to download solution packs, add the appropriate fully qualified domain names to your firewall allow list.
237-
238-
239-
| Cloud environment | Agent Resource | Ports | Direction |
240-
|:--|:--|:--|:--|
241-
|Azure Public | scadvisorcontent.blob.core.windows.net | 443 | Outbound
242-
|Azure Government | usbn1oicore.blob.core.usgovcloudapi.net | 443 | Outbound
243-
|Azure China 21Vianet | mceast2oicore.blob.core.chinacloudapi.cn| 443 | Outbound
244-
245247
### Browser DNS settings
246248

247249
If you're connecting to your Azure Monitor resources over a Private Link, traffic to these resource must go through the private endpoint that is configured on your network. To enable the private endpoint, update your DNS settings as explained in [Connect to a private endpoint](#connect-to-a-private-endpoint). Some browsers use their own DNS settings instead of the ones you set. The browser might attempt to connect to Azure Monitor public endpoints and bypass the Private Link entirely. Verify that your browsers settings don't override or cache old DNS settings.
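Review bot: The removed section was headed "Log Analytics solution download", but the copy added earlier in this diff is headed "Log Analytics solution packs download", so the generated anchor changes from `#log-analytics-solution-download` to `#log-analytics-solution-packs-download`; search the docs set (including TOC and redirect files) for links to the old anchor before merging, since an in-page link to a missing heading fails silently. If the rename is intentional, mention it in the commit message, which currently only describes the move.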
