adding note

Larry Franks · Larry Franks · commit 0ba2f9df7a42 · 2022-08-04T13:42:27.000-04:00
diff --git a/articles/machine-learning/how-to-secure-training-vnet.md b/articles/machine-learning/how-to-secure-training-vnet.md
@@ -84,6 +84,11 @@ In this article you learn how to secure the following training compute resources
 
     * One network security group (NSG). This NSG contains the following rules, which are specific to compute cluster and compute instance:
 
+        > [!IMPORTANT]
+        > Azure Machine Learning compute cluster and instance rely on Azure Batch. In addition to the subnet level NSGs, NSGs are also created at the network interface (NIC) level. When evaluating network traffic, it is evaluated against *union* of subnet and NIC level NSG.
+        >
+        > Use caution when modifying these NSGs, as it is possible to break communication between the cluster/instance and Azure Batch. For more information, see [Network security groups: Batch default](/azure/batch/batch-virtual-network#network-security-groups-batch-default).
+
         * Allow inbound TCP traffic on ports 29876-29877 from the `BatchNodeManagement` service tag.
         * Allow inbound TCP traffic on port 44224 from the `AzureMachineLearning` service tag.
 
