Updated private endpoint FW rules

Author: Thomas Weiss

articles/cosmos-db/how-to-configure-private-endpoints.md

@@ -4,7 +4,7 @@ description: Learn how to set up Azure Private Link to access an Azure Cosmos ac
 author: ThomasWeiss
 ms.service: cosmos-db
 ms.topic: conceptual
-ms.date: 05/14/2020
+ms.date: 05/27/2020
 ms.author: thweiss
 ---
 
@@ -613,9 +613,11 @@ The following situations and outcomes are possible when you use Private Link in
 
 * If you don't configure any firewall rules, then by default, all traffic can access an Azure Cosmos account.
 
-* If you configure public traffic or a service endpoint and you create private endpoints, then different types of incoming traffic are authorized by the corresponding type of firewall rule.
+* If you configure public traffic or a service endpoint and you create private endpoints, then different types of incoming traffic are authorized by the corresponding type of firewall rule. If a private endpoint is configured in a subnet where service endpoint is also configured:
+  * traffic to the database account mapped by the private endpoint is routed via private endpoint,
+  * traffic to other database accounts from the subnet is routed via service endpoint.
 
-* If you don't configure any public traffic or service endpoint and you create private endpoints, then the Azure Cosmos account is accessible only through the private endpoints. If you don't configure public traffic or a service endpoint, after all approved private endpoints are rejected or deleted, the account is open to the entire network.
+* If you don't configure any public traffic or service endpoint and you create private endpoints, then the Azure Cosmos account is accessible only through the private endpoints. If you don't configure public traffic or a service endpoint, after all approved private endpoints are rejected or deleted, the account is open to the entire network unless PublicNetworkAccess is set to Disabled (see section below).
 
 ## Blocking public network access during account creation