update peer-to-peer encryption img

Author: cachai2

articles/container-apps/media/networking/peer-to-peer-encryption-traffic-diagram.png

@@ -282,10 +282,13 @@ You can fully secure your ingress and egress networking traffic workload profile
 
 Azure Container Apps supports peer-to-peer TLS encryption within the environment. Enabling this feature encrypts all network traffic within the environment with a private certificate that is valid within the Azure Container Apps environment scope. These certificates are automatically managed by Azure Container Apps. 
 
-Below is an example ingress pattern for an environment with peer-to-peer encryption enabled.
-
+Below is an example environment with peer-to-peer encryption enabled.
 :::image type="content" source="media/networking/peer-to-peer-encryption-traffic-diagram.png" alt-text="Diagram of how traffic is encrypted/decrypted with peer-to-peer encryption enabled.":::
 
+<sup>1</sup> Inbound TLS traffic is terminated at the ingress proxy on the edge of the environment.
+<sup>2</sup> Traffic to and from the ingress proxy within the environment is TLS encrypted with the private CA and decrypted by the receiver. 
+<sup>3</sup> Calls made from app A to app B are first sent to the edge ingress proxy, and are TLS encrypted.
+
 Applications within a Container Apps environment are automatically authenticated. However, the Container Apps runtime doesn't support authorization for access control between applications using the built-in peer-to-peer encryption.
 
 When your apps are communicating with a client outside of the environment, two-way authentication with mTLS is supported. To learn more, see [configure client certificates](client-certificate-authorization.md).