feedback

Author: Larry Franks

articles/machine-learning/how-to-secure-training-vnet.md

@@ -85,9 +85,11 @@ In this article you learn how to secure the following training compute resources
     * One network security group (NSG). This NSG contains the following rules, which are specific to compute cluster and compute instance:
 
         > [!IMPORTANT]
-        > Azure Machine Learning compute cluster and instance rely on Azure Batch. In addition to the subnet level NSGs, NSGs are also created at the network interface (NIC) level. When evaluating network traffic, it is evaluated against *union* of subnet and NIC level NSG.
+        > Compute instance and compute cluster automatically create an NSG with the required rules.
+        > 
+        > If you have another NSG at the subnet level, the rules in the subnet level NSG mustn't conflict with the rules in the automatically created NSG.
         >
-        > Use caution when modifying these NSGs, as it is possible to break communication between the cluster/instance and Azure Batch. For more information, see [Network security groups: Batch default](/azure/batch/batch-virtual-network#network-security-groups-batch-default).
+        > To learn how the NSGs filter your network traffic, see [How network security groups filter network traffic](/azure/virtual-network/network-security-group-how-it-works).
 
         * Allow inbound TCP traffic on ports 29876-29877 from the `BatchNodeManagement` service tag.
         * Allow inbound TCP traffic on port 44224 from the `AzureMachineLearning` service tag.