Commit 2c84589

Update articles/synapse-analytics/security/workspace-data-exfiltration-protection.md
Co-authored-by: William Assaf MSFT <[email protected]>
1 parent 6198ac4 commit 2c84589

1 file changed

+1
-1
lines changed

articles/synapse-analytics/security/workspace-data-exfiltration-protection.md

Lines changed: 1 addition & 1 deletion
@@ -14,7 +14,7 @@ This article will explain data exfiltration protection in Azure Synapse Analytic
1414

1515
## Securing data egress from Synapse workspaces
1616
Azure Synapse Analytics workspaces support enabling data exfiltration protection for workspaces. With exfiltration protection, you can guard against malicious insiders accessing your Azure resources and exfiltrating sensitive data to locations outside of your organization’s scope.
17-
At the time of workspace creation, you can choose to configure the workspace with a managed virtual network and additional protection against data exfiltration. When a workspace is created with a [managed virtual network](./synapse-workspace-managed-vnet.md), Data integration and Spark resources are deployed in the managed virtual network. The workspace’s dedicated SQL pools and serverless SQL pools have multi-tenant capabilities and as such, need to exist outside the managed virtual network. For workspaces with data exfiltration protection, resources within the managed virtual network always communicate over [managed private endpoints](./synapse-workspace-managed-private-endpoints.md). The Synapse SQL resources can connect to and query any authorized Azure resources (storage account) using OPENROSETS or EXTERNAL TABLE since the ingress traffic is not controlled by the data exfiltration protection. However, the egress traffic (CREATE EXTERNAL TABLE AS SELECT) will be controlled by the data exfiltration protection.
17+
At the time of workspace creation, you can choose to configure the workspace with a managed virtual network and additional protection against data exfiltration. When a workspace is created with a [managed virtual network](./synapse-workspace-managed-vnet.md), Data integration and Spark resources are deployed in the managed virtual network. The workspace’s dedicated SQL pools and serverless SQL pools have multi-tenant capabilities and as such, need to exist outside the managed virtual network. For workspaces with data exfiltration protection, resources within the managed virtual network always communicate over [managed private endpoints](./synapse-workspace-managed-private-endpoints.md). When data exfiltration protection is enabled, Synapse SQL resources can connect to and query any authorized Azure Storage using OPENROWSETS or EXTERNAL TABLE, since the ingress traffic is not controlled by the data exfiltration protection. However, the egress traffic via [CREATE EXTERNAL TABLE AS SELECT](/sql/t-sql/statements/create-external-table-as-select-transact-sql?view=azure-sqldw-latest&preserve-view=true) will be controlled by the data exfiltration protection.
1818

1919
> [!Note]
2020
> You cannot change the workspace configuration for managed virtual network and data exfiltration protection after the workspace is created.
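
Review bot: The added line 17 still misspells the T-SQL function name: "OPENROWSETS" should be "OPENROWSET" (the removed line had "OPENROSETS", so the typo was altered rather than fixed). In the same sentence, "any authorized Azure Storage" is missing its noun now that the removed line's "(storage account)" is gone; "any authorized Azure Storage account" would keep the original meaning. Suggested wording for that sentence: "When data exfiltration protection is enabled, Synapse SQL resources can connect to and query any authorized Azure Storage account using OPENROWSET or EXTERNAL TABLE, since the ingress traffic is not controlled by the data exfiltration protection."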
