
Commit 2cbe471

Merge pull request #247410 from msakande/managed-vnet-with-managed-online-endpoints
Managed vnet with managed online endpoints
2 parents a1d8671 + 91122b0 commit 2cbe471

15 files changed: +355 −312 lines

articles/machine-learning/concept-endpoints-online.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ ms.topic: conceptual
99
author: santiagxf
1010
ms.author: fasantia
1111
ms.reviewer: mopeakande
12-
ms.custom: devplatv2
12+
ms.custom: devplatv2, moe-wsvnet
1313
ms.date: 04/01/2023
1414
#Customer intent: As an MLOps administrator, I want to understand what a managed endpoint is and why I need it.
1515
---
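Review bot: ms.date on line 13 is left at 04/01/2023 while the body of this same file changes in this commit (the outbound networking paragraph and the Virtual Network table row below); bump ms.date alongside the new `moe-wsvnet` tag so the page's freshness date reflects the managed virtual network content.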
@@ -88,9 +88,9 @@ Visual Studio Code enables you to interactively debug endpoints.
8888

8989
Optionally, you can secure communication with a managed online endpoint by using private endpoints.
9090

91-
You can configure security for inbound scoring requests and outbound communications with the workspace and other services separately. Inbound communications use the private endpoint of the Azure Machine Learning workspace. Outbound communications use private endpoints created per deployment.
91+
You can configure security for inbound scoring requests and outbound communications with the workspace and other services separately. Inbound communications use the private endpoint of the Azure Machine Learning workspace. Outbound communications use private endpoints created for the workspace's managed virtual network (preview).
9292

93-
For more information, see [Secure online endpoints](how-to-secure-online-endpoint.md).
93+
For more information, see [Network isolation with managed online endpoints](concept-secure-online-endpoint.md).
9494

9595
## Managed online endpoints vs Kubernetes online endpoints
9696

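Review bot: the rewritten sentence on line 91 now describes only the managed virtual network (preview) path for outbound traffic and drops the per-deployment private endpoint model entirely, yet the companion hunk in concept-secure-network-traffic-flow.md in this same commit still documents `egress_public_network_access` as a supported legacy method. A reader with existing deployments will conclude from this page that their per-deployment configuration no longer exists; add a clause such as "or, with the legacy method, private endpoints created per deployment" or link to the legacy section of the new concept page. Separately, the link target on line 93 changes from how-to-secure-online-endpoint.md to concept-secure-online-endpoint.md; confirm the rename or a redirect entry is included in this PR so the old URL does not break.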
@@ -110,7 +110,7 @@ The following table highlights the key differences between managed online endpoi
110110
| **Cluster sizing (scaling)** | [Managed manual and autoscale](how-to-autoscale-endpoints.md), supporting additional nodes provisioning | [Manual and autoscale](how-to-kubernetes-inference-routing-azureml-fe.md#autoscaling), supporting scaling the number of replicas within fixed cluster boundaries |
111111
| **Compute type** | Managed by the service | Customer-managed Kubernetes cluster (Kubernetes) |
112112
| **Managed identity** | [Supported](how-to-access-resources-from-endpoints-managed-identities.md) | Supported |
113-
| **Virtual Network (VNET)** | [Supported via managed network isolation](how-to-secure-online-endpoint.md) | User responsibility |
113+
| **Virtual Network** | [Supported via managed network isolation](concept-secure-online-endpoint.md) | User responsibility |
114114
| **Out-of-box monitoring & logging** | [Azure Monitor and Log Analytics powered](how-to-monitor-online-endpoints.md) (includes key metrics and log tables for endpoints and deployments) | User responsibility |
115115
| **Logging with Application Insights (legacy)** | Supported | Supported |
116116
| **View costs** | [Detailed to endpoint / deployment level](how-to-view-online-endpoints-costs.md) | Cluster level |

articles/machine-learning/concept-endpoints.md

Lines changed: 1 addition & 3 deletions
@@ -88,12 +88,10 @@ The following table shows a summary of the different features available to onlin
8888
| Swagger support | Yes | No |
8989
| Authentication | Key and token | Azure AD |
9090
| Private network support | Yes | Yes |
91-
| Managed network isolation<sup>1</sup> | Yes | No |
91+
| Managed network isolation | Yes | No |
9292
| Customer-managed keys | Yes | No |
9393
| Cost basis | None | None |
9494

95-
<sup>1</sup> [*Managed network isolation*](how-to-secure-online-endpoint.md) allows you to manage the networking configuration of the endpoint independently of the configuration of the Azure Machine Learning workspace.
96-
9795
#### Deployments
9896

9997
The following table shows a summary of the different features available to online and batch endpoints at the deployment level. These concepts apply to each deployment under the endpoint.
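Review bot: deleting the footnote on old lines 95-96 leaves the "Managed network isolation" row on line 91 with neither a definition nor a link, so the term now appears on this page unexplained while the concept page it used to point at has simply moved. Put the link on the row label instead of removing it, e.g. `| [Managed network isolation](concept-secure-online-endpoint.md) | Yes | No |`, so the feature stays discoverable from the comparison table.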

articles/machine-learning/concept-secure-network-traffic-flow.md

Lines changed: 12 additions & 13 deletions
@@ -5,7 +5,7 @@ description: Learn how network traffic flows between components when your Azure
55
services: machine-learning
66
ms.service: machine-learning
77
ms.subservice: enterprise-readiness
8-
ms.custom: event-tier1-build-2022
8+
ms.custom: event-tier1-build-2022, moe-wsvnet
99
ms.topic: conceptual
1010
ms.author: jhirono
1111
author: jhirono
@@ -134,24 +134,23 @@ If you use Visual Studio Code on a compute instance, you must allow other outbou
134134
:::moniker range="azureml-api-2"
135135
## Scenario: Use online endpoints
136136

137-
__Inbound__ communication with the scoring URL of the online endpoint can be secured using the `public_network_access` flag on the endpoint. Setting the flag to `disabled` restricts the online endpoint to receiving traffic only from the virtual network. For secure inbound communications, the Azure Machine Learning workspace's private endpoint is used.
137+
Security for inbound and outbound communication are configured separately for managed online endpoints.
138138

139-
__Outbound__ communication from a deployment can be secured on a per-deployment basis by using the `egress_public_network_access` flag. Outbound communication in this case is from the deployment to Azure Container Registry, storage blob, and workspace. Setting the flag to `true` will restrict communication with these resources to the virtual network.
139+
#### Inbound communication
140140

141-
> [!NOTE]
142-
> For secure outbound communication, a private endpoint is created for each deployment where `egress_public_network_access` is set to `disabled`.
141+
__Inbound__ communication with the scoring URL of the online endpoint can be secured using the `public_network_access` flag on the endpoint. Setting the flag to `disabled` ensures that the online endpoint receives traffic only from a client's virtual network through the Azure Machine Learning workspace's private endpoint.
142+
143+
The `public_network_access` flag of the Azure Machine Learning workspace also governs the visibility of the online endpoint. If this flag is `disabled`, then the scoring endpoints can only be accessed from virtual networks that contain a private endpoint for the workspace. If it is `enabled`, then the scoring endpoint can be accessed from the virtual network and public networks.
143144

144-
Visibility of the endpoint is also governed by the `public_network_access` flag of the Azure Machine Learning workspace. If this flag is `disabled`, then the scoring endpoints can only be accessed from virtual networks that contain a private endpoint for the workspace. If it is `enabled`, then the scoring endpoint can be accessed from the virtual network and public networks.
145+
#### Outbound communication
145146

146-
### Supported configurations
147+
__Outbound__ communication from a deployment can be secured at the workspace level by enabling managed virtual network isolation for your Azure Machine Learning workspace (preview). Enabling this setting causes Azure Machine Learning to create a managed virtual network for the workspace. Any deployments in the workspace's managed virtual network can use the virtual network's private endpoints for outbound communication.
148+
[!INCLUDE [machine-learning-preview-generic-disclaimer](includes/machine-learning-preview-generic-disclaimer.md)]
149+
150+
The [legacy network isolation method for securing outbound communication](concept-secure-online-endpoint.md#secure-outbound-access-with-legacy-network-isolation-method) worked by disabling a deployment's `egress_public_network_access` flag. We strongly recommend that you secure outbound communication for deployments by using a [workspace managed virtual network](concept-secure-online-endpoint.md) instead. Unlike the legacy approach, the `egress_public_network_access` flag for the deployment no longer applies when you use a workspace managed virtual network with your deployment (preview). Instead, outbound communication will be controlled by the rules set for the workspace's managed virtual network.
147151

148-
| Configuration | Inbound </br> (Endpoint property) | Outbound </br> (Deployment property) | Supported? |
149-
| -------- | -------------------------------- | --------------------------------- | --------- |
150-
| secure inbound with secure outbound | `public_network_access` is disabled | `egress_public_network_access` is disabled | Yes |
151-
| secure inbound with public outbound | `public_network_access` is disabled | `egress_public_network_access` is enabled | Yes |
152-
| public inbound with secure outbound | `public_network_access` is enabled | `egress_public_network_access` is disabled | Yes |
153-
| public inbound with public outbound | `public_network_access` is enabled | `egress_public_network_access` is enabled | Yes |
154152
:::moniker-end
153+
155154
## Scenario: Use Azure Kubernetes Service
156155

157156
For information on the outbound configuration required for Azure Kubernetes Service, see the connectivity requirements section of [How to secure inference](how-to-secure-inferencing-vnet.md).
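Review bot: dropping the "Supported configurations" table (old lines 146-153) removes the only explicit statement of which inbound/outbound combinations are valid, and the replacement text does not say whether the endpoint's `public_network_access` setting still combines independently with a workspace managed virtual network, nor whether the old four-row matrix still applies to workspaces that keep using the legacy `egress_public_network_access` flag. Keep a reduced version of the table, or add one sentence under "Outbound communication" stating that inbound and outbound remain independently configurable under both methods. Two smaller points: the new sub-headings on lines 139 and 145 are `####` directly under the `##` scenario heading, skipping a level, and line 137 should read "is configured separately" (the subject "Security" is singular).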
