revise Jonathan's note about content share and vnet

Author: ggailey777

articles/app-service/overview-vnet-integration.md

@@ -142,9 +142,9 @@ When you're using virtual network integration, you can configure how parts of th
 
 #### Content share
 
-Bringing your own storage for content in often used in Functions where [content share](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured as part of the Functions app.
+Bringing your own storage for content in often used in Azure Functions where a [content share](./../azure-functions/configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) is configured along with the function app.
 
-To route content share traffic through the virtual network integration, you must ensure that the routing setting is configured. Learn [how to configure content share routing](./configure-vnet-integration-routing.md#content-share). 
+An additional setting is required to also route traffic to this content share through the virtual network integration. For more information, see [how to configure content share routing](./configure-vnet-integration-routing.md#content-share). 
 
 In addition to configuring the routing, you must also ensure that any firewall or Network Security Group configured on traffic from the subnet allow traffic to port 443 and 445.
 

articles/azure-functions/configure-networking-how-to.md

@@ -93,8 +93,7 @@ You're now ready to route your function app's traffic to go through the virtual
 
 1. Enable [content share routing](../app-service/overview-vnet-integration.md#content-share) to enable your function app to communicate with your new storage account through its virtual network. In the same page as the previous step, under **Configuration routing**, select **Content storage**.
 
-> [!IMPORTANT]
-> If multiple Function Apps in the same App Service Plan use the same Azure Files account with the same credentials, they should also all use the same value for content share routing to ensure that traffic is consistently routed through the intended network. A mismatch in settings may result in traffic being routed through public networks, resulting in access being blocked by storage account network rules.
+[!INCLUDE [functions-content-over-vnet-shared-storage-note](../../includes/functions-content-over-vnet-shared-storage-note.md)]
 
 ### 4. Update application settings
 

articles/azure-functions/functions-app-settings.md

@@ -624,9 +624,6 @@ Azure Files doesn't support using managed identity when accessing the file share
 > [!IMPORTANT]
 > WEBSITE_CONTENTOVERVNET is a legacy app setting that has been replaced by the [vnetContentShareEnabled](#vnetcontentshareenabled) site property.
 
-> [!IMPORTANT]
-> If multiple Function Apps in the same App Service Plan use the same Azure Files account with the same credentials, they should also all use the same value for WEBSITE_CONTENTOVERVNET to ensure that traffic is consistently routed through the intended network. A mismatch in settings may result in traffic being routed through public networks, resulting in access being blocked by storage account network rules.
-
 A value of `1` enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network. Only required when using `WEBSITE_CONTENTSHARE` and `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`. To learn more, see [Restrict your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network).
 
 |Key|Sample value|
@@ -635,6 +632,8 @@ A value of `1` enables your function app to scale when you have your storage acc
 
 This app setting is required on the [Elastic Premium](functions-premium-plan.md) and [Dedicated (App Service) plans](dedicated-plan.md) (Standard and higher). Not supported when running on a [Consumption plan](consumption-plan.md). 
 
+[!INCLUDE [functions-content-over-vnet-shared-storage-note](../../includes/functions-content-over-vnet-shared-storage-note.md)]
+
 ## WEBSITE\_CONTENTSHARE
 
 The name of the file share that Functions uses to store function app code and configuration files. This content is required by event-driven scaling plans. Used with `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`. Default is a unique string generated by the runtime, which begins with the function app name. For more information, see [Storage account connection setting](storage-considerations.md#storage-account-connection-setting).
@@ -835,11 +834,10 @@ When running locally, you instead use the [`FUNCTIONS_WORKER_RUNTIME_VERSION`](f
 
 ### vnetContentShareEnabled
 
-> [!IMPORTANT]
-> If multiple Function Apps in the same App Service Plan use the same Azure Files account with the same credentials, they should also all use the same value for vnetContentShareEnabled to ensure that traffic is consistently routed through the intended network. A mismatch in settings may result in traffic being routed through public networks, resulting in access being blocked by storage account network rules.
-
 Apps running in a Premium plan use a file share to store content. The name of this content share is stored in the [`WEBSITE_CONTENTSHARE`](#website_contentshare) app setting and its connection string is stored in [`WEBSITE_CONTENTAZUREFILECONNECTIONSTRING`](#website_contentazurefileconnectionstring). To route traffic between your function app and content share through a virtual network, you must also set `vnetContentShareEnabled` to `true`. Enabling this site property is a requirement when [restricting your storage account to a virtual network](configure-networking-how-to.md#restrict-your-storage-account-to-a-virtual-network) in the Elastic Premium and Dedicated hosting plans.
 
+[!INCLUDE [functions-content-over-vnet-shared-storage-note](../../includes/functions-content-over-vnet-shared-storage-note.md)]
+
 This site property replaces the legacy [`WEBSITE_CONTENTOVERVNET`](#website_contentovervnet) setting.
 
 ### vnetImagePullEnabled

includes/functions-content-over-vnet-shared-storage-note.md

@@ -0,0 +1,10 @@
+---
+author: ggailey777
+ms.service: azure-functions
+ms.topic: include
+ms.date: 07/03/2024
+ms.author: glenga
+---
+
+> [!NOTE]
+> Multiple function apps hosted in the same plan can also use the same storage account for the content share (defined by `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` and `WEBSITE_CONTENTSHARE`). In such a scenario, all of these apps should also use the same value for `vnetContentShareEnabled` (formerly `WEBSITE_CONTENTOVERVNET`) to guarantee that traffic is consistently routed through the intended network. A mismatch in this setting between apps using the same content share might result in traffic being routed through public networks, which causes access to be blocked by storage account network rules.