
Commit 58c66f9

add a note
1 parent 014e43b commit 58c66f9


1 file changed

+7
-2
lines changed

articles/network-watcher/vnet-flow-logs-policy.md

@@ -26,7 +26,7 @@ In this article, you learn how to use two built-in policies to manage your setup
2626

2727
The **Audit flow logs configuration for every virtual network** policy audits all existing virtual networks in a scope by checking all Azure Resource Manager objects of type `Microsoft.Network/virtualNetwork` for linked flow logs via the flow log property of the virtual network. It then flags any virtual network that doesn't have flow logging enabled.
2828

29-
To audit your flow logs using the built-in policy, take the following steps:
29+
To audit your flow logs using the built-in policy, follow these steps:
3030

3131
1. Sign in to the [Azure portal](https://portal.azure.com).
3232
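
Review bot: The context sentence at line 27, directly above the reworded lead-in, gives the resource type as `Microsoft.Network/virtualNetwork`, but the Azure Resource Manager type for virtual networks is plural: `Microsoft.Network/virtualNetworks`. Since this change already edits the lead-in at line 29, correct the type name in the same commit so that a reader who copies it into a policy rule or a resource query gets matches.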

@@ -66,7 +66,10 @@ To audit your flow logs using the built-in policy, take the following steps:
6666

6767
The **Deploy a flow log resource with target virtual network** policy checks all existing virtual networks in a scope by checking all Azure Resource Manager objects of type `Microsoft.Network/networkSecurityGroups`. It then checks for linked flow logs via the flow log property of the virtual network. If the property doesn't exist, the policy deploys a flow log.
6868

69-
To assign the *deployIfNotExists* policy:
69+
> [!IMPORTANT]
70+
> We recommend disabling network security group flow logs before enabling virtual network flow logs on the same underlying workloads to avoid duplicate traffic recording and additional costs. For example, if you enable network security group flow logs on the network security group of a subnet, then you enable virtual network flow logs on the same subnet or parent virtual network, you might get duplicate logging (both network security group flow logs and virtual network flow logs generated for all supported workloads in that particular subnet).
71+
72+
To assign the *deployIfNotExists* policy, follow these steps:
7073

7174
1. Sign in to the [Azure portal](https://portal.azure.com).
7275

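
Review bot: The new IMPORTANT note at lines 69-70 sits directly under a sentence (line 67) that contradicts itself: it says the virtual network deploy policy checks objects of type `Microsoft.Network/networkSecurityGroups` and then refers to "the flow log property of the virtual network". The audit section describes the same kind of check against the virtual network type. Confirm which resource type this policy evaluates and fix line 67 in this change; otherwise the note about not running both kinds of flow logs reads as if the policy itself targets network security groups. In the note, "then you enable virtual network flow logs" should read "and then enable virtual network flow logs". It would also help to state whether disabling the existing network security group flow logs is a manual step the reader performs before assigning the policy.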
@@ -132,6 +135,8 @@ To assign the *deployIfNotExists* policy:
132135

133136
:::image type="content" source="./media/vnet-flow-logs-policy/deploy-policy-compliance-details-compliant.png" alt-text="Screenshot that shows there aren't any noncompliant virtual networks after the deployment policy deployed flow logs in the defined scope." lightbox="./media/vnet-flow-logs-policy/deploy-policy-compliance-details-compliant.png":::
134137

138+
You can view the deployed virtual network flow logs by going to **Flow logs** in **Network Watcher**.
139+
135140
## Related content
136141

137142
- [Virtual network flow logs](vnet-flow-logs-overview.md).
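
Review bot: The sentence added at line 138 names the destination (**Flow logs** in **Network Watcher**) but not where the reader starts, whereas the procedures in this article open with "Sign in to the Azure portal". Suggest wording it as a portal path, for example: "In the Azure portal, go to **Network Watcher**, and then select **Flow logs** to view the deployed virtual network flow logs." The Related content bullet in the trailing context also ends with a period after the link, which is worth dropping while this area is being edited.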
