updating docs to show you can make existing subnets private

brianlehr · brianlehr · commit 6127036e9ad9 · 2024-12-09T16:21:07.000-08:00
diff --git a/articles/virtual-network/ip-services/default-outbound-access.md b/articles/virtual-network/ip-services/default-outbound-access.md
@@ -71,33 +71,27 @@ There are multiple ways to turn off default outbound access. The following secti
  
 * Creating a subnet to be Private prevents any virtual machines on the subnet from utilizing default outbound access to connect to public endpoints.
  
-* The parameter to create a Private subnet can only be set during the creation of a subnet.
- 
 * VMs on a Private subnet can still access the Internet using explicit outbound connectivity.
  
     > [!NOTE]
     > Certain services won't function on a virtual machine in a Private Subnet without an explicit method of egress (examples are Windows Activation and Windows Updates).
  
 #### Add the Private subnet feature
  
-* From the Azure portal, ensure the option to enable Private subnet is selected when creating a subnet as part of the Virtual Network create experience as shown below:
+* From the Azure portal, ensure the option to enable Private subnet is selected as part of the Virtual Network subnet create/modify experience as shown below:
  
 :::image type="content" source="./media/default-outbound-access/private-subnet-portal.png"  alt-text="Screenshot of Azure portal showing Private subnet option.":::
  
-* Using PowerShell, when creating a subnet with [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig), use the `DefaultOutboundAccess` option and choose "$false"
+* Using PowerShell, when creating a subnet with [New-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/new-azvirtualnetworksubnetconfig), use the `DefaultOutboundAccess` option and choose "$false". After creation, a subnet can be set using [Set-AzVirtualNetworkSubnetConfig](/powershell/module/az.network/set-azvirtualnetworksubnetconfig).
 
-* Using CLI, when creating a subnet with [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create), use the `--default-outbound` option and choose "false"
+* Using CLI, when creating a subnet with [az network vnet subnet create](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-create), use the `--default-outbound` option and choose "false". After creation, a subnet can be set using [az network vnet subnet update](/cli/azure/network/vnet/subnet?view=azure-cli-latest#az-network-vnet-subnet-update).
  
-* Using an Azure Resource Manager template, set the value of `defaultOutboundAccess` parameter to be "false"
+* Using an Azure Resource Manager template, set the value of `defaultOutboundAccess` parameter to be "false".
 
 #### Private subnet limitations
  
 * In order to utilize to activate/update virtual machine operation systems, including Windows, it's a requirement to have an explicit outbound connectivity method.
 
-* Delegated subnets can't be marked as Private.
-
-* Existing subnets can't currently be converted to Private.
-
 * In configurations using a User Defined Route (UDR) with a default route (0/0) that sends traffic to an upstream firewall/network virtual appliance, any traffic that bypasses this route (for example, to Service Tagged destinations) breaks in a Private subnet.
  
 ### Add an explicit outbound connectivity method
@@ -121,8 +115,6 @@ NAT gateway is the recommended approach to have explicit outbound connectivity.
 
 ## Constraints
 
-* Public connectivity is required for Windows Activation and Windows Updates.  It's recommended to set up an explicit form of public outbound connectivity.
-
 * Default outbound access IP doesn't support fragmented packets.
 
 * Default outbound access IP doesn't support ICMP pings.
