Minor update

Author: dingmeng-xue

articles/spring-apps/basic-standard/how-to-start-stop-service.md

@@ -27,10 +27,10 @@ To reduce your costs further, you can completely stop your Azure Spring Apps ser
 
 The ability to stop and start your Azure Spring Apps service instance has the following limitations:
 
-- You can stop and start your Azure Spring Apps service instance to help you save costs. However, you shouldn't stop and start a running instance for service recovery - for example, to recover from an invalid virtual network configuration.
-- The state of a stopped Azure Spring Apps service instance is preserved for up to 90 days. If your cluster is stopped for more than 90 days, you can't recover the cluster state.
+- You can stop and start your Azure Spring Apps service instance to help you save costs. However, stopping and then starting a service instance won't automatically fix system errors or recover invalid settings. For example, it cannot recover from an invalid virtual network configuration.
 - You can only start, view, or delete a stopped Azure Spring Apps service instance. You must start your service instance before performing any update operation, such as creating or scaling an app.
-- If an Azure Spring Apps service instance has been stopped or started successfully, you have to wait for at least 30 minutes to start or stop the instance again. However, if your last operation failed, you can try again to start or stop without having to wait.
+- The state of a stopped Azure Spring Apps service instance is preserved for up to 90 days. If the service instance is stopped for more than 90 days, you cannot perform any operations on this instance except deleting it.
+- If an Azure Spring Apps service instance has been stopped or started successfully, you have to wait for at least 30 minutes to start or stop the instance again. However, if your last operation failed, you can try again without waiting.
 - For virtual network instances, the start operation may fail due to invalid virtual network configurations. For more information, see [Customer responsibilities for running Azure Spring Apps in a virtual network](./vnet-customer-responsibilities.md).
 
 ## Prerequisites

articles/spring-apps/basic-standard/vnet-customer-responsibilities.md

@@ -94,6 +94,14 @@ Azure Firewall provides the FQDN tag `AzureKubernetesService` to simplify the fo
 
 You need to open some outgoing ports in your server's firewall to allow the Application Insights SDK or the Application Insights Agent to send data to the portal. For more information, see the [Outgoing ports](/azure/azure-monitor/ip-addresses#outgoing-ports) section of [IP addresses used by Azure Monitor](/azure/azure-monitor/ip-addresses).
 
+## VirtualNetwork Service Tag
+
+Azure network security groups can filter network traffic within an Azure virtual network. When you enable inbound network traffic using the VirtualNetwork service tag, it automatically includes all IP address ranges of the workload virtual network and any peered transit virtual networks.
+
+For Azure Spring Apps running on AKS, the AKS infrastructure manages the IP address prefixes for workloads on all AKS node pools. These prefixes are implicitly included in the VirtualNetwork service tag. This design ensures that applications remain accessible within the virtual network, even if their IP addresses fall outside the defined IP range of the virtual network.
+
+If you decide not to allow traffic using the VirtualNetwork service tag, you must configure specific rules to allow communication between the Azure Spring Apps service runtime subnet and the apps subnet. Furthermore, you need to explicitly allow traffic from the Azure Spring Apps reserved CIDR range, which is used by the underlying AKS infrastructure. You cannot add only partial of the CIDR range to allow list because the address prefix for workloads is dynamic. 
+
 ## Next steps
 
 - [Access your application in a private network](access-app-virtual-network.md)