Commit 87047a6

author
Larry Franks
committed
fixes
1 parent bb021f2 commit 87047a6

File tree

3 files changed

+22
-13
lines changed


articles/machine-learning/how-to-prevent-data-loss-exfiltration.md

Lines changed: 15 additions & 7 deletions
@@ -36,10 +36,6 @@ Azure Machine Learning has several inbound and outbound dependencies. Some of th
3636
* An Azure Machine Learning workspace with a private endpoint that connects to the VNet.
3737
* The storage account used by the workspace must also connect to the VNet using a private endpoint.
3838

39-
## Limitations
40-
41-
* If you have an Azure Machine Learning compute instance configured for __no public IP__ that was created _before_ October 15th, you must delete and recreate it after step 1 (opt in) below if you want to use data loss exfiltration protection with it. Older compute instances configured for no public IP were created using a different back-end infrastructure. Deleting and recreating the compute instance after opt in to the preview.
42-
4339
## 1. Opt in to the preview
4440

4541
> [!IMPORTANT]
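Review bot: Deleting the whole "Limitations" block here removes this article's only statement that a no-public-IP compute instance created before October 15th must be deleted and recreated after opt-in; nothing in this file now points the reader to that requirement. If the intent is to keep the guidance only in how-to-secure-training-vnet.md, add a one-line pointer to it under step 1 so that readers of the exfiltration article still learn that older instances are on the old back-end and will not get the protection until recreated.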
@@ -50,18 +46,28 @@ Use the form at [https://forms.office.com/r/1TraBek7LV](https://forms.office.com
5046
> [!TIP]
5147
> It may take one to two weeks to allowlist your subscription.
5248
53-
## 2. Allow outbound network traffic
49+
## 2. Allow inbound and outbound network traffic
50+
51+
### Inbound
52+
53+
> [!IMPORTANT]
54+
> The following information __modifies__ the guidance provided in the [Inbound traffic](how-to-secure-training-vnet.md#inbound-traffic) section of the "Secure training environment with virtual networks" article.
55+
56+
When using Azure Machine Learning __compute instance__ _with a public IP address_, allow inbound traffic from Azure Batch management (service tag `BatchNodeManagement.<region>`). A compute instance _with no public IP_ (preview) __doesn't__ require this inbound communication.
57+
58+
### Outbound
5459

5560
> [!IMPORTANT]
5661
> The following information is __in addition__ to the guidance provided in the [Secure training environment with virtual networks](how-to-secure-training-vnet.md) and [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md) articles.
5762
5863
Select the configuration that you're using:
5964

60-
# [Network security group](#tab/nsg)
65+
# [Service tag routes](#tab/servicetag)
6166

62-
__Allow__ outbound traffic over __TCP port 443__ to the following service tags. Replace `<region>` with the Azure region that contains your compute cluster or instance:
67+
__Allow__ outbound traffic to the following __service tags__. Replace `<region>` with the Azure region that contains your compute cluster or instance:
6368

6469
* `BatchNodeManagement.<region>`
70+
* `AzureMachineLearning`
6571
* `Storage.<region>` - A Service Endpoint Policy will be applied in a later step to limit outbound traffic.
6672

6773
# [Firewall](#tab/firewall)
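Review bot: The rewritten line "__Allow__ outbound traffic to the following __service tags__." drops the "over __TCP port 443__" restriction that the removed line carried and that the Firewall tab still states in the next hunk header (`__Allow__ outbound traffic over __TCP port 443__ to the following FQDNs`); if 443 is still sufficient for `BatchNodeManagement.<region>`, `AzureMachineLearning` and `Storage.<region>`, keep the port in this sentence so the two tabs give the same least-privilege rule, and if the new `AzureMachineLearning` tag genuinely needs other ports, say which. Renaming the tab anchor from `#tab/nsg` to `#tab/servicetag` also breaks any existing deep link to `#tab/nsg`; check other articles for that fragment before merging.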
@@ -79,6 +85,8 @@ __Allow__ outbound traffic over __TCP port 443__ to the following FQDNs. Replace
7985
8086
---
8187

88+
For more information, see [How to secure training environments](how-to-secure-training-vnet.md) and [Configure inbound and outbound network traffic](how-to-access-azureml-behind-firewall.md).
89+
8290
## 3. Enable storage endpoint for the subnet
8391

8492
1. From the [Azure portal](https://portal.azure.com), select the __Azure Virtual Network__ for your Azure ML workspace.

articles/machine-learning/how-to-secure-training-vnet.md

Lines changed: 3 additions & 4 deletions
@@ -120,12 +120,11 @@ In this article you learn how to secure the following training compute resources
120120
* If you create a compute instance and plan to use the no public IP address configuration, your Azure Machine Learning workspace's managed identity must be assigned the __Reader__ role for the virtual network that contains the workspace. For more information on assigning roles, see [Steps to assign an Azure role](../role-based-access-control/role-assignments-steps.md).
121121

122122
> [!IMPORTANT]
123-
> On October TBD, the public preview for no public IP configuration for compute cluster and compute instance moved to a new architecture. This new architecture removes limitations, such as the requirement for inbound access from the Azure Batch management and Azure Machine Learning services. However, the new architecture requires you to opt-in. Before opting in to this preview, you must have created a workspace and a compute instance on the subscription you plan to use. You can delete the compute instance and/or workspace after creating them.
123+
> Using the __no public IP__ configuration requires you to opt-in to this preview. Before opting in, you must have created a workspace and a compute instance on the subscription you plan to use. You can delete the compute instance and/or workspace after creating them.
124124
>
125125
> Use the form at [https://forms.office.com/r/0Rw6mXTT07](https://forms.office.com/r/0Rw6mXTT07) to opt in to this Azure Machine Learning preview. Microsoft will contact you once your subscription has been allowlisted to the preview. It may take one to two weeks to allowlist your subscription.
126-
127-
> [!TIP]
128-
> If you have existing compute instances configured for no public IP, you will need to delete and recreate them after your subscription has been allowlisted to take advantage of the new architecture. For existing compute clusters configured for no public IP, once the cluster has been reduced to 0 nodes (requires the minimum nodes to be configured as 0), it will take advantage of the new architecture the next time nodes are allocated after the subscription is allowlisted.
126+
>
127+
> If you have been using compute instances configured for no public IP without opting-in to the preview using the form, you will need to delete and recreate them after your subscription has been allowlisted to take advantage of the new architecture and region availability. For existing compute clusters configured for no public IP, once the cluster has been reduced to 0 nodes (requires the minimum nodes to be configured as 0), it will take advantage of the new architecture the next time nodes are allocated after the subscription is allowlisted.
129128
130129

131130
* If you have configured Azure Container Registry for your workspace behind the virtual network, you must use a compute cluster to build Docker images. If you use a compute cluster configured for no public IP address, you must provide some method for the cluster to access the public internet. Internet access is required when accessing images stored on the Microsoft Container Registry, packages installed on Pypi, Conda, etc. For more information, see [Enable Azure Container Registry](how-to-secure-workspace-vnet.md#enable-azure-container-registry-acr).
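Review bot: In the new callout text, "requires you to opt-in to this preview" and "without opting-in to the preview" use the hyphenated noun form as a verb; write "opt in" and "opting in" (the hyphenated "opt-in form" later in the same paragraph is correct). Folding the former [!TIP] into the [!IMPORTANT] block is fine, but the merged callout now states the delete-and-recreate requirement twice in different words (opt-in paragraph and the "If you have been using compute instances" paragraph); consider keeping the sentence once, next to the region-availability remark, so the two no-public-IP articles stay consistent after the Limitations removal in the other file.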

includes/machine-learning-no-public-ip-availibility.md

Lines changed: 4 additions & 2 deletions
@@ -7,7 +7,9 @@ ms.author: sgilley
77
---
88

99
> [!NOTE]
10-
> Support for compute instances and compute clusters without public IP addresses is currently available and in public preview for the following regions:
10+
> Once your Azure subscription has been allowlisted for the no public IP preview, support for compute instances and compute clusters without public IP addresses is currently available and in public preview for the following regions:
1111
> **Public**: France Central, East Asia, South East Asia, West Central US, South Central US, West US 2, West US 3, East US, East US 2, North Europe, West Europe, Central US, North Central US, West US, Australia East, Australia Southeast, Japan East, Japan West, Brazil Southeast, Brazil South, Canada Central, Canada East, Central India, South India, Korea Central, Korea South, Sweden Central, Sweden South, Switzerland North, Switzerland West, UK West, UK South, UAE North, Germany West Central, Norway East, South Africa North.
1212
> **Government**: USGov Arizona, USGov Virginia, USGov Texas.
13-
> **Azure China**: China North 3.
13+
> **Azure China**: China North 3.
14+
>
15+
> If you have been using the no public IP preview without using the opt-in form, you can use the following regions: France Central, East Asia, West Central US, South Central US, West US 2, East US, North Europe, East US 2, Central US, West Europe, North Central US, West US, Australia East, Japan East, Japan West.
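Review bot: The rewritten opening sentence reads "Once your Azure subscription has been allowlisted ..., support ... is currently available and in public preview", which mixes a conditional with "currently" and is hard to parse; suggest "Once your Azure subscription has been allowlisted for the no public IP preview, compute instances and compute clusters without public IP addresses are available in the following regions:". The `-`/`+` pair on the "**Azure China**: China North 3." line shows identical text, so that change is whitespace-only; confirm it is intended and not a stray trailing space. The added fallback region list for subscriptions that never used the form is a strict subset of the allowlisted list, which is consistent, but it would help to state that the smaller list is the pre-opt-in architecture so readers understand why the two differ.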
