Update application security group restrictions

anharazi · web-flow · commit 894200543937 · 2021-03-22T10:30:09.000-07:00
NSG rules can now have ASG arrays enabled through REST api.
diff --git a/articles/virtual-network/application-security-groups.md b/articles/virtual-network/application-security-groups.md
@@ -52,7 +52,7 @@ The rules that specify an application security group as the source or destinatio
 Application security groups have the following constraints:
 
 -    There are limits to the number of application security groups you can have in a subscription, as well as other limits related to application security groups. For details, see [Azure limits](../azure-resource-manager/management/azure-subscription-service-limits.md?toc=%2fazure%2fvirtual-network%2ftoc.json#azure-resource-manager-virtual-networking-limits).
-- You can specify one application security group as the source and destination in a security rule. You cannot specify multiple application security groups in the source or destination.
+- Through the Portal, you can only specify one application security group as the source and destination in a security rule. You can only specify multiple application security groups in the source or destination through the REST API (including Powershell / Azure CLI).
 - All network interfaces assigned to an application security group have to exist in the same virtual network that the first network interface assigned to the application security group is in. For example, if the first network interface assigned to an application security group named *AsgWeb* is in the virtual network named *VNet1*, then all subsequent network interfaces assigned to *ASGWeb* must exist in *VNet1*. You cannot add network interfaces from different virtual networks to the same application security group.
 - If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if *AsgLogic* contained network interfaces from *VNet1*, and *AsgDb* contained network interfaces from *VNet2*, you could not assign *AsgLogic* as the source and *AsgDb* as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.
 
