accessing private network from deployment scripts

Author: mumian

articles/azure-resource-manager/bicep/deployment-script-bicep.md

@@ -5,7 +5,7 @@ services: azure-resource-manager
 author: mumian
 ms.service: azure-resource-manager
 ms.topic: conceptual
-ms.date: 01/18/2023
+ms.date: 01/24/2023
 ms.author: jgao
 ---
 
@@ -630,6 +630,10 @@ When you use Azure PowerShell deployment scripts, you can use the `Invoke-RestMe
 
 The identity that your deployment script uses needs to be authorized to work with the Microsoft Graph API, with the appropriate permissions for the operations it performs. You must authorize the identity outside of your Bicep file, such as by pre-creating a user-assigned managed identity and assigning it an app role for Microsoft Graph. For more information, [see this quickstart example](https://github.com/Azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.resources/deployment-script-azcli-graph-azure-ad).
 
+## Access private virtual network
+
+The supporting resources including the container instance can't be deployed to a private virtual network. To access a private virtual network from your deployment script, you can create another virtual network with a publicly accessible virtual machine or a container instance, and create a peering from this virtual network to the private virtual network.
+
 ## Next steps
 
 In this article, you learned how to use deployment scripts. To walk through a Learn module: