links/notes

Author: Larry Franks

articles/machine-learning/how-to-access-azureml-behind-firewall.md

@@ -79,7 +79,7 @@ __Outbound traffic__
 | `AzureFrontDoor.FrontEnd`</br>* Not needed in Azure China. | 443 | Global entry point for [Azure Machine Learning studio](https://ml.azure.com). Store images and environments for AutoML. |
 | `MicrosoftContainerRegistry.<region>` | 443 | Access docker images provided by Microsoft. |
 | `Frontdoor.FirstParty` | 443 | Access docker images provided by Microsoft. |
-| `AzureMonitor` | 443 | Used to log monitoring and metrics to Azure Monitor. |
+| `AzureMonitor` | 443 | Used to log monitoring and metrics to Azure Monitor. Only needed if you haven't [secured Azure Monitor](how-to-secure-workspace-vnet.md#secure-azure-monitor-and-application-insights) for the workspace. |
 
 > [!IMPORTANT]
   > If a compute instance or compute cluster is configured for no public IP, they can't access the public internet by default. However, they do need to communicate with the resources listed above. To enable outbound communication, you have two possible options:
@@ -425,7 +425,7 @@ For information on restricting access to models deployed to AKS, see [Restrict e
 
 __Monitoring, metrics, and diagnostics__
 
-To support logging of metrics and other monitoring information to Azure Monitor and Application Insights, allow outbound traffic to the following hosts:
+If you haven't [secured Azure Monitor](how-to-secure-workspace-vnet.md#secure-azure-monitor-and-application-insights) for the workspace, you must allow outbound traffic to the following hosts:
 
 > [!NOTE]
 > The information logged to these hosts is also used by Microsoft Support to be able to diagnose any problems you run into with your workspace.

includes/machine-learning-public-internet-access.md

@@ -34,7 +34,7 @@ Azure Machine Learning requires both inbound and outbound access to the public i
 | Inbound | TCP: 44224 | `AzureMachineLearning` | Create, update, and delete of Azure Machine Learning compute instance/cluster. **Required if instance/cluster configured with a Public IP option.**|
 | Outbound | TCP: 8787 | `AzureMachineLearning` | Using Azure Machine Learning services.<br> **Port 8787 is required if you use RStudio.** |
 | Outbound | TCP: 445 | `Storage.region` | Access data stored in the Azure Storage Account for compute cluster and compute instance. This outbound can be used to exfiltrate data. For more information, see [Data exfiltration protection](../articles/machine-learning/how-to-prevent-data-loss-exfiltration.md).<br>**445 is only required if you have a firewall between your virtual network for Azure ML and a private endpoint for your storage accounts.**|
-| Outbound | TCP: 443 | `AzureMonitor` | Used to log monitoring and metrics to App Insights and Azure Monitor. |
+| Outbound | TCP: 443 | `AzureMonitor` | Used to log monitoring and metrics to App Insights and Azure Monitor. Only needed if you haven't [secured Azure Monitor](how-to-secure-workspace-vnet.md#secure-azure-monitor-and-application-insights) for the workspace. |
 | Outbound | TCP: 443 | `Keyvault.region` | Access the key vault for the Azure Batch service. Only needed if your workspace was created with the [hbi_workspace](/python/api/azureml-core/azureml.core.workspace%28class%29#create-name--auth-none--subscription-id-none--resource-group-none--location-none--create-resource-group-true--sku--basic---friendly-name-none--storage-account-none--key-vault-none--app-insights-none--container-registry-none--cmk-keyvault-none--resource-cmk-uri-none--hbi-workspace-false--default-cpu-compute-target-none--default-gpu-compute-target-none--exist-ok-false--show-output-true-) flag enabled. |
 
 -----