Included NSGenabled and RTenabled

Author: erjosito

articles/private-link/disable-private-endpoint-network-policy.md

@@ -14,16 +14,17 @@ ms.devlang: azurecli
 ---
 # Manage network policies for private endpoints
 
-By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like UDR and NSG support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.
+By default, network policies are disabled for a subnet in a virtual network. To utilize network policies like User-Defined Routes and Network Security Groups support, network policy support must be enabled for the subnet. This setting is only applicable to private endpoints within the subnet. This setting affects all private endpoints within the subnet. For other resources in the subnet, access is controlled based on security rules in the network security group.
+
+Network policies can be enabled either for Network Security Groups only, for User-Defined Routes only, or for both.
+
+If you enable network security policies for User-Defined Routes, the /32 routes that are generated by the private endpoint and propagated to all the subnets in its own VNet and directly peered VNets will be invalidated if you have User-Defined Routing, which is useful if you want all traffic (including traffic addressed to the private endpoint) to go through a firewall, since otherwise the /32 route would bypass any other route.
 
 You can use the following to enable or disable the setting:
 
 * Azure portal
-
 * Azure PowerShell
-
 * Azure CLI
-
 * Azure Resource Manager templates
 
 The following examples describe how to enable and disable `PrivateEndpointNetworkPolicies` for a virtual network named **myVNet** with a **default** subnet of **10.1.0.0/24** hosted in a resource group named **myResourceGroup**.
@@ -42,7 +43,7 @@ The following examples describe how to enable and disable `PrivateEndpointNetwor
 
 5. Select the **default** subnet.
 
-6. In the properties for the **default** subnet, select **Enabled** in **NETWORK POLICY FOR PRIVATE ENDPOINTS**.
+6. In the properties for the **default** subnet, enable the checkboxes for "Network Security Groups", "Route tables" or both  in **NETWORK POLICY FOR PRIVATE ENDPOINTS**.
 
 7. Select **Save**.
 
@@ -61,7 +62,7 @@ $sub = @{
     Name = 'default'
     VirtualNetwork = $vnet
     AddressPrefix = '10.1.0.0/24'
-    PrivateEndpointNetworkPoliciesFlag = 'Enabled'
+    PrivateEndpointNetworkPoliciesFlag = 'Enabled'  # Can be either 'Disabled', 'NetworkSecurityGroupEnabled', 'RouteTableEnabled', or 'Enabled'
 }
 Set-AzVirtualNetworkSubnetConfig @sub
 
@@ -70,7 +71,7 @@ $vnet | Set-AzVirtualNetwork
 
 # [**CLI**](#tab/network-policy-cli)
 
-Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to enable the policy.
+Use [az network vnet subnet update](/cli/azure/network/vnet/subnet#az-network-vnet-subnet-update) to enable the policy. The Azure CLI only supports the values `true` or `false`, it does not allow yet to enable the policies selectively only for User-Defined Routes or Network Security Groups:
 
 ```azurecli
 az network vnet subnet update \
@@ -82,7 +83,7 @@ az network vnet subnet update \
 
 # [**JSON**](#tab/network-policy-json)
 
-This section describes how to enable subnet private endpoint policies using an Azure Resource Manager template.
+This section describes how to enable subnet private endpoint policies using an Azure Resource Manager template. The possible values for the `privateEndpointNetworkPolicies` are `Disabled`, `NetworkSecurityGroupEnabled`, `RouteTableEnabled`, and `Enabled`.
 
 ```json
 {