Adding technical requirement

whhender · whhender · commit b49bebfcb5ed · 2025-07-03T15:06:19.000-04:00
diff --git a/articles/data-factory/secure-your-azure-data-factory.md b/articles/data-factory/secure-your-azure-data-factory.md
@@ -24,7 +24,7 @@ Network security is essential for protecting your Azure Data Factory from unauth
     - [Join Azure-SSIS integration runtime to a virtual network](join-azure-ssis-integration-runtime-virtual-network.md)
     - [Join your Azure integration runtime to a managed virtual network](tutorial-managed-virtual-network-migrate.md)
 
-* **Control traffic flow with Network Security Groups (NSGs)**: Apply NSGs to control inbound and outbound traffic for virtual machines and subnets within VNets. Use a "deny by default, permit by exception" approach to restrict traffic flow and protect sensitive resources. If you've joined Azure Data Factory to a virtual network, on the NSG that is automatically created by Azure Data Factory, Port 3389 is open to all traffic by default. Lock the port down to make sure that only your administrators have access. To manage your NSGs, see [Network security groups](../virtual-network/network-security-groups-overview.md).
+* **Control traffic flow with Network Security Groups (NSGs)**: NSGs help you manage which network traffic can reach your SSIS or self-hosted integration runtimes in your virtual network. (NSGs don't work with managed virtual networks.) Set up NSGs to allow only the traffic you need, blocking everything else by default. If your Data Factory uses a virtual network, Azure creates an NSG for you, and Port 3389 is open to everyone by default. Make sure to restrict this port so only your admins can use it. To manage your NSGs, select [Network security groups](../virtual-network/network-security-groups-overview.md).
 
 * [Secure your self-hosted integration runtime nodes by enabling remote access from intranet with TLS/SSL certificates](tutorial-enable-remote-access-intranet-tls-ssl-certificate.md) - Multiple self-hosted integration runtime nodes can be deployed to balance load and provide high availability, and enabling remote access from intranet with TLS/SSL certificates ensures secure communication between integration runtime nodes.
 
