Commit b71d6db

Merge pull request #248345 from mbender-ms/avnm-faq-update
virtual network manager - update FAQ for PEs
2 parents 3d94e41 + 45ed76f commit b71d6db

2 files changed

+8
-0
lines changed

articles/virtual-network-manager/concept-security-admins.md

Lines changed: 5 additions & 0 deletions
@@ -35,6 +35,10 @@ Here are some scenarios where security admin rules can be used:
3535
| **Enforcing application-level security** | Security admin rules can be used to enforce application-level security by blocking traffic to or from specific applications or services. |
3636

3737
With Azure Virtual Network Manager, you have a centralized location to manage security admin rules. Centralization allows you to define security policies at scale and apply them to multiple virtual networks at once.
38+
39+
> [!NOTE]
40+
> Currently, security admin rules do not apply to private endpoints that fall under the scope of a managed virtual network.
41+
3842
## How do security admin rules work?
3943

4044
Security admin rules allow or deny traffic on specific ports, protocols, and source/destination IP prefixes in a specified direction. When you define a security admin rule, you specify the following conditions:
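Review bot: the `> [!NOTE]` block added here and the FAQ answer added in the same pull request state the same limitation with different wording ("private endpoints that fall under the scope of a managed virtual network" here versus "Azure Private Endpoints that fall under the scope of a virtual network managed by Azure Virtual Network Manager" in faq.md); align the two and link the note to the FAQ entry so readers of the concept page find the fuller answer. Because this is an enforcement gap rather than a configuration detail, the note should also say plainly that a security admin rule must not be relied on to deny traffic to those private endpoints, so operators know to cover them another way.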
@@ -45,6 +49,7 @@ Security admin rules allow or deny traffic on specific ports, protocols, and sou
4549
- The protocol to be used
4650

4751
To enforce security policies across multiple virtual networks, you [create and deploy a security admin configuration](how-to-block-network-traffic-portal.md). This configuration contains a set of rule collections, and each rule collection contains one or more security admin rules. Once created, you associate the rule collection with the network groups requiring security admin rules. The rules are then applied to all virtual networks contained in the network groups when the configuration is deployed. A single configuration provides a centralized and scalable enforcement of security policies across multiple virtual networks.
52+
4853
### Evaluation of security admin rules and network security groups (NSGs)
4954

5055
Security admin rules and network security groups (NSGs) can be used to enforce network security policies in Azure. However, they have different scopes and priorities.
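Review bot: this hunk is a whitespace-only change that leaves two consecutive blank lines between the configuration paragraph and the `### Evaluation of security admin rules and network security groups (NSGs)` heading; that is unrelated to the stated purpose of the pull request and is the kind of thing markdown linters flag, so drop the added blank line.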

articles/virtual-network-manager/faq.md

Lines changed: 3 additions & 0 deletions
@@ -104,6 +104,9 @@ Yes,
104104

105105
In Azure, VNet peering and connected groups are two methods of establishing connectivity between virtual networks (VNets). While VNet peering works by creating a 1:1 mapping between each peered VNet, connected groups use a new construct that establishes connectivity without such a mapping. In a connected group, all virtual networks are connected without individual peering relationships. For example, if VNetA, VNetB, and VNetC are part of the same connected group, connectivity is enabled between each VNet without the need for individual peering relationships.
106106

107+
### Do security admin rules apply to Azure Private Endpoints?
108+
109+
Currently, security admin rules don't apply to Azure Private Endpoints that fall under the scope of a virtual network managed by Azure Virtual Network Manager.
107110
### How can I explicitly allow Azure SQL Managed Instance traffic before having deny rules?
108111

109112
Azure SQL Managed Instance has some network requirements. If your security admin rules can block the network requirements, you can use the below sample rules to allow SQLMI traffic with higher priority than the deny rules that can block the traffic of SQL Managed Instance.
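Review bot: the new answer line ("Currently, security admin rules don't apply to Azure Private Endpoints ...") runs directly into the `### How can I explicitly allow Azure SQL Managed Instance traffic before having deny rules?` heading with no blank line between them, whereas the surrounding entries in this file separate each answer from the next heading with a blank line; add one after the new answer. The wording should also match the note added to concept-security-admins.md in this same change so the two pages do not describe the limitation differently.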
