Commit ce89ffd

Merge pull request #216918 from mbender-ms/avnm-nip-update-sa
Virtual Network Manager - Update for Network Intent Policies
2 parents 74203e3 + f9f4203 commit ce89ffd

1 file changed

+1
-1
lines changed

articles/virtual-network-manager/concept-security-admins.md

Lines changed: 1 addition & 1 deletion
@@ -75,7 +75,7 @@ Security admin rules are similar to NSG rules in structure and the parameters th
7575

7676
## Network intent policies and security admin rules
7777

78-
A network intent policy is applied to some network services to ensure the network traffic is working as needed for these services. By default, deployed security admin rules aren't applied on virtual networks with services that use network intent policies such as SQL managed instance service. If you deploy a service in a virtual network with existing security admin rules, those security admin rules will be removed from those virtual networks.
78+
A network intent policy is applied to some network services to ensure the network traffic is working as needed for these services. By default, a security admin configuration will not apply security admin rules to virtual networks with services that use network intent policies such as SQL managed instance service. With this default option, if you deploy a service using network intent policies in a virtual network with existing security admin rules applied, those security admin rules will be removed from those virtual networks. You can also elect for your security admin configuration to handle virtual networks with services that use network intent policies differently to instead apply security admin rules to those virtual networks unless the security admin rule is of a "deny" action type. With either option, your security admin rules will not block traffic to or from virtual networks with services that use network intent policies, ensuring that these services continue to function as expected.
7979

8080
If you need to apply security admin rules on virtual networks with services that use network intent policies, contact [email protected] to enable this functionality. Overriding the default behavior described above could break the network intent policies created for those services. For example, creating a deny admin rule can block some traffic allowed by the SQL managed instance service, which is defined by their network intent policies. Make sure to review your environment before applying a security admin configuration. For an example of how to allow the traffic of services that use network intent policies, see [How can I explicitly allow SQLMI traffic before having deny rules](faq.md#how-can-i-explicitly-allow-azure-sql-managed-instance-traffic-before-having-deny-rules)
8181
## Security admin fields
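
Review bot: The rewritten paragraph at line 78 now contradicts the unchanged paragraph at line 80. Line 78 ends with "With either option, your security admin rules will not block traffic to or from virtual networks with services that use network intent policies", while line 80 still tells readers to contact support to enable applying rules on these virtual networks and warns that "creating a deny admin rule can block some traffic allowed by the SQL managed instance service". Revise line 80 in the same change, or state in line 78 how the new option relates to the override described there, so a reader planning deny rules around SQL managed instance subnets knows which behavior applies. The added text also never names the setting behind "You can also elect for your security admin configuration to handle ... differently", so the option cannot be located from this page; name it or link to the procedure. Minor points: the new sentences switch to "will not" where the removed line used the present-tense contraction "aren't", and the link that closes line 80 has no terminating period.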
