Merge pull request openshift#8485 from patrickdillon/azure-byo-vnet-sg-docs

openshift-merge-bot[bot] · web-flow · commit 6e1f41ab7d2d · 2024-07-23T04:04:41.000Z
no-jira: docs/user/azure: fix byo vnet security groups
diff --git a/docs/user/azure/customization.md b/docs/user/azure/customization.md
@@ -44,7 +44,7 @@ The installer can use an existing VNet and subnets when provisioning an OpenShif
 
 ### Cluster Isolation
 
-When pre-existing subnets are provided, the installer will not create a network security group (NSG) or alter an existing one attached to the subnet. This restriction means that no security rules are created. If multiple clusters are installed to the same VNet and isolation is desired, it must be enforced through an administrative task after the cluster is installed.
+When pre-existing subnets are provided, the installer will not create a network security group (NSG) or alter an existing one attached to the subnet. Because cluster components do not modify the user-provided network security groups, which the Kubernetes controllers update, a pseudo-network security group is created for the Kubernetes controller to modify without impacting the rest of the environment. If multiple clusters are installed to the same VNet and isolation is desired, it must be enforced through an administrative task after the cluster is installed.
 
 ## Examples
 
