From 443e4658a13b14de8e43530fd176227711e34de8 Mon Sep 17 00:00:00 2001
From: Joe Clark <31087804+jc-clark@users.noreply.github.com>
Date: Fri, 2 Aug 2024 11:25:18 -0700
Subject: [PATCH] Add information about using an Azure VNET with GitHub IP
 allow list (#51865)

---
 data/reusables/actions/azure-vnet-networking-policies.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/data/reusables/actions/azure-vnet-networking-policies.md b/data/reusables/actions/azure-vnet-networking-policies.md
index c765f5e536..c46f22e9ef 100644
--- a/data/reusables/actions/azure-vnet-networking-policies.md
+++ b/data/reusables/actions/azure-vnet-networking-policies.md
@@ -3,3 +3,5 @@ Because the {% data variables.product.company_short %}-hosted runner's NIC is de
 For example, if your VNET is configured with an Azure ExpressRoute to provide access to on-premises resources (e.g. Artifactory) or connected to a VPN tunnel to provide access to other cloud-based resources, those access policies also apply to your runners. Additionally, any outbound rules applied to your VNET's network security group (NSG) also apply, giving you the ability to control outbound access for your runners.
 
 If you have enabled any network logs monitoring for your VNET, you can also monitor network traffic for your runners.
+
+{% data variables.product.company_short %}-hosted runners use whatever outbound control your network is using. If your network relies on Azure's default outbound access, the IPs are not predictable and cannot be added to the {% data variables.product.company_short %} IP allow list. For recommendations on using a stable outbound IP, see [Default outbound access](https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access) in the Azure documentation.