Clarify DNS resolution requirements for private DNS zones

Add important note about DNS resolution requirements for private DNS zones.

Author: craigshoemaker

articles/container-apps/private-endpoints-with-dns.md

@@ -63,6 +63,10 @@ When configuring your network security group (NSG) or firewall, the DNS requirem
 > [!IMPORTANT]
 > For organizations with strict DNS security requirements (such as banking and healthcare), Dedicated workload profiles provide the option to completely control DNS traffic flow through your custom DNS servers without requiring Azure Platform DNS access.
 
+
+> [!IMPORTANT]
+> Users of private DNS zones MUST NOT block or override the resolution of `*.hcp.<LOCATION>.azmk8s.io`, `mcr.microsoft.com` and other DNS requirements that are shared with AKS and listed on [Azure Global required FQDN / application rules](/azure/aks/outbound-rules-control-egress#azure-global-required-network-rules). Failure to ensure resolvability of required entries disrupts your Container Apps environment operation and networking.
+
 ### VNet-scope ingress
 
 If you plan to use VNet-scope [ingress](ingress-overview.md) in an internal environment, configure your domains in one of the following ways: