Merge pull request #312207 from asudbring/tsk555750-sfi-bastion

prmerger-automator[bot] · web-flow · commit bcc1e099e0cf · 2026-02-24T23:37:26.000Z
Add security note for WAF PowerShell tutorial VMSS instances
diff --git a/articles/web-application-firewall/ag/tutorial-restrict-web-traffic-powershell.md b/articles/web-application-firewall/ag/tutorial-restrict-web-traffic-powershell.md
@@ -6,7 +6,7 @@ author: halkazwini
 ms.author: halkazwini
 ms.service: azure-web-application-firewall
 ms.topic: how-to 
-ms.date: 03/26/2021
+ms.date: 02/24/2026
 ms.custom: devx-track-azurepowershell
 # Customer intent: "As a cloud engineer, I want to set up a Web Application Firewall using PowerShell on an application gateway, so that I can secure my application against web exploits and attacks effectively."
 ---
@@ -177,6 +177,9 @@ $appgw = New-AzApplicationGateway `
 
 In this example, you create a virtual machine scale set to provide servers for the backend pool in the application gateway. You assign the scale set to the backend pool when you configure the IP settings. 
 
+> [!NOTE]
+> The virtual machine scale set instances in the backend pool don't have public IP addresses and aren't directly accessible from the internet. Management access to the instances, if needed, can be configured through [Azure Bastion](/azure/bastion/bastion-overview).
+
 Replace *\<username>* and *\<password>* with your values before you run this script.
 
 ```azurepowershell-interactive
