Update security_groups.md

Updates the Backend Security Groups configuration documentation to clarify important requirements for using Custom Shared Backend Security Groups.

Author: tucktuck9

docs/deploy/security_groups.md

@@ -38,10 +38,14 @@ Backend Security Groups control traffic between AWS Load Balancers and their tar
 
 **Enable or Disable:** Use `--enable-backend-security-group` (default `true`) to enable/disable the shared backend security group.
 
-You can turn off the shared backend security group feature by setting it to `false`. However, if you have a high number of Ingress resources with frontend security groups auto-generated by the controller, you might run into security group rule limits on the instance/ENI security groups.
+Note that while you can turn off the shared backend security group feature by setting it to `false`, if you have a high number of Ingress resources with frontend security groups auto-generated by the controller, you might run into security group rule limits on the instance/ENI security groups.
 
 **Specification:** Use `--backend-security-group` to pass in a security group ID to use as a custom shared backend security group. 
 
+**Important Notes:**
+* The Custom Shared Backend Security Group (`--backend-security-group` option) only works when the automatic addition of Inbound Rules to the Node/ENI Security Group is enabled.
+* If a Custom Frontend Security Group is configured, you must set the annotation `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"` for the Custom Shared Backend Security Group to work correctly.
+
 If `--backend-security-group` is left empty, a security group with the following attributes will be created:
 
   ```yaml