diff --git a/docs/reference-architectures/dmz/secure-vnet-dmz.md b/docs/reference-architectures/dmz/secure-vnet-dmz.md
index 0cbb24de290..29469b2f1f7 100644
--- a/docs/reference-architectures/dmz/secure-vnet-dmz.md
+++ b/docs/reference-architectures/dmz/secure-vnet-dmz.md
@@ -63,7 +63,7 @@ The Internet facing load balancer requires each NVA in the public DMZ inbound su
 
 ## Manageability considerations
 
-All monitoring and management for the NVAs in the public DMZ should be be performed by the jumpbox in the management subnet. As discussed in [Implementing a DMZ between Azure and your on-premises datacenter][implementing-a-secure-hybrid-network-architecture], define a single network route from the on-premises network through the gateway to the jumpbox, in order to restrict access.
+All monitoring and management for the NVAs in the public DMZ should be performed by the jumpbox in the management subnet. As discussed in [Implementing a DMZ between Azure and your on-premises datacenter][implementing-a-secure-hybrid-network-architecture], define a single network route from the on-premises network through the gateway to the jumpbox, in order to restrict access.
 
 If gateway connectivity from your on-premises network to Azure is down, you can still reach the jumpbox by deploying a public IP address, adding it to the jumpbox, and logging in from the Internet.
 
@@ -121,4 +121,4 @@ A deployment for a reference architecture that implements these recommendations
 [visio-download]: https://archcenter.azureedge.net/cdn/dmz-reference-architectures.vsdx
 
 
-[0]: ./images/dmz-public.png "Secure hybrid network architecture"
\ No newline at end of file
+[0]: ./images/dmz-public.png "Secure hybrid network architecture"