IP group updates

vhorne · vhorne · commit 3702a199972e · 2020-04-03T08:10:47.000-07:00
diff --git a/articles/firewall/ip-groups.md b/articles/firewall/ip-groups.md
@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: conceptual
-ms.date: 02/18/2020
+ms.date: 04/03/2020
 ms.author: victorh
 ---
 
@@ -49,7 +49,7 @@ You can see all the IP addresses in the IP Group and the rules or resources that
 
 1. To view or edit the IP addresses, select **IP Addresses** under **Settings** on the left pane.
 2. To add a single or multiple IP address(es), select **Add IP Addresses**. This opens the **Drag or Browse** page for an upload, or you can enter the address manually.
-3.	Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
+3.    Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
 4. Finally, can export the file in the CSV file format.
 
 > [!NOTE]
@@ -67,24 +67,47 @@ You can now select **IP Group** as a **Source type** or **Destination type** for
 
 ## Region availability
 
-IP Groups are currently available in the following regions:
-
-- West US
-- West US 2
-- East US
-- East US 2
-- Central US
-- North Central US
-- West Central US
-- South Central US
-- Canada Central
-- North Europe
-- West Europe
-- France Central
-- UK South
-- Australia East
-- Australia Central
-- Australia Southeast
+IP Groups are available in all public cloud regions.
+
+## IP address limits
+
+For 50 IP Groups or less, you can have a maximum of 5000 individual IP addresses each per firewall instance. For 51 to 100 IP Groups, you can have 500 individual IP address each per firewall instance.
+
+### Examples
+
+#### Example 1: supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |4096     |10.0.0.0/20  |Rule1|
+|IPGroup2     |3|196.0.0.0 - 196.0.0.2|Rule1|
+|IPGroup3     |1|1.2.3.4|Rule1|
+|     |**Total 8192**|         |         |
+|     |         |         |         |
+
+#### Example 2: supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |4096     |10.0.0.0/20  |Rule1|
+|IPGroup2     |4096|11.0.0.0/20|Rule1|
+|     |**Total 8192**|         |         |
+
+#### Example 3: not supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |8192     |10.0.0.0/20, 11.0.0.0/20  |Rule1|
+|     |**Total 8192**|||
+
+#### Example 4: supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |4096     |10.0.0.0/20  |Rule1|
+|IPGroup2     |4096|11.0.0.0/20|Rule2|
+|     |**Total 8192**|         |         |
+
 
 ## Related Azure PowerShell cmdlets
 
diff --git a/includes/firewall-limits.md b/includes/firewall-limits.md
@@ -5,7 +5,7 @@
  author: vhorne
  ms.service: firewall
  ms.topic: include
- ms.date: 04/01/2020
+ ms.date: 04/03/2020
  ms.author: victorh
  ms.custom: include file
 ---
@@ -18,6 +18,7 @@
 |Minimum AzureFirewallSubnet size |/26|
 |Port range in network and application rules|0-64,000. Work is in progress to relax this limitation.|
 |Public IP addresses|100 maximum (Currently, SNAT ports are added only for the first five public IP addresses.)|
+|IP Groups IP addresses|50 IP Groups or less: maximum 5000 individual IP addresses each per firewall instance.<br>51 - 100 IP Groups: 500 individual IP address each per firewall instance.<br><br>For more information see [IP Groups (preview) in Azure Firewall](../articles/firewall/ip-groups.md#ip-address-limits)
 |Route table|By default, AzureFirewallSubnet has a 0.0.0.0/0 route with the NextHopType value set to **Internet**.<br><br>Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override that with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network.<br><br>However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.|
 
 <sup>1</sup>If you need to increase these limits, contact Azure Support.
