Merge pull request #106032 from vhorne/fw-lb

Fw lb

Author: Jak-MS

articles/firewall/integrate-lb.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: article
-ms.date: 11/19/2019
+ms.date: 02/28/2020
 ms.author: victorh
 ---
 
@@ -23,7 +23,7 @@ With a public load balancer, the load balancer is deployed with a public fronten
 
 ### Asymmetric routing
 
-Asymmetric routing is where a packet takes one path to the destination and takes another path when returning to the source. This issue occurs when a subnet has a default route going to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Since the firewall is stateful, it drops the returning packet because the firewall is not aware of such an established session.
+Asymmetric routing is where a packet takes one path to the destination and takes another path when returning to the source. This issue occurs when a subnet has a default route going to the firewall's private IP address and you're using a public load balancer. In this case, the incoming load balancer traffic is received via its public IP address, but the return path goes through the firewall's private IP address. Since the firewall is stateful, it drops the returning packet because the firewall isn't aware of such an established session.
 
 ### Fix the routing issue
 
@@ -34,9 +34,23 @@ To avoid this problem, create an additional host route for the firewall's public
 
 ![Asymmetric routing](media/integrate-lb/Firewall-LB-asymmetric.png)
 
-For example, the following routes are for a firewall at public IP address 13.86.122.41, and private IP address 10.3.1.4.
+### Route table example
 
-![Route table](media/integrate-lb/route-table.png)
+For example, the following routes are for a firewall at public IP address 20.185.97.136, and private IP address 10.0.1.4.
+
+> [!div class="mx-imgBorder"]
+> ![Route table](media/integrate-lb/route-table.png)
+
+### NAT rule example
+
+In the following example, a NAT rule translates RDP traffic to the firewall at 20.185.97.136 over to the load balancer at 20.42.98.220:
+
+> [!div class="mx-imgBorder"]
+> ![NAT rule](media/integrate-lb/nat-rule02.png)
+
+### Health probes
+
+Remember, you need to have a web service running on the hosts in the load balancer pool if you use TCP health probes to port 80, or HTTP/HTTPS probes.
 
 ## Internal load balancer
 
@@ -52,6 +66,8 @@ To further enhance the security of your load-balanced scenario, you can use netw
 
 For example, you can create an NSG on the backend subnet where the load-balanced virtual machines are located. Allow incoming traffic originating from the firewall IP address/port.
 
+![Network security group](media/integrate-lb/nsg-01.png)
+
 For more information about NSGs, see [Security groups](../virtual-network/security-overview.md).
 
 ## Next steps