Merge pull request #292581 from ZarrVenkat/main

Update firewall-limits.md

Author: prmerger-automator[bot]

includes/firewall-limits.md

@@ -20,7 +20,7 @@
 |Minimum AzureFirewallSubnet size |/26|
 |Port range in network and application rules|1 - 65535|
 |Public IP addresses|250 maximum. All public IP addresses can be used in DNAT rules and they all contribute to available SNAT ports.|
-|IP addresses in IP Groups|Maximum of 200 unique IP Groups per firewall policy.<br>Maximum 5000 individual IP addresses or IP prefixes per each IP Group.|
+|IP addresses in IP Groups|It is recommended to have a maximum of 50 unique IP Groups per classic firewall. <br>Maximum of 200 unique IP Groups per firewall policy.<br>Maximum 5000 individual IP addresses or IP prefixes per each IP Group.|
 |Route table|By default, AzureFirewallSubnet has a 0.0.0.0/0 route with the NextHopType value set to **Internet**.<br><br>Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override that with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network.<br><br>However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.|
 |FQDNs in network rules|For good performance, do not exceed more than 1000 FQDNs across all network rules per firewall.|
 |TLS inspection timeout|120 seconds|