Commit dcf1787

Update firewall-faq.yml
1 parent 83bdf53 commit dcf1787

1 file changed

+1
-1
lines changed

articles/firewall/firewall-faq.yml

Lines changed: 1 addition & 1 deletion
@@ -72,7 +72,7 @@ sections:
7272
7373
- question: What is the added value of Azure Firewall with virtual network service endpoints?
7474
answer: |
75-
Virtual Network service endpoints are an alternative to Private Link to control network access to Azure PaaS services. Even if the client still uses public IP addresses to access the PaaS service, the source subnet is made visible so that the destination PaaS service can implement filter rules and restrict access on a per-subnet basis. You can find a detailed comparison beetween both mechanisms in [Compare Private Endpoints and Service Endpoints](../virtual-network/vnet-integration-for-azure-services.md).
75+
Virtual Network service endpoints are an alternative to Private Link to control network access to Azure PaaS services. Even if the client still uses public IP addresses to access the PaaS service, the source subnet is made visible so that the destination PaaS service can implement filter rules and restrict access on a per-subnet basis. You can find a detailed comparison between both mechanisms in [Compare Private Endpoints and Service Endpoints](../virtual-network/vnet-integration-for-azure-services.md).
7676
7777
Azure Firewall application rules can be used to make sure that no data exfiltration to rogue services takes place, and to implement access policies with an increased granularity beyond the subnet level. Usually, virtual network service endpoints need to be enabled in the subnet of the client that will connect to an Azure service. However, when inspecting traffic to service endpoints with Azure Firewall, you need to enable the corresponding service endpoint in the Azure Firewall subnet instead and disable them on the subnet of the actual client (usually a spoke virtual network). This way you can use Application Rules in Azure Firewall to control to which Azure services your Azure workloads will have access to.
7878
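Review bot: The closing context sentence of this answer still reads "to control to which Azure services your Azure workloads will have access to", with a doubled "to", and could be fixed in the same commit as the "beetween" typo, for example "to control which Azure services your Azure workloads can access". The sentence before it mixes number ("enable the corresponding service endpoint ... and disable them on the subnet of the actual client"); "disable it" would agree. That paragraph also writes "application rules" in one sentence and "Application Rules" in the other, so pick one casing. Since this answer tells readers to move the service endpoint from the client subnet to the Azure Firewall subnet, the wording there is worth getting unambiguous.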
