Merge pull request #100104 from asudbring/lboverviewedit

NSG clarification in comparison table

Author: PRMerger9

articles/load-balancer/load-balancer-overview.md

@@ -68,7 +68,7 @@ Load Balancer supports both Basic and Standard SKUs. These SKUs differ in scenar
 The complete scenario configuration might differ slightly depending on SKU. Load Balancer documentation calls out when an article applies only to a specific SKU. To compare and understand the differences, see the following table. For more information, see [Azure Standard Load Balancer overview](load-balancer-standard-overview.md).
 
 >[!NOTE]
-> Microsoft reccomends Standard Load Balancer.
+> Microsoft recommends Standard Load Balancer.
 Standalone VMs, availability sets, and virtual machine scale sets can be connected to only one SKU, never both. Load Balancer and the public IP address SKU must match when you use them with public IP addresses. Load Balancer and public IP SKUs aren't mutable.
 
 [!INCLUDE [comparison table](../../includes/load-balancer-comparison-table.md)]

includes/load-balancer-comparison-table.md

@@ -19,7 +19,7 @@
 | Availability Zones | Zone-redundant and zonal front ends for inbound and outbound traffic. Outbound flows mappings survive zone failure. Cross-zone load balancing. | Not available |
 | Diagnostics | Azure Monitor. Multi-dimensional metrics including byte and packet counters. Health probe status. Connection attempts (TCP SYN). Outbound connection health (SNAT successful and failed flows). Active data plane measurements. | Azure Log Analytics for public Load Balancer only. SNAT exhaustion alert. Back-end pool health count. |
 | HA Ports | Internal Load Balancer | Not available |
-| Secure by default | Public IP, public Load Balancer endpoints, and internal Load Balancer endpoints are closed to inbound flows unless allowed by a network security group. | Open by default. Network security group optional. |
+| Secure by default | Public IP, public Load Balancer endpoints, and internal Load Balancer endpoints are closed to inbound flows unless allowed by a network security group. Please note that internal traffic from the VNET to the internal load balancer is still allowed. | Open by default. Network security group optional. |
 | [Outbound connections](../articles/load-balancer/load-balancer-outbound-connections.md) | You can explicitly define pool-based outbound NAT with [outbound rules](../articles/load-balancer/load-balancer-outbound-rules-overview.md). You can use multiple front ends with per load-balancing rule opt-out. An outbound scenario _must_ be explicitly created for the virtual machine, availability set, or virtual machine scale set to use outbound connectivity. Virtual network service endpoints can be reached without defining outbound connectivity and don't count towards data processed. Any public IP addresses, including Azure PaaS services not available as virtual network service endpoints, must be reached by using outbound connectivity and count towards data processed. When only an internal Load Balancer serves virtual machine, availability set, or virtual machine scale set, outbound connections over default SNAT aren't available. Use [outbound rules](../articles/load-balancer/load-balancer-outbound-rules-overview.md) instead. Outbound SNAT programming depends on the transport protocol  of the inbound load-balancing rule. | Single front end, selected at random when multiple front ends are present. When only internal Load Balancer serves a virtual machine, availability set, or virtual machine scale set, default SNAT is used. |
 | [Outbound Rules](../articles/load-balancer/load-balancer-outbound-rules-overview.md) | Declarative outbound NAT configuration, using public IP addresses or public IP prefixes or both. Configurable outbound idle timeout (4-120 minutes). Custom SNAT port allocation | Not available |
 | [TCP Reset on Idle](../articles/load-balancer/load-balancer-tcp-reset.md) | Enable TCP Reset (TCP RST) on Idle Timeout on any rule | Not available |