diff --git a/modules/hub-spoke-aks/hub-spoke-aks.bicep b/modules/hub-spoke-aks/hub-spoke-aks.bicep index 71bd071..04067a7 100644 --- a/modules/hub-spoke-aks/hub-spoke-aks.bicep +++ b/modules/hub-spoke-aks/hub-spoke-aks.bicep @@ -1,3 +1,4 @@ +//az deployment group create --resource-group --template-file default-aks.bicep --parameters @default-aks.parameters.json //https://learn.microsoft.com/en-us/azure/azure-resource-manager/bicep/bicep-extensibility-kubernetes-provider //PRIVATE clusters are not supported as of now: https://github.com/Azure/bicep-extensibility/issues/130 @@ -53,5 +54,6 @@ module kubernetes '../aks-vote-app/aks-vote-app.bicep' = { name: 'buildbicep-deploy' params: { kubeConfig: aksDeploy.outputs.kubeconfig + privateLoadBalancer: true //this is needed in order to test DNAT rule from the firewall to the internal load balancer } } diff --git a/scenarios/firewall-01.md b/scenarios/firewall-01.md index 061644d..829baab 100644 --- a/scenarios/firewall-01.md +++ b/scenarios/firewall-01.md 
@@ -21,12 +21,13 @@ _Download the [draw.io file](../images/firewall-01.drawio) of this schema._ # Step 1 - get the Azure Firewall public IP Address Go to Azure portal > Firewalls > `lab-firewall` > Firewall public IP > `lab-firewall-ip` > IP Address > IP (**x.x.x.x**) -# Step 2 - get the the IP of the front-end pod -Go to Azure Portal > `aks-01` > Workloads > `azure-vote-front` > pods > `azure-vote-front-##########-#####` > Pod IP (**y.y.y.y**) +# Step 2 - get the the IP of the front-end internal load balancer +Go to Azure Portal > `aks-01` > Services and ingresses > `azure-vote-front` > Services > `azure-vote-front` > External IP (**10.13.1.y**) +_Please note that the IP is a private IP, even if the label states 'External IP'. External in this context refers to the IP given to the Azure load balancer instance, while Internal refers to the Kubernetes assigned IP only reachable from inside the cluster._ # Step 3 - configure Azure Firewall DNAT policy -Go to Azure Portal > `hub-firewall-policy` > DNAT Rules > Add Rule Collection +Go to Azure Portal > `my-firewall-policy` > DNAT Rules > Add Rule Collection * Name: `my-dnat-rule-collection` * Collection Type: `DNAT` * priority: `1000` @@ -38,7 +39,7 @@ Go to Azure Portal > `hub-firewall-policy` > DNAT Rules > Add Rule Collection * Destination Type: `IP` * Destination IP: **x.x.x.x** (public IP) * Translated type: `IP` -* Translated IP: **y.y.y.y** (pod IP) +* Translated IP: **y.y.y.y** (load balancer IP) * Translated port: `80` * click **Add**
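Review bot: the new usage comment at the top of `hub-spoke-aks.bicep` names `default-aks.bicep` and `default-aks.parameters.json`, which do not match the file it sits in, and `--resource-group` is left without a value; a reader copying it will deploy the wrong template or get an argument error. Suggest pointing it at this template with an obvious placeholder for the group, e.g. `//az deployment group create --resource-group <resource-group-name> --template-file hub-spoke-aks.bicep --parameters @hub-spoke-aks.parameters.json`, and keep the note that private clusters are unsupported right under it since that is a real constraint on this deployment.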
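Review bot: `privateLoadBalancer: true` is hard-coded into the `kubernetes` module call, and the diff does not show `../aks-vote-app/aks-vote-app.bicep` declaring a `privateLoadBalancer` parameter, so please confirm it exists there (with a sensible default) or the deployment fails at validation. Since the comment says this exists to test the firewall DNAT path to the internal load balancer, consider surfacing it as a parameter of `hub-spoke-aks.bicep` (default `true`) rather than a literal, so the scenario can be switched without editing the module, and spell out in the comment that the internal load balancer is what keeps the vote app off a public IP with the firewall as the only entry point.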
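Review bot: the rewritten Step 2 heading still carries the duplicated word in "get the the IP of the front-end internal load balancer"; drop the extra "the" while touching the line. The added note explaining that the 'External IP' shown in the portal is a private address is helpful; it would read more cleanly as "Note: the IP is a private IP even though the label says 'External IP'. ..." and it should state the address form consistently with the rest of the document, since this step introduces `10.13.1.y` while the DNAT step later uses a different placeholder.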
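Review bot: the Translated IP placeholder in the DNAT rule is changed only in its label, from "(pod IP)" to "(load balancer IP)", but the value stays `y.y.y.y`, while the updated Step 2 tells the reader to collect `10.13.1.y`; use the same placeholder in both places (e.g. `**10.13.1.y** (load balancer IP)`) so the mapping from the portal value to the rule field is unambiguous. The `@@` context for this hunk also still shows the old `hub-firewall-policy` name from the previous heading, which is fine for the diff but worth a check that no other references to `hub-firewall-policy` remain in the scenario after the rename to `my-firewall-policy`.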