Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

EricBocl
New Contributor

Adding an internal load balancer to an existing FortiGate HA Architecture as Defined in Azure Marketplace

In 2016, we installed 2 FortiGates using the Azure FortiGate NGFW High Availability (HA) in the Marketplace.
We have one public load balancer.

We want to add an internal load balancer so we can control the outgoing traffic to the Internet.
We want to assign the 0 route to that load balancer for our subnets.

We noticed that FortiGate supports that internal load balancer. We used the template FortiGate NGFW High Availability (HA) in the Marketplace just to see what is new and how it works.

If we want to have an internal load balancer, knowing that we have 2 FortiGates in Production, what is the best way?

Questions:
• Why does the new ILB have 4 backends? 2 IPs from NIC0 and 2 from NIC1. Is it to have routes to be able to connect to the FortiGate GUI from the NIC0 interfaces or from the NIC1 interfaces?
• Why does the new ILB have 2 frontends? Same reason as the backends?
• Where should we route the 0 route? To the internal frontend?
• Why are there two routes to the internal frontend?
• With just the public load balancer now, we use load balancing rules (80, 443, 22) for the public load balancer. I see that with the new architecture with the public load balancer, only inbound NAT rules are used. Why? Is it to be able to see the source IP of the connections?
• How can we go to the new architecture with the internal load balancer?
  o We add an internal load balancer
  o We set the frontends and backends
  o We add a probe port
  o We add load balancing rules (80, 443, 22)
  o We assign subnets in the route tables

thanks

0 REPLIES 0
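The five steps listed at the end of the post, written out as an Azure CLI script; this is an added example, not code from the post or from Fortinet's Azure templates. The resource group, VNet, subnet and NIC names, the 10.0.2.10 frontend address and the 8008 probe port are assumptions (the probe port must match the probe-response port configured on the FortiGates), and the backend pool holds only the internal-facing NIC of each FortiGate. Setting AZ=echo prints the commands instead of running them.

```shell
# Added example: the post's five steps as Azure CLI calls. Every name, address
# and the probe port below is an assumption; AZ=echo dry-runs the script.
set -eu
AZ="${AZ:-az}"                        # set AZ=echo to print instead of execute
RG="${RG:-fortigate-rg}"              # assumed resource group
VNET="${VNET:-fortigate-vnet}"        # assumed VNet holding the FortiGates
ILB_SUBNET="${ILB_SUBNET:-internal}"  # assumed subnet of the internal NICs
ILB_NAME="fgt-ilb"; ILB_FE="ilb-frontend"; ILB_POOL="ilb-backend"
ILB_FE_IP="${ILB_FE_IP:-10.0.2.10}"   # assumed static frontend IP; it becomes the next hop
PROBE_PORT="${PROBE_PORT:-8008}"      # must match the probe-response port on the FortiGates
# Assumed internal-facing NIC names of the two FortiGates (ipconfig1 is Azure's default)
FGT_INTERNAL_NICS="${FGT_INTERNAL_NICS:-fgt-a-nic1 fgt-b-nic1}"
# Assumed subnets whose default route should pass through the FortiGates
PROTECTED_SUBNETS="${PROTECTED_SUBNETS:-app-subnet db-subnet}"

deploy_ilb() {
  # Steps 1 and 2: Standard-SKU internal LB with one frontend and one backend pool.
  "$AZ" network lb create --resource-group "$RG" --name "$ILB_NAME" --sku Standard \
    --vnet-name "$VNET" --subnet "$ILB_SUBNET" \
    --frontend-ip-name "$ILB_FE" --private-ip-address "$ILB_FE_IP" \
    --backend-pool-name "$ILB_POOL"
  # Step 2: only the internal-facing NIC of each FortiGate joins the pool.
  for nic in $FGT_INTERNAL_NICS; do
    "$AZ" network nic ip-config address-pool add --resource-group "$RG" \
      --nic-name "$nic" --ip-config-name ipconfig1 \
      --lb-name "$ILB_NAME" --address-pool "$ILB_POOL"
  done
  # Step 3: TCP probe so traffic only reaches a FortiGate that answers on the probe port.
  "$AZ" network lb probe create --resource-group "$RG" --lb-name "$ILB_NAME" \
    --name fgt-probe --protocol tcp --port "$PROBE_PORT"
  # Step 4: one HA-ports rule (protocol All, port 0) forwards every port, not just
  # 80/443/22, so all egress from the protected subnets is inspected.
  "$AZ" network lb rule create --resource-group "$RG" --lb-name "$ILB_NAME" \
    --name fgt-ha-ports --protocol All --frontend-port 0 --backend-port 0 \
    --frontend-ip-name "$ILB_FE" --backend-pool-name "$ILB_POOL" \
    --probe-name fgt-probe
  # Step 5: default route (0.0.0.0/0) to the ILB frontend, attached to each subnet.
  "$AZ" network route-table create --resource-group "$RG" --name fgt-egress-rt
  "$AZ" network route-table route create --resource-group "$RG" \
    --route-table-name fgt-egress-rt --name default-via-fgt \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$ILB_FE_IP"
  for subnet in $PROTECTED_SUBNETS; do
    "$AZ" network vnet subnet update --resource-group "$RG" \
      --vnet-name "$VNET" --name "$subnet" --route-table fgt-egress-rt
  done
}
```

HA ports require a Standard SKU internal load balancer, which is why the script creates one explicitly.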