Standard Load Balancer should support using an "internal" IP address for probing the ports.
The Standard Load Balancer and HA ports are recommended for load balancing firewall appliances. However, the Load Balancer probe uses a common IP address for internal and external load balancers. This means that only the internal or external ports can be load balanced, which means that a messy Zookeeper alternative must be built to monitor the firewall availability.
Typically this is addressed by SNAT’ing the probe source on the interface within the VM. This is how virtual appliances (firewalls, etc.) typically address this scenario. Changing the probe source is non-trivial and not likely in the near term.
James Bland commented
Also came across this problem. It would be good, for instance, if the Internal Load Balancer's probes came from its Internal IP address, not 18.104.22.168
Jeremy Wilton commented
Agreed, the load balancers use the same public IP to probe (22.214.171.124) as it does for various Azure services. The problem this presents is that when using a firewall appliance with load balancers for HA you have to implement some workaround to make sure the probe response doesn't go out your default route and instead out the way it came in.
For Palo Alto it required us to use multiple virtual routers (since policy-based forwarding doesn't work on the firewall's IPs) when really this can be avoided by allowing the user to configure a private IP for the probes.
I've also posted this and tagged a PM in a Yammer group...