diff --git a/docs/ha-mode.md b/docs/ha-mode.md
index 851f50693d1264c955b249b63d650377b6c392a8..792c18a19fb6f1a4d1b1855c96c3815046ae66ea 100644
--- a/docs/ha-mode.md
+++ b/docs/ha-mode.md
@@ -49,9 +49,11 @@ type. The following diagram shows how traffic to the apiserver is directed.
 
 ![Image](figures/loadbalancer_localhost.png?raw=true)
 
-..note:: Kubernetes master nodes still use insecure localhost access because
+  Note: Kubernetes master nodes still use insecure localhost access because
   there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
-  services.
+  services. This makes backends receiving unencrypted traffic and may be a
+  security issue when interconnecting different nodes, or maybe not, if those
+  belong to the isolated management network without external access.
 
 A user may opt to use an external loadbalancer (LB) instead. An external LB
 provides access for external clients, while the internal LB accepts client
@@ -81,24 +83,19 @@ loadbalancer_apiserver:
 This domain name, or default "lb-apiserver.kubernetes.local", will be inserted
 into the `/etc/hosts` file of all servers in the `k8s-cluster` group. Note that
 the HAProxy service should as well be HA and requires a VIP management, which
-is out of scope of this doc.
+is out of scope of this doc. Specifying an external LB overrides any internal
+localhost LB configuration.
 
-Specifying an external LB overrides any internal localhost LB configuration.
-Note that for this example, the `kubernetes-apiserver-http` endpoint
-has backends receiving unencrypted traffic, which may be a security issue
-when interconnecting different nodes, or maybe not, if those belong to the
-isolated management network without external access.
-
-In order to achieve HA for HAProxy instances, those must be running on the
-each node in the `k8s-cluster` group as well, but require no VIP, thus
-no VIP management.
+  Note: In order to achieve HA for HAProxy instances, those must be running on
+  the each node in the `k8s-cluster` group as well, but require no VIP, thus
+  no VIP management.
 
 Access endpoints are evaluated automagically, as the following:
 
 | Endpoint type                | kube-master   | non-master          |
 |------------------------------|---------------|---------------------|
-| Local LB                     | http://lc:p   | http://lc:sp        |
-| External LB, no internal     | http://lc:p   | https://lb:lp       |
+| Local LB                     | http://lc:p   | https://lc:sp       |
+| External LB, no internal     | https://lb:lp | https://lb:lp       |
 | No ext/int LB (default)      | http://lc:p   | https://m[0].aip:sp |
 
 Where: