Merge pull request #302092 from sujamiya/feature/fwconfigurednat.md

Stacyrch140 · web-flow · commit 072bc75cb385 · 2025-07-02T19:17:16.000-04:00
Feature/fwconfigurednat.md
diff --git a/articles/firewall/destination-nat-rules.md b/articles/firewall/destination-nat-rules.md
@@ -0,0 +1,97 @@
+---
+title: How to set up and monitor Azure Firewall DNAT rules for secure traffic management
+description: Learn how to configure and monitor Azure Firewall DNAT rules to securely manage incoming traffic by translating destination IP addresses and ports, including support for FQDN filtering for dynamic backend configurations.
+services: firewall
+author: sujamiya
+ms.service: azure-firewall
+ms.topic: concept-article
+ms.date: 4/29/2025
+ms.author: sujamiya
+ms.custom: ai-usage
+---
+
+# How to set up and monitor Azure Firewall DNAT rules for secure traffic management
+
+Azure Firewall DNAT (Destination Network Address Translation) rules are used to filter and rout inbound traffic. They allow you to translate the public-facing destination IP address and port of incoming traffic to a private IP address and port within your network. This is useful when you want to expose a service running on a private IP (such as a web server or SSH endpoint) to the internet or another network. 
+
+A DNAT rule specifies:
+- **Source**: The source IP address or IP group from which the traffic originates.
+- **Destination**: The destination IP address of the Azure Firewall instance.
+- **Protocol**: The protocol used for the traffic (TCP or UDP).
+- **Destination port**: The port on the Azure Firewall instance that receives the traffic.
+- **Translated address**: The private IP address or FQDN to which the traffic should be routed.
+- **Translated port**: The port on the translated address to which the traffic should be directed.
+
+When a packet matches the DNAT rule, Azure Firewall modifies the packet's destination IP address and port according to the rule before forwarding it to the specified backend server.
+
+Azure Firewall supports *FQDN filtering* in DNAT rules, allowing you to specify a fully qualified domain name (FQDN) as the target for translation instead of a static IP address. This enables dynamic backend configurations and simplifies management in scenarios where the backend server's IP address can change frequently.
+
+## Prerequisites
+
+- An Azure subscription. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+- An Azure Firewall instance.
+- An Azure Firewall policy.
+
+## Create a DNAT rule
+
+1. In the Azure portal, navigate to your Azure Firewall instance.
+
+1. In the left pane, select **Rules**.
+
+1. Select **DNAT rules**.
+
+1. Select **+ Add DNAT rule collection**.
+
+1. In the **Add a rule collection** pane, provide the following information:
+
+   - **Name**: Enter a name for the DNAT rule collection.
+   - **Priority**: Specify a priority for the rule collection. Lower numbers indicate higher priority. The range is 100-65000.
+   - **Action**: Destination Network Address Translation (DNAT) (default).
+   - **Rule collection group**: This is the name of the rule collection group that contains the DNAT rule collection. You can select a default group or one you created earlier.
+   - **Rules**:
+       - **Name**: Enter a name for the DNAT rule.
+       - **Source type**: Select **IP Address** or [**IP Group**](create-ip-group.md).
+       - **Source**: Enter the source IP address or select an IP group.
+       - **Protocol**: Select the protocol (TCP or UDP).
+       - **Destination Ports**: Enter the destination port or port range (For example: single port 80, port range 80-100, or multiple ports 80,443).
+       - **Destination (Firewall IP address)**: Enter the destination IP address of the Azure Firewall instance.
+       - **Translated type**: Select **IP Address** or **FQDN**.
+       - **Translated address or FQDN**: Enter the translated IP address or FQDN.
+       - **Translated port**: Enter the translated port.
+
+1. Repeat step 5 for extra rules as needed.
+
+1. Select **Add** to create the DNAT rule collection.
+
+## Monitor and validate DNAT rules
+
+Once you've created DNAT rules, you can monitor and troubleshoot them using the **AZFWNatRule** log. This log provides detailed insights into the DNAT rules applied to incoming traffic, including:
+
+- **Timestamp**: The exact time the traffic flow occurred.
+- **Protocol**: The protocol used for communication (For example, TCP or UDP).
+- **Source IP and port**: Information about the originating traffic source.
+- **Destination IP and port**: The original destination details before translation.
+- **Translated IP and port**: The resolved IP address (if using FQDN) and the target port after translation.
+
+It's important to note the following when you're analyzing the **AZFWNatRule** log:
+
+- **Translated field**: For DNAT rules using FQDN filtering, the logs display the resolved IP address in the translated field instead of the FQDN.
+- **Private DNS zones**: Supported only within virtual networks (VNets). This feature isn't available for virtual WAN SKUs.
+- **Multiple IPs in DNS resolution**: If an FQDN resolves to multiple IP addresses in a private DNS zone or custom DNS servers, Azure Firewall's DNS proxy selects the first IP address from the list. This behavior is by design.
+- **FQDN resolution failures**:
+    - If Azure Firewall can't resolve an FQDN, the DNAT rule doesn't match, so the traffic isn't processed.
+    - These failures are logged in **AZFWInternalFQDNResolutionFailure** logs only if DNS proxy is enabled.
+    - Without DNS proxy enabled, resolution failures aren't logged.
+
+### Key considerations
+
+The following considerations are important when using DNAT rules with FQDN filtering:
+
+- **Private DNS zones**: Only supported within the virtual network and not with Azure Virtual WAN.
+- **Multiple IPs in DNS resolution**: Azure Firewall's DNS proxy always selects the first IP address from the resolved list (Private DNS zone or custom DNS server). This is an expected behavior.
+
+Analyzing these logs can help diagnose connectivity issues and ensure traffic is routed correctly to the intended backend.
+
+## Next steps
+
+- Learn how to monitor Azure Firewall logs and metrics using [Azure Monitor](monitor-firewall.md).
diff --git a/articles/firewall/domain-filtering-overview.md b/articles/firewall/domain-filtering-overview.md
@@ -0,0 +1,72 @@
+---
+title: Azure Firewall FQDN filtering
+description: Learn about Azure Firewall FQDN filtering and how it works with DNAT rules, network rules, and application rules.
+services: firewall
+author: sujamiya
+ms.service: azure-firewall
+ms.topic: concept-article
+ms.date: 7/01/2025
+ms.author: sujamiya
+ms.custom: ai-usage
+---
+
+# Azure Firewall FQDN filtering
+
+A fully qualified domain name (FQDN) is the complete domain name of a host on the internet, such as www.microsoft.com. In Azure Firewall and Firewall policy, FQDNs can be used to filter traffic in DNAT, network, and application rules, depending on the type and direction of traffic being inspected. 
+
+
+## How it works
+
+Azure Firewall handles FQDN-based filtering depending on the rule type: 
+
+- **Application rules** use FQDNs to filter HTTP/S and MSSQL traffic. They rely on an application-level transparent proxy and the Server Name Indication (SNI) header to differentiate between FQDNs that resolve to the same IP address. In other words, FQDNs are matched and filtered against the original domain requested by the client, not based on the resolved IP address. 
+- **Network and DNAT rules** filter traffic based on the resolved IP addresses of the FQDNs, using Azure DNS or a custom DNS server. Azure Firewall dynamically maintains and updates the list of associated IP addresses for the FQDNs, ensuring that traffic is routed correctly even if the underlying IP addresses change.
+
+When DNS resolution is used, Azure Firewall:
+
+- Resolves the FQDN to its corresponding IP address.
+- Uses the resolved IP address to apply the appropriate rule type (DNAT or network)
+- Refreshes FQDN-to-IP mappings every 15 seconds.
+- Removes IP addresses that are no longer resolved or utilized after 15 minutes.  
+
+## Differences between FQDN filtering in DNAT rules, and network rules, and application rules
+
+### DNAT rules
+
+DNAT (Destination Network Address Translation) rules are used to route inbound traffic to backend servers. These rules allow you to specify an IP address or FQDN as the target for translation. Using FQDNs in DNAT rules enables you to specify a fully qualified domain name for the backend server, which is particularly useful in dynamic environments where the backend server's IP address may change frequently.
+
+**Key characteristics:**
+
+- Enable inbound traffic routing to backend servers.
+- Support FQDN-based targeting for dynamic environments.
+- Useful for scenarios requiring flexible backend server configurations.
+
+
+### Network rules
+
+Network rules are used for filtering traffic based on any TCP or UDP protocol, such as Network Time Protocol (NTP), Secure Shell (SSH), and Remote Desktop Protocol (RDP). Unlike application rules, network rules don't depend on an application-level proxy or the SNI header.
+
+> [!NOTE]  
+> Network rules with FQDN filtering don't support the use of wildcard characters. This limitation is intentional by design.
+
+**Key characteristics:**
+
+- Applicable to all TCP and UDP protocols.
+- Ideal for non-HTTP/S or MSSQL traffic.
+- Operate at the network layer without protocol-specific inspection.
+
+### Application rules
+
+Application rules are designed for filtering HTTP/S and MSSQL traffic. They rely on an application-level transparent proxy and the Server Name Indication (SNI) header to differentiate between FQDNs that resolve to the same IP address. These rules are ideal for scenarios where you need to control access to web services or databases.
+
+**Key characteristics:**
+
+- Best suited for HTTP/S and MSSQL protocols.
+- Use FQDN tags for Azure services like Azure Backup and HDInsight.
+- Provide finer granularity for supported protocols.
+
+By understanding the differences between these rule types, you can effectively configure Azure Firewall to meet your organization's security and traffic management needs.
+
+## Next steps
+
+- Learn how Azure Firewall policy rule sets are structured [Azure Firewall Policy rule sets](policy-rule-sets.md).
diff --git a/articles/firewall/toc.yml b/articles/firewall/toc.yml
@@ -24,6 +24,8 @@ items:
       href: policy-rule-sets.md
     - name: Policy Analytics
       href: policy-analytics.md
+  - name: FQDN filtering
+    href: domain-filtering-overview.md
   - name: Infrastructure FQDNs
     href: infrastructure-fqdns.md
   - name: IDPS signature rule categories
@@ -151,6 +153,8 @@ items:
   items:
   - name: Add or modify rules using PowerShell
     href: deploy-rules-powershell.md
+  - name: DNAT rule for filtering inbound traffic
+    href: destination-nat-rules.md
   - name: DNS proxy
     items:
     - name: Overview
