Merge pull request #100593 from vhorne/fw-snat

Jak-MS · web-flow · commit 0c2e84a63348 · 2020-02-18T11:31:19.000-06:00
start SNAT article
diff --git a/articles/firewall/firewall-faq.md b/articles/firewall/firewall-faq.md
@@ -120,7 +120,7 @@ Yes. However, configuring the UDRs to redirect traffic between subnets in the sa
 
 ## Does Azure Firewall outbound SNAT between private networks?
 
-Azure Firewall doesn’t SNAT when the destination IP address is a private IP range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918). If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet.
+Azure Firewall doesn’t SNAT when the destination IP address is a private IP range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918). If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to **not** SNAT your public IP address range. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
 
 ## Is forced tunneling/chaining to a Network Virtual Appliance supported?
 
diff --git a/articles/firewall/overview.md b/articles/firewall/overview.md
@@ -6,7 +6,7 @@ ms.service: firewall
 services: firewall
 ms.topic: overview
 ms.custom: mvc
-ms.date: 01/28/2020
+ms.date: 02/18/2020
 ms.author: victorh
 Customer intent: As an administrator, I want to evaluate Azure Firewall so I can determine if I want to use it.
 ---
@@ -66,7 +66,9 @@ Threat intelligence-based filtering can be enabled for your firewall to alert an
 
 ## Outbound SNAT support
 
-All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn’t SNAT when the destination IP is a private IP range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918). If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet.
+All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn’t SNAT when the destination IP is a private IP range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918). 
+
+If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to **not** SNAT your public IP address range. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
 
 ## Inbound DNAT support
 
diff --git a/articles/firewall/snat-private-range.md b/articles/firewall/snat-private-range.md
@@ -0,0 +1,55 @@
+---
+title: Azure Firewall SNAT private IP address ranges
+description: You can configure IP address private ranges so the firewall won't SNAT traffic to those IP addresses. 
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: article
+ms.date: 01/09/2020
+ms.author: victorh
+---
+
+# Azure Firewall SNAT private IP address ranges
+
+Azure Firewall doesn’t SNAT when the destination IP address is in a private IP address range per [IANA RFC 1918](https://tools.ietf.org/html/rfc1918). 
+
+If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. However, you can configure Azure Firewall to **not** SNAT your public IP address range.
+
+## Configure SNAT private IP address ranges
+
+You can use Azure PowerShell to specify an IP address range that the firewall won't SNAT.
+
+### New firewall
+
+For a new firewall, the Azure PowerShell command is:
+
+`New-AzFirewall -Name $GatewayName -ResourceGroupName $RG -Location $Location -VirtualNetworkName $vnet.Name -PublicIpName $LBPip.Name -PrivateRange @("IANAPrivateRanges","IPRange1", "IPRange2")`
+
+> [!NOTE]
+> IANAPrivateRanges is expanded to the current defaults on Azure Firewall while the other ranges are added to it.
+
+For more information, see [New-AzFirewall](https://docs.microsoft.com/powershell/module/az.network/new-azfirewall?view=azps-3.3.0).
+
+### Existing firewall
+
+To configure an existing firewall, use the following Azure PowerShell commands:
+
+```azurepowershell
+$azfw = Get-AzFirewall -ResourceGroupName "Firewall Resource Group name"
+$azfw.PrivateRange = @(“IANAPrivateRanges”,“IPRange1”, “IPRange2”)
+Set-AzFirewall -AzureFirewall $azfw
+```
+
+### Templates
+
+You can add the following to the `additionalProperties` section:
+
+```
+"additionalProperties": {
+                    "Network.SNAT.PrivateRanges": "IANAPrivateRanges , IPRange1, IPRange2"
+                },
+```
+
+## Next steps
+
+- Learn how to [deploy and configure an Azure Firewall](tutorial-firewall-deploy-portal.md).
diff --git a/articles/firewall/toc.yml b/articles/firewall/toc.yml
@@ -61,6 +61,8 @@
       href: integrate-lb.md
     - name: Application rules with SQL FQDNs
       href: sql-fqdn-filtering.md
+    - name: SNAT private ranges
+      href: snat-private-range.md
     - name: Create IP Groups
       href: create-ip-group.md
 - name: Reference
