Merge pull request #230726 from MicrosoftDocs/release-ga-azure-firewall-basic

Release ga azure firewall basic--scheduled release at 10AM of 3/15

Author: huypub

articles/firewall/basic-features.md

@@ -0,0 +1,98 @@
+---
+title: Azure Firewall Basic features
+description: Learn about Azure Firewall Basic features
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: conceptual
+ms.date: 03/15/2023
+ms.author: victorh
+---
+
+# Azure Firewall Basic features
+
+[Azure Firewall](overview.md) Basic is a managed, cloud-based network security service that protects your Azure Virtual Network resources. 
+
+:::image type="content" source="media/overview/firewall-basic-diagram.png" alt-text="Diagram showing Firewall Basic.":::
+
+Azure Firewall Basic includes the following features: 
+- Built-in high availability
+- Availability Zones
+- Application FQDN filtering rules
+- Network traffic filtering rules
+- FQDN tags
+- Service tags
+- Threat intelligence in alert mode
+- Outbound SNAT support
+- Inbound DNAT support
+- Multiple public IP addresses
+- Azure Monitor logging
+- Certifications
+ 
+## Built-in high availability
+
+High availability is built in, so no extra load balancers are required and there's nothing you need to configure.
+
+## Availability Zones
+
+Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability. You can also associate Azure Firewall to a specific zone for proximity reasons.  For more information on availability, see the Azure Firewall [Service Level Agreement (SLA)](https://www.microsoft.com/licensing/docs/view/Service-Level-Agreements-SLA-for-Online-Services?lang=1).
+
+There's no extra cost for a firewall deployed in more than one Availability Zone. However, there are added costs for inbound and outbound data transfers associated with Availability Zones. For more information, see [Bandwidth pricing details](https://azure.microsoft.com/pricing/details/bandwidth/).
+
+Azure Firewall Availability Zones are available in regions that support Availability Zones. For more information, see [Regions that support Availability Zones in Azure](../reliability/availability-zones-service-support.md).
+
+## Application FQDN filtering rules
+
+You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN) including wild cards. This feature doesn't require TLS termination.
+
+## Network traffic filtering rules
+
+You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
+
+Azure Firewall supports stateful filtering of Layer 3 and Layer 4 network protocols. Layer 3 IP protocols can be filtered by selecting Any protocol in the Network rule and select the wild-card * for the port.
+
+## FQDN tags
+
+[FQDN tags](fqdn-tags.md) make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
+
+## Service tags
+
+A [service tag](service-tags.md) represents a group of IP address prefixes to help minimize complexity for security rule creation. You can't create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.
+
+## Threat intelligence 
+
+[Threat intelligence-based filtering](threat-intel.md) can be enabled for your firewall to alert traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
+
+## Outbound SNAT support
+
+All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is a private IP range per [IANA RFC 1918](https://www.rfc-editor.org/rfc/rfc1918).
+
+If your organization uses a public IP address range for private networks, Azure Firewall will SNAT the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall to not SNAT your public IP address range. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
+
+You can monitor SNAT port utilization in Azure Firewall metrics. Learn more and see our recommendation on SNAT port utilization in our [firewall logs and metrics documentation](logs-and-metrics.md#metrics).
+
+## Inbound DNAT support
+
+Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
+
+## Multiple public IP addresses
+
+You can associate [multiple public IP addresses](deploy-multi-public-ip-powershell.md) with your firewall. 
+
+This enables the following scenarios:
+
+- DNAT - You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
+- SNAT - More ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a [public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md) to simplify this configuration.
+
+## Azure Monitor logging
+
+All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your event hub, or send them to Azure Monitor logs. For Azure Monitor log samples, see [Azure Monitor logs for Azure Firewall](firewall-workbook.md).
+
+For more information, see [Tutorial: Monitor Azure Firewall logs and metrics](firewall-diagnostics.md).
+
+Azure Firewall Workbook provides a flexible canvas for Azure Firewall data analysis. You can use it to create rich visual reports within the Azure portal. For more information, see [Monitor logs using Azure Firewall Workbook](firewall-workbook.md).
+
+## Certifications
+
+Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), and International Organization for Standardization (ISO) compliant. For more information, see [Azure Firewall compliance certifications](compliance-certifications.md).
+

articles/firewall/choose-firewall-sku.md

@@ -0,0 +1,21 @@
+---
+title: Choosing the right Azure Firewall SKU to meet your needs
+description: Learn about the different Azure Firewall SKUs and how to choose the right one for your needs.
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: conceptual
+ms.date: 03/15/2023
+ms.author: victorh
+---
+
+# Choosing the right Azure Firewall SKU to meet your needs
+
+Azure Firewall now supports three different SKUs to cater to a wide range of customer use cases and preferences.
+
+- Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). It supports advanced threat protection capabilities like malware and TLS inspection.
+- Azure Firewall Standard is recommended for customers looking for Layer 3–Layer 7 firewall and needs auto-scaling to handle peak traffic periods of up to 30 Gbps. It supports enterprise features like threat intelligence, DNS proxy, custom DNS, and web categories.
+- Azure Firewall Basic is recommended for SMB customers with throughput needs of 250 Mbps.
+- Let’s take a closer look at the features across the three Azure Firewall SKUs.
+
+:::image type="content" source="media/choose-firewall-sku/azure-firewall-sku-table.png" alt-text="Table of Azure Firewall Sku features." lightbox="media/choose-firewall-sku/azure-firewall-sku-table-large.png":::

articles/firewall/deploy-firewall-basic-portal-policy.md

@@ -1,6 +1,6 @@
 ---
-title: 'Deploy & configure Azure Firewall Basic (preview) and policy using the Azure portal'
-description: In this how-to, you learn how to deploy and configure Azure Firewall Basic (preview) and policy rules using the Azure portal. 
+title: 'Deploy & configure Azure Firewall Basic and policy using the Azure portal'
+description: In this how-to, you learn how to deploy and configure Azure Firewall Basic and policy rules using the Azure portal. 
 services: firewall
 author: vhorne
 ms.service: firewall
@@ -11,11 +11,7 @@ ms.custom: mvc
 #Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
 ---
 
-# Deploy and configure Azure Firewall Basic (preview) and policy using the Azure portal
-
-> [!IMPORTANT]
-> Azure Firewall Basic is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+# Deploy and configure Azure Firewall Basic and policy using the Azure portal
 
 Azure Firewall Basic provides the essential protection SMB customers need at an affordable price point. This solution is recommended for SMB customer environments with less than 250 Mbps throughput requirements. It is recommended to deploy the [Standard SKU](tutorial-firewall-deploy-portal-policy.md) for environments with more than 250 Mbps throughput requirements and the [Premium SKU](premium-portal.md) for advanced threat protection. 
 
@@ -35,6 +31,9 @@ For this how-to, you create a simplified single VNet with three subnets for easy
 * **AzureFirewallManagementSubnet** - for service management traffic.
 * **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
 
+> [!NOTE]
+> As the Azure Firewall Basic has limited traffic compared to the Azure Firewall Standard or Premium SKU, it requires the **AzureFirewallManagementSubnet** to separate customer traffic from Microsoft management traffic to ensure no disruptions on it. This management traffic is needed for updates and health metrics communication that occurs automatically to and from Microsoft only. No other connections are allowed on this IP.
+
 For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
 
 In this how-to, you learn how to:
@@ -54,17 +53,6 @@ If you prefer, you can complete this procedure using [Azure PowerShell](deploy-p
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
-### Enable Firewall Basic
-
-For the preview, you must enable the Firewall Basic feature on your subscription.
-
-```azurepowershell
-Connect-AzAccount
-Select-AzSubscription -Subscription "subscription_id or subscription_name"
-Register-AzProviderFeature -FeatureName AzureFirewallBasic -ProviderNamespace Microsoft.Network
-Register-AzResourceProvider -ProviderNamespace Microsoft.Network
-```
-
 ## Create a resource group
 
 The resource group contains all the resources for the how-to.
@@ -92,7 +80,7 @@ Deploy the firewall and create associated network infrastructure.
    |Resource group     |**Test-FW-RG** |
    |Name     |**Test-FW01**|
    |Region     |Select the same location that you used previously|
-   |Firewall Tier|**Basic (Preview)**|
+   |Firewall Tier|**Basic**|
    |Firewall management|**Use a Firewall Policy to manage this firewall**|
    |Firewall policy|**Add new**:<br>**fw-test-pol**<br>Your selected region<br>Policy tier should default to **Basic** 
    |Choose a virtual network     |**Create new**<br> Name: **Test-FW-VN**<br>Address space: **10.0.0.0/16**<br>Subnet address space: **10.0.0.0/26**|

articles/firewall/media/choose-firewall-sku/azure-firewall-sku-table-large.png

@@ -37,66 +37,18 @@ To learn about Firewall Standard features, see [Azure Firewall Standard features
 
 To learn about Firewall Premium features, see [Azure Firewall Premium features](premium-features.md).
 
-## Azure Firewall Basic (preview)
-
-> [!IMPORTANT]
-> Azure Firewall Basic is currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+## Azure Firewall Basic
 
 Azure Firewall Basic is intended for small and medium size (SMB) customers to secure their Azure cloud 
 environments. It provides the essential protection SMB customers need at an affordable price point.
 
 :::image type="content" source="media/overview/firewall-basic-diagram.png" alt-text="Diagram showing Firewall Basic.":::
 
-Azure Firewall Basic is similar to Firewall Standard, but has the following limitations:
+Azure Firewall Basic is similar to Firewall Standard, but has the following main limitations:
 
 - Supports Threat Intel *alert mode* only.
 - Fixed scale unit to run the service on two virtual machine backend instances.
-- Recommended for environments with maximum throughput of 250 Mbps. The throughput may increase for feature general availability (GA).
-
-### Supported regions
-
-Azure Firewall Basic is available in the following regions during the preview:
-
-- East US
-- East US 2
-- West US
-- West US 2
-- West US 3
-- Central US
-- North Central US
-- South Central US
-- West Central US
-- East US 2 EUAP
-- Central US EUAP
-- North Europe
-- West Europe
-- East Asia
-- Southeast Asia
-- Japan East
-- Japan West
-- Australia East
-- Australia Southeast
-- Australia Central
-- Brazil South
-- South India
-- Central India
-- West India
-- Canada Central
-- Canada East
-- UK South
-- UK West
-- Korea Central
-- Korea South
-- France Central
-- South Africa North
-- UAE North
-- Switzerland North
-- Germany West Central
-- Norway East
-- Jio India West
-- Sweden Central
-- Qatar Central
+- Recommended for environments with an estimated throughput of 250 Mbps.
 
 To deploy a Basic Firewall, see [Deploy and configure Azure Firewall Basic (preview) and policy using the Azure portal](deploy-firewall-basic-portal-policy.md).
 
@@ -153,11 +105,11 @@ Azure Firewall Standard has the following known issues:
 |NAT rules with ports between 64000 and 65535 are unsupported|Azure Firewall allows any port in the 1-65535 range in network and application rules, however NAT rules only support ports in the 1-63999 range.|This is a current limitation.
 |Configuration updates may take five minutes on average|An Azure Firewall configuration update can take three to five minutes on average, and parallel updates aren't supported.|A fix is being investigated.|
 |Azure Firewall uses SNI TLS headers to filter HTTPS and MSSQL traffic|If browser or server software doesn't support the Server Name Indicator (SNI) extension, you can't connect through Azure Firewall.|If browser or server software doesn't support SNI, then you may be able to control the connection using a network rule instead of an application rule. See [Server Name Indication](https://wikipedia.org/wiki/Server_Name_Indication) for software that supports SNI.|
-|Can't add firewall policy tags using the portal or Azure Resource Manager (ARM) templates|Azure Firewall Policy has a patch support limitation that prevents you from adding a tag using the Azure portal or ARM templates. The following  error is generated: *Could not save the tags for the resource*.|A fix is being investigated. Or, you can use the Azure PowerShell cmdlet `Set-AzFirewallPolicy` to update tags.|
+|Can't add firewall policy tags using the portal or Azure Resource Manager (ARM) templates|Azure Firewall Policy has a patch support limitation that prevents you from adding a tag using the Azure portal or ARM templates. The following  error is generated: *Couldn't save the tags for the resource*.|A fix is being investigated. Or, you can use the Azure PowerShell cmdlet `Set-AzFirewallPolicy` to update tags.|
 |IPv6 not currently supported|If you add an IPv6 address to a rule, the firewall fails.|Use only IPv4 addresses. IPv6 support is under investigation.|
 |Updating multiple IP Groups fails with conflict error.|When you update two or more IP Groups attached to the same firewall, one of the resources goes into a failed state.|This is a known issue/limitation. <br><br>When you update an IP Group, it triggers an update on all firewalls that the IPGroup is attached to. If an update to a second IP Group is started while the firewall is still in the *Updating* state, then the IPGroup update fails.<br><br>To avoid the failure, IP Groups attached to the same firewall must be updated one at a time. Allow enough time between updates to allow the firewall to get out of the *Updating* state.|
 |Removing RuleCollectionGroups using ARM templates not supported.|Removing a RuleCollectionGroup using ARM templates isn't supported and results in failure.|This isn't a supported operation.|
-|DNAT rule for allow *any* (*) will SNAT traffic.|If a DNAT rule allows *any* (*) as the Source IP address, then an implicit Network rule will match VNet-VNet traffic and will always SNAT the traffic.|This is a current limitation.|
+|DNAT rule for allow *any* (*) will SNAT traffic.|If a DNAT rule allows *any* (*) as the Source IP address, then an implicit Network rule matches VNet-VNet traffic and will always SNAT the traffic.|This is a current limitation.|
 |Adding a DNAT rule to a secured virtual hub with a security provider isn't supported.|This results in an asynchronous route for the returning DNAT traffic, which goes to the security provider.|Not supported.|
 | Error encountered when creating more than 2000 rule collections. | The maximal number of NAT/Application or Network rule collections is 2000 (Resource Manager limit). | This is a current limitation. |
 |Unable to see Network Rule Name in Azure Firewall Logs|Azure Firewall network rule log data doesn't show the Rule name for network traffic.|Network rule name logging is in preview. For for information, see [Azure Firewall preview features](firewall-preview.md#network-rule-name-logging-preview).|

articles/firewall/media/choose-firewall-sku/azure-firewall-sku-table.png

@@ -47,12 +47,16 @@ items:
     href: sample-powershell.md
 - name: Concepts
   items:
+    - name: Azure Firewall Basic features
+      href: basic-features.md
     - name: Azure Firewall Standard features
       href: features.md
     - name: Azure Firewall Premium features
       href: premium-features.md
     - name: Azure Firewall preview features
       href: firewall-preview.md
+    - name: Choose an Azure Firewall SKU
+      href: choose-firewall-sku.md
     - name: IDPS signature rule categories
       href: idps-signature-categories.md
     - name: Azure Firewall Premium in the portal