Commit 49512c7

Merge pull request #52812 from KumudD/release-ignite-firewall
Firewall overview - minor known issue update
2 parents 6e20858 + 6f4cae7 commit 49512c7

1 file changed

+1
-1
lines changed

articles/firewall/overview.md

Lines changed: 1 addition & 1 deletion
@@ -62,7 +62,7 @@ Azure Firewall has the following known issues:
6262
|Conflict with Azure Security Center (ASC) Just-in-Time (JIT) feature|If a virtual machine is accessed using JIT, and is in a subnet with a user-defined route that points to Azure Firewall as a default gateway, ASC JIT doesn’t work. This is a result of asymmetric routing – a packet comes in via the virtual machine public IP (JIT opened the access), but the return path is via the firewall, which drops the packet because no session is established on the firewall.|To work around this issue, place the JIT virtual machines on a separate subnet that doesn’t have a user-defined route to the firewall.|
6363
|Hub and spoke with global peering doesn’t work|The hub and spoke model, where the hub and firewall are deployed in one Azure region, with the spokes in another Azure region, connected to the hub via Global VNet Peering is not supported.|For more information, see [Create, change, or delete a virtual network peering](https://docs.microsoft.com/azure/virtual-network/virtual-network-manage-peering#requirements-and-constraints)|
6464
Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don’t work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](https://docs.microsoft.com/azure/load-balancer/load-balancer-standard-overview#limitations). We are exploring options to support this scenario in a future release.|
65-
|Destination NAT (DNAT) doesn’t work for port 80.|Destination Port field in NAT rule collection cannot include port 80.|We are working to fix this in the near future. Meanwhile, use any other port as the destination port in NAT rules. |
65+
|Destination NAT (DNAT) doesn’t work for port 80 and 22.|Destination Port field in NAT rule collection cannot include port 80 or port 22.|We are working to fix this in the near future. Meanwhile, use any other port as the destination port in NAT rules. Port 80 or 22 can still be used as the translated port (for example, you can map public ip:81 to private ip:80).|
6666
|
6767

6868
## Next steps
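
Review bot: The new row at line 65 is inconsistent in how it names the affected ports: the issue column says "port 80 and 22" while the description says "port 80 or port 22". Suggest "ports 80 and 22" in the issue column and "cannot include port 80 or port 22" in the description, so a reader scanning the table sees both ports are blocked as DNAT destination ports. In the mitigation text, "public ip:81 to private ip:80" uses lowercase "ip" where the JIT row above writes "public IP"; capitalize it to match. The example also covers only port 80, so consider adding the equivalent mapping for port 22, since that is the port this change introduces. Separately, the unchanged context row at line 64 ("Network filtering rules for non-TCP/UDP protocols...") has no leading `|` as shown here, unlike the other rows; worth confirming it renders as a table row.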
