updates for customer IP address

Author: vhorne

articles/firewall-manager/media/secure-cloud-network/3-azure-firewall-parameters-with-zones.png

@@ -87,7 +87,7 @@ Azure Firewall Manager has the following known issues:
 |Branch to branch traffic with private traffic filtering enabled|Branch to branch traffic can be inspected by Azure Firewall in secured hub scenarios if Routing Intent is enabled. |Enable Routing Intent on your Virtual WAN Hub by setting Inter-hub to **Enabled** in Azure Firewall Manager. See [Routing Intent documentation](../virtual-wan/how-to-routing-policies.md) for more information about this feature. The only Virtual WAN routing configuration that enables branch to branch private traffic is routing intent. |
 |All Secured Virtual Hubs sharing the same virtual WAN must be in the same resource group.|This behavior is aligned with Virtual WAN Hubs today.|Create multiple Virtual WANs to allow Secured Virtual Hubs to be created in different resource groups.|
 |Bulk IP address addition fails|The secure hub firewall goes into a failed state if you add multiple public IP addresses.|Add smaller public IP address increments. For example, add 10 at a time.|
-|DDoS Protection not supported with secured virtual hubs|DDoS Protection isn't integrated with vWANs.|Investigating|
+|DDoS Protection not supported with secured virtual hubs|DDoS Protection isn't integrated with vWANs.|Investigating<br><br>You can now associate a public IP address created in your tenants to secured hubs. The public IP addressess can be configured with Azure DDoS Protection. For more information, see [Customer provided public IP address support in secured hubs (preview)](../firewall/secured-hub-customer-public-ip.md).|
 |Activity logs not fully supported|Firewall policy doesn't currently support Activity logs.|Investigating|
 |Description of rules not fully supported|Firewall policy doesn't display the description of rules in an ARM export.|Investigating|
 |Azure Firewall Manager overwrites static and custom routes causing downtime in virtual WAN hub.|You shouldn't use Azure Firewall Manager to manage your settings in deployments configured with custom or static routes. Updates from Firewall Manager can potentially overwrite static or custom route settings.|If you use static or custom routes, use the Virtual WAN page to manage security settings and avoid configuration via Azure Firewall Manager.<br><br>For more information, see [Scenario: Azure Firewall - custom](../virtual-wan/scenario-route-between-vnets-firewall.md).|

articles/firewall-manager/overview.md

@@ -103,7 +103,7 @@ Create your secured virtual hub using Firewall Manager.
    :::image type="content" source="./media/secure-cloud-network/3-azure-firewall-parameters-with-zones.png" alt-text="Screenshot of configuring Azure Firewall parameters." lightbox="./media/secure-cloud-network/3-azure-firewall-parameters-with-zones.png":::
 
 
-16. Type **1** in the **Specify number of Public IP addressees** text box.
+16. Type **1** in the **Specify number of Public IP addressees** text box or associate an existing public IP address (preview) with this firewall.
 16. Under **Firewall Policy** ensure the **Default Deny Policy** is selected. You refine your settings later in this article.
 17. Select **Next: Security Partner Provider**.
 

articles/firewall-manager/secure-cloud-network.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: azure-firewall
 ms.topic: concept-article
-ms.date: 10/10/2023
+ms.date: 01/15/2025
 ms.author: victorh
 ---
 
@@ -57,6 +57,13 @@ This is also relevant for hybrid scenarios, connecting on-premises datacenters t
 
 For more information, see [Private IP DNAT Support and Scenarios with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/private-ip-dnat-support-and-scenarios-with-azure-firewall/ba-p/4230073).
 
+## Customer provided public IP address support in secured hubs (preview)
+
+Virtual WAN hub deployments can now associate customer tenant public IP addresses with Secured Hub Azure Firewall. The capability is available to new deployments of Secured Hub Firewalls (preview). 
+
+For existing secured virtual WAN hubs, delete the hub firewall and redeploy a new Firewall during scheduled maintenance hours. You can use the Azure portal or Azure PowerShell to configure this.  
+
+For more information, see [Customer provided public IP address support in secured hubs (preview)](secured-hub-customer-public-ip.md).
 
 ## Next steps
 

articles/firewall/firewall-preview.md

@@ -0,0 +1,50 @@
+---
+title: Customer provided public IP address support in secured hubs (preview)
+description: Learn about customer provided public IP address support in secured hubs.
+services: firewall
+author: vhorne
+ms.service: azure-firewall
+ms.topic: concept-article
+ms.date: 01/15/2025
+ms.author: victorh
+---
+
+# Customer provided public IP address support in secured hubs (preview)
+
+> [!IMPORTANT]
+> Customer provided public IP address support in secured hubs is currently in PREVIEW.
+> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
+
+Virtual WAN hub deployments can now associate customer tenant public IP addresses with secured hub Azure Firewalls.
+
+The capability is available only to new deployments of secured hub Firewalls. For existing secured virtual WAN hubs, delete the hub firewall and redeploy a new Firewall during scheduled maintenance hours. You can use the Azure portal or Azure PowerShell to configure it.   
+
+The capability has the following benefits: 
+
+- You own and control the lifecycle of the Azure Firewall public IP addresses. 
+
+- Secured hub firewalls can enable enhanced DDoS mitigation features to defend against DDoS attacks. 
+
+- You can allocate Azure Firewall public IP addresses from an IP address prefix pool. 
+
+## Configuration
+
+You can configure this feature using either the Azure portal or Azure PowerShell.
+
+### Azure portal
+
+You can associate a preexisting public IP address with a secured hub firewall. You should allocate public IP addresses from an IP prefix pool to simplify downstream security access control lists (ACLs).  
+
+:::image type="content" source="media/secured-hub-customer-public-ip/new-secured-hub-customer-public-ip.png" alt-text="Screenshot showing new secured virtual hub.":::
+
+### Azure PowerShell
+
+```azurepowershell
+$publicip = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name $PIPName
+$virtualhub = get-azvirtualhub -ResourceGroupName $rgName -name $vwanhub
+New-AzFirewall -Name $azfwname -ResourceGroupName $rgName -Location westcentralus -SkuName AZFW_Hub -SkuTier $Tier -PublicIpAddress $publicip -VirtualHubId $virtualhub.Id
+```
+
+## Next steps
+
+- [Tutorial: Secure your virtual hub using Azure Firewall Manager](../firewall-manager/secure-cloud-network.md)

articles/firewall/media/secured-hub-customer-public-ip/new-secured-hub-customer-public-ip.png

@@ -167,6 +167,8 @@ items:
        href: premium-deploy-certificates-enterprise-ca.md
      - name: Use Azure Policy
        href: firewall-azure-policy.md
+     - name: Secured hub customer public IP
+       href: secured-hub-customer-public-ip.md
   - name: Protect
     items:
     - name: Protect Azure Virtual Desktop