Commit 4ac3ffa

Merge pull request #270223 from vhorne/fw-priv-dnat-prev
updates for private dnat preview
2 parents d074e2b + 21653af commit 4ac3ffa

6 files changed

+18
-12
lines changed

articles/firewall/firewall-faq.yml

Lines changed: 1 addition & 1 deletion
@@ -40,7 +40,7 @@ sections:
4040
4141
* *Application rules*: Configure fully qualified domain names (FQDNs) that can be accessed from a Virtual Network.
4242
* *Network rules*: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.
43-
* *NAT rules*: Configure DNAT rules to allow incoming Internet connections.
43+
* *NAT rules*: Configure DNAT rules to allow incoming Internet or intranet (preview) connections.
4444
4545
For more information, see [Configure Azure Firewall rules](rule-processing.md).
4646
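Review bot: the new "(preview)" parenthetical in the NAT rules bullet is not linked anywhere, and the only link in this section points at rule-processing.md. Consider linking "intranet (preview)" to firewall-preview.md, which this same PR extends with the private IP address DNAT section, so a reader of the FAQ can find the scope and status of the preview feature.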

articles/firewall/firewall-known-issues.md

Lines changed: 0 additions & 1 deletion
@@ -29,7 +29,6 @@ Azure Firewall Standard has the following known issues:
2929
|FQDN tags require a protocol: port to be set|Application rules with FQDN tags require port: protocol definition.|You can use **https** as the port: protocol value. We're working to make this field optional when FQDN tags are used.|
3030
|Moving a firewall to a different resource group or subscription isn't supported|Moving a firewall to a different resource group or subscription isn't supported.|Supporting this functionality is on our road map. To move a firewall to a different resource group or subscription, you must delete the current instance and recreate it in the new resource group or subscription.|
3131
|Threat intelligence alerts may get masked|Network rules with destination 80/443 for outbound filtering masks threat intelligence alerts when configured to alert only mode.|Create outbound filtering for 80/443 using application rules. Or, change the threat intelligence mode to **Alert and Deny**.|
32-
|Azure Firewall DNAT doesn't work for private IP destinations|Azure Firewall DNAT support is limited to Internet egress/ingress. DNAT doesn't currently work for private IP destinations. For example, spoke to spoke.|A fix is being investigated.<br><br>Private DNAT is currently in private preview. Watch the [Azure Firewall preview features](firewall-preview.md) article for the public preview announcement.|
3332
|With secured virtual hubs, availability zones can only be configured during deployment.| You can't configure Availability Zones after a firewall with secured virtual hubs has been deployed.|This is by design.|
3433
|SNAT on inbound connections|In addition to DNAT, connections via the firewall public IP address (inbound) are SNATed to one of the firewall private IPs. This requirement today (also for Active/Active NVAs) to ensure symmetric routing.|To preserve the original source for HTTP/S, consider using [XFF](https://en.wikipedia.org/wiki/X-Forwarded-For) headers. For example, use a service such as [Azure Front Door](../frontdoor/front-door-http-headers-protocol.md#from-the-front-door-to-the-backend) or [Azure Application Gateway](../application-gateway/rewrite-http-headers-url.md) in front of the firewall. You can also add WAF as part of Azure Front Door and chain to the firewall.
3534
|SQL FQDN filtering support only in proxy mode (port 1433)|For Azure SQL Database, Azure Synapse Analytics, and Azure SQL Managed Instance:<br><br>SQL FQDN filtering is supported in proxy-mode only (port 1433).<br><br>For Azure SQL IaaS:<br><br>If you're using nonstandard ports, you can specify those ports in the application rules.|For SQL in redirect mode (the default if connecting from within Azure), you can instead filter access using the SQL service tag as part of Azure Firewall network rules.
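Review bot: deleting the "Azure Firewall DNAT doesn't work for private IP destinations" row removes the only statement that DNAT to private destinations is not generally available. The section added to firewall-preview.md in this PR describes the capability as a preview, so the limitation still holds for firewalls that are not using the preview; suggest keeping the row and updating its mitigation column to point at firewall-preview.md until the feature reaches general availability, rather than removing it.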

articles/firewall/firewall-preview.md

Lines changed: 8 additions & 1 deletion
@@ -1,6 +1,6 @@
11
---
22
title: Azure Firewall preview features
3-
description: Learn about Azure Firewall preview features that are currently publicly available.
3+
description: Learn about Azure Firewall preview features that are publicly available now.
44
services: firewall
55
author: vhorne
66
ms.service: azure-firewall
@@ -49,6 +49,13 @@ You can now update multiple IP Groups in parallel at the same time. This is usef
4949

5050
For more information, see [IP Groups in Azure Firewall](ip-groups.md#parallel-ip-group-updates-preview).
5151

52+
### Private IP address DNAT rules (preview)
53+
54+
You can now configure a firewall policy DNAT rule with the private IP address of the firewall. Previously, DNAT rules only worked with Azure Firewall public IP addresses.
55+
This feature enables connectivity between overlapped IP networks, which is a common scenario for organizations when onboarding new partners to their network or integrating new acquisitions.
56+
Another scenario where the private IP address DNAT rule can be configured is for hybrid scenarios connecting on-premises networks with the Azure cloud to enable communication between private resources with no direct routing.
57+
58+
5259
## Next steps
5360

5461
To learn more about Azure Firewall, see [What is Azure Firewall?](overview.md).
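Review bot: the new "Private IP address DNAT rules (preview)" section ends without a "For more information" line, unlike the IP Groups section directly above it, and does not link to the two DNAT tutorials this PR updates for the feature (tutorial-firewall-dnat.md and tutorial-firewall-dnat-policy.md). It also omits the rule-processing point that a DNAT rule implicitly allows the translated traffic ahead of network rules, which matters more once the destination can be the firewall's private IP reachable from peered or on-premises address space; suggest adding the link and a sentence recommending specific sources over wildcards. Style: the hunk has two consecutive blank lines both after the heading and before "## Next steps"; one is enough.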

articles/firewall/rule-processing.md

Lines changed: 1 addition & 1 deletion
@@ -135,7 +135,7 @@ If still no match is found within application rules, then the packet is evaluate
135135

136136
### DNAT rules and Network rules
137137

138-
Inbound Internet connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Filter inbound traffic with Azure Firewall DNAT using the Azure portal](../firewall/tutorial-firewall-dnat.md). NAT rules are applied in priority before network rules. If a match is found, the traffic is translated according to the DNAT rule and allowed by the firewall. So the traffic isn't subject to any further processing by other network rules. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards.
138+
Inbound Internet or intranet (preview) connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal](../firewall/tutorial-firewall-dnat.md). NAT rules are applied in priority before network rules. If a match is found, the traffic is translated according to the DNAT rule and allowed by the firewall. So the traffic isn't subject to any further processing by other network rules. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards.
139139

140140
Application rules aren't applied for inbound connections. So, if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF). For more information, see [What is Azure Web Application Firewall](../web-application-firewall/overview.md)?
141141
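Review bot: the closing sentence of the rewritten paragraph still says "add a specific Internet source", although the paragraph now covers intranet (preview) connectivity and both tutorials in this PR were changed to "a specific source". Update it to match, since the wildcard warning is exactly the guidance that applies to a DNAT rule whose destination is the firewall's private IP address.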

articles/firewall/tutorial-firewall-dnat-policy.md

Lines changed: 4 additions & 4 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: 'Tutorial: Filter inbound Internet traffic with Azure Firewall DNAT policy using the portal'
2+
title: 'Tutorial: Filter inbound Internet or intranet traffic with Azure Firewall DNAT policy using the portal'
33
description: In this tutorial, you learn how to deploy and configure Azure Firewall policy DNAT using the Azure portal.
44
services: firewall
55
author: vhorne
@@ -11,9 +11,9 @@ ms.custom: mvc
1111
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall policy DNAT so that I can control inbound Internet access to resources located in a subnet.
1212
---
1313

14-
# Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal
14+
# Tutorial: Filter inbound Internet or intranet traffic with Azure Firewall policy DNAT using the Azure portal
1515

16-
You can configure Azure Firewall policy Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the *rule collection action* is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
16+
You can configure Azure Firewall policy Destination Network Address Translation (DNAT) to translate and filter inbound Internet or intranet (preview) traffic to your subnets. When you configure DNAT, the *rule collection action* is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
1717

1818
In this tutorial, you learn how to:
1919
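Review bot: the "#Customer intent" comment still reads "control inbound Internet access to resources located in a subnet" while the title and intro paragraph in this hunk now cover intranet traffic as well; update it for consistency. In the intro, "your firewall public or private IP address" would read better with a note that the private IP address option is the preview capability, since "(preview)" appears only after "intranet" in the first sentence.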

@@ -209,7 +209,7 @@ This rule allows you to connect a remote desktop to the Srv-Workload virtual mac
209209
1. For **Protocol**, select **TCP**.
210210
1. For **Destination Ports**, type **3389**.
211211
1. For **Destination Type**, select **IP Address**.
212-
1. For **Destination**, type the firewall public IP address.
212+
1. For **Destination**, type the firewall public or private IP address.
213213
1. For **Translated address**, type the **Srv-Workload** private IP address.
214214
1. For **Translated port**, type **3389**.
215215
1. Select **Add**.
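Review bot: "type the firewall public or private IP address" presents a choice without saying when the private address applies (intranet sources, preview only) or where the reader finds it in the portal. Either keep the public IP address in this step and describe the private-IP variant in a short note after it, or add the qualifying note here, so the step remains unambiguous for readers following the Internet scenario the tutorial was written for.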

articles/firewall/tutorial-firewall-dnat.md

Lines changed: 4 additions & 4 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Filter inbound Internet traffic with Azure Firewall DNAT using the portal
2+
title: Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the portal
33
description: In this article, you learn how to deploy and configure Azure Firewall DNAT using the Azure portal.
44
services: firewall
55
author: vhorne
@@ -11,9 +11,9 @@ ms.custom: mvc
1111
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall DNAT so that I can control inbound Internet access to resources located in a subnet.
1212
---
1313

14-
# Filter inbound Internet traffic with Azure Firewall DNAT using the Azure portal
14+
# Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal
1515

16-
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to **Dnat**. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private/public IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
16+
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets or intranet traffic between private networks (preview). When you configure DNAT, the NAT rule collection action is set to **Dnat**. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
1717

1818
> [!NOTE]
1919
> This article uses classic Firewall rules to manage the firewall. The preferred method is to use [Firewall Policy](../firewall-manager/policy-overview.md). To complete this procedure using Firewall Policy, see [Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal](tutorial-firewall-dnat-policy.md)
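Review bot: the NOTE's link text still reads "Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal", but that tutorial's title is renamed in this same PR to include "or intranet"; update the link text to match. Also, the intro previously said the firewall IP address is translated to "a private/public IP address and port" and now says "a private IP address and port"; confirm this narrowing is intended rather than a side effect of the rewrite.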
@@ -207,7 +207,7 @@ For the **SN-Workload** subnet, you configure the outbound default route to go t
207207
7. For **Protocol**, select **TCP**.
208208
1. For **Source type**, select **IP address**.
209209
1. For **Source**, type *.
210-
1. For **Destination Addresses**, type the firewall's public IP address.
210+
1. For **Destination Addresses**, type the firewall's public or private IP address.
211211
1. For **Destination ports**, type **3389**.
212212
1. For **Translated Address** type the private IP address for the Srv-Workload virtual machine.
213213
1. For **Translated port**, type **3389**.
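Review bot: the step "For **Source**, type *" keeps a wildcard source directly above a destination step that now allows the firewall's private IP address, while the intro paragraph changed in this PR tells readers to add a specific source and avoid wildcards. With a private-IP destination, * admits any peered or on-premises address range, so this step should either use a specific source range or carry a note explaining why the wildcard is acceptable only for this lab setup.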
