freshness review - March 2025

duongau · duongau · commit 4d1b383d6931 · 2025-03-17T14:10:36.000-07:00
diff --git a/articles/firewall/tutorial-firewall-dnat.md b/articles/firewall/tutorial-firewall-dnat.md
@@ -5,84 +5,82 @@ services: firewall
 author: duongau
 ms.service: azure-firewall
 ms.topic: how-to
-ms.date: 08/31/2023
+ms.date: 03/17/2025
 ms.author: duau
 ms.custom: mvc
 #Customer intent: As an administrator, I want to deploy and configure Azure Firewall DNAT so that I can control inbound Internet access to resources located in a subnet.
 ---
 
 # Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal
 
-You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets or intranet traffic between private networks (preview). When you configure DNAT, the NAT rule collection action is set to **Dnat**. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
+You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets or intranet traffic between private networks (preview). When you configure DNAT, the NAT rule collection action is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall's public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, it's recommended to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
 
 > [!NOTE]
-> This article uses classic Firewall rules to manage the firewall. The preferred method is to use [Firewall Policy](../firewall-manager/policy-overview.md). To complete this procedure using Firewall Policy, see [Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal](tutorial-firewall-dnat-policy.md)
+> This article uses classic Firewall rules to manage the firewall. The preferred method is to use [Firewall Policy](../firewall-manager/policy-overview.md). To complete this procedure using Firewall Policy, see [Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal](tutorial-firewall-dnat-policy.md).
 
 ## Prerequisites
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
-
-
 ## Create a resource group
 
 1. Sign in to the [Azure portal](https://portal.azure.com).
 2. On the Azure portal home page, select **Resource groups**, then select **Create**.
-4. For **Subscription**, select your subscription.
-1. For **Resource group**, type **RG-DNAT-Test**.
+3. For **Subscription**, select your subscription.
+4. For **Resource group**, type **RG-DNAT-Test**.
 5. For **Region**, select a region. All other resources that you create must be in the same region.
 6. Select **Review + create**.
-1. Select **Create**.
+7. Select **Create**.
 
 ## Set up the network environment
 
-For this article, you create a two peered VNets:
+For this article, you create two peered VNets:
 
-- **VN-Hub** - the firewall is in this VNet.
-- **VN-Spoke** - the workload server is in this VNet.
+- **VN-Hub** - the firewall is in this virtual network.
+- **VN-Spoke** - the workload server is in this virtual network.
 
 First, create the VNets and then peer them.
 
-### Create the Hub VNet
+### Create the Hub virtual network
 
 1. From the Azure portal home page, select **All services**.
 2. Under **Networking**, select **Virtual networks**.
 3. Select **Create**.
-7. For **Resource group**, select **RG-DNAT-Test**.
-1. For **Name**, type **VN-Hub**.
-1. For **Region**, select the same region that you used before.
-1. Select **Next**.
-1. On the **Security** tab, select **Next**.
-1. For **IPv4 Address space**, accept the default **10.0.0.0/16**.
-1. Under **Subnets**, select **default**.
-1. For **Subnet template**, select  **Azure Firewall**.
+4. For **Resource group**, select **RG-DNAT-Test**.
+5. For **Name**, type **VN-Hub**.
+6. For **Region**, select the same region that you used before.
+7. Select **Next**.
+8. On the **Security** tab, select **Next**.
+9. For **IPv4 Address space**, accept the default **10.0.0.0/16**.
+10. Under **Subnets**, select **default**.
+11. For **Subnet template**, select **Azure Firewall**.
 
-     The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.
-     > [!NOTE]
-     > The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).
+   The firewall is in this subnet, and the subnet name **must** be AzureFirewallSubnet.
+   > [!NOTE]
+   > The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).
 
-11. Select **Save**.
-1. Select **Review + create**.
-1. Select **Create**.
+12. Select **Save**.
+13. Select **Review + create**.
+14. Select **Create**.
 
-### Create a spoke VNet
+### Create a spoke virtual network
 
 1. From the Azure portal home page, select **All services**.
 2. Under **Networking**, select **Virtual networks**.
 3. Select **Create**.
-1. For **Resource group**, select **RG-DNAT-Test**.
-1. For **Name**, type **VN-Spoke**.
-1. For **Region**, select the same region that you used before.
-1. Select **Next**.
-1. On the **Security** tab, select **Next**.
-1. For **IPv4 Address space**, edit the default and type **192.168.0.0/16**.
-1. Under **Subnets**, select **default**.
-1. For the subnet **Name** type **SN-Workload**.
-1. For **Starting address**, type **192.168.1.0**.
-1. For **Subnet size**, select **/24**.
-1. Select **Save**.
-1. Select **Review + create**.
-1. Select **Create**.
+4. For **Resource group**, select **RG-DNAT-Test**.
+5. For **Name**, type **VN-Spoke**.
+6. For **Region**, select the same region that you used before.
+7. Select **Next**.
+8. On the **Security** tab, select **Next**.
+9. For **IPv4 Address space**, edit the default and type **192.168.0.0/16**.
+10. Under **Subnets**, select **default**.
+11. For the subnet **Name**, type **SN-Workload**.
+12. For **Starting address**, type **192.168.1.0**.
+13. For **Subnet size**, select **/24**.
+14. Select **Save**.
+15. Select **Review + create**.
+16. Select **Create**.
 
 ### Peer the VNets
 
@@ -92,9 +90,9 @@ Now peer the two VNets.
 2. Under **Settings**, select **Peerings**.
 3. Select **Add**.
 4. Under **This virtual network**, for the **Peering link name**, type **Peer-HubSpoke**.
-5. Under **Remote virtual network**, for **Peering link name**, type **Peer-SpokeHub**. 
-1. Select **VN-Spoke** for the virtual network.
-1. Accept all the other defaults, and then select **Add**.
+5. Under **Remote virtual network**, for **Peering link name**, type **Peer-SpokeHub**.
+6. Select **VN-Spoke** for the virtual network.
+7. Accept all the other defaults, and then select **Add**.
 
 ## Create a virtual machine
 
@@ -106,22 +104,23 @@ Create a workload virtual machine, and place it in the **SN-Workload** subnet.
 **Basics**
 
 1. For **Subscription**, select your subscription.
-1. For **Resource group**, select **RG-DNAT-Test**.
-1. For **Virtual machine name**, type **Srv-Workload**.
-1. For **Region**, select the same location that you used previously.
-1. Type a username and password.
-1. Select **Next: Disks**.
+2. For **Resource group**, select **RG-DNAT-Test**.
+3. For **Virtual machine name**, type **Srv-Workload**.
+4. For **Region**, select the same location that you used previously.
+5. Type a username and password.
+6. Select **Next: Disks**.
 
 **Disks**
+
 1. Select **Next: Networking**.
 
 **Networking**
 
 1. For **Virtual network**, select **VN-Spoke**.
 2. For **Subnet**, select **SN-Workload**.
 3. For **Public IP**, select **None**.
-4. For **Public inbound ports**, select **None**. 
-2. Leave the other default settings and select **Next: Management**.
+4. For **Public inbound ports**, select **None**.
+5. Leave the other default settings and select **Next: Management**.
 
 **Management**
 
@@ -130,94 +129,94 @@ Create a workload virtual machine, and place it in the **SN-Workload** subnet.
 **Monitoring**
 
 1. For **Boot diagnostics**, select **Disable**.
-1. Select **Review + Create**.
+2. Select **Review + Create**.
 
 **Review + Create**
 
-Review the summary, and then select **Create**. This takes a few minutes to complete.
+Review the summary, and then select **Create**. This process takes a few minutes to complete.
 
-After deployment finishes, note the private IP address for the virtual machine. It is used later when you configure the firewall. Select the virtual machine name. Select **Overview**, and under **Networking** note the private IP address.
+After the deployment finishes, note the private IP address of the virtual machine. You need this IP address later when configuring the firewall. Select the virtual machine name, go to **Overview**, and under **Networking**, note the private IP address.
 
-[!INCLUDE [ephemeral-ip-note.md](~/reusable-content/ce-skilling/azure/includes/ephemeral-ip-note.md)]
+> [!INCLUDE [ephemeral-ip-note.md](~/reusable-content/ce-skilling/azure/includes/ephemeral-ip-note.md)]
 
 ## Deploy the firewall
 
 1. From the portal home page, select **Create a resource**.
-1. Search for **Firewall**, and then select **Firewall**.
-1. Select **Create**. 
-1. On the **Create a Firewall** page, use the following table to configure the firewall:
-
-   |Setting  |Value  |
-   |---------|---------|
-   |Subscription     |\<your subscription\>|
-   |Resource group     |Select **RG-DNAT-Test** |
-   |Name     |**FW-DNAT-test**|
-   |Region     |Select the same location that you used previously|
-   |Firewall SKU|**Standard**|
-   |Firewall management|**Use Firewall rules (classic) to manage this firewall**|
-   |Choose a virtual network     |**Use existing**: VN-Hub|
-   |Public IP address     |**Add new**, Name: **fw-pip**.|
+2. Search for **Firewall**, and then select **Firewall**.
+3. Select **Create**.
+4. On the **Create a Firewall** page, use the following table to configure the firewall:
+
+   | Setting               | Value                           |
+   |-----------------------|---------------------------------|
+   | Subscription          | \<your subscription\>           |
+   | Resource group        | Select **RG-DNAT-Test**         |
+   | Name                  | **FW-DNAT-test**                |
+   | Region                | Select the same location used previously |
+   | Firewall SKU          | **Standard**                    |
+   | Firewall management   | **Use Firewall rules (classic) to manage this firewall** |
+   | Choose a virtual network | **Use existing**: VN-Hub     |
+   | Public IP address     | **Add new**, Name: **fw-pip**   |
 
 5. Accept the other defaults, and then select **Review + create**.
-6. Review the summary, and then select **Create** to create the firewall.
+6. Review the summary, and then select **Create** to deploy the firewall.
 
-   This takes a few minutes to deploy.
-7. After deployment completes, go to the **RG-DNAT-Test** resource group, and select the **FW-DNAT-test** firewall.
-8. Note the firewall's private and public IP addresses. You'll use them later when you create the default route and NAT rule.
+   This process takes a few minutes to complete.
+7. After deployment completes, go to the **RG-DNAT-Test** resource group and select the **FW-DNAT-test** firewall.
+8. Note the firewall's private and public IP addresses. You use them later when creating the default route and NAT rule.
 
 ## Create a default route
 
-For the **SN-Workload** subnet, you configure the outbound default route to go through the firewall.
+For the **SN-Workload** subnet, configure the outbound default route to go through the firewall.
 
 > [!IMPORTANT]
-> You do not need to configure an explicit route back to the firewall at the destination subnet. Azure Firewall is a stateful service and handles the packets and sessions automatically. If you create this route, you'll create an asymmetrical routing environment that interrupts the stateful session logic and results in dropped packets and connections.
+> You don't need to configure an explicit route back to the firewall at the destination subnet. Azure Firewall is a stateful service and handles the packets and sessions automatically. Creating this route would result in an asymmetrical routing environment, interrupting the stateful session logic and causing dropped packets and connections.
 
 1. From the Azure portal home page, select **Create a resource**.
 2. Search for **Route table** and select it.
 3. Select **Create**.
-5. For **Subscription**, select your subscription.
-1. For **Resource group**, select **RG-DNAT-Test**.
-1. For **Region**, select the same region that you used previously.
-1. For **Name**, type **RT-FWroute**.
-1. Select **Review + create**.
-1. Select **Create**.
-1. Select **Go to resource**.
-1. Select **Subnets**, and then select **Associate**.
-1. For **Virtual network**, select **VN-Spoke**.
-1. For **Subnet**, select **SN-Workload**.
-1. Select **OK**.
-1. Select **Routes**, and then select **Add**.
-1. For **Route name**, type **FW-DG**.
-1. For **Destination type**, select **IP Addresses**.
-1. For **Destination IP addresses/CIDR ranges**, type **0.0.0.0/0**.
-1. For **Next hop type**, select **Virtual appliance**.
-
-    Azure Firewall is actually a managed service, but virtual appliance works in this situation.
-18. For **Next hop address**, type the private IP address for the firewall that you noted previously.
-19. Select **Add**.
+4. For **Subscription**, select your subscription.
+5. For **Resource group**, select **RG-DNAT-Test**.
+6. For **Region**, select the same region used previously.
+7. For **Name**, type **RT-FWroute**.
+8. Select **Review + create**.
+9. Select **Create**.
+10. Select **Go to resource**.
+11. Select **Subnets**, and then select **Associate**.
+12. For **Virtual network**, select **VN-Spoke**.
+13. For **Subnet**, select **SN-Workload**.
+14. Select **OK**.
+15. Select **Routes**, and then select **Add**.
+16. For **Route name**, type **FW-DG**.
+17. For **Destination type**, select **IP Addresses**.
+18. For **Destination IP addresses/CIDR ranges**, type **0.0.0.0/0**.
+19. For **Next hop type**, select **Virtual appliance**.
+
+    Azure Firewall is a managed service, but selecting virtual appliance works in this situation.
+20. For **Next hop address**, type the private IP address of the firewall noted previously.
+21. Select **Add**.
 
 ## Configure a NAT rule
 
-1. Open the **RG-DNAT-Test** resource group, and select the **FW-DNAT-test** firewall. 
-2. On the **FW-DNAT-test** page, under **Settings**, select **Rules (classic)**. 
-3. Select **Add NAT rule collection**. 
-4. For **Name**, type **RC-DNAT-01**. 
-5. For **Priority**, type **200**. 
+1. Open the **RG-DNAT-Test** resource group, and select the **FW-DNAT-test** firewall.
+2. On the **FW-DNAT-test** page, under **Settings**, select **Rules (classic)**.
+3. Select **Add NAT rule collection**.
+4. For **Name**, type **RC-DNAT-01**.
+5. For **Priority**, type **200**.
 6. Under **Rules**, for **Name**, type **RL-01**.
 7. For **Protocol**, select **TCP**.
-1. For **Source type**, select **IP address**.
-1. For **Source**, type *. 
-1. For **Destination Addresses**, type the firewall's public or private IP address. 
-1. For **Destination ports**, type **3389**. 
-1. For **Translated Address** type the private IP address for the Srv-Workload virtual machine. 
-1. For **Translated port**, type **3389**. 
-1. Select **Add**.
+8. For **Source type**, select **IP address**.
+9. For **Source**, type *.
+10. For **Destination Addresses**, type the firewall's public or private IP address.
+11. For **Destination ports**, type **3389**.
+12. For **Translated Address**, type the private IP address of the Srv-Workload virtual machine.
+13. For **Translated port**, type **3389**.
+14. Select **Add**.
 
-This takes a few minutes to complete.
+This process takes a few minutes to complete.
 
 ## Test the firewall
 
-1. Connect a remote desktop to firewall public IP address. You should be connected to the **Srv-Workload** virtual machine.
+1. Connect a remote desktop to the firewall's public IP address. You should be connected to the **Srv-Workload** virtual machine.
 2. Close the remote desktop.
 
 ## Clean up resources
