
Commit 50c8741

Merge pull request #286466 from vhorne/fw-mgt-nic-new
New mgmt nic & forced tunneling
2 parents 41fe0b0 + 23a56f0 commit 50c8741

9 files changed (+107, −21 lines changed)


articles/firewall/firewall-faq.yml

Lines changed: 2 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -81,7 +81,7 @@ sections:
8181
answer: |
8282
You can use Azure PowerShell *deallocate* and *allocate* methods. For a firewall configured for forced tunneling, the procedure is slightly different.
8383
84-
For example, for a firewall NOT configured for forced tunneling:
84+
For example, for a firewall configured with the Management NIC NOT enabled:
8585
8686
```azurepowershell
8787
# Stop an existing firewall
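Review bot: the unchanged context at line 82 still says "For a firewall configured for forced tunneling, the procedure is slightly different." while the rewritten line 84 now distinguishes the two cases by whether the Management NIC is enabled. Since this PR decouples the Management NIC from forced tunneling, that context sentence should use the same criterion, e.g. "For a firewall with the Management NIC enabled, the procedure is slightly different.", so the answer does not mix two terms for one condition.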
@@ -103,7 +103,7 @@ sections:
103103
Set-AzFirewall -AzureFirewall $azfw
104104
```
105105
106-
For a firewall configured for forced tunneling, stopping is the same. But starting requires the management public IP to be re-associated back to the firewall:
106+
For a firewall configured with the Management NIC enabled, stopping is the same. But starting requires the management public IP to be re-associated back to the firewall:
107107
108108
```azurepowershell
109109
# Stop an existing firewall
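Review bot: "requires the management public IP to be re-associated back to the firewall" on line 106 is redundant ("re-associated" already implies "back"); suggest "requires the management public IP to be associated with the firewall again". The preceding "stopping is the same. But starting ..." also reads better as one sentence: "stopping is the same, but starting requires ...".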

articles/firewall/forced-tunneling.md

Lines changed: 12 additions & 19 deletions
@@ -5,46 +5,39 @@ services: firewall
55
author: vhorne
66
ms.service: azure-firewall
77
ms.topic: concept-article
8-
ms.date: 03/22/2024
8+
ms.date: 09/10/2024
99
ms.author: victorh
1010
---
1111

1212
# Azure Firewall forced tunneling
1313

14-
When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you might have a default route advertised via BGP or using User Defined Route (UDR) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. To support this configuration, you must create Azure Firewall with forced tunneling configuration enabled. This is a mandatory requirement to avoid service disruption.
14+
When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet. For example, you could have a default route advertised via BGP or using User Defined Routes (UDRs) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet. To support this configuration, you must create an Azure Firewall with the Firewall Management NIC enabled.
1515

16-
If you have a pre-existing firewall, you must stop/start the firewall in forced tunneling mode to support this configuration. Stopping/starting the firewall can be used to configure forced tunneling the firewall without the need to redeploy a new one. You should do this during maintenance hours to avoid disruptions. For more information, see the [Azure Firewall FAQ](firewall-faq.yml#how-can-i-stop-and-start-azure-firewall) about stopping and restarting a firewall in forced tunnelling mode.
16+
:::image type="content" source="media/forced-tunneling/forced-tunneling-configuration.png" lightbox="media/forced-tunneling/forced-tunneling-configuration.png" alt-text="Screenshot showing configure forced tunneling.":::
1717

18-
You might prefer not to expose a public IP address directly to the Internet. In this case, you can deploy Azure Firewall in forced tunneling mode without a public IP address. This configuration creates a management interface with a public IP address that is used by Azure Firewall for its operations. The public IP address is used exclusively by the Azure platform and can't be used for any other purpose. The tenant data path network can be configured without a public IP address, and Internet traffic can be forced tunneled to another firewall or blocked.
18+
You might prefer not to expose a public IP address directly to the Internet. In this case, you can deploy Azure Firewall with the Management NIC enabled without a public IP address. When the Management NIC is enabled, it creates a management interface with a public IP address that is used by Azure Firewall for its operations. The public IP address is used exclusively by the Azure platform and can't be used for any other purpose. The tenant data path network can be configured without a public IP address, and Internet traffic can be forced tunneled to another firewall or blocked.
1919

20-
Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. Azure Firewall doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918. This logic works perfectly when you egress directly to the Internet. However, with forced tunneling enabled, Internet-bound traffic is SNATed to one of the firewall private IP addresses in the AzureFirewallSubnet. This hides the source address from your on-premises firewall. You can configure Azure Firewall to not SNAT regardless of the destination IP address by adding *0.0.0.0/0* as your private IP address range. With this configuration, Azure Firewall can never egress directly to the Internet. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
20+
Azure Firewall provides automatic SNAT for all outbound traffic to public IP addresses. Azure Firewall doesn’t SNAT when the destination IP address is a private IP address range per IANA RFC 1918. This logic works perfectly when you egress directly to the Internet. However, with forced tunneling configured, Internet-bound traffic might be SNATed to one of the firewall private IP addresses in the AzureFirewallSubnet. This hides the source address from your on-premises firewall. You can configure Azure Firewall to not SNAT regardless of the destination IP address by adding *0.0.0.0/0* as your private IP address range. With this configuration, Azure Firewall can never egress directly to the Internet. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
21+
22+
Azure Firewall also supports split tunneling, which is the ability to selectively route traffic. For example, you can configure Azure Firewall to direct all traffic to your on-premises network while routing traffic to the Internet for KMS activation, ensuring the KMS server is activated. You can do this using route tables on the AzureFirewallSubnet. For more information, see [Configuring Azure Firewall in Forced Tunneling mode - Microsoft Community Hub](https://techcommunity.microsoft.com/t5/azure-network-security-blog/configuring-azure-firewall-in-forced-tunneling-mode/ba-p/3581955).
2123

2224
> [!IMPORTANT]
2325
> If you deploy Azure Firewall inside of a Virtual WAN Hub (Secured Virtual Hub), advertising the default route over Express Route or VPN Gateway is not currently supported. A fix is being investigated.
2426
2527
> [!IMPORTANT]
26-
> DNAT isn't supported with forced tunneling enabled. Firewalls deployed with forced tunneling enabled can't support inbound access from the Internet because of asymmetric routing.
28+
> DNAT isn't supported with forced tunneling enabled. Firewalls deployed with Forced Tunneling enabled can't support inbound access from the Internet because of asymmetric routing. However, firewalls with a Management NIC still support DNAT.
2729
2830
## Forced tunneling configuration
2931

30-
You can configure forced tunneling during Firewall creation by enabling forced tunneling mode as shown in the following screenshot. To support forced tunneling, Service Management traffic is separated from customer traffic. Another dedicated subnet named **AzureFirewallManagementSubnet** (minimum subnet size /26) is required with its own associated public IP address. This public IP address is for management traffic. It's used exclusively by the Azure platform and can't be used for any other purpose.
31-
32-
In forced tunneling mode, the Azure Firewall service incorporates the Management subnet (AzureFirewallManagementSubnet) for its *operational* purposes. By default, the service associates a system-provided route table to the Management subnet. The only route allowed on this subnet is a default route to the Internet and *Propagate gateway* routes must be disabled. Avoid associating customer route tables to the Management subnet when you create the firewall.
33-
34-
:::image type="content" source="media/forced-tunneling/forced-tunneling-configuration.png" alt-text="Configure forced tunneling":::
35-
36-
Within this configuration, the *AzureFirewallSubnet* can now include routes to any on-premises firewall or NVA to process traffic before it's passed to the Internet. You can also publish these routes via BGP to *AzureFirewallSubnet* if **Propagate gateway routes** is enabled on this subnet.
32+
When the Firewall Management NIC is enabled, the *AzureFirewallSubnet* can now include routes to any on-premises firewall or NVA to process traffic before it's passed to the Internet. You can also publish these routes via BGP to *AzureFirewallSubnet* if **Propagate gateway routes** is enabled on this subnet.
3733

3834
For example, you can create a default route on the *AzureFirewallSubnet* with your VPN gateway as the next hop to get to your on-premises device. Or you can enable **Propagate gateway routes** to get the appropriate routes to the on-premises network.
3935

40-
:::image type="content" source="media/forced-tunneling/route-propagation.png" alt-text="Virtual network gateway route propagation":::
41-
42-
If you enable forced tunneling, Internet-bound traffic is SNATed to one of the firewall private IP addresses in AzureFirewallSubnet, hiding the source from your on-premises firewall.
36+
If you configure forced tunneling, Internet-bound traffic is SNATed to one of the firewall private IP addresses in AzureFirewallSubnet, hiding the source from your on-premises firewall.
4337

4438
If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. However, you can configure Azure Firewall to **not** SNAT your public IP address range. For more information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md).
4539

46-
Once you configure Azure Firewall to support forced tunneling, you can't undo the configuration. If you remove all other IP configurations on your firewall, the management IP configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP configuration can't be removed, but you can assign a different public IP address.
40+
## Related content
4741

48-
## Next steps
42+
- [Azure Firewall Management NIC](management-nic.md)
4943

50-
- [Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal](tutorial-hybrid-portal.md)
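Review bot: the removed line 46 ("Once you configure Azure Firewall to support forced tunneling, you can't undo the configuration.") has no counterpart in the new management-nic.md; the NOTE at its line 87 carries over only the two sentences about removing IP configurations. If enabling the Management NIC is still irreversible, that statement should survive (the new page's "What happens when you enable the Management NIC" section is the natural place); if it no longer holds, the PR should say so, since readers rely on it when planning a change. Smaller points: new line 14 ends with "you must create an Azure Firewall with the Firewall Management NIC enabled" but only links to management-nic.md from Related content, so an inline link there would help; new line 28 mixes "forced tunneling" and "Forced Tunneling" in one note; and the "Next steps" link to the hybrid-network tutorial (old line 50) is dropped rather than moved, so confirm that is intended.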

articles/firewall/management-nic.md

Lines changed: 91 additions & 0 deletions
@@ -0,0 +1,91 @@
1+
---
2+
title: Azure Firewall Management NIC
3+
description: You can configure a Management NIC to support the Forced Tunneling and Packet Capture features.
4+
services: firewall
5+
author: vhorne
6+
ms.date: 11/6/2024
7+
ms.service: azure-firewall
8+
ms.topic: concept-article
9+
ms.author: victorh
10+
---
11+
12+
# Azure Firewall Management NIC
13+
14+
> [!NOTE]
15+
> This feature was previously called Forced Tunneling. Originally, a Management NIC was required only for Forced Tunneling. However, upcoming Firewall features will also require a Management NIC, so it has been decoupled from Forced Tunneling. All relevant documentation has been updated to reflect this.
16+
17+
An Azure Firewall Management NIC separates firewall management traffic from customer traffic. Upcoming Firewall features will also require a Management NIC. To support any of these capabilities, you must create an Azure Firewall with the Firewall Management NIC enabled or enable it on an existing Azure Firewall. This is a mandatory requirement to avoid service disruption.
18+
19+
## What happens when you enable the Management NIC
20+
21+
If you enable a Management NIC, the firewall routes its management traffic via the AzureFirewallManagementSubnet (minimum subnet size /26) with its associated public IP address. You assign this public IP address for the firewall to manage traffic. It's used exclusively by the Azure platform and can't be used for any other purpose. All traffic required for firewall operational purposes is incorporated into the AzureFirewallManagementSubnet.
22+
23+
By default, the service associates a system-provided route table to the Management subnet. The only route allowed on this subnet is a default route to the Internet and *Propagate gateway routes* must be disabled. Avoid associating customer route tables to the Management subnet, as this can cause service disruptions if configured incorrectly. If you do associate a route table, then ensure it has a default route to the Internet to avoid service disruptions.
24+
25+
:::image type="content" source="media/management-nic/firewall-management-nic.png" alt-text="Screenshot showing the firewall management NIC dialog.":::
26+
27+
## Enable the Management NIC on existing firewalls
28+
29+
For Standard and Premium firewall versions, the Firewall Management NIC must be manually enabled during the create process as shown previously, but all Basic Firewall versions and all Secured Hub firewalls always have a Management NIC enabled.
30+
31+
For a pre-existing firewall, you must stop the firewall and then restart it with the Firewall Management NIC enabled to support Forced tunneling. Stopping/starting the firewall can be used to enable the Firewall Management NIC without the need to delete an existing firewall and redeploy a new one. You should always start/stop the firewall during maintenance hours to avoid disruptions, including when attempting to enable the Firewall Management NIC.
32+
33+
Use the following steps:
34+
35+
1. Create the `AzureFirewallManagementSubnet` on the Azure portal and use the appropriate IP address range for the virtual network.
36+
37+
:::image type="content" source="media/management-nic/firewall-management-subnet.png" alt-text="Screenshot showing add a subnet.":::
38+
1. Create the new management public IP address with the same properties as the existing firewall public IP address: SKU, Tier, and Location.
39+
40+
:::image type="content" source="media/management-nic/firewall-management-ip.png" lightbox="media/management-nic/firewall-management-ip.png" alt-text="Screenshot showing the public IP address creation.":::
41+
42+
1. Stop the firewall
43+
44+
Use the information in [Azure Firewall FAQ](firewall-faq.yml#how-can-i-stop-and-start-azure-firewall) to stop the firewall:
45+
46+
```azurepowershell
47+
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
48+
$azfw.Deallocate()
49+
Set-AzFirewall -AzureFirewall $azfw
50+
```
51+
52+
53+
1. Start the firewall with the management public IP address and subnet.
54+
55+
Start a firewall with one public IP address and a Management public IP address:
56+
57+
```azurepowershell
58+
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
59+
$vnet = Get-AzVirtualNetwork -Name "VNet Name" -ResourceGroupName "RG Name"
60+
$pip = Get-AzPublicIpAddress -Name "azfwpublicip" -ResourceGroupName "RG Name"
61+
$mgmtPip = Get-AzPublicIpAddress -Name "mgmtpip" -ResourceGroupName "RG Name"
62+
$azfw.Allocate($vnet, $pip, $mgmtPip)
63+
$azfw | Set-AzFirewall
64+
```
65+
66+
Start a firewall with two public IP addresses and a Management public IP address:
67+
68+
```azurepowershell
69+
$azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
70+
$vnet = Get-AzVirtualNetwork -Name "VNet Name" -ResourceGroupName "RG Name"
71+
$pip1 = Get-AzPublicIpAddress -Name "azfwpublicip" -ResourceGroupName "RG Name"
72+
$pip2 = Get-AzPublicIpAddress -Name "azfwpublicip2" -ResourceGroupName "RG Name"
73+
$mgmtPip = Get-AzPublicIpAddress -Name "mgmtpip" -ResourceGroupName "RG Name"
74+
$azfw.Allocate($vnet,@($pip1,$pip2), $mgmtPip)
75+
$azfw | Set-AzFirewall
76+
```
77+
78+
> [!NOTE]
79+
> You must reallocate a firewall and public IP to the original resource group and subscription. When stop/start is performed, the private IP address of the firewall may change to a different IP address within the subnet. This can affect the connectivity of previously configured route tables.
80+
81+
Now when you view the firewall in the Azure portal, you see the assigned Management public IP address:
82+
83+
:::image type="content" source="media/management-nic/firewall-with-management-ip.png" lightbox="media/management-nic/firewall-with-management-ip.png" alt-text="Screenshot showing the firewall with a management IP address.":::
84+
85+
86+
> [!NOTE]
87+
> If you remove all other IP address configurations on your firewall, the management IP address configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP address configuration can't be removed, but you can assign a different public IP address.
88+
89+
## Related content
90+
91+
- [Azure Firewall forced tunneling](forced-tunneling.md)
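Review bot: line 31 says a pre-existing firewall must be restarted with the Management NIC enabled "to support Forced tunneling", which contradicts the NOTE at line 15 stating the NIC has been decoupled from Forced Tunneling; suggest "to support any feature that requires it". The description on line 3 names Packet Capture as a feature the NIC supports, but the body only mentions "upcoming Firewall features", so either name Packet Capture in the body or drop it from the description. Line 23 first states "The only route allowed on this subnet is a default route to the Internet" and then allows a customer route table as long as it "has a default route to the Internet"; clarify whether additional routes are tolerated or only that one, because a wrong route table on this subnet breaks the firewall's management path, as the same line warns. Line 21, "You assign this public IP address for the firewall to manage traffic", is awkward and reads as if the IP handles customer traffic; suggest "The firewall uses this public IP address for its management traffic". Minor: "ms.date: 11/6/2024" (line 6) should be zero-padded to match the 09/10/2024 form used in forced-tunneling.md, and step "Stop the firewall" at line 42 is missing its period.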

articles/firewall/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -103,6 +103,8 @@ items:
103103
href: ip-groups.md
104104
- name: Forced tunneling
105105
href: forced-tunneling.md
106+
- name: Management NIC
107+
href: management-nic.md
106108
- name: Certifications
107109
href: compliance-certifications.md
108110
- name: Central management
