Commit 5bb6dbb

Merge pull request #299501 from varunkalyana/patch-2
Rule processing logic- (removed preview on DNAT)
2 parents 09b73e6 + 2bc315c commit 5bb6dbb

5 files changed

+14
-21
lines changed

articles/firewall/firewall-known-issues.md

Lines changed: 1 addition & 0 deletions
@@ -31,6 +31,7 @@ Azure Firewall Standard has the following known issues:
3131
|Issue |Description |Mitigation |
3232
|---------|---------|---------|
3333
|DNAT support for private IP addresses limited to Standard and Premium versions|Support for DNAT on Azure Firewall private IP address is intended for enterprises, so is limited to the Standard and Premium Firewall versions.| None|
34+
|Azure Firewall deallocation and allocation process isn't supported when private IP DNAT rules are configured| The Azure Firewall allocation process will fail when private DNAT rules are configured | 1. Deallocate the Azure Firewall </br>2. Delete all the private IP DNAT rules </br>3. Allocate the Azure Firewall and wait until the private IP gets populated </br>4. Reconfigure the private IP DNAT rules with the appropriate private IP address |
3435
|Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](../load-balancer/outbound-rules.md#limitations). We're exploring options to support this scenario in a future release.|
3536
|When an Azure Firewall is deallocated and then allocated again, sometimes it may be assigned a new private IP address that differs from the previous one.| After the deallocation and application process of the Azure Firewall, a private IP address is assigned dynamically from the Azure Firewall subnet. When a new private IP address is assigned that is different from the previous one, it will cause routing issues. |The existing User Defined Routes (UDRs) configured with the old private IP address will need to be reconfigured to reflect the new private IP address. A fix is being investigated to retain the private IP address after the allocation process.|
3637
|Azure Firewall DNS proxy server configurations in the parent policy is not inherited by child policies.|Changes made to the Azure Firewall parent policy will result in DNS resolution failures for Fully Qualified Domain Name (FQDN) based rules within the child policies that are linked to the parent policy.| To avoid this issue, configure the DNS proxy settings directly on the child policies instead of relying on inheritance from the parent policy. A fix is being investigated to allow child policies to interhit DNS configurations from the parent policy.|
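Review bot: the new row (line 34) disagrees with itself on what the problem is: the issue column says the deallocate/allocate process "isn't supported", the description says the allocation process "will fail"; state the one behaviour that actually happens (allocation fails while private IP DNAT rules exist) so the reader knows which step to expect to break. Two smaller points on the same row: `</br>` is a malformed closing form of a void element, use `<br>` (or `<br/>`) like the rest of these tables; and step 4 ("Reconfigure the private IP DNAT rules with the appropriate private IP address") depends on the issue two rows below (a different private IP may be assigned after reallocation), so add a pointer that any UDRs must be updated to the new private IP as well, otherwise the reconfigured DNAT rules will translate to an address that nothing routes to.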

articles/firewall/firewall-preview.md

Lines changed: 0 additions & 8 deletions
@@ -43,14 +43,6 @@ For more information, see [Resource Health overview](/azure/service-health/resou
4343

4444
You can configure Azure Firewall to autolearn both registered and private ranges every 30 minutes. For information, see [Azure Firewall SNAT private IP address ranges](snat-private-range.md#auto-learn-snat-routes-preview).
4545

46-
### Private IP address DNAT rules (preview)
47-
48-
You can now configure a DNAT rule on Azure Firewall Policy with the private IP address of the Azure Firewall as the destination. Previously, DNAT rules only worked with Azure Firewall Public IP addresses.
49-
This capability helps with connectivity between overlapped IP networks, which is a common scenario for enterprises when onboarding new partners to their network or merging with new acquisitions.
50-
This is also relevant for hybrid scenarios, connecting on-premises datacenters to Azure, where DNAT bridges the gap, enabling communication between private resources over nonroutable IP addresses.
51-
52-
For more information, see [Private IP DNAT Support and Scenarios with Azure Firewall](https://techcommunity.microsoft.com/t5/azure-network-security-blog/private-ip-dnat-support-and-scenarios-with-azure-firewall/ba-p/4230073).
53-
5446
## Change tracking (preview)
5547

5648
The *Change tracking* feature provides detailed insights into changes made to Azure Firewall configurations, specifically within *Rule Collection Groups*. It uses [Azure Resource Graph (ARG)](../governance/resource-graph/overview.md) to enable efficient monitoring and analysis of changes, enhancing visibility, accountability, and troubleshooting.
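Review bot: deleting the "Private IP address DNAT rules (preview)" section drops the only place in the docs that explains why the feature exists (overlapping IP networks after mergers/partner onboarding, hybrid on-premises connectivity over nonroutable addresses) and the link to the Tech Community post, and none of the other four files in this PR picks that text up. Move the two scenario paragraphs and the `techcommunity.microsoft.com` link into the DNAT section of rule-processing.md or into tutorial-firewall-dnat-policy.md before removing them here; otherwise the GA docs end up with less information than the preview docs had.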

articles/firewall/rule-processing.md

Lines changed: 4 additions & 4 deletions
@@ -2,11 +2,11 @@
22
title: Azure Firewall rule processing logic
33
description: Azure Firewall has NAT rules, network rules, and applications rules. The rules are processed according to the rule type.
44
services: firewall
5-
author: duongau
5+
author: varunkalyana
66
ms.service: azure-firewall
77
ms.topic: concept-article
8-
ms.date: 07/02/2024
9-
ms.author: duau
8+
ms.date: 05/07/2025
9+
ms.author: varunkalyana
1010
---
1111
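Review bot: the `author`/`ms.author` swap from duongau/duau to varunkalyana in this front matter (repeated in the other three changed files) is unrelated to the stated purpose of the PR, "removed preview on DNAT"; if the ownership transfer is intended, say so in the PR description, otherwise limit this hunk to the `ms.date` bump so the blame history for these pages stays meaningful.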

1212
# Configure Azure Firewall rules
@@ -135,7 +135,7 @@ If still no match is found within application rules, then the packet is evaluate
135135

136136
### DNAT rules and Network rules
137137

138-
Inbound Internet or intranet (preview) connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal](../firewall/tutorial-firewall-dnat.md). NAT rules are applied in priority before network rules. If a match is found, the traffic is translated according to the DNAT rule and allowed by the firewall. So the traffic isn't subject to any further processing by other network rules. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards.
138+
Inbound Internet or intranet connectivity can be enabled by configuring Destination Network Address Translation (DNAT) as described in [Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal](../firewall/tutorial-firewall-dnat.md). NAT rules are applied in priority before network rules. If a match is found, the traffic is translated according to the DNAT rule and allowed by the firewall. So the traffic isn't subject to any further processing by other network rules. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards.
139139

140140
Application rules aren't applied for inbound connections. So, if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF). For more information, see [What is Azure Web Application Firewall](../web-application-firewall/overview.md)?
141141
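Review bot: dropping "(preview)" from "intranet" at line 138 leaves the sentence implying private IP DNAT works on every SKU, while the known-issues row added in this same PR says it "is limited to the Standard and Premium Firewall versions"; add that qualifier here, for example "Inbound Internet or intranet (Standard and Premium SKUs only) connectivity can be enabled by configuring Destination Network Address Translation (DNAT) ...", so a Basic SKU reader does not build on a rule type that is not available to them.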

articles/firewall/tutorial-firewall-dnat-policy.md

Lines changed: 4 additions & 4 deletions
@@ -2,18 +2,18 @@
22
title: 'Tutorial: Filter inbound Internet or intranet traffic with Azure Firewall DNAT policy using the portal'
33
description: In this tutorial, you learn how to deploy and configure Azure Firewall policy DNAT using the Azure portal.
44
services: firewall
5-
author: duongau
5+
author: varunkalyana
66
ms.service: azure-firewall
77
ms.topic: tutorial
8-
ms.date: 08/26/2021
9-
ms.author: duau
8+
ms.date: 05/07/2025
9+
ms.author: varunkalyana
1010
ms.custom: mvc
1111
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall policy DNAT so that I can control inbound Internet access to resources located in a subnet.
1212
---
1313

1414
# Tutorial: Filter inbound Internet or intranet traffic with Azure Firewall policy DNAT using the Azure portal
1515

16-
You can configure Azure Firewall policy Destination Network Address Translation (DNAT) to translate and filter inbound Internet or intranet (preview) traffic to your subnets. When you configure DNAT, the *rule collection action* is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
16+
You can configure Azure Firewall policy Destination Network Address Translation (DNAT) to translate and filter inbound internet or intranet traffic to your subnets. When you configure DNAT, the *rule collection action* is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
1717

1818
In this tutorial, you learn how to:
1919

articles/firewall/tutorial-firewall-dnat.md

Lines changed: 5 additions & 5 deletions
@@ -2,18 +2,18 @@
22
title: Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the portal
33
description: In this article, you learn how to deploy and configure Azure Firewall DNAT using the Azure portal.
44
services: firewall
5-
author: duongau
5+
author: varunkalyana
66
ms.service: azure-firewall
77
ms.topic: how-to
8-
ms.date: 03/17/2025
9-
ms.author: duau
8+
ms.date: 05/07/2025
9+
ms.author: varunkalyana
1010
ms.custom: mvc
11-
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall DNAT so that I can control inbound Internet access to resources located in a subnet.
11+
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall DNAT so that I can control inbound internet access to resources located in a subnet.
1212
---
1313

1414
# Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal
1515

16-
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets or intranet traffic between private networks (preview). When you configure DNAT, the NAT rule collection action is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall's public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, it's recommended to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
16+
You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound internet traffic to your subnets or intranet traffic between private networks. When you configure DNAT, the NAT rule collection action is set to **DNAT**. Each rule in the NAT rule collection can then be used to translate your firewall's public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, it's recommended to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
1717

1818
> [!NOTE]
1919
> This article uses classic Firewall rules to manage the firewall. The preferred method is to use [Firewall Policy](../firewall-manager/policy-overview.md). To complete this procedure using Firewall Policy, see [Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal](tutorial-firewall-dnat-policy.md).
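Review bot: the NOTE at line 19 still links with the text "Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal", while the target page's H1 (also in this PR) is "Tutorial: Filter inbound Internet or intranet traffic with Azure Firewall policy DNAT using the Azure portal"; update the link text to match so readers looking for the intranet case do not skip past it. Same casing inconsistency as the policy tutorial: lines 11 and 16 now say "internet", but the `title` at line 2, the H1 at line 14 and the NOTE keep "Internet".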
