Merge pull request #249999 from vhorne/fw-dnat

prmerger-automator[bot] · web-flow · commit 614ffa8d80af · 2023-08-31T15:37:08.000Z
freshness review
diff --git a/articles/firewall/tutorial-firewall-dnat.md b/articles/firewall/tutorial-firewall-dnat.md
@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: how-to
-ms.date: 06/06/2022
+ms.date: 08/31/2023
 ms.author: victorh
 ms.custom: mvc
 #Customer intent: As an administrator, I want to deploy and configure Azure Firewall DNAT so that I can control inbound Internet access to resources located in a subnet.
@@ -15,15 +15,6 @@ ms.custom: mvc
 
 You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to **Dnat**. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see [Azure Firewall rule processing logic](rule-processing.md).
 
-In this article, you learn how to:
-
-> [!div class="checklist"]
-> * Set up a test network environment
-> * Deploy a firewall
-> * Create a default route
-> * Configure a DNAT rule
-> * Test the firewall
-
 > [!NOTE]
 > This article uses classic Firewall rules to manage the firewall. The preferred method is to use [Firewall Policy](../firewall-manager/policy-overview.md). To complete this procedure using Firewall Policy, see [Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal](tutorial-firewall-dnat-policy.md)
 
@@ -60,16 +51,16 @@ First, create the VNets and then peer them.
 7. For **Resource group**, select **RG-DNAT-Test**.
 1. For **Name**, type **VN-Hub**.
 1. For **Region**, select the same region that you used before.
-1. Select **Next: IP Addresses**.
+1. Select **Next**.
+1. On the **Security** tab, select **Next**.
 1. For **IPv4 Address space**, accept the default **10.0.0.0/16**.
-1. Under **Subnet name**, select **default**.
-1. Edit the **Subnet name** and type **AzureFirewallSubnet**.
+1. Under **Subnets**, select **default**.
+1. For **Subnet template**, select  **Azure Firewall**.
 
      The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.
      > [!NOTE]
      > The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).
 
-10. For **Subnet address range**, type **10.0.1.0/26**.
 11. Select **Save**.
 1. Select **Review + create**.
 1. Select **Create**.
@@ -82,12 +73,14 @@ First, create the VNets and then peer them.
 1. For **Resource group**, select **RG-DNAT-Test**.
 1. For **Name**, type **VN-Spoke**.
 1. For **Region**, select the same region that you used before.
-1. Select **Next: IP Addresses**.
+1. Select **Next**.
+1. On the **Security** tab, select **Next**.
 1. For **IPv4 Address space**, edit the default and type **192.168.0.0/16**.
-1. Select **Add subnet**.
-1. For the **Subnet name** type **SN-Workload**.
-10. For **Subnet address range**, type **192.168.1.0/24**.
-11. Select **Add**.
+1. Under **Subnets**, select **default**.
+1. For the subnet **Name** type **SN-Workload**.
+1. For **Starting address**, type **192.168.1.0**.
+1. For **Subnet size**, select **/24**.
+1. Select **Save**.
 1. Select **Review + create**.
 1. Select **Create**.
 
@@ -108,7 +101,7 @@ Now peer the two VNets.
 Create a workload virtual machine, and place it in the **SN-Workload** subnet.
 
 1. From the Azure portal menu, select **Create a resource**.
-2. Under **Popular**, select **Windows Server 2019 Datacenter**.
+2. Under **Popular Marketplace products**, select **Windows Server 2019 Datacenter**.
 
 **Basics**
 
@@ -132,14 +125,18 @@ Create a workload virtual machine, and place it in the **SN-Workload** subnet.
 
 **Management**
 
+1. Select **Next: Monitoring**.
+
+**Monitoring**
+
 1. For **Boot diagnostics**, select **Disable**.
 1. Select **Review + Create**.
 
 **Review + Create**
 
-Review the summary, and then select **Create**. This will take a few minutes to complete.
+Review the summary, and then select **Create**. This takes a few minutes to complete.
 
-After deployment finishes, note the private IP address for the virtual machine. It will be used later when you configure the firewall. Select the virtual machine name, and under **Settings**, select **Networking** to find the private IP address.
+After deployment finishes, note the private IP address for the virtual machine. It is used later when you configure the firewall. Select the virtual machine name. Select **Overview**, and under **Networking** note the private IP address.
 
 [!INCLUDE [ephemeral-ip-note.md](../../includes/ephemeral-ip-note.md)]
 
@@ -156,15 +153,15 @@ After deployment finishes, note the private IP address for the virtual machine.
    |Resource group     |Select **RG-DNAT-Test** |
    |Name     |**FW-DNAT-test**|
    |Region     |Select the same location that you used previously|
-   |Firewall tier|**Standard**|
+   |Firewall SKU|**Standard**|
    |Firewall management|**Use Firewall rules (classic) to manage this firewall**|
    |Choose a virtual network     |**Use existing**: VN-Hub|
    |Public IP address     |**Add new**, Name: **fw-pip**.|
 
 5. Accept the other defaults, and then select **Review + create**.
 6. Review the summary, and then select **Create** to create the firewall.
 
-   This will take a few minutes to deploy.
+   This takes a few minutes to deploy.
 7. After deployment completes, go to the **RG-DNAT-Test** resource group, and select the **FW-DNAT-test** firewall.
 8. Note the firewall's private and public IP addresses. You'll use them later when you create the default route and NAT rule.
 
@@ -175,8 +172,8 @@ For the **SN-Workload** subnet, you configure the outbound default route to go t
 > [!IMPORTANT]
 > You do not need to configure an explicit route back to the firewall at the destination subnet. Azure Firewall is a stateful service and handles the packets and sessions automatically. If you create this route, you'll create an asymmetrical routing environment that interrupts the stateful session logic and results in dropped packets and connections.
 
-1. From the Azure portal home page, select **All services**.
-2. Under **Networking**, select **Route tables**.
+1. From the Azure portal home page, select **Create a resource**.
+2. Search for **Route table** and select it.
 3. Select **Create**.
 5. For **Subscription**, select your subscription.
 1. For **Resource group**, select **RG-DNAT-Test**.
@@ -191,7 +188,7 @@ For the **SN-Workload** subnet, you configure the outbound default route to go t
 1. Select **OK**.
 1. Select **Routes**, and then select **Add**.
 1. For **Route name**, type **FW-DG**.
-1. For **Address prefix destination**, select **IP Addresses**.
+1. For **Destination type**, select **IP Addresses**.
 1. For **Destination IP addresses/CIDR ranges**, type **0.0.0.0/0**.
 1. For **Next hop type**, select **Virtual appliance**.
 
@@ -214,7 +211,9 @@ For the **SN-Workload** subnet, you configure the outbound default route to go t
 1. For **Destination ports**, type **3389**. 
 1. For **Translated Address** type the private IP address for the Srv-Workload virtual machine. 
 1. For **Translated port**, type **3389**. 
-1. Select **Add**. This will take a few minutes to complete.
+1. Select **Add**.
+
+This takes a few minutes to complete.
 
 ## Test the firewall
 
