MicrosoftDocs
diff --git a/‎articles/active-directory-b2c/custom-domain.md
Lines changed: 2 additions & 2 deletions b/‎articles/active-directory-b2c/custom-domain.md
Lines changed: 2 additions & 2 deletions
diff --git a/‎articles/dns/dns-operations-dnszones-cli.md
Lines changed: 1 addition & 1 deletion b/‎articles/dns/dns-operations-dnszones-cli.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/dns/dns-protect-zones-recordsets.md
Lines changed: 1 addition & 1 deletion b/‎articles/dns/dns-protect-zones-recordsets.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎articles/firewall/management-nic.md
Lines changed: 35 additions & 1 deletion b/‎articles/firewall/management-nic.md
Lines changed: 35 additions & 1 deletion
diff --git a/‎articles/frontdoor/blue-green-deployment.md
Lines changed: 1 addition & 1 deletion b/‎articles/frontdoor/blue-green-deployment.md
Lines changed: 1 addition & 1 deletion
@@ -108,7 +108,7 @@ Follow these steps to create an Azure Front Door:
 
 1. To choose the directory that contains the Azure subscription that you’d like to use for Azure Front Door and *not* the directory containing your Azure AD B2C tenant select the **Settings** icon in the top menu to switch to your Azure AD B2C tenant from the **Directories + subscriptions** menu.
 
-1. Follow the steps in [Create Front Door profile - Quick Create](../frontdoor/create-front-door-portal.md#create-front-door-profile---quick-create) to create a Front Door for your Azure AD B2C tenant using the following settings: 
+1. Follow the steps in [Create Front Door profile - Quick Create](../frontdoor/create-front-door-portal.md#create-an-azure-front-door-profile) to create a Front Door for your Azure AD B2C tenant using the following settings: 
 
 
     |Key  |Value  |
@@ -202,7 +202,7 @@ To create a CNAME record for your custom domain:
 The **default-route** routes the traffic from the client to Azure Front Door. Then, Azure Front Door uses your configuration to send the traffic to Azure AD B2C. Follow these steps to enable the default-route.
 
 1. Select **Front Door manager**.
-1. To add enable the **default-route**, first expand an endpoint from the list of endpoints in the Front Door manager. Then, select the **default-route**. 
+1. To enable the **default-route**, first expand an endpoint from the list of endpoints in the Front Door manager. Then, select the **default-route**. 
 
     The following screenshot shows how to select the default-route.
 
 
@@ -119,7 +119,7 @@ The following example is the response.
 ```json
 {
   "etag": "00000002-0000-0000-3d4d-64aa3689d201",
-  "id": "/subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups/myresourcegroup/providers/Microsoft.Network/dnszones/contoso.com",
+  "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myresourcegroup/providers/Microsoft.Network/dnszones/contoso.com",
   "location": "global",
   "maxNumberOfRecordSets": 5000,
   "name": "contoso.com",
 
@@ -152,7 +152,7 @@ The following example shows a custom role definition for managing CNAME records
     "NotActions": [
     ],
     "AssignableScopes": [
-        "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
+        "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"
     ]
 }
 ```
 
@@ -86,6 +86,40 @@ Now when you view the firewall in the Azure portal, you see the assigned Managem
 > [!NOTE]
 > If you remove all other IP address configurations on your firewall, the management IP address configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP address configuration can't be removed, but you can assign a different public IP address.
 
+## Deploying a New Azure Firewall with Management NIC for Forced Tunneling
+
+If you prefer to deploy a new Azure Firewall instead of the Stop/Start method, make sure to include a Management Subnet and Management NIC as part of your configuration.
+
+**Important Note**
+* **Single Firewall per Virtual Network (VNET)**: Since two firewalls cannot exist within the same virtual network, it is recommended to delete the old firewall before starting the new deployment if you plan to reuse the same VNET.
+* **Pre-create Subnet**: Ensure the **AzureFirewallManagementSubnet** is created in advance to avoid deployment issues when using an existing VNET.
+
+**Prerequisites**
+* Create the **AzureFirewallManagementSubnet**:
+    * Minimum subnet size: /26
+    * Example: 10.0.1.0/26
+
+**Deployment Steps**
+1. Go to **Create a Resource** in the Azure Portal.
+1.	Search for **Firewall** and select **Create**.
+1.	On the Create a Firewall page, configure the following:
+    * **Subscription**: Select your subscription.
+    * **Resource Group**: Select or create a new resource group.
+    * **Name**: Enter a name for the firewall.
+    * **Region**: Choose your region.
+    * **Firewall SKU**: Select Basic, Standard, or Premium.
+    * **Virtual Network**: Create a new virtual network or use an existing one.
+         * Address space: e.g., 10.0.0.0/16
+         * Subnet for AzureFirewallSubnet: e.g., 10.0.0.0/26
+    * **Public IP Address**: Add new Public IP
+         * Name: e.g., FW-PIP
+1.	Firewall Management NIC
+    * Select **Enable Firewall Management NIC**
+         * Subnet for AzureFirewallManagementSubnet: e.g., 10.0.1.0/24
+         * Create Management public IP address: e.g., Mgmt-PIP
+1.	Select **Review + Create** to validate and deploy the firewall. This will take a few minutes to deploy. 
+
+
 ## Related content
 
-- [Azure Firewall forced tunneling](forced-tunneling.md)
+- [Azure Firewall forced tunneling](forced-tunneling.md)
@@ -79,7 +79,7 @@ Azure Front Door is Microsoft's modern cloud Content Delivery Network (CDN) that
     > [!NOTE]
     > Initially, set the weight of the current origin higher than the new origin to ensure most traffic is routed to the current origin. Gradually increase the weight of the new origin and decrease the weight of the current origin as you test. The total weight doesn't need to be 100, but it helps visualize traffic distribution. The example sets the existing origin to receive three times as much traffic as the new origin.
 
-1. Enable session affinity if your application requires it. For more information, see [Session affinity](routing-methods.md#session-affinity).
+1. Enable session affinity if your application requires it. For more information, see [Session affinity](routing-methods.md). 
 
     > [!NOTE]
     > *Session affinity* ensures the end user is routed to the same origin after the first request. Enable this feature based on your application and the type of enhancements being rolled out. For major revisions, enable session affinity to keep users on the new codebase. For minor enhancements, you can leave session affinity disabled. When in doubt, enable session affinity.
Original file line number	Diff line number	Diff line change
`@@ -119,7 +119,7 @@ The following example is the response.`
`119`	`119`	```json
`120`	`120`	`{`
`121`	`121`	`"etag": "00000002-0000-0000-3d4d-64aa3689d201",`
`122`		`- "id": "/subscriptions/147a22e9-2356-4e56-b3de-1f5842ae4a3b/resourceGroups/myresourcegroup/providers/Microsoft.Network/dnszones/contoso.com",`
	`122`	`+ "id": "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e/resourceGroups/myresourcegroup/providers/Microsoft.Network/dnszones/contoso.com",`
`123`	`123`	`"location": "global",`
`124`	`124`	`"maxNumberOfRecordSets": 5000,`
`125`	`125`	`"name": "contoso.com",`
Original file line number	Diff line number	Diff line change
`@@ -152,7 +152,7 @@ The following example shows a custom role definition for managing CNAME records`
`152`	`152`	`"NotActions": [`
`153`	`153`	`],`
`154`	`154`	`"AssignableScopes": [`
`155`		`- "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"`
	`155`	`+ "/subscriptions/aaaa0a0a-bb1b-cc2c-dd3d-eeeeee4e4e4e"`
`156`	`156`	`]`
`157`	`157`	`}`
`158`	`158`	```