Merge pull request #100788 from vhorne/fwm-vnet-support

Start Firewall Manager VNet support articles

Author: ttorble

articles/firewall-manager/deployment-overview.md

@@ -5,7 +5,7 @@ author: vhorne
 ms.service: firewall-manager
 services: firewall-manager
 ms.topic: overview
-ms.date: 10/25/2019
+ms.date: 02/18/2020
 ms.author: victorh
 ---
 
@@ -15,23 +15,32 @@ ms.author: victorh
 
 There's more than one way to deploy Azure Firewall Manager Preview, but the following general process is recommended.
 
-## Prerequisites
+## General deployment process
+
+### Hub virtual networks
 
-> [!IMPORTANT]
-> Azure Firewall Manager Preview must be explicitly enabled using the `Register-AzProviderFeature` PowerShell command.
->From a PowerShell command prompt, run the following commands:
->
->```azure-powershell
->connect-azaccount
->Register-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network
->```
->It takes up to 30 minutes for the feature registration to complete. Run the following command to check your >registration status:
->
->`Get-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network`
+1.	Create a firewall policy
 
+    - Create a new policy
+<br>*or*<br>
+    - Derive a base policy and customize a local policy
+<br>*or*<br>
+    - Import rules from an existing Azure Firewall. Make sure to remove NAT rules from policies that should be applied across multiple firewalls
+1. Create your hub and spoke architecture
+   - Create a Hub Virtual Network using Azure Firewall Manager and peer spoke virtual networks to it using virtual network peering
+<br>*or*<br>
+    - Create a virtual network and add virtual network connections and peer spoke virtual networks to it using virtual network peering
 
+3. Select security providers and associate firewall policy. Currently, only Azure Firewall is a supported provider.
 
-## General deployment process
+   - This is done while you create a Hub Virtual Network
+<br>*or*<br>
+    - Convert an existing virtual network to a Hub Virtual Network. It is also possible to convert multiple virtual networks.
+
+4. Configure User Define Routes to route traffic to your Hub Virtual Network firewall.
+
+
+### Secured virtual hubs
 
 1. Create your hub and spoke architecture
 

articles/firewall-manager/media/overview/firewallmanagerv4.png

@@ -1,15 +1,15 @@
 ---
-title: How to migrate Azure Firewall configurations to Azure Firewall policy (preview)
+title: Migrate Azure Firewall configurations to Azure Firewall policy (preview) using PowerShell
 description: Learn How to migrate Azure Firewall configurations to Azure Firewall policy (preview)
 author: vhorne
 ms.service: firewall-manager
 services: firewall-manager
 ms.topic: conceptual
-ms.date: 10/25/2019
+ms.date: 02/18/2020
 ms.author: victorh
 ---
 
-# How to migrate Azure Firewall configurations to Azure Firewall policy (preview)
+# Migrate Azure Firewall configurations to Azure Firewall policy (preview) using Powershell
 
 [!INCLUDE [Preview](../../includes/firewall-manager-preview-notice.md)]
 

articles/firewall-manager/media/overview/firewallmanagerv5.png

@@ -5,17 +5,28 @@ author: vhorne
 ms.service: firewall-manager
 services: firewall-manager
 ms.topic: overview
-ms.date: 12/06/2019
+ms.date: 02/18/2020
 ms.author: victorh
 ---
 
 # What is Azure Firewall Manager Preview?
 
 [!INCLUDE [Preview](../../includes/firewall-manager-preview-notice.md)]
 
-Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters. It works with [Azure Virtual WAN Hub](../virtual-wan/virtual-wan-about.md#resources), a  Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a *[secured virtual hub](secured-virtual-hub.md)*. 
+Azure Firewall Manager Preview is a security management service that provides central security policy and route management for cloud-based security perimeters. 
 
-![firewall-manager](media/overview/firewallmanagerv3.png)
+Firewall Manager can provide security management for two network architecture types:
+
+- **secured virtual hub**
+
+   An [Azure Virtual WAN Hub](../virtual-wan/virtual-wan-about.md#resources) is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a *[secured virtual hub](secured-virtual-hub.md)*. 
+- **hub virtual network**
+
+   This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a *hub virtual network*. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that are not peered to any spoke.
+
+For a detailed comparison of *secured virtual hub* and *hub virtual network* architectures, see [What are the Azure Firewall Manager architecture options?](vhubs-and-vnets.md).
+
+![firewall-manager](media/overview/firewallmanagerv5.png)
 
 ## Azure Firewall Manager Preview features
 
@@ -33,6 +44,8 @@ You can use Azure Firewall Manager Preview to centrally manage Azure Firewall po
 
 In addition to Azure Firewall, you can integrate third-party security as a service (SECaaS) providers to provide additional network protection for your VNet and branch Internet connections.
 
+This feature is available only with secured virtual hub deployments.
+
 - VNet to Internet (V2I) traffic filtering
 
    - Filter outbound virtual network traffic with your preferred third-party security provider.
@@ -46,32 +59,29 @@ For more information about trusted security providers, see [What are Azure Firew
 
 ### Centralized route management
 
-Easily route traffic to your secured hub for filtering and logging without the need to manually set up User Defined Routes (UDR) on spoke virtual networks. You can use third-party providers for Branch to Internet (B2I) traffic filtering, side by side with Azure Firewall for Branch to VNet (B2V), VNet to VNet (V2V) and VNet to Internet (V2I). You can also use third-party providers for V2I traffic filtering as long as Azure Firewall is not required for B2V or V2V. 
+Easily route traffic to your secured hub for filtering and logging without the need to manually set up User Defined Routes (UDR) on spoke virtual networks. 
 
-## Region availability
+This feature is available only with secured virtual hub deployments.
 
-The following regions are supported for the public preview:
+You can use third-party providers for Branch to Internet (B2I) traffic filtering, side by side with Azure Firewall for Branch to VNet (B2V), VNet to VNet (V2V) and VNet to Internet (V2I). You can also use third-party providers for V2I traffic filtering as long as Azure Firewall is not required for B2V or V2V. 
 
-- West Europe, North Europe, France Central, France South, UK South, UK West
-- Australia East, Australia Central, Australia Central 2, Australia Southeast
-- Canada Central
-- East US, West US, East US 2, South Central US, West US 2, Central US, North Central US, West Central US
+## Region availability
 
-Azure Firewall Policies can only be created in these regions, but they can be used across regions. For example, you can create a policy in West US, and use it in East US. 
+Azure Firewall Policies can be used across regions. For example, you can create a policy in West US, and use it in East US. 
 
 ## Known issues
 
 Azure Firewall Manager Preview has the following known issues:
 
 |Issue  |Description  |Mitigation  |
 |---------|---------|---------|
-|Manually created central VNets not supported|Currently, Azure Firewall Manager supports networks created with Virtual Hubs. Using your own manually created hub VNet is not yet supported.|For now, use Azure Firewall Manager with hub and spoke networks created with Virtual Hubs.<br>Fix in progress.
 |Third-party filtering limitations|V2I traffic filtering with third-party providers is not supported with Azure Firewall B2V and V2V.|Currently investigating.|
 |Traffic splitting not currently supported|Office 365 and Azure Public PaaS traffic splitting is not currently supported. As such, selecting a third-party provider for V2I or B2I also sends all Azure Public PaaS and Office 365 traffic via the partner service.|Currently investigating traffic splitting at the hub.
-|One hub per region|You can't have more than one hub per region|Create multiple virtual WANs in a region.|
+|One secured virtual hub per region|You can't have more than one secured virtual hub per region|Create multiple virtual WANs in a region.|
 |Base policies must be in same region as local policy|Create all your local policies in the same region as the base policy. You can still apply a policy that was created in one region on a secured hub from another region.|Currently investigating.|
 |Inter-hub communication not working with Secured Virtual Hub|Secured Virtual Hub to Secured Virtual Hub communication is not yet supported.|Currently investigating.|
 |All Secured Virtual Hubs sharing the same virtual WAN must be in the same resource group.|This behavior is aligned with Virtual WAN Hubs today.|Create multiple Virtual WANs to allow Secured Virtual Hubs to be created in different resource groups.|
+|IP Groups are not supported in Firewall Policy|IP Groups are in public preview and currently only supported with traditional firewall rules|Fix in progress
 
 ## Next steps
 

articles/firewall-manager/media/secure-hybrid-network/gateway-connections.png

@@ -1,36 +1,33 @@
 ---
-title: 'Tutorial: Use Azure Firewall Manager Preview to secure your cloud network using the Azure portal'
-description: In this tutorial, you learn how to secure your cloud network with Azure Firewall Manager using the Azure portal. 
+title: 'Tutorial: Secure your virtual WAN using Azure Firewall Manager preview'
+description: In this tutorial, you learn how to secure your virtual WAN with Azure Firewall Manager using the Azure portal. 
 services: firewall-manager
 author: vhorne
 ms.service: firewall-manager
 ms.topic: tutorial
-ms.date: 10/27/2019
+ms.date: 02/18/2020
 ms.author: victorh
 ---
 
-# Tutorial: Secure your cloud network with Azure Firewall Manager Preview using the Azure portal
+# Tutorial: Secure your virtual WAN using Azure Firewall Manager preview 
 
 [!INCLUDE [Preview](../../includes/firewall-manager-preview-notice.md)]
 
-Using Azure Firewall Manager Preview, you can create secured hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user defined routes (UDRs).
+Using Azure Firewall Manager Preview, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user defined routes (UDRs).
 
 ![secure the cloud network](media/secure-cloud-network/secure-cloud-network.png)
 
-## Prerequisites
+Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see [What are the Azure Firewall Manager architecture options?](vhubs-and-vnets.md)
 
-> [!IMPORTANT]
-> Azure Firewall Manager Preview must be explicitly enabled using the `Register-AzProviderFeature` PowerShell command.
+In this tutorial, you learn how to:
 
-From a PowerShell command prompt, run the following commands:
-
-```azure-powershell
-connect-azaccount
-Register-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network
-```
-It takes up to 30 minutes for the feature registration to complete. Run the following command to check your registration status:
-
-`Get-AzProviderFeature -FeatureName AllowCortexSecurity -ProviderNamespace Microsoft.Network`
+> [!div class="checklist"]
+> * Create the spoke virtual network
+> * Create a secured virtual hub
+> * Connect the hub and spoke VNets
+> * Create a firewall policy and secure your hub
+> * Route traffic to your hub
+> * Test the firewall
 
 ## Create a hub and spoke architecture
 
@@ -146,7 +143,7 @@ To test your firewall rules, you'll need to deploy a couple servers. You'll depl
    |Virtual machine name     |**Jump-Srv**|
    |Region     |**(US) East US)**|
    |Administrator user name     |**azureuser**|
-   |Password     |**Azure123456!**|
+   |Password     |type your password|
 
 4. Under **Inbound port rules**, for **Public inbound ports**, select **Allow selected ports**.
 5. For **Select inbound ports**, select **RDP (3389)**.