Merge pull request #5 from abhinavsriram/docs-editor/management-nic-1728059764

vhorne · web-flow · commit 7c201cb18975 · 2024-10-04T12:18:48.000-07:00
some small updates to the article
diff --git a/articles/firewall/management-nic.md b/articles/firewall/management-nic.md
@@ -14,71 +14,46 @@ ms.author: victorh
 > [!NOTE]
 > This feature was previously called Forced Tunneling. Originally, a Management NIC was required only for Forced Tunneling. However, now Packet capture (preview) also requires a Management NIC, so it has been decoupled from Forced Tunneling. All relevant documentation has been updated to reflect this.
 
-An Azure Firewall Management NIC separates firewall management traffic from customer traffic. The Firewall Management NIC helps support two features today: Forced Tunneling and Packet Capture (preview). To support either of these capabilities, you must create an Azure Firewall with the Firewall Management NIC enabled. This is a mandatory requirement to avoid service disruption.
+An Azure Firewall Management NIC separates firewall management traffic from customer traffic. The Firewall Management NIC helps support two features today: Forced Tunneling and Packet Capture (preview). To support either of these capabilities, you must create an Azure Firewall with the Firewall Management NIC enabled or enable it on an existing Azure Firewall. This is a mandatory requirement to avoid service disruption.
 
 ## What happens when you enable the Management NIC
 
-If you enable a Management NIC, the firewall routes its management traffic via the AzureFirewallManagementSubnet (minimum subnet size /26) with its associated public IP address. You assign this public IP address for the firewall to manage traffic. It's used exclusively by the Azure platform and can't be used for any other purpose. All traffic required for firewall operational purposes is incorporated into the Management subnet. By default, the service associates a system-provided route table to the Management subnet. The only route allowed on this subnet is a default route to the Internet and *Propagate gateway routes* must be disabled. Avoid associating customer route tables to the Management subnet, as this can cause service disruptions if configured incorrectly. If you do associate a route table, then ensure it has a default route to the Internet to avoid service disruptions.
+If you enable a Management NIC, the firewall routes its management traffic via the AzureFirewallManagementSubnet (minimum subnet size /26) with its associated public IP address. You assign this public IP address for the firewall to manage traffic. It's used exclusively by the Azure platform and can't be used for any other purpose. All traffic required for firewall operational purposes is incorporated into the AzureFirewallManagementSubnet. 
 
-:::image type="content" source="media/management-nic/firewall-management-nic.png" alt-text="Screenshot showing the firewall management NIC dialog.":::
-
-## Enable the Management NIC
+By default, the service associates a system-provided route table to the Management subnet. The only route allowed on this subnet is a default route to the Internet and *Propagate gateway routes* must be disabled. Avoid associating customer route tables to the Management subnet, as this can cause service disruptions if configured incorrectly. If you do associate a route table, then ensure it has a default route to the Internet to avoid service disruptions.
 
-The Firewall Management NIC can be enabled during the firewall create process. For Standard and Premium firewall versions, the Firewall Management NIC must be enabled during the create process, but all Basic Firewall versions and all Secured Hub firewalls always have a Management NIC enabled. For a pre-existing firewall, you must stop the firewall and then restart it with the Firewall Management NIC enabled to support Forced tunneling and Packet capture (preview). Stopping/starting the firewall can be used to enable the Firewall Management NIC without the need to redeploy a new firewall. You should always start/stop the firewall during maintenance hours to avoid disruptions, including when attempting to enable the Firewall Management NIC. 
-
-Use the following steps:
+:::image type="content" source="media/management-nic/firewall-management-nic.png" alt-text="Screenshot showing the firewall management NIC dialog.":::
 
-1. Stop the existing firewall:
-   ```azurepowershell
-    $azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
-    $azfw.Deallocate()
-    Set-AzFirewall -AzureFirewall $azfw
-   ```
-1. Create a new subnet with AzureFirewallManagementSubnet and create a management Public IP address.
-   - Use the portal to create a virtual network subnet named **AzureFirewallManagementSubnet**.
-   - Create a separate public IP address for the new Management public IP address.
-1. Start the firewall with the Management IP address and subnet:
-   ```azurepowershell
-      $azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
-      $vnet = Get-AzVirtualNetwork -ResourceGroupName "RG Name" -Name "VNet Name"
-      $pip= Get-AzPublicIpAddress -ResourceGroupName "RG Name" -Name "azfwpublicip"
-      $mgmtPip2 = Get-AzPublicIpAddress -ResourceGroupName "RG Name" -Name "mgmtpip"
-      $azfw.Allocate($vnet, $pip, $mgmtPip2)
-      $azfw | Set-AzFirewall
-   ```
-   
+## Enabling the Management NIC on existing firewalls
 
-> [!NOTE]
-> If you remove all other IP address configurations on your firewall, the management IP address configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP address configuration can't be removed, but you can assign a different public IP address.
+For Standard and Premium firewall versions, the Firewall Management NIC must be manually enabled during the create process as shown above, but all Basic Firewall versions and all Secured Hub firewalls always have a Management NIC enabled. 
 
-## Convert a regular firewall to a forced tunnel mode firewall
+For a pre-existing firewall, you must stop the firewall and then restart it with the Firewall Management NIC enabled to support Forced tunneling and Packet capture (preview). Stopping/starting the firewall can be used to enable the Firewall Management NIC without the need to delete an existing firewall and redeploy a new one. You should always start/stop the firewall during maintenance hours to avoid disruptions, including when attempting to enable the Firewall Management NIC. 
 
-The following procedure shows you how to convert a regular firewall to a forced tunnel mode firewall with a Management subnet. This is done without deleting the original firewall. To avoid deleting it, you can use the following procedure to stop it, and then reallocate it with a Management IP address and subnet.
+Use the following steps:
 
-1. Create the new `AzureFirewallManagementSubnet` subnet
+1. Create the `AzureFirewallManagementSubnet` on the Azure portal and use the appropriate IP address range for the virtual network.
 
-   1. Use the Azure portal to create the new subnet.
    :::image type="content" source="media/management-nic/firewall-management-subnet.png" alt-text="Screenshot showing add a subnet.":::
-   1. Use the appropriate IP address range for the virtual network.
-1. Create the new management public IP address
-   1. Create it with the same properties as the existing firewall public IP address: SKU, Tier, and Location.
+1. Create the new management public IP address with the same properties as the existing firewall public IP address: SKU, Tier, and Location.
+
    :::image type="content" source="media/management-nic/firewall-management-ip.png" lightbox="media/management-nic/firewall-management-ip.png" alt-text="Screenshot showing the public IP address creation.":::
    
 1. Stop the firewall
 
    Use the information in [Azure Firewall FAQ](firewall-faq.yml#how-can-i-stop-and-start-azure-firewall) to stop the firewall:
-
+   
    ```azurepowershell
    $azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
    $azfw.Deallocate()
    Set-AzFirewall -AzureFirewall $azfw
    ```
    
+   
+1. Start the firewall with the management public IP address and subnet.
 
-1. Start the firewall with the management IP address and subnet
-
-   For example, start the firewall with one public IP address and a Management public IP address:
-
+   Start a firewall with one public IP address and a Management public IP address:
+   
    ```azurepowershell
    $azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
    $vnet = Get-AzVirtualNetwork -Name "VNet Name" -ResourceGroupName "RG Name" 
@@ -87,9 +62,9 @@ The following procedure shows you how to convert a regular firewall to a forced
    $azfw.Allocate($vnet, $pip, $mgmtPip)
    $azfw | Set-AzFirewall
    ```
-
-   Example to start a firewall with two public IP addresses and a Management public IP address:
-
+   
+   Start a firewall with two public IP addresses and a Management public IP address:
+   
    ```azurepowershell
    $azfw = Get-AzFirewall -Name "FW Name" -ResourceGroupName "RG Name"
    $vnet = Get-AzVirtualNetwork -Name "VNet Name" -ResourceGroupName "RG Name" 
@@ -103,8 +78,10 @@ The following procedure shows you how to convert a regular firewall to a forced
 Now when you view the firewall in the Azure portal, you see the assigned Management public IP address:
 
 :::image type="content" source="media/management-nic/firewall-with-management-ip.png" lightbox="media/management-nic/firewall-with-management-ip.png" alt-text="Screenshot showing the firewall with a management IP address.":::
-   
 
+
+> [!NOTE]
+> If you remove all other IP address configurations on your firewall, the management IP address configuration is removed as well, and the firewall is deallocated. The public IP address assigned to the management IP address configuration can't be removed, but you can assign a different public IP address.
 ## Related content
 
 - [Azure Firewall forced tunneling](forced-tunneling.md)
