Merge pull request #110150 from vhorne/fw-ipg

itechedit · web-flow · commit 85d8a2d2e6b1 · 2020-04-06T08:16:45.000-07:00
IP group updates
diff --git a/articles/firewall/firewall-faq.md b/articles/firewall/firewall-faq.md
@@ -207,4 +207,8 @@ Set-AzFirewall -AzureFirewall $fw
 
 ## Why can a TCP ping and similar tools successfully connect to a target FQDN even when no rule on Azure Firewall allows that traffic?
 
-A TCP ping is not actually connecting  to the target FQDN. This happens because Azure Firewall's transparent proxy listens on port 80/443 for outbound traffic. The TCP ping establishes a connection with the firewall, which then drops the packet and logs the connection. This behavior doesn't have any security impact. However, to avoid confusion we're investigating potential changes to this behavior. 
+A TCP ping is not actually connecting  to the target FQDN. This happens because Azure Firewall's transparent proxy listens on port 80/443 for outbound traffic. The TCP ping establishes a connection with the firewall, which then drops the packet and logs the connection. This behavior doesn't have any security impact. However, to avoid confusion we're investigating potential changes to this behavior.
+
+## Are there limits for the number of IP addresses supported by IP Groups?
+
+Yes. For more information, see [Azure subscription and service limits, quotas, and constraints](../azure-resource-manager/management/azure-subscription-service-limits.md#azure-firewall-limits)
diff --git a/articles/firewall/ip-groups.md b/articles/firewall/ip-groups.md
@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: conceptual
-ms.date: 02/18/2020
+ms.date: 04/03/2020
 ms.author: victorh
 ---
 
@@ -49,7 +49,7 @@ You can see all the IP addresses in the IP Group and the rules or resources that
 
 1. To view or edit the IP addresses, select **IP Addresses** under **Settings** on the left pane.
 2. To add a single or multiple IP address(es), select **Add IP Addresses**. This opens the **Drag or Browse** page for an upload, or you can enter the address manually.
-3.	Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
+3.    Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
 4. Finally, can export the file in the CSV file format.
 
 > [!NOTE]
@@ -67,24 +67,47 @@ You can now select **IP Group** as a **Source type** or **Destination type** for
 
 ## Region availability
 
-IP Groups are currently available in the following regions:
-
-- West US
-- West US 2
-- East US
-- East US 2
-- Central US
-- North Central US
-- West Central US
-- South Central US
-- Canada Central
-- North Europe
-- West Europe
-- France Central
-- UK South
-- Australia East
-- Australia Central
-- Australia Southeast
+IP Groups are available in all public cloud regions.
+
+## IP address limits
+
+For 50 IP Groups or less, you can have a maximum of 5000 individual IP addresses each per firewall instance. For 51 to 100 IP Groups, you can have 500 individual IP address each per firewall instance.
+
+### Examples
+
+#### Example 1: supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |4096     |10.0.0.0/20  |Rule1|
+|IPGroup2     |3|196.0.0.0 - 196.0.0.2|Rule1|
+|IPGroup3     |1|1.2.3.4|Rule1|
+|     |**Total 8192**|         |         |
+|     |         |         |         |
+
+#### Example 2: supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |4096     |10.0.0.0/20  |Rule1|
+|IPGroup2     |4096|11.0.0.0/20|Rule1|
+|     |**Total 8192**|         |         |
+
+#### Example 3: not supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |8192     |10.0.0.0/20, 11.0.0.0/20  |Rule1|
+|     |**Total 8192**|||
+
+#### Example 4: supported
+
+|IP Groups  |# IP addresses  |Notation  |Rule  |
+|---------|---------|---------|---------|
+|IPGroup1 |4096     |10.0.0.0/20  |Rule1|
+|IPGroup2     |4096|11.0.0.0/20|Rule2|
+|     |**Total 8192**|         |         |
+
 
 ## Related Azure PowerShell cmdlets
 
diff --git a/includes/firewall-limits.md b/includes/firewall-limits.md
@@ -5,7 +5,7 @@
  author: vhorne
  ms.service: firewall
  ms.topic: include
- ms.date: 04/01/2020
+ ms.date: 04/03/2020
  ms.author: victorh
  ms.custom: include file
 ---
@@ -18,6 +18,7 @@
 |Minimum AzureFirewallSubnet size |/26|
 |Port range in network and application rules|0-64,000. Work is in progress to relax this limitation.|
 |Public IP addresses|100 maximum (Currently, SNAT ports are added only for the first five public IP addresses.)|
+|IP Groups IP addresses|50 IP Groups or less: maximum 5000 individual IP addresses each per firewall instance.<br>51 - 100 IP Groups: 500 individual IP address each per firewall instance.<br><br>For more information see [IP Groups (preview) in Azure Firewall](../articles/firewall/ip-groups.md#ip-address-limits)
 |Route table|By default, AzureFirewallSubnet has a 0.0.0.0/0 route with the NextHopType value set to **Internet**.<br><br>Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override that with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network.<br><br>However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.|
 
 <sup>1</sup>If you need to increase these limits, contact Azure Support.
