Commit 89b2437

Merge pull request #279802 from aimee-littleton/patch-212
Update deploy-multi-public-ip-powershell.md
2 parents 7552a3a + 096d909 commit 89b2437

1 file changed

+5
-2
lines changed

articles/firewall/deploy-multi-public-ip-powershell.md

Lines changed: 5 additions & 2 deletions
@@ -15,15 +15,18 @@ ms.custom: devx-track-azurepowershell
1515
This feature enables the following scenarios:
1616

1717
- **DNAT** - You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
18-
- **SNAT** - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a [public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md) to simplify this configuration.
18+
- **SNAT** - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall randomly selects the first source public IP address to use for a connection and selects another public IP after ports from the first IP have been exhausted. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a [public IP address prefix](../virtual-network/ip-services/public-ip-address-prefix.md) to simplify this configuration.
1919

2020
Azure Firewall with multiple public IP addresses is available via the Azure portal, Azure PowerShell, Azure CLI, REST, and templates.\
2121
You can deploy an Azure Firewall with up to 250 public IP addresses, however DNAT destination rules will also count toward the 250 maximum.
2222
Public IPs + DNAT destination rule = 250 max.
2323

24+
> [!NOTE]
25+
> In scenarios with high traffic volume and throughput, it is recommended to use a [NAT Gateway](/azure/nat-gateway/nat-overview) to provide outbound connectivity. SNAT ports are dynamically allocated across all public IPs associated with NAT Gateway. To learn more see [integrate NAT Gateway with Azure Firewall](/azure/firewall/integrate-with-nat-gateway).
26+
2427
The following Azure PowerShell examples show how you can configure, add, and remove public IP addresses for Azure Firewall.
2528

26-
> [!NOTE]
29+
> [!IMPORTANT]
2730
> You can't remove the first ipConfiguration from the Azure Firewall public IP address configuration page. If you want to modify the IP address, you can use Azure PowerShell.
2831
2932
## Create a firewall with two or more public IP addresses
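
Review bot: The new NOTE at lines 24-25 recommends NAT Gateway for outbound connectivity but does not say whether the allowlisting guidance in the SNAT bullet at line 18 ("you need to allow all public IP addresses associated with your firewall") still holds once NAT Gateway supplies the SNAT ports. Readers who maintain downstream filters need to know which set of public IPs to allow, so add a sentence that states it. Consider moving the note directly under the bullet list so it sits next to the SNAT text it qualifies, rather than after the 250-address limit. In the reworded bullet, "selects another public IP after ports from the first IP have been exhausted" leaves open whether the next address is also chosen randomly; say so explicitly. Minor: "To learn more see" needs a comma after "more", and the two new links use site-absolute paths (/azure/nat-gateway/nat-overview) while the existing link on line 18 uses a relative .md path, so pick one style for the file.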
