MicrosoftDocs
diff --git a/‎articles/firewall/create-ip-group.md
Lines changed: 45 additions & 0 deletions b/‎articles/firewall/create-ip-group.md
Lines changed: 45 additions & 0 deletions
diff --git a/‎articles/firewall/ip-groups.md
Lines changed: 103 additions & 0 deletions b/‎articles/firewall/ip-groups.md
Lines changed: 103 additions & 0 deletions
diff --git a/‎articles/firewall/media/ip-groups/fw-ipgroup.png
85.1 KB b/‎articles/firewall/media/ip-groups/fw-ipgroup.png
85.1 KB
diff --git a/‎articles/firewall/media/ip-groups/overview.png
75.5 KB b/‎articles/firewall/media/ip-groups/overview.png
75.5 KB
diff --git a/‎articles/firewall/toc.yml
Lines changed: 4 additions & 0 deletions b/‎articles/firewall/toc.yml
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,45 @@
+---
+title: Create IP Groups in Azure Firewall 
+description: IP Groups allow you to group and manage IP addresses for Azure Firewall rules.
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: conceptual
+ms.date: 02/18/2020
+ms.author: victorh
+---
+
+# Create IP Groups (preview)
+
+> [!IMPORTANT]
+> This public preview is provided without a service level agreement and should not be used for production workloads. Certain features may not be supported, may have constrained capabilities, or may not be available in all Azure locations. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.
+
+IP Groups allow you to group and manage IP addresses for Azure Firewall rules. They can have a single IP address, multiple IP addresses, or one or more IP address ranges.
+
+## Create an IP Group
+
+1. From the Azure portal home page, select **Create a resource**.
+2. Type **IP Groups** in the search text box, then select **IP Groups**.
+3. Select **Create**.
+4. Select your subscription.
+5. Select a resource group or create a new one.
+6. Type a unique name for you IP Group, and then select a region.
+
+6. Select **Next: IP addresses**.
+7. Type an IP address, multiple IP addresses, or IP address ranges.
+
+   There are two ways to enter IP addresses:
+   - You can manually enter them
+   - You can import them from a file
+
+   To import from a file, select **Import from a file**. You may either drag your file to the box or select **Browse for files**. If necessary, you can review and edit your uploaded IP addresses.
+
+   When you type an IP address, the portal validates it to check for overlapping, duplicates, and formatting issues.
+
+5. When finished, select **Review + Create**.
+6. Select **Create**.
+
+
+## Next steps
+
+- [Learn more about IP Groups](ip-groups.md)
@@ -0,0 +1,103 @@
+---
+title: IP Groups in Azure Firewall 
+description: IP groups allow you to group and manage IP addresses for Azure Firewall rules.
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.topic: conceptual
+ms.date: 02/18/2020
+ms.author: victorh
+---
+
+# IP Groups (preview) in Azure Firewall
+
+> [!IMPORTANT]
+> This public preview is provided without a service level agreement and should not be used for production workloads. Certain features may not be supported, may have constrained capabilities, or may not be available in all Azure locations. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for details.
+
+IP Groups allow you to group and manage IP addresses for Azure Firewall rules in the following ways:
+
+- As a source address in DNAT rules
+- As a source or destination address in network rules
+- As a source address in application rules
+
+
+An IP Group can have a single IP address, multiple IP addresses, or one or more IP address ranges.
+
+IP Groups can be reused in Azure Firewall DNAT, network, and application rules for multiple firewalls across regions and subscriptions in Azure. Group names must be unique. You can configure an IP Group in the Azure portal, Azure CLI, or REST API. A sample template is provided to help you get started.
+
+## Sample format
+
+The following IPv4 address format examples are valid to use in IP Groups:
+
+- Single address: 10.0.0.0
+- CIDR notation: 10.1.0.0/32
+- Address range: 10.2.0.0-10.2.0.31
+
+## Create an IP Group
+
+An IP Group can be created using the Azure portal, Azure CLI, or REST API. For more information, see [Create an IP Group (preview)](create-ip-group.md).
+
+## Browse IP Groups
+1. In the Azure portal search bar, type **IP Groups** and select it. You can see the list of the IP Groups, or you can select **Add** to create a new IP Group.
+2. Select an IP Group to open the overview page. You can edit, add, or delete IP addresses or IP Groups.
+
+   ![IP Groups overview](media/ip-groups/overview.png)
+
+## Manage an IP Group
+
+You can see all the IP addresses in the IP Group and the rules or resources that are associated with it. To delete an IP Group, you must first dissociate the IP Group from the resource that is using it.
+
+1. To view or edit the IP addresses, select **IP Addresses** under **Settings** on the left pane.
+2. To add a single or multiple IP address(es), select **Add IP Addresses**. This opens the **Drag or Browse** page for an upload, or you can enter the address manually.
+3.	Selecting the ellipses (**…**) to the right to edit or delete IP addresses. To edit or delete multiple IP addresses, select the boxes and select **Edit** or **Delete** at the top.
+4. Finally, can export the file in the CSV file format.
+
+> [!NOTE]
+> If you delete all the IP addresses in an IP Group while it is still in use in a rule, that rule is skipped.
+
+
+## Use an IP Group
+
+You can now select **IP Group** as a **Source type** or **Destination type** for the IP address(es) when you create Azure Firewall DNAT, application, or network rules.
+
+> [!NOTE]
+> IP Groups are not supported in Firewall Policy. It is currently only supported with traditional firewall rules.
+
+![IP Groups in Firewall](media/ip-groups/fw-ipgroup.png)
+
+## Region availability
+
+IP Groups are currently available in the following regions:
+
+- West US
+- West US 2
+- East US
+- East US 2
+- Central US
+- North Central US
+- West Central US
+- South Central US
+- Canada Central
+- North Europe
+- West Europe
+- France Central
+- UK South
+- Australia East
+- Australia Central
+- Australia Southeast
+
+## Related Azure PowerShell cmdlets
+
+The following Azure PowerShell cmdlets can be used to create and manage IP Groups:
+
+- [New-AzIpGroup](https://docs.microsoft.com/powershell/module/az.network/new-azipgroup?view=azps-3.4.0)
+- [Remove-AzIPGroup](https://docs.microsoft.com/powershell/module/az.network/remove-azipgroup?view=azps-3.4.0)
+- [Get-AzIpGroup](https://docs.microsoft.com/powershell/module/az.network/get-azipgroup?view=azps-3.4.0)
+- [Set-AzIpGroup](https://docs.microsoft.com/powershell/module/az.network/set-azipgroup?view=azps-3.4.0)
+- [New-AzFirewallNetworkRule](https://docs.microsoft.com/powershell/module/az.network/new-azfirewallnetworkrule?view=azps-3.4.0)
+- [New-AzFirewallApplicationRule](https://docs.microsoft.com/powershell/module/az.network/new-azfirewallapplicationrule?view=azps-3.4.0)
+- [New-AzFirewallNatRule](https://docs.microsoft.com/powershell/module/az.network/new-azfirewallnatrule?view=azps-3.4.0)
+
+## Next steps
+
+- Learn how to [deploy and configure an Azure Firewall](tutorial-firewall-deploy-portal.md).
@@ -35,6 +35,8 @@
       href: rule-processing.md
     - name: Service tags
       href: service-tags.md
+    - name: IP Groups
+      href: ip-groups.md
     - name: Forced tunneling
       href: forced-tunneling.md
     - name: Compliance certifications
@@ -57,6 +59,8 @@
       href: integrate-lb.md
     - name: Application rules with SQL FQDNs
       href: sql-fqdn-filtering.md
+    - name: Create IP Groups
+      href: create-ip-group.md
 - name: Reference
   items:
   - name: Azure CLI