articles/firewall/firewall-faq.md (3 additions & 5 deletions)
@@ -5,7 +5,7 @@ services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: conceptual
8
-
ms.date: 08/29/2019
8
+
ms.date: 09/17/2019
9
9
ms.author: victorh
10
10
---
11
11
@@ -124,11 +124,9 @@ Azure Firewall doesn’t SNAT when the destination IP address is a private IP ra
124
124
125
125
## Is forced tunneling/chaining to a Network Virtual Appliance supported?
126
126
127
-
Forced tunneling isn't supported by default, but it can be enabled with help from Support.
127
+
Forced tunneling isn't currently supported. Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity.
128
128
129
-
Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network.
130
-
131
-
However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.
129
+
If your configuration requires forced tunneling to an on-premises network and you can determine the target IP prefixes for your Internet destinations, you can configure these ranges with the on-premises network as the next hop via a user defined route on the AzureFirewallSubnet. Or, you can use BGP to define these routes.
132
130
133
131
## Are there any firewall resource group restrictions?
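Review bot: The two added paragraphs in the forced-tunneling answer read as contradictory. The first says forced tunneling "isn't currently supported" and requires a 0.0.0.0/0 UDR with **NextHopType** set as **Internet**, and the second then tells readers whose "configuration requires forced tunneling" to route selected prefixes to the on-premises network. Suggest stating explicitly that this is a partial workaround: only the listed destination prefixes use the on-premises next hop, the 0.0.0.0/0 route to Internet stays in place, and traffic to any destination outside those prefixes still leaves directly to the Internet. The removed text offered enablement through Support on a case by case basis, and the new text does not say what applies to subscriptions that were already allowed that way, which deserves a sentence. Minor: "user defined route" should be hyphenated, and "Or, you can use BGP to define these routes" should say which prefixes are meant, since a BGP-learned default route is exactly what the first paragraph tells readers to override.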
articles/firewall/tutorial-hybrid-portal.md (5 additions & 4 deletions)
@@ -5,10 +5,11 @@ services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: tutorial
8
-
ms.date: 08/29/2019
8
+
ms.date: 09/17/2019
9
9
ms.author: victorh
10
10
customer intent: As an administrator, I want to control network access from an on-premises network to an Azure virtual network.
11
11
---
12
+
12
13
# Tutorial: Deploy and configure Azure Firewall in a hybrid network using the Azure portal
13
14
14
15
When you connect your on-premises network to an Azure virtual network to create a hybrid network, the ability to control access to your Azure network resources is an important part of an overall security plan.
@@ -52,9 +53,9 @@ There are three key requirements for this scenario to work correctly:
52
53
See the [Create Routes](#create-the-routes) section in this tutorial to see how these routes are created.
53
54
54
55
>[!NOTE]
55
-
>Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity. By default, Azure Firewall doesn't support forced tunneling to an on-premises network.
56
+
>Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the **NextHopType** value set as **Internet** to maintain direct Internet connectivity.
56
57
>
57
-
>However, if your configuration requires forced tunneling to an on-premises network, Microsoft will support it on a case by case basis. Contact Support so that we can review your case. If accepted, we'll allow your subscription and ensure the required firewall Internet connectivity is maintained.
58
+
>Azure Firewall doesn't currently support forced tunneling. If your configuration requires forced tunneling to an on-premises network and you can determine the target IP prefixes for your Internet destinations, you can configure these ranges with the on-premises network as the next hop via a user defined route on the AzureFirewallSubnet. Or, you can use BGP to define these routes.
58
59
59
60
>[!NOTE]
60
61
>Traffic between directly peered VNets is routed directly even if a UDR points to Azure Firewall as the default gateway. To send subnet to subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.
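Review bot: The rewritten second paragraph of this NOTE repeats the new forced-tunneling wording from firewall-faq.md almost verbatim, with only the opening sentence reordered ("Azure Firewall doesn't currently support forced tunneling" here), so the two files will drift the next time the support statement changes. Suggest keeping the statement in one place and linking to it from the other, or at least making the wording identical. For the tutorial specifically, it would help to say how routes with the on-premises network as the next hop relate to the routes built in the Create Routes section referenced just above this note, because a reader following the steps is given no instruction for adding them.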
@@ -367,7 +368,7 @@ Create a virtual machine in the spoke virtual network, running IIS, with no publ
367
368
-**User name**: *azureuser*.
368
369
-**Password**: *Azure123456!*
369
370
4. Select **Next:Disks**.
370
-
5. Accept the defaults and select **Next:Networking**.
371
+
5. Accept the defaults and select **Next:Networking**.
371
372
6. Select **VNet-Spoke** for the virtual network and the subnet is **SN-Workload**.
372
373
7. For **Public IP**, select **None**.
373
374
8. For **Public inbound ports**, select **Allow selected ports**, and then select **HTTP (80)**, and **RDP (3389)**
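Review bot: The step 5 change replaces "5. Accept the defaults and select **Next:Networking**." with a line that is textually identical as shown, so it looks like a whitespace-only edit unrelated to the forced-tunneling update. Suggest dropping it from this commit, or noting it in the commit description, so the diff stays focused on the support statement.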