Merge pull request #215007 from halkazwini/firewall

PMEds28 · web-flow · commit c142947286dc · 2022-10-19T08:14:21.000+01:00
Azure Firewall: Freshness: Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal
diff --git a/articles/firewall/tutorial-firewall-deploy-portal-policy.md b/articles/firewall/tutorial-firewall-deploy-portal-policy.md
@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: tutorial
-ms.date: 08/26/2021
+ms.date: 10/18/2022
 ms.author: victorh
 ms.custom: mvc
 #Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
@@ -24,13 +24,13 @@ Network traffic is subjected to the configured firewall rules when you route you
 
 For this tutorial, you create a simplified single VNet with two subnets for easy deployment.
 
-For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
-
 * **AzureFirewallSubnet** - the firewall is in this subnet.
 * **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
 
 ![Tutorial network infrastructure](media/tutorial-firewall-deploy-portal/tutorial-network.png)
 
+For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
+
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
@@ -57,10 +57,14 @@ First, create a resource group to contain the resources needed to deploy the fir
 The resource group contains all the resources for the tutorial.
 
 1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
-2. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Then select **Add**.
-4. For **Subscription**, select your subscription.
-1. For **Resource group name**, enter *Test-FW-RG*.
-1. For **Region**, select a region. All other resources that you create must be in the same region.
+1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page, then select **Add**. Enter or select the following values:
+
+    | Setting  | Value  |
+    | -------- | ------ |
+    | Subscription  | Select your Azure subscription. |
+    | Resource group | Enter *Test-FW-RG*. |
+    | Region | Select a region. All other resources that you create must be in the same region. |
+ 
 1. Select **Review + create**.
 1. Select **Create**.
 
@@ -74,11 +78,15 @@ This VNet will have two subnets.
 1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
 1. Select **Networking**.
 1. Search for **Virtual network** and select it.
-1. Select **Create**.
-1. For **Subscription**, select your subscription.
-1. For **Resource group**, select **Test-FW-RG**.
-1. For **Name**, type **Test-FW-VN**.
-1. For **Region**, select the same location that you used previously.
+1. Select **Create**, then enter or select the following values:
+
+    | Setting  | Value  |
+    | -------- | ------ |
+    | Subscription  | Select your Azure subscription. |
+    | Resource group | Select **Test-FW-RG**. |
+    | Name | Enter *Test-FW-VN*. |
+    | Region | Select the same location that you used previously. |
+
 1. Select **Next: IP addresses**.
 1. For **IPv4 Address space**, accept the default **10.0.0.0/16**.
 1. Under **Subnet**, select **default**.
@@ -89,37 +97,37 @@ This VNet will have two subnets.
    Next, create a subnet for the workload server.
 
 1. Select **Add subnet**.
-4. For **Subnet name**, type **Workload-SN**.
-5. For **Subnet address range**, type **10.0.2.0/24**.
-6. Select **Add**.
-7. Select **Review + create**.
-8. Select **Create**.
+1. For **Subnet name**, type **Workload-SN**.
+1. For **Subnet address range**, type **10.0.2.0/24**.
+1. Select **Add**.
+1. Select **Review + create**.
+1. Select **Create**.
 
 ### Create a virtual machine
 
 Now create the workload virtual machine, and place it in the **Workload-SN** subnet.
 
 1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
-2. Select **Windows Server 2016 Datacenter**.
-4. Enter these values for the virtual machine:
-
-   |Setting  |Value  |
-   |---------|---------|
-   |Resource group     |**Test-FW-RG**|
-   |Virtual machine name     |**Srv-Work**|
-   |Region     |Same as previous|
-   |Image|Windows Server 2016 Datacenter|
-   |Administrator user name     |Type a user name|
-   |Password     |Type a password|
-
-4. Under **Inbound port rules**, **Public inbound ports**, select **None**.
-6. Accept the other defaults and select **Next: Disks**.
-7. Accept the disk defaults and select **Next: Networking**.
-8. Make sure that **Test-FW-VN** is selected for the virtual network and the subnet is **Workload-SN**.
-9. For **Public IP**, select **None**.
-11. Accept the other defaults and select **Next: Management**.
-12. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.
-13. Review the settings on the summary page, and then select **Create**.
+1. Select **Windows Server 2019 Datacenter**.
+1. Enter or select these values for the virtual machine:
+
+   | Setting | Value |
+   | ------- | ----- |
+   | Subscription  | Select your Azure subscription. |
+   | Resource group     | Select **Test-FW-RG**. |
+   | Virtual machine name     | Enter *Srv-Work*.|
+   | Region     | Select the same location that you used previously. |
+   | Username     | Enter a username. |
+   | Password     | Enter a password. |
+
+1. Under **Inbound port rules**, **Public inbound ports**, select **None**.
+1. Accept the other defaults and select **Next: Disks**.
+1. Accept the disk defaults and select **Next: Networking**.
+1. Make sure that **Test-FW-VN** is selected for the virtual network and the subnet is **Workload-SN**.
+1. For **Public IP**, select **None**.
+1. Accept the other defaults and select **Next: Management**.
+1. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.
+1. Review the settings on the summary page, and then select **Create**.
 1. After the deployment completes, select the **Srv-Work** resource and note the private IP address for later use.
 
 ## Deploy the firewall and policy
@@ -131,16 +139,16 @@ Deploy the firewall into the VNet.
 3. Select **Firewall** and then select **Create**.
 4. On the **Create a Firewall** page, use the following table to configure the firewall:
 
-   |Setting  |Value  |
-   |---------|---------|
-   |Subscription     |\<your subscription\>|
-   |Resource group     |**Test-FW-RG** |
-   |Name     |**Test-FW01**|
-   |Region     |Select the same location that you used previously|
-   |Firewall management|**Use a Firewall Policy to manage this firewall**|
-   |Firewall policy|**Add new**:<br>**fw-test-pol**<br>your selected region 
-   |Choose a virtual network     |**Use existing**: **Test-FW-VN**|
-   |Public IP address     |**Add new**:<br>**Name**:  **fw-pip**|
+   | Setting | Value |
+   | ------- | ----- |
+   | Subscription  | Select your Azure subscription. |
+   | Resource group     | Select **Test-FW-RG**. |
+   | Name     | Enter *Test-FW01*. |
+   | Region     | Select the same location that you used previously. |
+   | Firewall management | Select **Use a Firewall Policy to manage this firewall**. |
+   | Firewall policy | Select **Add new**, and enter *fw-test-pol*. <br> Select the same region that you used previously. 
+   | Choose a virtual network | Select **Use existing**, and then select **Test-FW-VN**. |
+   | Public IP address     | Select **Add new**, and enter *fw-pip* for the **Name**. |
 
 5. Accept the other default values, then select **Review + create**.
 6. Review the summary, and then select **Create** to create the firewall.
@@ -154,47 +162,49 @@ Deploy the firewall into the VNet.
 For the **Workload-SN** subnet, configure the outbound default route to go through the firewall.
 
 1. On the Azure portal menu, select **All services** or search for and select *All services* from any page.
-2. Under **Networking**, select **Route tables**.
-3. Select **Add**.
-5. For **Subscription**, select your subscription.
-6. For **Resource group**, select **Test-FW-RG**.
-7. For **Region**, select the same location that you used previously.
-4. For **Name**, type **Firewall-route**.
+1. Under **Networking**, select **Route tables**.
+1. Select **Create**, then enter or select the following values:
+
+   | Setting | Value |
+   | ------- | ----- |
+   | Subscription | Select your Azure subscription. |
+   | Resource group | Select **Test-FW-RG**. |
+   | Region  | Select the same location that you used previously. |
+   | Name  | Enter *Firewall-route*. |
+
 1. Select **Review + create**.
 1. Select **Create**.
 
 After deployment completes, select **Go to resource**.
 
-1. On the Firewall-route page, select **Subnets** and then select **Associate**.
+1. On the **Firewall-route** page, select **Subnets** and then select **Associate**.
 1. Select **Virtual network** > **Test-FW-VN**.
 1. For **Subnet**, select **Workload-SN**. Make sure that you select only the **Workload-SN** subnet for this route, otherwise your firewall won't work correctly.
-
-13. Select **OK**.
-14. Select **Routes** and then select **Add**.
-15. For **Route name**, type **fw-dg**.
-16. For **Address prefix**, type **0.0.0.0/0**.
-17. For **Next hop type**, select **Virtual appliance**.
-
+1. Select **OK**.
+1. Select **Routes** and then select **Add**.
+1. For **Route name**, enter *fw-dg*.
+1. For **Address prefix**, enter *0.0.0.0/0*.
+1. For **Next hop type**, select **Virtual appliance**.
     Azure Firewall is actually a managed service, but virtual appliance works in this situation.
-18. For **Next hop address**, type the private IP address for the firewall that you noted previously.
-19. Select **OK**.
+1. For **Next hop address**, enter the private IP address for the firewall that you noted previously.
+1. Select **OK**.
 
 ## Configure an application rule
 
 This is the application rule that allows outbound access to `www.google.com`.
 
-1. Open the **Test-FW-RG**, and select the **fw-test-pol** firewall policy.
+1. Open the **Test-FW-RG** resource group, and select the **fw-test-pol** firewall policy.
 1. Select **Application rules**.
 1. Select **Add a rule collection**.
-1. For **Name**, type **App-Coll01**.
-1. For **Priority**, type **200**.
+1. For **Name**, enter *App-Coll01*.
+1. For **Priority**, enter *200*.
 1. For **Rule collection action**, select **Allow**.
-1. Under **Rules**, for **Name**, type **Allow-Google**.
+1. Under **Rules**, for **Name**, enter *Allow-Google*.
 1. For **Source type**, select **IP address**.
-1. For **Source**, type **10.0.2.0/24**.
-1. For **Protocol:port**, type **http, https**.
+1. For **Source**, enter *10.0.2.0/24*.
+1. For **Protocol:port**, enter *http, https*.
 1. For **Destination Type**, select **FQDN**.
-1. For **Destination**, type **`www.google.com`**
+1. For **Destination**, enter *`www.google.com`*
 1. Select **Add**.
 
 Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see [Infrastructure FQDNs](infrastructure-fqdns.md).
@@ -205,37 +215,37 @@ This is the network rule that allows outbound access to two IP addresses at port
 
 1. Select **Network rules**.
 2. Select **Add a rule collection**.
-3. For **Name**, type **Net-Coll01**.
-4. For **Priority**, type **200**.
+3. For **Name**, enter *Net-Coll01*.
+4. For **Priority**, enter *200*.
 5. For **Rule collection action**, select **Allow**.
 1. For **Rule collection group**, select **DefaultNetworkRuleCollectionGroup**.
-1. Under **Rules**, for **Name**, type **Allow-DNS**.
+1. Under **Rules**, for **Name**, enter *Allow-DNS*.
 1. For **Source type**, select **IP Address**.
-1. For **Source**, type **10.0.2.0/24**.
+1. For **Source**, enter *10.0.2.0/24*.
 1. For **Protocol**, select **UDP**.
-1. For **Destination Ports**, type **53**.
+1. For **Destination Ports**, enter *53*.
 1. For **Destination type** select **IP address**.
-1. For **Destination**, type **209.244.0.3,209.244.0.4**.<br>These are public DNS servers operated by CenturyLink.
+1. For **Destination**, enter *209.244.0.3,209.244.0.4*.<br>These are public DNS servers operated by CenturyLink.
 2. Select **Add**.
 
 ## Configure a DNAT rule
 
-This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.
+This rule allows you to connect a remote desktop to the **Srv-Work** virtual machine through the firewall.
 
 1. Select the **DNAT rules**.
 2. Select **Add a rule collection**.
-3. For **Name**, type **rdp**.
-1. For **Priority**, type **200**.
+3. For **Name**, enter *rdp*.
+1. For **Priority**, enter *200*.
 1. For **Rule collection group**, select **DefaultDnatRuleCollectionGroup**.
-1. Under **Rules**, for **Name**, type **rdp-nat**.
+1. Under **Rules**, for **Name**, enter *rdp-nat*.
 1. For **Source type**, select **IP address**.
-1. For **Source**, type **\***.
+1. For **Source**, enter *\**.
 1. For **Protocol**, select **TCP**.
-1. For **Destination Ports**, type **3389**.
+1. For **Destination Ports**, enter *3389*.
 1. For **Destination Type**, select **IP Address**.
-1. For **Destination**, type the firewall public IP address.
-1. For **Translated address**, type the **Srv-work** private IP address.
-1. For **Translated port**, type **3389**.
+1. For **Destination**, enter the firewall public IP address.
+1. For **Translated address**, enter the **Srv-work** private IP address.
+1. For **Translated port**, enter *3389*.
 1. Select **Add**.
 
 
@@ -247,7 +257,7 @@ For testing purposes in this tutorial, configure the server's primary and second
 2. Select the network interface for the **Srv-Work** virtual machine.
 3. Under **Settings**, select **DNS servers**.
 4. Under **DNS servers**, select **Custom**.
-5. Type **209.244.0.3** in the **Add DNS server** text box, and **209.244.0.4** in the next text box.
+5. Enter *209.244.0.3* in the **Add DNS server** text box, and *209.244.0.4* in the next text box.
 6. Select **Save**.
 7. Restart the **Srv-Work** virtual machine.
 
