Merge pull request #216669 from AbdullahBell/Firewall-Freshness

Azure Firewall: freshness | deploy-cli, sql-fqdn-filtering, create-ip-group, deploy-availability-zone-powershell

Author: Stacyrch140

articles/firewall/create-ip-group.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: how-to
-ms.date: 06/23/2020
+ms.date: 10/31/2022
 ms.author: victorh 
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
@@ -24,7 +24,7 @@ To create an IP Group by using the Azure portal:
 1. Select **Create**.
 1. Select your subscription.
 1. Select a resource group or create a new one.
-1. Enter a unique name for you IP Group, and then select a region.
+1. Enter a unique name for your IP Group, and then select a region.
 1. Select **Next: IP addresses**.
 1. Type an IP address, multiple IP addresses, or IP address ranges.
 
@@ -46,8 +46,8 @@ This example creates an IP Group with an address prefix and an IP address by usi
 ```azurepowershell
 $ipGroup = @{
     Name              = 'ipGroup'
-    ResourceGroupName = 'ipGroupRG'
-    Location          = 'West US'
+    ResourceGroupName = 'Test-FW-RG'
+    Location          = 'East US'
     IpAddress         = @('10.0.0.0/24', '192.168.1.10') 
 }
 
@@ -60,9 +60,9 @@ This example creates an IP Group with an address prefix and an IP address by usi
 
 ```azurecli-interactive
 az network ip-group create \
-    --name ipGroup \ 
-    --resource-group ipGroupRG \
-    --location westus \
+    --name ipGroup \
+    --resource-group Test-FW-RG \
+    --location eastus \
     --ip-addresses '10.0.0.0/24' '192.168.1.10'
 ```
 

articles/firewall/deploy-availability-zone-powershell.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: how-to
-ms.date: 11/19/2019
+ms.date: 10/31/2022
 ms.author: victorh 
 ms.custom: devx-track-azurepowershell
 ---
@@ -32,23 +32,24 @@ When the standard public IP address is created, no specific zone is specified. T
 It's important to know, because you can't have a firewall in zone 1 and an IP address in zone 2. But you can have a firewall in zone 1 and IP address in all zones, or a firewall and an IP address in the same single zone for proximity purposes.
 
 ```azurepowershell
-$rgName = "resourceGroupName"
+$rgName = "Test-FW-RG"
 
 $vnet = Get-AzVirtualNetwork `
-  -Name "vnet" `
+  -Name "Test-FW-VN" `
   -ResourceGroupName $rgName
 
 $pip1 = New-AzPublicIpAddress `
   -Name "AzFwPublicIp1" `
-  -ResourceGroupName "rg" `
+  -ResourceGroupName "Test-FW-RG" `
   -Sku "Standard" `
-  -Location "centralus" `
-  -AllocationMethod Static
+  -Location "eastus" `
+  -AllocationMethod Static `
+  -Zone 1,2,3
 
 New-AzFirewall `
   -Name "azFw" `
   -ResourceGroupName $rgName `
-  -Location centralus `
+  -Location "eastus" `
   -VirtualNetwork $vnet `
   -PublicIpAddress @($pip1) `
   -Zone 1,2,3

articles/firewall/deploy-cli.md

@@ -4,7 +4,7 @@ description: In this article, you learn how to deploy and configure Azure Firewa
 services: firewall
 author: vhorne
 ms.service: firewall
-ms.date: 08/29/2019
+ms.date: 10/31/2022
 ms.author: victorh
 ms.topic: how-to
 #Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
@@ -27,7 +27,7 @@ For this article, you create a simplified single VNet with three subnets for eas
 * **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
 * **Jump-SN** - The "jump" server is in this subnet. The jump server has a public IP address that you can connect to using Remote Desktop. From there, you can then connect to (using another Remote Desktop) the workload server.
 
-![Tutorial network infrastructure](media/tutorial-firewall-rules-portal/Tutorial_network.png)
+:::image type="content" source="media/tutorial-firewall-rules-portal/Tutorial_network.png" alt-text="Diagram of network infrastructure." lightbox="media/tutorial-firewall-rules-portal/Tutorial_network.png":::
 
 In this article, you learn how to:
 

articles/firewall/sql-fqdn-filtering.md

@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: how-to
-ms.date: 06/18/2020
+ms.date: 10/31/2022
 ms.author: victorh
 ---
 
@@ -25,40 +25,40 @@ If you use non-default ports for SQL IaaS traffic, you can configure those ports
 ## Configure using Azure CLI
 
 1. Deploy an [Azure Firewall using Azure CLI](deploy-cli.md).
-2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
+1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
 
    > [!NOTE]
    > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
 
-3. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:
+1. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:
 
    ```azurecli
     az extension add -n azure-firewall
     
     az network firewall application-rule create \ 
-    -g FWRG \
-    --f azfirewall \ 
-    --c sqlRuleCollection \
-    --priority 1000 \
-    --action Allow \
-    --name sqlRule \
-    --protocols mssql=1433 \
-    --source-addresses 10.0.0.0/24 \
-    --target-fqdns sql-serv1.database.windows.net
+        --resource-group Test-FW-RG \
+        --firewall-name Test-FW01 \ 
+        --collection-name sqlRuleCollection \
+        --priority 1000 \
+        --action Allow \
+        --name sqlRule \
+        --protocols mssql=1433 \
+        --source-addresses 10.0.0.0/24 \
+        --target-fqdns sql-serv1.database.windows.net
    ```
 
 ## Configure using Azure PowerShell
 
 1. Deploy an [Azure Firewall using Azure PowerShell](deploy-ps.md).
-2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
+1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).
 
    > [!NOTE]
    > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
 
-3. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:
+1. Create a new rule collection with an application rule using SQL FQDN to allow access to a SQL server:
 
    ```azurepowershell
-   $AzFw = Get-AzFirewall -Name "azfirewall" -ResourceGroupName "FWRG"
+   $AzFw = Get-AzFirewall -Name "Test-FW01" -ResourceGroupName "Test-FW-RG"
     
    $sqlRule = @{
       Name          = "sqlRule"
@@ -84,14 +84,15 @@ If you use non-default ports for SQL IaaS traffic, you can configure those ports
 
 ## Configure using the Azure portal
 1. Deploy an [Azure Firewall using Azure CLI](deploy-cli.md).
-2. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).  
+1. If you filter traffic to Azure SQL Database, Azure Synapse Analytics, or SQL Managed Instance, ensure the SQL connectivity mode is set to **Proxy**. To learn how to switch SQL connectivity mode, see [Azure SQL Connectivity Settings](/azure/azure-sql/database/connectivity-settings#change-the-connection-policy-via-the-azure-cli).  
 
    > [!NOTE]
    > SQL *proxy* mode can result in more latency compared to *redirect*. If you want to continue using redirect mode, which is the default for clients connecting within Azure, you can filter access using the SQL [service tag](service-tags.md) in firewall [network rules](tutorial-firewall-deploy-portal.md#configure-a-network-rule).
-3. Add the application rule with the appropriate protocol, port, and SQL FQDN and then select **Save**.
+
+1. Add the application rule with the appropriate protocol, port, and SQL FQDN and then select **Save**.
    ![application rule with SQL FQDN](media/sql-fqdn-filtering/application-rule-sql.png)
-4. Access SQL from a virtual machine in a VNet that filters the traffic through the firewall. 
-5. Validate that [Azure Firewall logs](./firewall-workbook.md) show the traffic is allowed.
+1. Access SQL from a virtual machine in a VNet that filters the traffic through the firewall. 
+1. Validate that [Azure Firewall logs](./firewall-workbook.md) show the traffic is allowed.
 
 ## Next steps