MicrosoftDocs
diff --git a/‎articles/container-instances/container-instances-egress-ip-address.md
Lines changed: 46 additions & 145 deletions b/‎articles/container-instances/container-instances-egress-ip-address.md
Lines changed: 46 additions & 145 deletions
@@ -2,7 +2,7 @@
 title: Configure static outbound IP
 description: Configure Azure firewall and user-defined routes for Azure Container Instances workloads that use the firewall's public IP address for ingress and egress
 ms.topic: article
-ms.date: 07/16/2020
+ms.date: 05/03/2022
 ---
 
 # Configure a single public IP address for outbound and inbound traffic to a container group
@@ -11,127 +11,80 @@ Setting up a [container group](container-instances-container-groups.md) with an
 
 This article provides steps to configure a container group in a [virtual network](container-instances-virtual-network-concepts.md) integrated with [Azure Firewall](../firewall/overview.md). By setting up a user-defined route to the container group and firewall rules, you can route and identify traffic to and from the container group. Container group ingress and egress use the public IP address of the firewall. A single egress IP address can be used by multiple container groups deployed in the virtual network's subnet delegated to Azure Container Instances.
 
-In this article you use the Azure CLI to create the resources for this scenario:
+In this article, you use the Azure CLI to create the resources for this scenario:
 
-* Container groups deployed on a delegated subnet [in the virtual network](container-instances-vnet.md) 
+* Container groups deployed on a delegated subnet [in the virtual network](container-instances-vnet.md)
 * An Azure firewall deployed in the network with a static public IP address
 * A user-defined route on the container groups' subnet
 * A NAT rule for firewall ingress and an application rule for egress
 
 You then validate ingress and egress from example container groups through the firewall.
 
-## Deploy ACI in a virtual network
+[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
 
-In a typical case, you might already have an Azure virtual network in which to deploy a container group. For demonstration purposes, the following commands create a virtual network and subnet when the container group is created. The subnet is delegated to Azure Container Instances. 
+[!INCLUDE [azure-cli-prepare-your-environment.md](../../includes/azure-cli-prepare-your-environment.md)]
 
-The container group runs a small web app from the `aci-helloworld` image. As shown in other articles in the documentation, this image packages a small web app written in Node.js that serves a static HTML page.
+[!INCLUDE [cli-launch-cloud-shell-sign-in.md](../../includes/cli-launch-cloud-shell-sign-in.md)]
 
-If you need one, first create an Azure resource group with the [az group create][az-group-create] command. For example:
+> [!NOTE]
+> To download the complete script, go to [full script](https://github.com/Azure-Samples/azure-cli-samples/blob/master/container-instances/egress-ip-address.sh).
 
-```azurecli
-az group create --name myResourceGroup --location eastus
-```
+## Get started
 
-To simplify the following command examples, use an environment variable for the resource group's name:
+This tutorial makes use of a randomized variable. If you are using an existing resource group, modify the value of this variable appropriately.
 
-```console
-export RESOURCE_GROUP_NAME=myResourceGroup
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="variable":::
+
+**Azure resource group**: If you don't have an Azure resource group already, create a resource group with the [az group create][az-group-create] command. Modify the location value as appropriate.
+
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="creategroup":::
+
+## Deploy ACI in a virtual network
+
+In a typical case, you might already have an Azure virtual network in which to deploy a container group. For demonstration purposes, the following commands create a virtual network and subnet when the container group is created. The subnet is delegated to Azure Container Instances.
+
+The container group runs a small web app from the `aci-helloworld` image. As shown in other articles in the documentation, this image packages a small web app written in Node.js that serves a static HTML page.
 
 Create the container group with the [az container create][az-container-create] command:
 
-```azurecli
-az container create \
-  --name appcontainer \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --image mcr.microsoft.com/azuredocs/aci-helloworld \
-  --vnet aci-vnet \
-  --vnet-address-prefix 10.0.0.0/16 \
-  --subnet aci-subnet \
-  --subnet-address-prefix 10.0.0.0/24
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="container":::
 
 > [!TIP]
 > Adjust the value of `--subnet address-prefix` for the IP address space you need in your subnet. The smallest supported subnet is /29, which provides eight IP addresses. Some IP addresses are reserved for use by Azure.
 
 For use in a later step, get the private IP address of the container group by running the [az container show][az-container-show] command:
 
-```azurecli
-ACI_PRIVATE_IP="$(az container show --name appcontainer \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --query ipAddress.ip --output tsv)"
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="privateip":::
 
 ## Deploy Azure Firewall in network
 
 In the following sections, use the Azure CLI to deploy an Azure firewall in the virtual network. For background, see [Tutorial: Deploy and configure Azure Firewall using the Azure portal](../firewall/deploy-cli.md).
 
 First, use the [az network vnet subnet create][az-network-vnet-subnet-create] to add a subnet named AzureFirewallSubnet for the firewall. AzureFirewallSubnet is the *required* name of this subnet.
 
-```azurecli
-az network vnet subnet create \
-  --name AzureFirewallSubnet \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --vnet-name aci-vnet   \
-  --address-prefix 10.0.1.0/26
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="subnet":::
 
 Use the following [Azure CLI commands](../firewall/deploy-cli.md) to create a firewall in the subnet.
 
 If not already installed, add the firewall extension to the Azure CLI using the [az extension add][az-extension-add] command:
 
-```azurecli
-az extension add --name azure-firewall
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="firewallext":::
 
 Create the firewall resources:
 
-```azurecli
-az network firewall create \
-  --name myFirewall \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --location eastus
-
-az network public-ip create \
-  --name fw-pip \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --location eastus \
-  --allocation-method static \
-  --sku standard
-    
-az network firewall ip-config create \
-  --firewall-name myFirewall \
-  --name FW-config \
-  --public-ip-address fw-pip \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --vnet-name aci-vnet
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="firewallext":::
 
 Update the firewall configuration using the [az network firewall update][az-network-firewall-update] command:
 
-```azurecli
-az network firewall update \
-  --name myFirewall \
-  --resource-group $RESOURCE_GROUP_NAME
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="firewallupdate":::
 
 Get the firewall's private IP address using the [az network firewall ip-config list][az-network-firewall-ip-config-list] command. This private IP address is used in a later command.
 
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="storeprivateip":::
 
-```azurecli
-FW_PRIVATE_IP="$(az network firewall ip-config list \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --firewall-name myFirewall \
-  --query "[].privateIpAddress" --output tsv)"
-```
 Get the firewall's public IP address using the [az network public-ip show][az-network-public-ip-show] command. This public IP address is used in a later command.
 
-```azurecli
-FW_PUBLIC_IP="$(az network public-ip show \
-  --name fw-pip \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --query ipAddress --output tsv)"
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="storepublicip":::
 
 ## Define user-defined route on ACI subnet
 
@@ -141,97 +94,49 @@ Define a use-defined route on the ACI subnet, to divert traffic to the Azure fir
 
 First, run the following [az network route-table create][az-network-route-table-create] command to create the route table. Create the route table in the same region as the virtual network.
 
-```azurecli
-az network route-table create \
-  --name Firewall-rt-table \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --location eastus \
-  --disable-bgp-route-propagation true
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="routetable":::
 
 ### Create route
 
 Run [az network-route-table route create][az-network-route-table-route-create] to create a route in the route table. To route traffic to the firewall, set the next hop type to `VirtualAppliance`, and pass the firewall's private IP address as the next hop address.
 
-```azurecli
-az network route-table route create \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --name DG-Route \
-  --route-table-name Firewall-rt-table \
-  --address-prefix 0.0.0.0/0 \
-  --next-hop-type VirtualAppliance \
-  --next-hop-ip-address $FW_PRIVATE_IP
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="createroute":::
 
 ### Associate route table to ACI subnet
 
 Run the [az network vnet subnet update][az-network-vnet-subnet-update] command to associate the route table with the subnet delegated to Azure Container Instances.
 
-```azurecli
-az network vnet subnet update \
-  --name aci-subnet \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --vnet-name aci-vnet \
-  --address-prefixes 10.0.0.0/24 \
-  --route-table Firewall-rt-table
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="associateroute":::
 
 ## Configure rules on firewall
 
-By default, Azure Firewall denies (blocks) inbound and outbound traffic. 
+By default, Azure Firewall denies (blocks) inbound and outbound traffic.
 
 ### Configure NAT rule on firewall to ACI subnet
 
 Create a [NAT rule](../firewall/rule-processing.md) on the firewall to translate and filter inbound internet traffic to the application container you started previously in the network. For details, see [Filter inbound Internet traffic with Azure Firewall DNAT](../firewall/tutorial-firewall-dnat.md)
 
 Create a NAT rule and collection by using the [az network firewall nat-rule create][az-network-firewall-nat-rule-create] command:
 
-```azurecli
-az network firewall nat-rule create \
-  --firewall-name myFirewall \
-  --collection-name myNATCollection \
-  --action dnat \
-  --name myRule \
-  --protocols TCP \
-  --source-addresses '*' \
-  --destination-addresses $FW_PUBLIC_IP \
-  --destination-ports 80 \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --translated-address $ACI_PRIVATE_IP \
-  --translated-port 80 \
-  --priority 200
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="natrule":::
 
 Add NAT rules as needed to filter traffic to other IP addresses in the subnet. For example, other container groups in the subnet could expose IP addresses for inbound traffic, or other internal IP addresses could be assigned to the container group after a restart.
 
 ### Create outbound application rule on the firewall
 
 Run the following [az network firewall application-rule create][az-network-firewall-application-rule-create] command to create an outbound rule on the firewall. This sample rule allows access from the subnet delegated to Azure Container Instances to the FQDN `checkip.dyndns.org`. HTTP access to the site is used in a later step to confirm the egress IP address from Azure Container Instances.
 
-```azurecli
-az network firewall application-rule create \
-  --collection-name myAppCollection \
-  --firewall-name myFirewall \
-  --name Allow-CheckIP \
-  --protocols Http=80 Https=443 \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --target-fqdns checkip.dyndns.org \
-  --source-addresses 10.0.0.0/24 \
-  --priority 200 \
-  --action Allow
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="outboundrule":::
 
 ## Test container group access through the firewall
 
 The following sections verify that the subnet delegated to Azure Container Instances is properly configured behind the Azure firewall. The previous steps routed both incoming traffic to the subnet and outgoing traffic from the subnet through the firewall.
 
 ### Test ingress to a container group
 
-Test inbound access to the *appcontainer* running in the virtual network by browsing to the firewall's public IP address. Previously, you stored the public IP address in variable $FW_PUBLIC_IP:
+Test inbound access to the `appcontainer` running in the virtual network by browsing to the firewall's public IP address. Previously, you stored the public IP address in variable $FW_PUBLIC_IP:
 
-```bash
-echo $FW_PUBLIC_IP
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="echo":::
 
 Output is similar to:
 
@@ -245,19 +150,9 @@ If the NAT rule on the firewall is configured properly, you see the following wh
 
 ### Test egress from a container group
 
-
 Deploy the following sample container into the virtual network. When it runs, it sends a single HTTP request to `http://checkip.dyndns.org`, which displays the IP address of the sender (the egress IP address). If the application rule on the firewall is configured properly, the firewall's public IP address is returned.
 
-```azurecli
-az container create \
-  --resource-group $RESOURCE_GROUP_NAME \
-  --name testegress \
-  --image mcr.microsoft.com/azuredocs/aci-tutorial-sidecar \
-  --command-line "curl -s http://checkip.dyndns.org" \
-  --restart-policy OnFailure \
-  --vnet aci-vnet \
-  --subnet aci-subnet
-```
+:::code language="azurecli" source="~/azure_cli_scripts/container-instances/egress-ip-address.sh" id="egress":::
 
 View the container logs to confirm the IP address is the same as the public IP address of the firewall.
 
@@ -273,14 +168,20 @@ Output is similar to:
 <html><head><title>Current IP Check</title></head><body>Current IP Address: 52.142.18.133</body></html>
 ```
 
+## Clean up resources
+
+When no longer needed, you can use [az group delete](/cli/azure/group) to remove the resource group and all related resources as follows. The `--no-wait` parameter returns control to the prompt without waiting for the operation to complete. The `--yes` parameter confirms that you wish to delete the resources without an additional prompt to do so.
+
+```azurecli-interactive
+az group delete --name $resourceGroup --yes --no-wait
+```
+
 ## Next steps
 
 In this article, you set up container groups in a virtual network behind an Azure firewall. You configured a user-defined route and NAT and application rules on the firewall. By using this configuration, you set up a single, static IP address for ingress and egress from Azure Container Instances.
 
 For more information about managing traffic and protecting Azure resources, see the [Azure Firewall](../firewall/index.yml) documentation.
 
-
-
 [az-group-create]: /cli/azure/group#az_group_create
 [az-container-create]: /cli/azure/container#az_container_create
 [az-network-vnet-subnet-create]: /cli/azure/network/vnet/subnet#az_network_vnet_subnet_create