new article for draft and deploy

ZarrVenkat · ZarrVenkat · commit dae094ad1565 · 2025-04-23T14:46:15.000+05:30
diff --git a/articles/firewall/draft-deploy.md b/articles/firewall/draft-deploy.md
@@ -1,6 +1,6 @@
 ---
 title: Azure Firewall features
-description: Learn about Azure Firewall feature draft and deploy
+description: Learn about Azure Firewall feature draft and deployment
 services: firewall
 author: vekannan
 ms.service: azure-firewall
@@ -9,14 +9,14 @@ ms.date: 04/22/2025
 ms.author: duau
 ---
 
-# Azure Firewall Draft and Deploy (Preview)
+# Azure Firewall Draft + Deployment (Preview)
 
 Organizations are required to make frequent changes to their Firewall Policy for several reasons: onboarding a new application or workload, patching security issue, or for maintenance and optimizing their policy by merging rules or deleting unused rules. These updates can be performed by multiple people, while each update can take up to a few minutes to be deployed.
 With Azure Firewall Policy Save & Commit, you can now update your policy in a 2-phased approach: 
 
-* Save: Make as many changes as needed, by one or more people, which will be saved in a temporary policy draft (which is cloned from your current applied policy). These changes are extremely fast to make.
+* Draft: Make as many changes as needed, by one or more people, which will be saved in a temporary policy draft (which is cloned from your current applied policy). These changes are extremely fast to make.
 
-* Commit: Apply the changes altogether by deploying the draft version and make it your current applied policy.
+* Deployment: Apply the changes altogether by deploying the draft version and make it your current applied policy.
 
 In this article, you learn how to:
 
@@ -29,31 +29,94 @@ In this article, you learn how to:
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
-### Use Draft + Commit
+If you want to use this feature via CLI, then make sure azure-firewall extenstion version is above [1.2.3](https://github.com/Azure/azure-cli-extensions/releases/tag/azure-firewall-1.2.3)
 
-Azure Firewall's draft and deploy feature allows you to safely test changes in a demo or test environment before applying them to production.  
+## Use Draft + Deployment
+
+Azure Firewall's draft + deployment feature allows you to make bulk updates to your firewall policy, before applying them to production.  
 
 1. In the Azure portal, navigate to your existing firewall policies or create a new one.
-1. On the Azure Firewall Policy blade, click **Draft & Deployment**, then select **Create a new draft.** This will create a new draft associated with this policy, which is a 1-1 copy of your current applied policy.
+1. On the Azure Firewall Policy blade, under **Management** section click **Draft & Deployment**, then select **Create a new draft.** This creates a draft that is an exact copy of your current applied policy.
 
-    :::image type="content" source="media/draft-deploy/Picture1.png" alt-text="screenshot of Draft and Deploy":::
+    :::image type="content" source="media/draft-deploy/pic1.png" alt-text="screenshot of Draft and Deploy":::
 
-1. On the draft page, make changes or additions to your rules or other settings. These pages are identical to the ones in the deployed draft, but changes you make in a draft will be deployed only when you specifically deploy the draft.
-1. Next, return to the **deploy** screen, and select **deploy draft**. Once the draft is deployed, the updated version, including all changes you made in draft, will override the current deployed policy and become the latest version. The draft body itself will be deleted after that. And you will then be able to create a new draft on top of the new deployment again.
-1. You can repeat the process as many times as you would like to make further changes to the firewall policy.
+    :::image type="content" source="media/draft-deploy/pic2.png" alt-text="screenshot of create a draft":::
+
+1. On the draft page, make changes or additions to your rules or settings. These pages are identical to the ones in the deployed draft. These changes will only take effect when you deploy the draft.
+    :::image type="content" source="media/draft-deploy/pic3.png" alt-text="screenshot of drafting changes":::
+
+1. To verify the changes, return to the **deploy** screen and see the rules or setting changes. To deploy, select **deploy draft**. Once deployed, the draft replaces the current policy and becomes the latest version. The draft itself is deleted after the deployment. 
+
+    :::image type="content" source="media/draft-deploy/pic4.png" alt-text="screenshot of check changes and deploy":::
+
+1. Repeat the process as needed to make further updates to the firewall policy.
+
+> [!NOTE]
+> When using this feature via PowerShell or API, you must first download the current policy and manually create a draft based on it. In contrast, when using the Azure portal or CLI, creating a draft automatically generates it from the existing policy.
 
-# [Powershell](#tab/powershell)
- 
-```azurepowershell-interactive 
-New-AzFirewallPolicyDraft -AzureFirewallPolicyName fw-policy -ResourceGroupName chetan-rg
-Set-AzFirewallPolicyDraft -AzureFirewallPolicyName fw-policy -ResourceGroupName chetan-rg -PrivateRange @("99.99.99.0/24", "66.66.0.0/16")                                                                           
- 
-New-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName rcg-a  -ResourceGroupName chetan-rg -AzureFirewallPolicyName -Priority 200
-```
 # [CLI](#tab/CLI)
 ```azurecli-interactive
+
+az login
+
+Create a draft: 
+az network firewall policy draft create --policy-name fw-policy --resource-group test-rg
+
+Update draft (settings):
+az network firewall policy draft update --policy-name fw-policy --resource-group test-rg --threat-intel-mode Off --idps-mode Deny
+
+Update draft (rules):
+
+    Create a new RCG in draft:
+    az network firewall policy rule-collection-group draft create –rule-collection-group-name rcg-b –policy-name fw-policy –resource-group test-rg –priority 303
+
+    Update a RCG in draft:
+    az network firewall policy rule-collection-group draft collection add-nat-collection -n nat_collection_1 --collection-priority 10003 --policy-name fw-policy -g test-rg --rule-collection-group-name rcg-c --action DNAT --rule-name network_rule_21 --description "test" --destination-addresses "202.120.36.15" --source-addresses "202.120.36.13" "202.120.36.14" --translated-address 128.1.1.1 --translated-port 1234 --destination-ports 12000 12001 --ip-protocols TCP UDP
+
+See the Draft: 
+az network firewall policy draft show --policy-name fw-policy --resource-group test-rg
+
+Deploy Draft: 
+az network firewall policy deploy --name fw-policy --resource-group test-rg
+
+Discard Draft:
+az network firewall policy draft delete --policy-name fw-policy --resource-group test-rg
+
+```
+
+# [PowerShell](#tab/powershell)
+ 
+```azurepowershell-interactive 
+
+Create a draft: 
+New-AzFirewallPolicyDraft -AzureFirewallPolicyName fw-policy -ResourceGroupName test-rg
+
+Update draft (settings):
+Set-AzFirewallPolicyDraft -AzureFirewallPolicyName fw-policy -ResourceGroupName test-rg -ThreatIntelWhitelist $threatIntelWhitelist
+
+Update draft (rules):
+    Create a new RCG in draft:
+    New-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName rcg-a -ResourceGroupName test-rg -AzureFirewallPolicyName fw-policy -Priority 200
+
+    Update a RCG in draft:
+    $rule1 = New-AzFirewallPolicyApplicationRule -Name "Allow-HTTP" -Protocol "Http:80" -SourceAddress "10.0.0.0/24" -TargetFqdn www.example.com
+
+    $rule2 = New-AzFirewallPolicyApplicationRule -Name "Allow-HTTPS-2" -Protocol "Https:443" -SourceAddress "10.0.0.0/24" -TargetFqdn "www.secureexample.com"  
+
+    $ruleCollection = New-AzFirewallPolicyFilterRuleCollection -Name "Allow-Rules" -Priority 100 -Rule $rule1, $rule2 -ActionType Allow   
+
+    Set-AzFirewallPolicyRuleCollectionGroupDraft -AzureFirewallPolicyRuleCollectionGroupName rcg-b -ResourceGroupName test-rg -AzureFirewallPolicyName fw-policy -Priority 400 -RuleCollection $ruleCollection
+
+See the draft: 
+Get-AzFirewallPolicyDraft -AzureFirewallPolicyName fw-policy -ResourceGroupName test-rg
+
+Deploy the draft:
+Deploy-AzFirewallPolicy -Name fw-policy -ResourceGroupName test-rg 
+
+Discard draft:
+Remove-AzFirewallPolicyDraft -AzureFirewallPolicyName fw-policy -ResourceGroupName test-rg
+
 ```
-# [API](#tab/API)
 
 ---
 
