Merge pull request #57313 from ShawnJackson/firewall-hybrid-ps

QualityReviewPilot: firewall-hybrid-ps

Author: Jak-MS

articles/firewall/tutorial-hybrid-ps.md

@@ -1,33 +1,45 @@
 ---
-title: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
+title: 'Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell'
 description: In this tutorial, you learn how to deploy and configure Azure Firewall using the Azure portal. 
 services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: tutorial
 ms.date: 10/27/2018
 ms.author: victorh
-#Customer intent: As an administrator, I want to deploy and configure Azure Firewall in a hybrid network so that I can control access from an on-premise network to an Azure VNet.
+#Customer intent: As an administrator, I want to control network access from an on-premises network to an Azure virtual network.
 ---
 # Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
 
+When you connect your on-premises network to an Azure virtual network to create a hybrid network, the ability to control access to your Azure network resources is an important part of an overall security plan.
+
+You can use Azure Firewall to control network access in a hybrid network using rules that define allowed and denied network traffic.
+
+For this tutorial, you create three virtual networks:
+
+- **VNet-Hub** - the firewall is in this virtual network.
+- **VNet-Spoke** - the spoke virtual network represents the workload located on Azure.
+- **VNet-Onprem** - The on-premises virtual network represents an on-premises network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located virtual network is used to represent an on-premises network.
+
+![Firewall in a hybrid network](media/tutorial-hybrid-ps/hybrid-network-firewall.png)
+
 In this tutorial, you learn how to:
 
 > [!div class="checklist"]
-> * Set up the network environment
+> * Declare the variables
+> * Create the firewall hub virtual network
+> * Create the spoke virtual network
+> * Create the on-premises virtual network
 > * Configure and deploy the firewall
+> * Create and connect the VPN gateways
+> * Peer the hub and spoke virtual networks
 > * Create the routes
 > * Create the virtual machines
 > * Test the firewall
 
-For this tutorial, you create three VNets:
-- **VNet-Hub** - the firewall is in this VNet.
-- **VNet-Spoke** - the spoke VNet represents the workload located on Azure.
-- **VNet-Onprem** - The OnPrem VNet represents an on-premise network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located VNet is used to represent an on-premise network.
-
-![Firewall in a hybrid network](media/tutorial-hybrid-ps/hybrid-network-firewall.png)
+## Prerequisites
 
-## Key requirements
+This tutorial requires that you run PowerShell locally. You must have Azure PowerShell module version 6.12.0 or later installed. Run `Get-Module -ListAvailable AzureRM` to find the version. If you need to upgrade, see [Install Azure PowerShell module](https://docs.microsoft.com/powershell/azure/install-azurerm-ps). After you verify the PowerShell version, run `Login-AzureRmAccount` to create a connection with Azure.
 
 There are three key requirements for this scenario to work correctly:
 
@@ -40,11 +52,9 @@ See the [Create Routes](#create-routes) section in this tutorial to see how thes
 
 If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
 
-[!INCLUDE [cloud-shell-powershell.md](../../includes/cloud-shell-powershell.md)]
-
 ## Declare the variables
 
-The following example declares the variables using the values for this tutorial. In most cases, you should replace the values with your own. However, you can use these variables if you are running through the steps to become familiar with this type of configuration. Modify the variables if needed, then copy and paste them into your PowerShell console.
+The following example declares the variables using the values for this tutorial. In some cases, you might need to replace some values with your own to work in your subscription. Modify the variables if needed, then copy and paste them into your PowerShell console.
 
 ```azurepowershell
 $RG1 = "FW-Hybrid-Test"
@@ -62,15 +72,15 @@ $GWHubpipName = "VNet-hub-GW-pip"
 $GWIPconfNameHub = "GW-ipconf-hub"
 $ConnectionNameHub = "hub-to-Onprem"
 
-# Variables for the spoke VNet
+# Variables for the spoke virtual network
 
 $VnetNameSpoke = "VNet-Spoke"
 $SNnameSpoke = "SN-Workload"
 $VNetSpokePrefix = "10.6.0.0/16"
 $SNSpokePrefix = "10.6.0.0/24"
 $SNSpokeGWPrefix = "10.6.1.0/24"
 
-# Variables for the OnPrem VNet
+# Variables for the on-premises virtual network
 
 $VNetnameOnprem = "Vnet-Onprem"
 $SNNameOnprem = "SN-Corp"
@@ -85,70 +95,69 @@ $GWOnprempipName = "VNet-Onprem-GW-pip"
 $SNnameGW = "GatewaySubnet"
 ```
 
-## Create a resource group
 
-Create a resource group to contain all the resources required for this tutorial:
+## Create the firewall hub virtual network
+
+First, create the resource group to contain the resources for this tutorial:
 
 ```azurepowershell
   New-AzureRmResourceGroup -Name $RG1 -Location $Location1
   ```
 
-## Create and configure the firewall hub Vnet
-
-Define the subnets to be included in the VNet:
+Define the subnets to be included in the virtual network:
 
 ```azurepowershell
 $FWsub = New-AzureRmVirtualNetworkSubnetConfig -Name $SNnameHub -AddressPrefix $SNHubPrefix
 $GWsub = New-AzureRmVirtualNetworkSubnetConfig -Name $SNnameGW -AddressPrefix $SNGWHubPrefix
 ```
 
-Now, create the firewall hub VNet:
+Now, create the firewall hub virtual network:
 
 ```azurepowershell
 $VNetHub = New-AzureRmVirtualNetwork -Name $VNetnameHub -ResourceGroupName $RG1 `
 -Location $Location1 -AddressPrefix $VNetHubPrefix -Subnet $FWsub,$GWsub
 ```
 
-Request a public IP address to be allocated to the VPN gateway you will create for your VNet. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your VPN gateway. 
+Request a public IP address to be allocated to the VPN gateway you will create for your virtual network. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your VPN gateway. 
 
   ```azurepowershell
   $gwpip1 = New-AzureRmPublicIpAddress -Name $GWHubpipName -ResourceGroupName $RG1 `
   -Location $Location1 -AllocationMethod Dynamic
 ```
 
-## Create and configure the spoke Vnet
+## Create the spoke virtual network
 
-Define the subnets to be included in the spoke VNet:
+Define the subnets to be included in the spoke virtual network:
 
 ```azurepowershell
 $Spokesub = New-AzureRmVirtualNetworkSubnetConfig -Name $SNnameSpoke -AddressPrefix $SNSpokePrefix
 $GWsubSpoke = New-AzureRmVirtualNetworkSubnetConfig -Name $SNnameGW -AddressPrefix $SNSpokeGWPrefix
 ```
 
-Create the spoke VNet:
+Create the spoke virtual network:
 
 ```azurepowershell
 $VNetSpoke = New-AzureRmVirtualNetwork -Name $VnetNameSpoke -ResourceGroupName $RG1 `
 -Location $Location1 -AddressPrefix $VNetSpokePrefix -Subnet $Spokesub,$GWsubSpoke
 ```
 
-## Create and configure the OnPrem VNet
+## Create the on-premises virtual network
 
-Define the subnets to be included in the VNet:
+Define the subnets to be included in the virtual network:
 
 ```azurepowershell
 $Onpremsub = New-AzureRmVirtualNetworkSubnetConfig -Name $SNNameOnprem -AddressPrefix $SNOnpremPrefix
 $GWOnpremsub = New-AzureRmVirtualNetworkSubnetConfig -Name $SNnameGW -AddressPrefix $SNGWOnpremPrefix
 ```
 
-Now, create the OnPrem VNet:
+Now, create the on-premises virtual network:
 
 ```azurepowershell
 $VNetOnprem = New-AzureRmVirtualNetwork -Name $VNetnameOnprem -ResourceGroupName $RG1 `
 -Location $Location1 -AddressPrefix $VNetOnpremPrefix -Subnet $Onpremsub,$GWOnpremsub
 ```
 
-Request a public IP address to be allocated to the gateway you will create for the VNet. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway. 
+Request a public IP address to be allocated to the gateway you will create for the virtual network. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway. 
 
   ```azurepowershell
   $gwOnprempip = New-AzureRmPublicIpAddress -Name $GWOnprempipName -ResourceGroupName $RG1 `
@@ -157,7 +166,7 @@ Request a public IP address to be allocated to the gateway you will create for t
 
 ## Configure and deploy the firewall
 
-Now deploy the firewall into the hub VNet.
+Now deploy the firewall into the hub virtual network.
 
 ```azurepowershell
 # Get a Public IP for the firewall
@@ -193,9 +202,9 @@ Set-AzureRmFirewall -AzureFirewall $Azfw
 
 ## Create and connect the VPN gateways
 
-The hub and OnPrem VNets are connected via VPN gateways.
+The hub and on-premises virtual networks are connected via VPN gateways.
 
-### Create a VPN gateway for the hub VNet
+### Create a VPN gateway for the hub virtual network
 
 Create the VPN gateway configuration. The VPN gateway configuration defines the subnet and the public IP address to use.
 
@@ -206,15 +215,15 @@ Create the VPN gateway configuration. The VPN gateway configuration defines the
   -Subnet $subnet1 -PublicIpAddress $gwpip1
   ```
 
-Now create the VPN gateway for the hub VNet. VNet-to-VNet configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
+Now create the VPN gateway for the hub virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
 
 ```azurepowershell
 New-AzureRmVirtualNetworkGateway -Name $GWHubName -ResourceGroupName $RG1 `
 -Location $Location1 -IpConfigurations $gwipconf1 -GatewayType Vpn `
 -VpnType RouteBased -GatewaySku basic
 ```
 
-### Create a VPN gateway for the OnPrem VNet
+### Create a VPN gateway for the on-premises virtual network
 
 Create the VPN gateway configuration. The VPN gateway configuration defines the subnet and the public IP address to use.
 
@@ -225,7 +234,7 @@ $gwipconf2 = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfNameOnprem
   -Subnet $subnet2 -PublicIpAddress $gwOnprempip
   ```
 
-Now create the VPN gateway for the OnPrem VNet. VNet-to-VNet configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
+Now create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
 
 ```azurepowershell
 New-AzureRmVirtualNetworkGateway -Name $GWOnpremName -ResourceGroupName $RG1 `
@@ -235,7 +244,7 @@ New-AzureRmVirtualNetworkGateway -Name $GWOnpremName -ResourceGroupName $RG1 `
 
 ### Create the VPN connections
 
-Now you can create the VPN connections between the hub and OnPrem gateways
+Now you can create the VPN connections between the hub and on-premises gateways
 
 #### Get the VPN gateways
 
@@ -246,14 +255,14 @@ $vnetOnpremgw = Get-AzureRmVirtualNetworkGateway -Name $GWOnpremName -ResourceGr
 
 #### Create the connections
 
-In this step, you create the connection from the hub VNet to the OnPrem VNet. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
+In this step, you create the connection from the hub virtual network to the on-premises virtual network. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
 
 ```azurepowershell
 New-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionNameHub -ResourceGroupName $RG1 `
 -VirtualNetworkGateway1 $vnetHubgw -VirtualNetworkGateway2 $vnetOnpremgw -Location $Location1 `
 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'
 ```
-Create the OnPrem to hub VNet connection. This step is similar to the previous one, except you create the connection from Vnet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.
+Create the on-premises to hub virtual network connection. This step is similar to the previous one, except you create the connection from VNet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.
 
   ```azurepowershell
   New-AzureRmVirtualNetworkGatewayConnection -Name $ConnectionNameOnprem -ResourceGroupName $RG1 `
@@ -278,9 +287,9 @@ After the cmdlet finishes, view the values. In the following example, the connec
 "egressBytesTransferred": 4142431
 ```
 
-## Peer the hub and spoke VNets
+## Peer the hub and spoke virtual networks
 
-Now peer the spoke and hub VNets.
+Now peer the hub and spoke virtual networks.
 
 ```azurepowershell
 # Peer hub to spoke
@@ -290,15 +299,15 @@ Add-AzureRmVirtualNetworkPeering -Name HubtoSpoke -VirtualNetwork $VNetHub -Remo
 Add-AzureRmVirtualNetworkPeering -Name SpoketoHub -VirtualNetwork $VNetSpoke -RemoteVirtualNetworkId $VNetHub.Id -AllowForwardedTraffic -UseRemoteGateways
 ```
 
-## Create routes
+## Create the routes
 
 Next, create a couple routes:
 
 - A route from the hub gateway subnet to the spoke subnet through the firewall IP address
 - A default route from the spoke subnet through the firewall IP address
 
 > [!NOTE]
-> Azure Firewall learns your on-premise networks using BGP. This may include a default route, which will route Internet traffic back through your on-premise network. If instead you want Internet traffic to be sent directly from the firewall to the Internet, add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premise destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
+> Azure Firewall learns your on-premises networks using BGP. This may include a default route, which routes Internet traffic back through your on-premises network. In a production deployment, you might want Internet traffic to be sent directly from the firewall to the Internet. You could add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premises destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
 
 ```azurepowershell
 #Create a route table
@@ -359,11 +368,11 @@ Set-AzureRmVirtualNetwork
 
 ## Create virtual machines
 
-Now create the spoke workload and OnPrem virtual machines, and place them in the appropriate subnets.
+Now create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.
 
 ### Create the workload virtual machine
 
-Create a virtual machine in the spoke VNet, running IIS, with no public IP address, and allows pings in.
+Create a virtual machine in the spoke virtual network, running IIS, with no public IP address, and allows pings in.
 When prompted, type a user name and password for the virtual machine.
 
 ```azurepowershell
@@ -411,9 +420,9 @@ Set-AzureRmVMExtension `
     -SettingString '{"commandToExecute":"powershell New-NetFirewallRule –DisplayName “Allow ICMPv4-In” –Protocol ICMPv4"}' `
     -Location $Location1--->
 
-### Create the OnPrem virtual machine
+### Create the on-premises virtual machine
 
-This is a simple virtual machine that you can connect to using Remote Desktop to the public IP address. From there, you can then connect to the OnPrem server through the firewall. When prompted, type a user name and password for the virtual machine.
+This is a simple virtual machine that you use to connect using Remote Desktop to the public IP address. From there, you then connect to the on-premises server through the firewall. When prompted, type a user name and password for the virtual machine.
 
 ```azurepowershell
 New-AzureRmVm `
@@ -428,29 +437,29 @@ New-AzureRmVm `
 
 ## Test the firewall
 
-First, get and note the private IP address for **VM-spoke-01** virtual machine.
+First, get and then note the private IP address for **VM-spoke-01** virtual machine.
 
 ```azurepowershell
 $NIC.IpConfigurations.privateipaddress
 ```
 
-1. From the Azure portal, connect to the **VM-Onprem** virtual machine.
+From the Azure portal, connect to the **VM-Onprem** virtual machine.
 <!---2. Open a Windows PowerShell command prompt on **VM-Onprem**, and ping the private IP for **VM-spoke-01**.
 
    You should get a reply.--->
-2. Open a web browser on **VM-Onprem**, and browse to http://\<VM-spoke-01 private IP\>
+Open a web browser on **VM-Onprem**, and browse to http://\<VM-spoke-01 private IP\>.
 
-   You should see the Internet Information Services default page.
+You should see the Internet Information Services default page.
 
-3. From **VM-Onprem**, open a remote desktop to **VM-spoke-01** at the private IP address.
+From **VM-Onprem**, open a remote desktop to **VM-spoke-01** at the private IP address.
 
-   Your connection should succeed, and you should be able to sign in using your chosen username and password.
+Your connection should succeed, and you should be able to sign in using your chosen username and password.
 
 So now you have verified that the firewall rules are working:
 
 <!---- You can ping the server on the spoke VNet.--->
-- You can browse web server on the spoke VNet.
-- You can connect to the server on the spoke VNet using RDP.
+- You can browse web server on the spoke virtual network.
+- You can connect to the server on the spoke virtual network using RDP.
 
 Next, change the firewall network rule collection action to **Deny** to verify that the firewall rules work as expected. Run the following script to change the rule collection action to **Deny**.
 
@@ -469,15 +478,6 @@ You can keep your firewall resources for the next tutorial, or if no longer need
 
 ## Next steps
 
-In this tutorial, you learned how to:
-
-> [!div class="checklist"]
-> * Set up the network environment
-> * Configure and deploy the firewall
-> * Create the routes
-> * Create the virtual machines
-> * Test the firewall
-
 Next, you can monitor the Azure Firewall logs.
 
 > [!div class="nextstepaction"]