Commit fe6fb26

Merge pull request #298182 from varunkalyana/patch-2
Azure Firewall issues and limitations - (updated the dns policy inheritance issue)
2 parents be11bc8 + eadadc8 commit fe6fb26

1 file changed

+3
-2
lines changed

articles/firewall/firewall-known-issues.md

Lines changed: 3 additions & 2 deletions
@@ -5,7 +5,7 @@ services: firewall
55
author: varunkalyana
66
ms.service: azure-firewall
77
ms.topic: concept-article
8-
ms.date: 04/11/2025
8+
ms.date: 04/13/2025
99
ms.author: varunkalyana
1010
---
1111

@@ -32,7 +32,8 @@ Azure Firewall Standard has the following known issues:
3232
|---------|---------|---------|
3333
|DNAT support for private IP addresses limited to Standard and Premium versions|Support for DNAT on Azure Firewall private IP address is intended for enterprises, so is limited to the Standard and Premium Firewall versions.| None|
3434
|Network filtering rules for non-TCP/UDP protocols (for example ICMP) don't work for Internet bound traffic|Network filtering rules for non-TCP/UDP protocols don't work with SNAT to your public IP address. Non-TCP/UDP protocols are supported between spoke subnets and VNets.|Azure Firewall uses the Standard Load Balancer, [which doesn't support SNAT for IP protocols today](../load-balancer/outbound-rules.md#limitations). We're exploring options to support this scenario in a future release.|
35-
|When an Azure Firewall is deallocated and then allocated again, sometimes it may be assigned a new private IP address that differs from the previous one.| In such scenarios, the existing User Defined Routes (UDRs) configured with the old private IP address will need to be reconfigured to reflect the new private IP address.|A fix for this issue to retain the previously assigned private IP address is in our roadmap.|
35+
|When an Azure Firewall is deallocated and then allocated again, sometimes it may be assigned a new private IP address that differs from the previous one.| After the deallocation and application process of the Azure Firewall, a private IP address is assigned dynamically from the Azure Firewall subnet. When a new private IP address is assigned that is different from the previous one, it will cause routing issues. |The existing User Defined Routes (UDRs) configured with the old private IP address will need to be reconfigured to reflect the new private IP address. A fix is being investigated to retain the private IP address after the allocation process.|
36+
|Azure Firewall DNS proxy server configurations in the parent policy is not inherited by child policies.|Changes made to the Azure Firewall parent policy will result in DNS resolution failures for Fully Qualified Domain Name (FQDN) based rules within the child policies that are linked to the parent policy.| To avoid this issue, configure the DNS proxy settings directly on the child policies instead of relying on inheritance from the parent policy. A fix is being investigated to allow child policies to interhit DNS configurations from the parent policy.|
3637
|Missing PowerShell and CLI support for ICMP|Azure PowerShell and CLI don't support ICMP as a valid protocol in network rules.|It's still possible to use ICMP as a protocol via the portal and the REST API. We're working to add ICMP in PowerShell and CLI soon.|
3738
|FQDN tags require a protocol: port to be set|Application rules with FQDN tags require port: protocol definition.|You can use **https** as the port: protocol value. We're working to make this field optional when FQDN tags are used.|
3839
|Moving a firewall to a different resource group or subscription isn't supported|Moving a firewall to a different resource group or subscription isn't supported.|Supporting this functionality is on our road map. To move a firewall to a different resource group or subscription, you must delete the current instance and recreate it in the new resource group or subscription.|
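
Review bot: The added DNS proxy row has a typo in its mitigation cell, "interhit" should be "inherit", and its issue cell reads "configurations in the parent policy is not inherited" where the plural subject needs "are not inherited". In the same row, the description cell says "Changes made to the Azure Firewall parent policy will result in DNS resolution failures" without saying which changes; judging by the issue cell this presumably means changes to the DNS proxy settings, so say that explicitly, otherwise readers may conclude that any parent policy edit breaks FQDN-based rules in child policies. In the rewritten private IP row, "After the deallocation and application process" looks like it should be "deallocation and allocation process", matching "after the allocation process" in that row's mitigation cell.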

0 commit comments
