
Commit 075dafc

Merge pull request #25 from duongau/zero-trust-include-review-563016
Fix broken links, redirect issues, and add SKU prerequisite in Zero Trust includes
2 parents f540f01 + cb2be88 commit 075dafc

4 files changed

Lines changed: 10 additions & 7 deletions

File tree

articles/networking/security/includes/25535.md

Lines changed: 4 additions & 2 deletions
@@ -13,11 +13,13 @@ ms.custom: Network-Secure-Recommendation
1313
# userimpact: Low
1414
# implementationcost: Medium
1515
---
16-
Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. However, using Azure Firewall alone for outbound connectivity can lead to SNAT port exhaustion under high-traffic workloads. The recommendation is to deploy NAT Gateway alongside Azure Firewall — Azure Firewall handles outbound security inspection (threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement), while NAT Gateway provides scalable SNAT ports for the actual outbound traffic flow. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services, with NAT Gateway configured on the AzureFirewallSubnet to handle outbound translation. Without this combined approach, organizations risk either uninspected outbound traffic or SNAT port exhaustion leading to dropped connections. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
16+
Azure Firewall is a cloud-native network security service that provides centralized inspection, logging, and enforcement for outbound traffic. In a secure network architecture, outbound traffic from VNet-integrated workloads such as VMs, AKS clusters, App Service, and Functions should be explicitly routed through Azure Firewall before reaching external services. This routing ensures that outbound security inspection — including threat intelligence filtering, intrusion detection and prevention, TLS inspection, and egress policy enforcement — is applied to all outbound flows. Without this routing, outbound traffic bypasses the firewall entirely, leaving the environment exposed to data exfiltration and command-and-control communication. This check verifies that effective network routes direct outbound traffic to the firewall's private IP address for eligible workloads across all subscriptions.
17+
18+
For high-traffic workloads that risk SNAT port exhaustion, consider deploying [Azure NAT Gateway alongside Azure Firewall](/azure/firewall/integrate-with-nat-gateway). NAT Gateway provides up to 64,512 SNAT ports per public IP address compared to Azure Firewall's 2,496 SNAT ports per public IP per instance. When associated with the AzureFirewallSubnet, NAT Gateway handles outbound translation while Azure Firewall continues to inspect traffic — with no double NAT.
1719

1820
**Remediation action**
1921

20-
- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#configure-routing)
22+
- [Configure Azure Firewall routing](/azure/firewall/tutorial-firewall-deploy-portal#create-a-default-route)
2123
- [Manage route tables and routes](/azure/virtual-network/manage-route-table)
2224
- [Control App Service outbound traffic with Azure Firewall](/azure/app-service/network-secure-outbound-traffic-azure-firewall)
2325
- [Azure Firewall security rules](/azure/firewall/rule-processing)
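Review bot: The SNAT figures in the new paragraph (64,512 ports per public IP for NAT Gateway, 2,496 per public IP per instance for Azure Firewall) are service limits that change over time, and the paragraph does not say where they come from; either cite the limits page they were taken from or phrase the comparison qualitatively and let the linked integrate-with-nat-gateway article carry the numbers. The sentence "This check verifies that effective network routes direct outbound traffic to the firewall's private IP address" now sits directly above the NAT Gateway paragraph, so a reader may expect the check to also evaluate NAT Gateway association; a short clause stating that NAT Gateway association is not part of this check would avoid that. Also confirm that the tutorial still has a heading matching the new remediation anchor `#create-a-default-route`, since the old `#configure-routing` anchor is being replaced precisely because it broke.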

articles/networking/security/includes/25537.md

Lines changed: 3 additions & 0 deletions
@@ -15,6 +15,9 @@ ms.custom: Network-Secure-Recommendation
1515
---
1616
Azure Firewall Threat Intelligence-based filtering alerts and denies traffic from and to known malicious IP addresses, fully qualified domain names (FQDNs), and URLs sourced from the Microsoft Threat Intelligence feed. When enabled, Azure Firewall evaluates traffic against threat intelligence rules before applying network address translation (NAT), network, or application rules. This check verifies that Threat Intelligence is enabled in "Alert and deny" mode in the Azure Firewall policy. Without this feature enabled, the environment remains exposed to known malicious IPs, domains, and URLs, creating risk of compromise or data exfiltration.
1717

18+
> [!NOTE]
19+
> "Alert and deny" mode requires Azure Firewall Standard or Premium. Azure Firewall Basic supports alert mode only. For a full feature comparison, see [Choose the right Azure Firewall SKU](/azure/firewall/choose-firewall-sku).
20+
1821
**Remediation action**
1922

2023
- [Azure Firewall threat intelligence configuration](/azure/firewall-manager/threat-intelligence-settings)
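Review bot: The new note tells a reader on Azure Firewall Basic that "Alert and deny" is unavailable, but the check as described still fails any policy not in that mode, so a Basic deployment cannot satisfy it through the linked threat-intelligence-settings page; state the expected action for Basic (upgrade the SKU, or that the recommendation is scoped to Standard and Premium) so the remediation section is actionable for every SKU the note mentions.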

articles/networking/security/includes/26885.md

Lines changed: 1 addition & 1 deletion
@@ -17,7 +17,7 @@ Azure DDoS Protection provides advanced mitigation capabilities for public IP ad
1717

1818
**Remediation action**
1919

20-
- [Configure Azure DDoS Protection metrics and diagnostic logs](/azure/ddos-protection/diagnostic-logging)
20+
- [Configure Azure DDoS Protection metrics and diagnostic logs](/azure/ddos-protection/ddos-view-diagnostic-logs)
2121
- [Configure diagnostic settings for Azure resources](/azure/azure-monitor/essentials/diagnostic-settings)
2222
- [Azure DDoS Protection overview](/azure/ddos-protection/ddos-protection-overview)
2323
- [Create and configure Azure DDoS Network Protection using the Azure portal](/azure/ddos-protection/manage-ddos-protection)
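Review bot: The link text "Configure Azure DDoS Protection metrics and diagnostic logs" is unchanged while the target moved to `ddos-view-diagnostic-logs`; 26886.md in this same commit labels the identical target "View and configure DDoS Protection diagnostic logs". Use one label for the page in both includes so readers do not take them for two different articles.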

articles/networking/security/includes/26886.md

Lines changed: 2 additions & 4 deletions
@@ -17,7 +17,5 @@ When Azure DDoS Protection is enabled for public IP addresses, diagnostic loggin
1717

1818
**Remediation action**
1919

20-
- [Configure Azure DDoS Protection diagnostic logging](/azure/ddos-protection/diagnostic-logging)
21-
- [View and configure DDoS diagnostic logs](/azure/ddos-protection/diagnostic-logging#configure-ddos-diagnostic-logs)
22-
- [Azure DDoS Protection monitoring and logging](/azure/ddos-protection/monitor-ddos-protection)
23-
- [View and analyze DDoS logs](/azure/ddos-protection/monitor-ddos-protection)
20+
- [View and configure DDoS Protection diagnostic logs](/azure/ddos-protection/ddos-view-diagnostic-logs)
21+
- [Monitor Azure DDoS Protection](/azure/ddos-protection/monitor-ddos-protection)
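Review bot: Collapsing the four entries into two removes the duplicated targets (`diagnostic-logging` twice, `monitor-ddos-protection` twice), but the deleted second entry carried the `#configure-ddos-diagnostic-logs` anchor that sent readers straight to the configuration steps; if the new `ddos-view-diagnostic-logs` page has an equivalent section, keep an anchor to it so the remediation action still lands on the how-to rather than the top of the page.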
