
Commit 55be3d4

Update firewall-faq with ESP packet support details
Added information on Azure Firewall's support for ESP packets and configuration details for allowing ESP traffic through network rules. Included recommendations for IPsec VPN configurations.

### Summary

This PR adds a new FAQ entry explaining how to allow ESP (Encapsulating Security Payload) traffic for IPSec VPN scenarios in Azure Firewall and NSG.

### Details

- Added a new question: **"Can Azure Firewall pass ESP packets (IPSec VPN)?"**
- Provided configuration steps for Azure Firewall:
  - Protocol: Any
  - Source port: * (Any)
  - Destination port: * (Any)
  - Source/Destination: Specify IP addresses as needed
- Included guidance for NSG:
  - Protocol: Any
  - Port: * (Any)
- Added recommendations:
  - Use Azure VPN Gateway for IPSec VPN configurations
  - Consider NVA (Network Virtual Appliance) for advanced scenarios

### Why

Some customers frequently attempt to implement this configuration when setting up IPSec VPN with Azure Firewall. Without clear documentation, this often leads to confusion, misconfiguration, and support cases. This FAQ provides explicit guidance, a documented workaround, and best practices to ensure proper implementation and avoid operational issues.

### Impact

- Improves clarity for customers configuring IPSec VPN with Azure Firewall
- Reduces support cases related to ESP traffic blocking
- Aligns with internal design guidance (ESP_Design.docx).
1 parent a62dc8b commit 55be3d4

1 file changed

Lines changed: 26 additions & 0 deletions

articles/firewall/firewall-faq.yml
@@ -112,6 +112,32 @@ sections:
112112
answer: |
113113
No, Azure Firewall doesn't natively support BGP peering. However, the [Autolearn SNAT routes feature](../firewall/snat-private-range.md#auto-learn-snat-routes-preview) indirectly uses BGP through Azure Route Server.
114114
115+
116+
117+
- question: Can Azure Firewall pass ESP packets (IPSec VPN)?
118+
answer: |
119+
Azure Firewall does not natively support ESP (Encapsulating Security Payload), but you can allow ESP traffic by configuring a network rule as follows:
120+
121+
**Azure Firewall configuration (Network Rule):**
122+
- Protocol: Any
123+
- Source port: * (Any)
124+
- Destination port: * (Any)
125+
- Source/Destination: Specify IP addresses as needed
126+
127+
This configuration allows ESP packets (IP protocol number 50) and other non-TCP/UDP traffic to match the rule. However, note that Azure Firewall does not inspect ESP payloads.
128+
129+
**<Reference> If using NSG (Network Security Group) instead of Azure Firewall:**
130+
NSG does not provide a direct option to specify ESP (IP protocol number 50), but ESP packets can be allowed by using the following settings:
131+
- Protocol: Any
132+
- Port: * (Any)
133+
- Source/Destination: Specify IP addresses as needed
134+
135+
**Recommendations:**
136+
- For IPsec VPN configurations, using Azure VPN Gateway is recommended.
137+
- Consider using an NVA (Network Virtual Appliance) pattern depending on your requirements.
138+
139+
140+
115141
- name: Management and configuration
116142
questions:
117143
- question: How can I stop and start Azure Firewall?
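Review bot: The first sentence of the new answer ("Azure Firewall does not natively support ESP") is contradicted two paragraphs later, where the same answer says the rule "allows ESP packets (IP protocol number 50) and other non-TCP/UDP traffic"; the real limitation is that ESP is not a selectable protocol in a network rule, so reword along the lines of "Azure Firewall network rules don't offer ESP as a protocol option, but a rule with Protocol set to Any matches ESP (IP protocol 50) together with every other IP protocol." Since Protocol: Any with port * admits all traffic between the chosen addresses, the "Source/Destination: Specify IP addresses as needed" bullets should tell readers to restrict them to the VPN peers' addresses, and the answer should mention that this same rule is what carries the IKE negotiation the tunnel needs (UDP 500, and UDP 4500 when NAT traversal is used); otherwise readers will expect an ESP-only opening. The NSG paragraph ("NSG does not provide a direct option to specify ESP (IP protocol number 50)") should be verified before merge: NSG security rules list ESP and AH as protocol choices alongside TCP, UDP, ICMP and Any, so if that holds the guidance should be to select ESP rather than Any. Also remove the stray "<Reference>" marker from the bold NSG heading, pick one spelling of IPsec (the question says "IPSec", the recommendations say "IPsec"), and trim the three blank lines added before the new question and after the recommendations to the single blank line the neighbouring entries use.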
