
Can't recreate an Azure Firewall with policy-based DNAT rules and multiple public IP addresses

Andy Tost 70 Reputation points
2026-02-11T09:39:59.9733333+00:00

Hello support,

We are trying to deallocate and allocate the firewall in a specific time period for disaster recovery purposes. After we deallocate and allocate the firewall, we get the following error:

Rule collection "Rule" contains one or more DNAT rules where the DNAT destination does not match the address because a public IP has not been selected yet

I have tried to start the firewall with the following script:

# Start the firewall
$azfw = Get-AzFirewall -Name "Firewallname" -ResourceGroupName "rg"
$vnet = Get-AzVirtualNetwork -ResourceGroupName "rg" -Name "vnet"
$pip = Get-AzPublicIpAddress -ResourceGroupName "rg" -Name "afw-dfault-pip"
$mgmtPip = Get-AzPublicIpAddress -ResourceGroupName "rg" -Name "afw-pip-mgmt"
# Allocate with a single public IP plus the management public IP (forced tunneling)
$azfw.Allocate($vnet, $pip, $mgmtPip)
Set-AzFirewall -AzureFirewall $azfw
# Second public IP, not yet attached to the firewall
$Pip2 = Get-AzPublicIpAddress -ResourceGroupName "rg" -Name "afw-pip2"

But I am getting an error when adding "Pip2" because of the limitation on allowed public IPs.

How do we get it to work so that we can allocate the firewall again and use the existing, previously used public IP addresses?

Thank you

Regards

Andy

Azure Firewall

An Azure network security service used to protect Azure Virtual Network resources.


Answer accepted by the question author
  1. Ravi Varma Mudduluru 7,995 Reputation points Microsoft External Staff Moderator
    2026-02-11T11:48:56.1466667+00:00

    Hello @Andy Tost,

    Thank you for reaching out to Microsoft Q&A.

    As discussed, I was able to reproduce the issue and successfully deallocate and reassign the existing public IP address. A small adjustment to the script is required. Please use the updated PowerShell script below to implement your requirement.

    Azure PowerShell

    # === Parameters - Customize these ===
    $subscriptionId     = "<your-subscription-id>"          # e.g. "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    $resourceGroupName  = "<your-resource-group-name>"      # e.g. "FirewallRG"
    $firewallName       = "<your-firewall-name>"            # e.g. "MyAzureFirewall"
    $vnetName           = "<your-vnet-name>"                # e.g. "MyVNet" (must contain AzureFirewallSubnet)
    # Public IP names (existing ones already associated before)
    $publicIpName1      = "Pip1"                            # First public IP name
    $publicIpName2      = "Pip2"                            # Second public IP name
    # Add more if needed: $publicIpName3 = "Pip3"
    # If using forced tunneling with a separate management public IP, uncomment and set:
    # $managementPipName = "MgmtPip"
    # === Connect to Azure ===
    Connect-AzAccount -Subscription $subscriptionId
    # === Get required resources ===
    $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroupName
    $pip1 = Get-AzPublicIpAddress -Name $publicIpName1 -ResourceGroupName $resourceGroupName
    $pip2 = Get-AzPublicIpAddress -Name $publicIpName2 -ResourceGroupName $resourceGroupName
    # $pip3 = Get-AzPublicIpAddress -Name $publicIpName3 -ResourceGroupName $resourceGroupName   # if more
    # Optional: management PIP
    # $mgmtPip = Get-AzPublicIpAddress -Name $managementPipName -ResourceGroupName $resourceGroupName
    # === Step 1: STOP (Deallocate) the Firewall ===
    Write-Host "Deallocating Azure Firewall '$firewallName'..." -ForegroundColor Yellow
    $fw = Get-AzFirewall -Name $firewallName -ResourceGroupName $resourceGroupName
    $fw.Deallocate()
    $fw | Set-AzFirewall
    Write-Host "Firewall deallocated. Billing stopped. Waiting 2 minutes for completion..." -ForegroundColor Green
    Start-Sleep -Seconds 120
    # === Step 2: START (Allocate) the Firewall with existing public IPs ===
    Write-Host "Allocating Azure Firewall '$firewallName' with existing public IPs..." -ForegroundColor Yellow
    $fw = Get-AzFirewall -Name $firewallName -ResourceGroupName $resourceGroupName   # refresh object
    # Allocate with multiple public IPs (most common case)
    $fw.Allocate($vnet, @($pip1, $pip2))   # Add more if needed: @($pip1, $pip2, $pip3)
    # If forced tunneling with management IP, use this instead:
    # $fw.Allocate($vnet, @($pip1, $pip2), $mgmtPip)
    $fw | Set-AzFirewall
    Write-Host "Allocation triggered. Waiting for provisioning to complete (can take 5-15 minutes)..." -ForegroundColor Green
    Write-Host "Monitor status in portal: Azure Firewall > Overview > Provisioning state" -ForegroundColor Cyan
    # Optional: Loop to wait and check status
    $timeoutMinutes = 20
    $startTime = Get-Date
    do {
        Start-Sleep -Seconds 60
        $fw = Get-AzFirewall -Name $firewallName -ResourceGroupName $resourceGroupName
        Write-Host "Current provisioning state: $($fw.ProvisioningState)" -ForegroundColor Yellow
    } while ($fw.ProvisioningState -ne "Succeeded" -and ((Get-Date) - $startTime).TotalMinutes -lt $timeoutMinutes)
    if ($fw.ProvisioningState -eq "Succeeded") {
        Write-Host "Firewall successfully allocated and running!" -ForegroundColor Green
        Write-Host "Associated Public IPs:"
        $fw.IpConfigurations | Select-Object Name, PrivateIpAddress, @{Name="PublicIp";Expression={$_.PublicIpAddress.Id.Split('/')[-1]}}
    } else {
        Write-Host "Provisioning did not complete in time or failed. Check Azure portal / Activity log for errors." -ForegroundColor Red
    }
    

    My result when using the above PowerShell script

    If the answer helped, please click "Accept Answer" and give it an upvote. If you have further questions about this answer, please click "Comment".

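The error in the question fires because the DNAT rules in the firewall policy reference a public IP that is not in the set passed to Allocate(). The following pre-allocation check is an added example, not code from the thread or from Microsoft: it resolves every DNAT destination address in the attached firewall policy and compares it with the addresses of the public IPs you intend to allocate, so a mismatch is caught before the allocation is submitted. It assumes Az.Network is loaded, that the firewall uses a firewall policy (not classic rules), and placeholder resource names; the `RuleCollectionType` string match is an assumption about the Az.Network object model.

```powershell
# Added pre-allocation check (example, not from the thread). Assumes Az.Network is installed
# and that the firewall is attached to a firewall policy (policy-based DNAT).
# Resource names are placeholders; replace them with your own.
$resourceGroupName = "<your-resource-group-name>"
$firewallName      = "<your-firewall-name>"
$publicIpNames     = @("Pip1", "Pip2")   # every PIP that will be passed to Allocate()

$fw = Get-AzFirewall -Name $firewallName -ResourceGroupName $resourceGroupName

# Resolve the public IP resources to the addresses the DNAT rules must point at
$pips = $publicIpNames | ForEach-Object {
    Get-AzPublicIpAddress -Name $_ -ResourceGroupName $resourceGroupName
}
$allowedAddresses = $pips | ForEach-Object { $_.IpAddress }

# Locate the attached firewall policy via the firewall's FirewallPolicy reference
# Resource ID layout: /subscriptions/<id>/resourceGroups/<rg>/providers/...
$policyId   = $fw.FirewallPolicy.Id
$policyName = $policyId.Split('/')[-1]
$policyRg   = $policyId.Split('/')[4]
$policy     = Get-AzFirewallPolicy -Name $policyName -ResourceGroupName $policyRg

# Walk every rule collection group and collect DNAT rules whose destination
# is not one of the public IPs about to be allocated (assumed property names)
$mismatches = foreach ($rcgRef in $policy.RuleCollectionGroups) {
    $rcgName = $rcgRef.Id.Split('/')[-1]
    $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $rcgName -AzureFirewallPolicy $policy
    foreach ($rc in $rcg.Properties.RuleCollection) {
        if ($rc.RuleCollectionType -notlike "*Nat*") { continue }   # DNAT collections only
        foreach ($rule in $rc.Rules) {
            foreach ($dest in $rule.DestinationAddresses) {
                if ($allowedAddresses -notcontains $dest) {
                    [pscustomobject]@{ Collection = $rc.Name; Rule = $rule.Name; Destination = $dest }
                }
            }
        }
    }
}

if ($mismatches) {
    Write-Host "DNAT rules reference addresses that are not in the allocation list:" -ForegroundColor Red
    $mismatches | Format-Table -AutoSize
    Write-Host "Add the matching public IPs to Allocate() or fix the rules before allocating." -ForegroundColor Red
} else {
    Write-Host "All DNAT destinations match the selected public IPs; safe to call Allocate()." -ForegroundColor Green
    # $fw.Allocate($vnet, $pips)   # $vnet from Get-AzVirtualNetwork, as in the accepted answer
}
```

Run it immediately before the "Step 2" allocation in the accepted answer; every address it lists must either be added to the PIP array passed to Allocate() or removed from the DNAT rule, otherwise the allocation will fail with the same error.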
