How to preserve source IP in Azure Firewall

Ijaz Muhammad 81

AzureDiagram

Our requirement is to preserve the source IP even when the traffic flows through the Azure firewall and then reaches the destination server. We should be able to see the source IP in the logs of the destination server instead of Azure firewalls IP as source IP.

The expectation is to preserve the source IP address.

Ijaz Muhammad 81 Reputation points

2024-06-05T07:35:54.3333333+00:00

Any help is appreciated.
Ijaz Muhammad 81 Reputation points

2024-06-05T10:01:42.5833333+00:00

@KapilAnanth-MSFT We are already using an Application gateway in front of the Azure firewall. From the application gateway, we are routing the traffic to Azure Firewall. Once this traffic enters the Azure firewall, we are losing the source IP.
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-05T10:22:04.7866667+00:00
@Ijaz Muhammad, Gnrgy ,

What is the value you are seeing in the "X-Fowarded-For header" of the HTTP Request?

Is it empty?

Or is it something else?
Ijaz Muhammad 81 Reputation points

2024-06-06T05:04:54.1933333+00:00

@KapilAnanth-MSFT One more question.

Can we do any work around by changing the SNAT policy of the Azure Firewall?
Right now the rule is Always SNAT.
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-06T05:23:05.0933333+00:00

@Ijaz Muhammad, Gnrgy , sure.

SNAT is for traffic leaving from Azure to Internet/OnPrem via Azure Firewall, i.e., Outbound traffic.

However, in our scenario, it is Traffic from Internet reaching Azure via Firewall, i.e., Inbound traffic.

So, I am afraid this feature matches a completely different scenario, and for your requirement we cannot use this.

See : Azure Firewall SNAT private IP address ranges

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Ijaz Muhammad 81 Reputation points

2024-06-06T10:04:50.2+00:00

@KapilAnanth-MSFT We disabled SNAT in the Azure firewall. But after disabling the SNAT we are not able to connect to our servers over ssh and rdp with P2S connection.

The weird thing is that we have ping telnet and all but not able to connect over ssh and rdp.

When we disabled SNAT we got the exact source IP address in our backend.
Ijaz Muhammad 81 Reputation points

2024-06-06T10:06:16.2433333+00:00

Azure Firewall Default SNAT Behavior

For network traffic, Azure Firewall performs Source Network Address Translation (SNAT) for all destination public IP addresses processed by network rules. However, Azure Firewall does not SNAT if the destination is a private IP range by IANA RFC 1918. For application traffic, Azure Firewall always SNAT regardless of the settings configured here.These settings will only impact traffic processed by network rules.
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-06T16:45:01.79+00:00
@Ijaz Muhammad, Gnrgy ,

Without looking at the exact routing configuration, I am afraid I will not be able to comment on this.

However, as the name indicates, SNAT is for source IPs.

So, disabling SNAT will not have any impact on DNAT rules which convert incoming requests (from App gateway instances)

Especially the private IP range.

Cheers,

Kapil
Ijaz Muhammad 81 Reputation points

2024-06-06T17:38:01.65+00:00

We don't have any issues with Dnat rules.
KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-09T05:26:06.8033333+00:00
@Ijaz Muhammad, Gnrgy ,

I understand.

What exactly is the challenge with disabling the SNAT?

When you say "we are not able to connect to our servers over ssh and rdp with P2S connection.",

Can you share the exact routing configuration on the VPN Gateway?

As you have not shared any info about VPN Gw prior.

Cheers,

Kapil

Accepted answer

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-05T09:50:28.9033333+00:00
@Ijaz Muhammad, Gnrgy ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to preserve the source IP of the incoming DNAT rules via Azure Firewall.

Since DNAT happens at Layer 4, the actual source IP is not preserved by the Azure Firewall.

This is by design.

To work around this, you can consider using Azure Application Gateway in front of the Azure Firewall and make use of the X-Fowarded-For header added by App gateway.

See : Application Gateway before Firewall

Hope this clarifies.

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
Ijaz Muhammad 81 Reputation points

2024-06-05T11:03:01.69+00:00

@KapilAnanth-MSFT As of now, we do not have any X-Fowarded-For header settings in our Application Gateway rules.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-05T17:27:05.5833333+00:00

@Ijaz Muhammad, Gnrgy ,

This is not something you have to configure, this is done by default and is by design.

See : Modifications to the request

So, you should check the HTTP Request that your application receives from the

App Gateway ---> Firewall ---> Application from your application logs

Cheers,

Kapil

Ijaz Muhammad 81 Reputation points

2024-06-05T17:42:09.9966667+00:00

We use IIS webserver and in the IIS log files we see the Azure Firewall IP as client IP.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-05T18:02:14.0266667+00:00

@Ijaz Muhammad, Gnrgy ,

Correct and is expected.

As I mentioned, client IP changes to Azure Firewall's.

You should not check the client IP, instead, you should check the "X-Fowarded-For" header which is appended by the App gateway and contains the IP of the actual client.

Depending on your IIS Version, refer to this blog to set up logging.

Cheers,

Kapil

Ijaz Muhammad 81 Reputation points

2024-06-05T18:45:38.1833333+00:00

Got it. Thanks a ton.

KapilAnanth-MSFT 46,676 Reputation points Microsoft Employee

2024-06-06T04:53:55.2266667+00:00

@Ijaz Muhammad, Gnrgy ,

You're welcome. Glad we could be of assistance.

I have summarized our discussion and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil

Ijaz Muhammad 81 Reputation points

2024-06-06T05:57:17.8433333+00:00

@KapilAnanth-MSFT Also, we disabled SNAT in the Azure firewall.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

How to preserve source IP in Azure Firewall

0 additional answers

Your answer