Hello @Pranav Prashant ,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to know what the source IP for ingress traffic from the Internet will be when it comes into an Azure virtual network after passing through an Azure Firewall.
The request to the Azure Firewall public IP is distributed to a back-end instance of the firewall, which will be a private IP of the Azure Firewall instance.
You can find the whole traffic flow in the below document:
- The client starts the connection to the public IP address of the Azure Firewall:
  - Source IP address: ClientPIP
  - Destination IP address: AzFwPIP
- The request to the Azure Firewall public IP is distributed to a back-end instance of the firewall, which is a private IP. The Azure Firewall Destination NAT (DNAT) rule translates the destination IP address to the application IP address inside the virtual network. The Azure Firewall also Source NATs (SNATs) the packet if it does DNAT. For more information, see Azure Firewall known issues. The VM in the Vnet sees the following IP addresses in the incoming packet:
  - Source IP address: private IP of Azure Firewall instance.
  - Destination IP address: the VM's IP address
- The VM answers the application request, reversing source and destination IP addresses.
  - Source IP address: the VM's IP address
  - Destination IP address: private IP of Azure Firewall instance.
- Finally, Azure Firewall undoes the SNAT and DNAT operations, and delivers the response to the client:
  - Source IP address: AzFwPIP
  - Destination IP address: ClientPIP
Kindly let us know if the above helps or you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
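
An added example, not part of the original answer and not Azure's implementation: a simplified Python model of the DNAT + SNAT flow described above, showing which addresses the VM and the client each see. All IP addresses, ports and the `FirewallModel` class are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses (documentation/private ranges), not from the original answer.
CLIENT_PIP = "203.0.113.10"
AZFW_PIP = "198.51.100.4"
AZFW_INSTANCE_IP = "10.0.1.4"   # private IP of one firewall back-end instance
VM_IP = "10.0.2.5"

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class FirewallModel:
    """Hypothetical, simplified model of DNAT + SNAT with a connection table."""
    def __init__(self, public_ip, instance_ip, dnat_rules):
        self.public_ip = public_ip
        self.instance_ip = instance_ip
        self.dnat_rules = dnat_rules   # {public port: (backend ip, backend port)}
        self.conntrack = {}            # SNAT port -> (client ip, client port, public port)
        self.next_port = 50000

    def inbound(self, pkt):
        """Client -> firewall: apply DNAT, then SNAT to the instance's private IP."""
        if pkt.dst != self.public_ip or pkt.dport not in self.dnat_rules:
            return None                # no matching DNAT rule: not forwarded
        backend_ip, backend_port = self.dnat_rules[pkt.dport]
        snat_port = self.next_port
        self.next_port += 1
        self.conntrack[snat_port] = (pkt.src, pkt.sport, pkt.dport)
        return Packet(self.instance_ip, snat_port, backend_ip, backend_port)

    def outbound(self, pkt):
        """VM -> firewall: undo SNAT and DNAT using the connection table."""
        entry = self.conntrack.get(pkt.dport)
        if pkt.dst != self.instance_ip or entry is None:
            return None
        client_ip, client_port, public_port = entry
        return Packet(self.public_ip, public_port, client_ip, client_port)

def reply(pkt):
    """The VM answers by reversing source and destination."""
    return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport)

def run_flow():
    fw = FirewallModel(AZFW_PIP, AZFW_INSTANCE_IP, {443: (VM_IP, 8443)})
    seen_by_vm = fw.inbound(Packet(CLIENT_PIP, 40000, AZFW_PIP, 443))
    seen_by_client = fw.outbound(reply(seen_by_vm))
    return seen_by_vm, seen_by_client
```

In this model the client address survives only in the firewall's connection table; the packet the VM receives carries the firewall instance's private IP as its source.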