Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal

You can configure Azure Firewall policy Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the rule collection action is set to DNAT. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see Azure Firewall rule processing logic.

In this tutorial, you learn how to:

  • Set up a test network environment
  • Deploy a firewall and policy
  • Create a default route
  • Configure a DNAT rule
  • Test the firewall

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Create a resource group

  1. Sign in to the Azure portal.
  2. On the Azure portal home page, select Resource groups, then select Add.
  3. For Subscription, select your subscription.
  4. For Resource group name, type RG-DNAT-Test.
  5. For Region, select a region. All other resources that you create must be in the same region.
  6. Select Review + create.
  7. Select Create.

Set up the network environment

For this tutorial, you create two peered VNets:

  • VN-Hub - the firewall is in this VNet.
  • VN-Spoke - the workload server is in this VNet.

First, create the VNets and then peer them.

Create the Hub VNet

  1. From the Azure portal home page, select All services.

  2. Under Networking, select Virtual networks.

  3. Select Add.

  4. For Resource group, select RG-DNAT-Test.

  5. For Name, type VN-Hub.

  6. For Region, select the same region that you used before.

  7. Select Next: IP Addresses.

  8. For IPv4 Address space, accept the default 10.0.0.0/16.

  9. Under Subnet name, select default.

  10. Edit the Subnet name and type AzureFirewallSubnet.

    The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.

    Note

    The AzureFirewallSubnet subnet must be at least /26. For more information about the subnet size, see Azure Firewall FAQ.

  11. For Subnet address range, type 10.0.1.0/26.

  12. Select Save.

  13. Select Review + create.

  14. Select Create.

Create a spoke VNet

  1. From the Azure portal home page, select All services.
  2. Under Networking, select Virtual networks.
  3. Select Add.
  4. For Resource group, select RG-DNAT-Test.
  5. For Name, type VN-Spoke.
  6. For Region, select the same region that you used before.
  7. Select Next: IP Addresses.
  8. For IPv4 Address space, edit the default and type 192.168.0.0/16.
  9. Select Add subnet.
  10. For the Subnet name type SN-Workload.
  11. For Subnet address range, type 192.168.1.0/24.
  12. Select Add.
  13. Select Review + create.
  14. Select Create.

Peer the VNets

Now peer the two VNets.

  1. Select the VN-Hub virtual network.
  2. Under Settings, select Peerings.
  3. Select Add.
  4. Under This virtual network, for the Peering link name, type Peer-HubSpoke.
  5. Under Remote virtual network, for Peering link name, type Peer-SpokeHub.
  6. Select VN-Spoke for the virtual network.
  7. Accept all the other defaults, and then select Add.

Create a virtual machine

Create a workload virtual machine, and place it in the SN-Workload subnet.

  1. From the Azure portal menu, select Create a resource.
  2. Under Popular, select Windows Server 2016 Datacenter.

Basics

  1. For Subscription, select your subscription.
  2. For Resource group, select RG-DNAT-Test.
  3. For Virtual machine name, type Srv-Workload.
  4. For Region, select the same location that you used previously.
  5. Type a username and password.
  6. Select Next: Disks.

Disks

  1. Select Next: Networking.

Networking

  1. For Virtual network, select VN-Spoke.
  2. For Subnet, select SN-Workload.
  3. For Public IP, select None.
  4. For Public inbound ports, select None.
  5. Leave the other default settings and select Next: Management.

Management

  1. For Boot diagnostics, select Disable.
  2. Select Review + Create.

Review + Create

Review the summary, and then select Create. This will take a few minutes to complete.

After deployment finishes, note the private IP address for the virtual machine. It will be used later when you configure the firewall. Select the virtual machine name, and under Settings, select Networking to find the private IP address.

Deploy the firewall and policy

  1. From the portal home page, select Create a resource.

  2. Search for Firewall, and then select Firewall.

  3. Select Create.

  4. On the Create a Firewall page, use the following table to configure the firewall:

    Setting                     Value
    Subscription                <your subscription>
    Resource group              Select RG-DNAT-Test
    Name                        FW-DNAT-test
    Region                      Select the same location that you used previously
    Firewall management         Use a Firewall Policy to manage this firewall
    Firewall policy             Add new: Name fw-dnat-pol, Region: your selected region
    Choose a virtual network    Use existing: VN-Hub
    Public IP address           Add new, Name: fw-pip
  5. Accept the other defaults, and then select Review + create.

  6. Review the summary, and then select Create to create the firewall.

    This takes a few minutes to deploy.

  7. After deployment completes, go to the RG-DNAT-Test resource group, and select the FW-DNAT-test firewall.

  8. Note the firewall's private and public IP addresses. You'll use them later when you create the default route and NAT rule.

Create a default route

For the SN-Workload subnet, you configure the outbound default route to go through the firewall.

Important

You do not need to configure an explicit route back to the firewall at the destination subnet. Azure Firewall is a stateful service and handles the packets and sessions automatically. If you create this route, you'll create an asymmetrical routing environment that interrupts the stateful session logic and results in dropped packets and connections.

  1. From the Azure portal home page, select All services.

  2. Under Networking, select Route tables.

  3. Select Add.

  4. For Subscription, select your subscription.

  5. For Resource group, select RG-DNAT-Test.

  6. For Region, select the same region that you used previously.

  7. For Name, type RT-FW-route.

  8. Select Review + create.

  9. Select Create.

  10. Select Go to resource.

  11. Select Subnets, and then select Associate.

  12. For Virtual network, select VN-Spoke.

  13. For Subnet, select SN-Workload.

  14. Select OK.

  15. Select Routes, and then select Add.

  16. For Route name, type fw-dg.

  17. For Address prefix, type 0.0.0.0/0.

  18. For Next hop type, select Virtual appliance.

    Azure Firewall is actually a managed service, but virtual appliance works in this situation.

  19. For Next hop address, type the private IP address for the firewall that you noted previously.

  20. Select OK.

Configure a NAT rule

This rule allows you to connect a remote desktop to the Srv-Workload virtual machine through the firewall.

  1. Open the RG-DNAT-Test resource group, and select the fw-dnat-pol firewall policy.
  2. Under Settings, select DNAT rules.
  3. Select Add a rule collection.
  4. For Name, type rdp.
  5. For Priority, type 200.
  6. For Rule collection group, select DefaultDnatRuleCollectionGroup.
  7. Under Rules, for Name, type rdp-nat.
  8. For Source type, select IP address.
  9. For Source, type *. This wildcard matches any Internet source and is used here only so the test works from wherever you are connecting. In a real deployment, follow the guidance at the start of this tutorial and enter the specific public IP address or range that needs RDP access instead of *.
  10. For Protocol, select TCP.
  11. For Destination Ports, type 3389.
  12. For Destination Type, select IP Address.
  13. For Destination, type the firewall public IP address.
  14. For Translated address, type the Srv-Workload private IP address.
  15. For Translated port, type 3389.
  16. Select Add.
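The default route and the DNAT rule you just configured in the portal, expressed as a Bicep template. This is an added example, not part of the original tutorial; it assumes the fw-dnat-pol policy and the VN-Spoke/SN-Workload network already exist from the earlier steps, and it takes the three IP addresses you noted (firewall public IP, firewall private IP, Srv-Workload private IP) as parameters. Unlike the portal steps, it restricts the DNAT source to a single allowed address (the allowedRdpSource parameter, an assumption for illustration) rather than the * wildcard:

```bicep
// Added example (not from the original page): DNAT rule collection and default route
// for the tutorial's hub-and-spoke layout, as Bicep. Assumes fw-dnat-pol, VN-Spoke and
// SN-Workload already exist; the IP parameters are the values noted during the tutorial.

@description('Name of the existing firewall policy created with the firewall.')
param firewallPolicyName string = 'fw-dnat-pol'

@description('Public IP address of FW-DNAT-test (the DNAT destination).')
param firewallPublicIp string

@description('Private IP address of FW-DNAT-test (next hop for the default route).')
param firewallPrivateIp string

@description('Private IP address of Srv-Workload (the translated address).')
param workloadPrivateIp string

@description('Single public source allowed to reach RDP, e.g. a /32 for your own egress IP. Assumption for this example; never use * here in production.')
param allowedRdpSource string

param location string = resourceGroup().location

// Existing resources from the earlier tutorial steps.
resource policy 'Microsoft.Network/firewallPolicies@2022-07-01' existing = {
  name: firewallPolicyName
}

resource spokeVnet 'Microsoft.Network/virtualNetworks@2022-07-01' existing = {
  name: 'VN-Spoke'
}

// "Configure a NAT rule": rule collection group DefaultDnatRuleCollectionGroup,
// rule collection rdp (priority 200, action DNAT), rule rdp-nat.
resource dnatGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: policy
  name: 'DefaultDnatRuleCollectionGroup'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'rdp'
        priority: 200
        action: {
          type: 'DNAT'
        }
        rules: [
          {
            ruleType: 'NatRule'
            name: 'rdp-nat'
            ipProtocols: [ 'TCP' ]
            // Restricted source instead of the portal walkthrough's * wildcard.
            sourceAddresses: [ allowedRdpSource ]
            destinationAddresses: [ firewallPublicIp ]
            destinationPorts: [ '3389' ]
            translatedAddress: workloadPrivateIp
            translatedPort: '3389'
          }
        ]
      }
    ]
  }
}

// "Create a default route": RT-FW-route with fw-dg sending 0.0.0.0/0 to the firewall.
resource routeTable 'Microsoft.Network/routeTables@2022-07-01' = {
  name: 'RT-FW-route'
  location: location
  properties: {
    routes: [
      {
        name: 'fw-dg'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Associate the route table with SN-Workload. Redeclaring the subnet requires its
// address prefix, which is the 192.168.1.0/24 used earlier in the tutorial.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: spokeVnet
  name: 'SN-Workload'
  properties: {
    addressPrefix: '192.168.1.0/24'
    routeTable: {
      id: routeTable.id
    }
  }
}
```

Deploy it into RG-DNAT-Test with az deployment group create and pass the three addresses plus allowedRdpSource as parameters. The only deliberate difference from the portal steps is the source restriction: because a DNAT rule implicitly allows the translated traffic, the source list is the one control deciding who on the Internet can reach port 3389 on Srv-Workload.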

Test the firewall

  1. Connect a remote desktop to the firewall public IP address. You should be connected to the Srv-Workload virtual machine, even though it has no public IP address of its own. If the connection fails, check that the RT-FW-route route table is associated with SN-Workload, that the fw-dg route points to the firewall's private IP address, and that the rdp-nat rule's Destination is the firewall's public IP address and its Translated address is the Srv-Workload private IP address.
  2. Close the remote desktop.

Clean up resources

You can keep your firewall resources for the next tutorial, or if no longer needed, delete the RG-DNAT-Test resource group to delete all firewall-related resources.

Next steps