Hello @Son,
Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.
I understand that you would like to use a single dedicated Public IP address for Azure Firewall SNAT when connecting outbound from Azure.
When you deploy an Azure Firewall with multiple Public IP addresses, additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. By design, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall.
Refer: https://learn.microsoft.com/en-us/azure/firewall/deploy-multi-public-ip-powershell
One of the challenges with using a large number of public IP addresses with Azure Firewall is when there are downstream IP address filtering requirements. Azure Firewall randomly selects the source public IP address to use for a connection, so you need to allow all public IP addresses associated with it. Even if you use Public IP address prefixes and you need to associate 250 public IP addresses to meet your outbound SNAT port requirements, you still need to create and allow 16 public IP address prefixes.
As of today, Azure Firewall doesn't allow selection of a dedicated Public IP for SNAT outbound connections, and the IP address is selected randomly.
This feature request is already under review by the Azure Firewall Product Group team, but no ETA is available for it yet. You can upvote the feature in the feedback forum below:
https://feedback.azure.com/d365community/idea/e25495e5-e025-ec11-b6e6-000d3a4f06a4
A better option to scale and dynamically allocate outbound SNAT ports is to use an Azure NAT Gateway.
When a NAT gateway resource is associated with an Azure Firewall subnet, all outbound Internet traffic automatically uses the public IP address of the NAT gateway. There's no need to configure User Defined Routes. Response traffic to an outbound flow also passes through the NAT gateway.
So, you can associate a NAT gateway with an Azure Firewall subnet to make sure that the outbound connections are using a single Public IP address i.e. the Public IP address of the NAT gateway.
A few things to keep in mind when adopting this setup:
- If there are multiple IP addresses associated with the NAT gateway, the IP address is randomly selected. It isn't possible to specify what address to use.
- Azure NAT Gateway is not currently supported in secured virtual hub network (vWAN) architectures. You must deploy using a hub virtual network architecture.
- Deploying a NAT gateway with a zone-redundant firewall is not a recommended deployment option, as the NAT gateway does not support zone-redundant deployment at this time. In order to use a NAT gateway with Azure Firewall, a zonal Firewall deployment is required.
Refer: https://learn.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway
https://learn.microsoft.com/en-us/azure/nat-gateway/tutorial-hub-spoke-nat-firewall
Kindly let us know if the above helps or if you need further assistance on this issue.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
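The NAT gateway setup described in the answer, as an added Azure PowerShell example (not from the original answer or from Microsoft's documentation). Resource group, VNet, firewall name, location and zone are assumed placeholders; the script checks that the existing firewall is zonal before attaching a single-IP NAT gateway to AzureFirewallSubnet.

```powershell
# Added example: attach a zonal, single-IP NAT gateway to an existing AzureFirewallSubnet
# so that outbound SNAT uses one public IP instead of a randomly chosen firewall IP.
# All names and the zone below are assumptions; replace them with your own values.
$rg       = "rg-hub"          # assumption: existing resource group
$location = "eastus"          # assumption: same region as the firewall
$vnetName = "vnet-hub"        # assumption: VNet that contains AzureFirewallSubnet
$fwName   = "fw-hub"          # assumption: existing zonal Azure Firewall
$zone     = "1"               # NAT gateway is zonal and must match the firewall's zone

# Guard: NAT gateway is not zone-redundant, so the firewall must sit in exactly one zone.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
if (-not $fw.Zones -or $fw.Zones.Count -ne 1) {
    throw "Firewall '$fwName' must be deployed to exactly one zone (found: '$($fw.Zones -join ',')')."
}
if ($fw.Zones[0] -ne $zone) {
    throw "Firewall zone $($fw.Zones[0]) does not match the requested NAT gateway zone $zone."
}

# One Standard static public IP in the same zone: this becomes the single outbound SNAT address.
$pip = New-AzPublicIpAddress -Name "pip-natgw-fw" -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static -Zone $zone

# Create the NAT gateway with exactly one IP (with several IPs the source would again be random).
$natgw = New-AzNatGateway -Name "natgw-fw" -ResourceGroupName $rg -Location $location `
    -Sku Standard -IdleTimeoutInMinutes 4 -PublicIpAddress $pip -Zone $zone

# Associate the NAT gateway with AzureFirewallSubnet; no User Defined Route changes are needed.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -NatGateway $natgw | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# This is the one address that downstream IP filters need to allow for outbound traffic.
Write-Output "Outbound SNAT IP for $fwName is now $($pip.IpAddress)"
```

Run it from a session already signed in with Connect-AzAccount and the Az.Network module installed.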