Azure Firewall - DNAT Rules

Jeffrey Lucal 1 Reputation point
2023-03-28T22:22:51.9566667+00:00

Azure Firewall "Basic" Tier with a DNAT "443" rule from Public IP to Private Network IP on an IaaS machine (all in Azure). Is there any way to expose the "Source" IP addresses connecting to the IaaS machine? All traffic flows fine and there are no problems accessing the server, but all incoming traffic is NAT/SNAT from the Firewall Subnet and does not show the external IP connections. We can parse logs from the firewall, but wanted to know if there was a way to allow the source IP information through for direct connectivity issues with a web server.


2 answers

  1. ChaitanyaNaykodi-MSFT 23,106 Reputation points Microsoft Employee
    2023-03-28T23:58:07.9866667+00:00

    @Jeffrey Lucal

    Thank you for reaching out on the Microsoft Q&A forum.

    If I understand correctly, on Azure Firewall due to SNAT the incoming traffic does not contain the original source IP address of the request and you want to know if there is a way to send source IP information to the backend web server.

    I think this can be done by deploying an Azure Application Gateway before the Firewall. This design is appropriate for applications that need to know incoming client source IP addresses, for example to serve geolocation-specific content or for logging. Application Gateway in front of Azure Firewall captures the incoming packet's source IP address in the X-Forwarded-For header, so the web server can see the original IP address in this header. This is currently documented here.

    Hope this helps! Please let me know if you have any additional questions. Thank you!


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

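Added example (not code from the answer above or from Microsoft): how a backend web server behind the Application Gateway -> Azure Firewall design should read X-Forwarded-For. The proxy subnet range and the "ip:port" hop format are assumptions chosen for illustration; the point is that only the rightmost hops appended by your own proxy tier are trustworthy, because any client can put arbitrary text in that header itself.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed placeholder: the address range(s) of our own proxy tier
# (Application Gateway / Firewall subnet that SNATs towards the backend).
# Not taken from the thread; replace with the real subnets.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.2.1.0/24")]


def _strip_port(hop: str) -> str:
    """Application Gateway may insert the client address as 'ip:port'
    (assumption); drop the port so the value parses as an IP address."""
    hop = hop.strip()
    if hop.startswith("["):                 # "[IPv6]:port" form
        return hop[1:hop.index("]")]
    if hop.count(":") == 1:                 # "IPv4:port" form
        return hop.split(":")[0]
    return hop                              # bare IPv4 or bare IPv6


def _is_trusted(addr: str, nets: Iterable) -> bool:
    """True if addr belongs to one of our proxy subnets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted: Iterable = TRUSTED_PROXY_NETS) -> str:
    """Return the originating client IP as seen by our outermost proxy.

    Walk X-Forwarded-For from the right, discarding hops that belong to our
    own proxy tier. The first address that is not ours was inserted by the
    trusted proxy and is the real client; everything left of it is
    client-supplied and ignored. If the TCP peer is not a trusted proxy at
    all, the header cannot be trusted and the peer address is returned.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [_strip_port(h) for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop, trusted):
            try:
                return str(ipaddress.ip_address(hop))   # normalised form
            except ValueError:
                break                                   # malformed hop
    return remote_addr
```

This only applies to HTTP(S) traffic that passes through the Application Gateway; a plain TCP DNAT such as the SMTP case later in this thread carries no header in which the client address could be preserved.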

  2. Antonio Valenzuela 20 Reputation points
    2023-12-05T17:21:42.9666667+00:00

    Hello, I'm asking about the same thing.

    I use a DNAT rule for SMTP (TCP 25), and the mail server sees the source IP of the private segment of the firewall VNet.

    Client 139.99.134.X --> FW 20.197.194.X & 10.2.1.X --> Mail Server 172.16.0.X

    Source IP 10.2.1.X (SPF Failed)

    I know perfectly well that I can associate a public IP in the VM network, but I would like to know if the origin can be maintained through the firewall.