Azure Firewall masked ips

Maneesh Patha 20 Reputation points
2023-07-06T06:00:26.46+00:00

We hosted the APIs in one of our virtual machines and linked the Azure firewall to the subnet of the virtual machine. The issue now is that in IIS logs, we cannot see the customers' public ips and can only see the Azure firewall private ips as the customer's source ips. Customers public ips are masked with the azure firewall private ips.

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
780 questions
{count} votes

1 answer

Sort by: Most helpful
  1. KapilAnanth-MSFT 49,611 Reputation points Microsoft Employee Moderator
    2023-07-06T06:38:36.6966667+00:00

    @Maneesh Patha

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to preserve the client IP for web requests coming in via Azure Firewall.

    I wouldn't say that the IP is "masked" by Azure Firewall instances' IP.

    The correct term here is "NATed".

    This is by design

    • As you now, DNAT rules perform a NAT translation, the source IP changes along with it to Firewall's private IPs.
    • This is an expected behavior and unfortunately, we cannot override this.

    For Web traffic, the recommended Load Balancing and WAF protection is offered by Azure Application Gateway WAF SKU

    • App Gateway, still does NAT and translates the source IP
    • However, the original client IP is preserved in "X-Fowarded-For" header
    • Also, App Gateway provides additional security features if Web Application Firewall is enabled.

    In case your environment requires that you have Azure Firewall,

    • Then you can consider placing the Azure App gateway in front of Firewall
    • This scenario is well explained here
    • User's image

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.