Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
I understand that you would like to preserve the client IP for web requests coming in via Azure Firewall.
I wouldn't say that the IP is "masked" by Azure Firewall instances' IP.
The correct term here is "NATed".
This is by design:
- As you know, DNAT rules perform a NAT translation, and the source IP changes along with it to the Firewall's private IPs.
- This is an expected behavior and unfortunately, we cannot override this.
For Web traffic, the recommended Load Balancing and WAF protection is offered by Azure Application Gateway WAF SKU:
- App Gateway still does NAT and translates the source IP.
- However, the original client IP is preserved in the "X-Forwarded-For" header.
- Also, App Gateway provides additional security features if Web Application Firewall is enabled.
In case your environment requires that you have Azure Firewall,
- Then you can consider placing the Azure App gateway in front of Firewall
- This scenario is well explained here
Kindly let us know if this helps or you need further assistance on this issue.
Thanks,
Kapil
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
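Added example, not part of the original answer and not Microsoft code: one way a backend behind this chain can recover the client IP from "X-Forwarded-For" without trusting values a client injected itself. It only honours the header when the TCP peer is a known proxy, then walks the list from the right and returns the first address outside the proxy subnets. The subnet ranges and function names are assumptions, and entries are accepted with or without a port suffix.

```python
import ipaddress

# Assumed (constructed) ranges; substitute the subnets of your own deployment.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.1.0/24"),  # Azure Firewall subnet (assumed)
    ipaddress.ip_network("10.0.2.0/24"),  # Application Gateway subnet (assumed)
]


def _strip_port(entry):
    """Return the address part of 'ip', 'ip:port' or '[ipv6]:port'."""
    entry = entry.strip()
    if entry.startswith("["):
        return entry[1:entry.index("]")]  # ValueError if ']' is missing
    if entry.count(":") == 1:             # IPv4 with a port
        return entry.split(":")[0]
    return entry                          # bare IPv4 or bare IPv6


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Pick the client IP for a request received from peer_addr."""
    peer = ipaddress.ip_address(peer_addr)
    # A header sent by anything other than our own proxies is ignored.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Each proxy appends on the right, so the rightmost untrusted entry is
    # the last address written by infrastructure we control.
    for entry in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(_strip_port(entry))
        except ValueError:
            return str(peer)              # malformed header: fall back to peer
        if not _is_trusted(ip):
            return str(ip)
    return str(peer)


if __name__ == "__main__":
    # Constructed sample: the client sent its own X-Forwarded-For value
    # (198.51.100.9); the gateway appended the real source address and port.
    print(client_ip("10.0.1.4", "198.51.100.9, 203.0.113.7:51234"))
```

Use the returned value for logging and rate limiting; the leftmost entry is client-controlled and should never be used for access decisions.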