Azure Firewall DNAT to Web Server

James Tillson 20 Reputation points
2023-07-15T08:56:30.37+00:00

Hi all,

Please could I have some support/explanation of the following setup...

I have an Azure Firewall in one VNET and a Windows Web Server running IIS in another VNET. On the Web Server I have set up a test web site, and if from the web server I open a browser and navigate to http://"IP Address" (itself) the test web site loads fine.

On the Azure Firewall I have created a public IP and a DNAT rule that translates the public IP to the private IP of the web server. I have removed all NSGs and the local Windows Firewall so that there is nothing additional that would be blocking connections.

My issue is that if I telnet to the public IP from my laptop (external to Azure) on port 80 it connects through fine, and in the Azure Firewall logs I can see that my DNAT rule was used. If I put http://"IP Address" into a web browser on my laptop (external to Azure) it times out and does not connect. What is the browser doing differently from telnet?

If I run Wireshark on the web server when I run the browser test I "believe" I can see the connections coming in from the browser test. The DNAT rule is being used again in the Firewall logs, and I see HTTP connections at the time I run the test coming from 168.63.129.16, which I assume is source NATing from the Azure Firewall. I have read that when DNAT is used the Firewall should source NAT from an address within the Firewall subnet, so I am not sure why it is using this address?

Can anyone advise why, with this setup, external telnet connections to the public IP work but browser connections don't? I have removed the browser settings that add www before the IP address.

Your help is very much appreciated.

James
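As an added illustration (not code from this thread), a small Python probe that separates the two stages the question contrasts: the TCP handshake, which is all telnet needs to report "Connected", and the HTTP request/response, which is what a browser waits for before rendering anything. The two local servers are constructed stand-ins (one answers, one accepts the handshake and stays silent); point probe_http at a real host and port to run the same check against a DNAT'd public IP.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe_http(host, port, timeout=3.0):
    """Stage 1 is what telnet does (TCP handshake); stage 2 is what a browser does."""
    result = {"tcp_connect": False, "http_status": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["tcp_connect"] = True  # telnet would print "Connected" here
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode())
            data = s.recv(1024)  # a browser sits here until the server answers
            if data.startswith(b"HTTP/"):
                result["http_status"] = int(data.split(b" ", 2)[1])
            else:
                result["error"] = "closed without reply" if not data else "non-HTTP reply"
    except socket.timeout:
        result["error"] = "timeout"  # handshake fine, no HTTP reply: the symptom asked about
    except OSError as exc:
        result["error"] = str(exc)
    return result

class _OkHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

def _serve_responding():
    """Constructed stand-in for a healthy IIS site; returns the bound port."""
    srv = HTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]

_held = []  # keeps silent-server connections open so they never close
def _serve_silent():
    """Constructed stand-in that accepts the TCP handshake but never answers."""
    lst = socket.socket()
    lst.bind(("127.0.0.1", 0))
    lst.listen(5)
    def accept_loop():
        while True:
            _held.append(lst.accept()[0])
    threading.Thread(target=accept_loop, daemon=True).start()
    return lst.getsockname()[1]

def demo_responding():
    return probe_http("127.0.0.1", _serve_responding())
def demo_silent():
    return probe_http("127.0.0.1", _serve_silent(), timeout=1.0)
```

A result of tcp_connect True with http_status None and error "timeout" is exactly the "telnet works, browser hangs" pattern: the path to port 80 is open, but nothing behind it is completing the HTTP exchange.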


Accepted answer
  1. KapilAnanth-MSFT 48,576 Reputation points Microsoft Employee
    2023-07-18T05:29:55.0033333+00:00

    @James Tillson

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to access your site at Port 80 using Azure Firewall DNAT.

    I created a Lab and I was able to get this working on HTTP.

    I suggested that you make sure whether RDP works or not (a non-HTTP protocol).

    You informed that the target server was migrated to Azure and was still running an old virtual NIC.

    Once you replaced this with a new NIC, both the RDP & HTTP DNAT rules have started to work.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

