How to redirect traffic from public ip of VM to firewall then to private IP of VM?

Dave 21 Reputation points
2024-02-01T14:45:58.1+00:00

Hello, I have a problem with an unusual infrastructure in Azure. I deployed a firewall (pfSense) on the default VNET 10.0.0.0/24, assigned the private IP 10.0.0.4 to pfSense, and added a route table with a default route 0.0.0.0/0 whose next hop is 10.0.0.4 (the private IP of pfSense), plus a public IP (WAN). I also created a VM with an HTTP service. Before associating the route table with the subnet I was able to reach the HTTP service on the public IP address (I know about the asymmetric routing issue that can break functionality). I don't want to deploy the service on the public IP of the firewall and NAT it to the private IP of the VM; I want to redirect traffic from the public IP of the VM to the firewall and then to the private IP of the VM. I have no intention of using one address or adding additional interfaces on the firewall, but I would like to add multiple services and VMs with various public IP addresses and redirect all traffic from the public IPs to the firewall and then to the VMs. Does anyone know how to configure this on Azure? Is it possible at all? Kindly share your thoughts. Thank you.


Accepted answer
    Luis Arias 4,796 Reputation points
    2024-02-01T21:26:51.77+00:00

    Hi Dave, responding to your questions based on the information shared:

    [Success Environment]
    PFsense-FW <-- PublicIP WAN (Routing Preference?)
        |
        |
    priv-ip(10.0.0.4)
        |
    vnet(10.0.0.0/24)
        |
        |
    priv-ip(?)
        |
    VM (HTTP Service) <-- PublicIP VM (Routing Preference?) <**Inbound** User Call(internet)
                                                            **Outbound**> User Call(internet)

    Here the communication works because, regardless of the routing preference, the communication always takes the same path. The public IP of the VM is used to receive inbound communication and to transit outbound communication.

    [Fail Environment]
    PFsense-FW <-- PublicIP WAN (Routing Preference?) --Outbound--> User Call(internet)
        * ^
        * |
    priv-ip(10.0.0.4)
        * |
    vnet(10.0.0.0/24)+--route-table(default:10.0.0.4)
        * ^
        * |
    priv-ip(?)
        * |
    VM (HTTP Service) <-- PublicIP VM (Routing Preference?) <**Inbound** User Call(internet)

    In this case it's the asymmetric routing issue that you already know about and detected; this could break the traffic.

    [Desired Environment]
    PFsense-FW <-- PublicIP WAN (Routing Preference?) --Outbound--> User Call(internet)
        * ^    <-- PublicIP VM1 (Routing Preference?) <**Inbound** User Call(internet)
        * |    <-- PublicIP VM2 (Routing Preference?) <**Inbound** User Call(internet)
        * |
    priv-ip(10.0.0.4)
        * |
    vnet(10.0.0.0/24)+--route-table(default:10.0.0.4)
        * ^
        * |
    priv-ip(?)
        * |
    VM (HTTP Service)

    I think this is not possible, as far as I know. The integration between the public IP and the resource's interface is at the Microsoft backbone level, and there is no mechanism to modify it.

    Diagram of the decision tree for default outbound access:

    https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/default-outbound-access#when-is-default-outbound-access-provided

    As you can see in the image, you can modify the outbound path with a mechanism such as an NVA, which you already have with the pfSense firewall. However, this is restricted to using one of them. If you want to use multiple public IPs and route the traffic to multiple different VMs, you could use an Azure Standard Load Balancer (this one supports outbound rules) in front of your NVA:

    https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/configure-public-ip-load-balancer

    You can check these Microsoft references about routing and outbound communication:

    Let me know if this information helps you. Luis


    If the information helped address your question, please Accept the answer.
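To make the asymmetric-routing argument in the answer concrete, here is an added Python model (not from the original thread, and not Azure's code) of Azure route selection and of the "success" and "fail" environments drawn above. The client and public IP addresses are constructed TEST-NET values, and it assumes pfSense SNATs outbound traffic to its WAN address.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str           # CIDR prefix, e.g. "0.0.0.0/0"
    next_hop: str         # "VnetLocal", "Internet" or "VirtualAppliance"
    next_hop_ip: str = "" # set only for VirtualAppliance
    user: bool = False    # True for a UDR, False for an Azure system route

# Azure system routes for the default VNet named in the question.
SYSTEM_ROUTES = (Route("10.0.0.0/24", "VnetLocal"), Route("0.0.0.0/0", "Internet"))

def effective_route(routes, dst_ip):
    """Azure route selection: longest prefix match; on equal length a UDR beats a system route."""
    dst = ipaddress.ip_address(dst_ip)
    matching = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    return max(matching, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, r.user))

def trace_http_flow(udrs, client_ip, vm_pip, nva_pip):
    """Trace a client's request to the VM's instance-level public IP and the VM's reply.
    Returns (inbound path, source IP the client sees on the reply, symmetric?).
    Assumption: the NVA SNATs outbound traffic to its WAN public IP (pfSense default)."""
    # Inbound: the public IP is bound to the VM NIC by the platform, so the request
    # lands on the VM directly; a UDR on the subnet cannot insert the NVA here.
    inbound = f"internet -> {vm_pip} -> VM NIC"
    route = effective_route(SYSTEM_ROUTES + tuple(udrs), client_ip)
    reply_src = nva_pip if route.next_hop == "VirtualAppliance" else vm_pip
    return inbound, reply_src, reply_src == vm_pip

# Constructed addresses for the environments drawn in the answer (TEST-NET ranges).
CLIENT, VM_PIP, NVA_PIP = "203.0.113.10", "198.51.100.20", "198.51.100.30"
DEFAULT_VIA_PFSENSE = Route("0.0.0.0/0", "VirtualAppliance", "10.0.0.4", user=True)

def success_environment():
    """No route table on the subnet: the reply leaves via the VM's own public IP."""
    return trace_http_flow([], CLIENT, VM_PIP, NVA_PIP)

def fail_environment():
    """0.0.0.0/0 -> 10.0.0.4 on the subnet: the reply leaves via the pfSense WAN IP."""
    return trace_http_flow([DEFAULT_VIA_PFSENSE], CLIENT, VM_PIP, NVA_PIP)

if __name__ == "__main__":
    for name, scenario in (("success", success_environment), ("fail", fail_environment)):
        inbound, reply_src, symmetric = scenario()
        print(f"{name}: {inbound}; reply from {reply_src}; symmetric={symmetric}")
    # Traffic to another VM in the VNet still takes the more specific system route.
    print(effective_route(SYSTEM_ROUTES + (DEFAULT_VIA_PFSENSE,), "10.0.0.5").next_hop)
```

The client's TCP session breaks in the fail case because the SYN went to the VM's public IP but the SYN-ACK arrives from the pfSense WAN address; the last line shows that the default UDR does not capture intra-VNet traffic.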

