Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.
Your observations are spot on.
Azure Firewall provides SNAT for any resource that is deployed in a Virtual Network and requires an outbound connection.
And the SNATed IP will be one of the IPs you have configured (so you know what the IPs are).
Now, in your target application, you can use the Firewall solutions it has to offer to filter the SNATed IPs from the Azure Firewall.
Is the observed source IP address in my application from a particular Azure tenant going to be constant? Is there a subnet I can use?
- Tenant has nothing to do with this
- It completely depends on the Application
- If this is a VM with Static Public IP - The IP won't change
- Or any resource in a VNET that uses Azure Firewall for SNAT - The IP(s) won't change
- Or if this is an App Service - there is a specific list of IP addresses for your app service that it uses to make outbound calls. See: Inbound and outbound IP addresses in Azure App Service
In summary, if you could specify what exactly is this application that is making outbound calls, we can specify if it would have a fixed range of IPs or not.
Cheers,
Kapil
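
The filtering step described in the answer above, as an added example that is not part of the original answer: a source-address allowlist in the target application that accepts a connection only when its peer address is one of the public IPs configured on the Azure Firewall. The addresses are constructed documentation-range values and all function names are hypothetical.

```python
import ipaddress

# Constructed values (RFC 5737 documentation ranges) standing in for the
# public IPs configured on the Azure Firewall. SNAT may use any one of them,
# so the allowlist must hold all of them, not only the first one observed.
FIREWALL_PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.24/30"]


def build_allowlist(entries):
    """Parse single addresses and CIDR prefixes into network objects."""
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def normalize(source):
    """Parse the peer address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    addr = ipaddress.ip_address(source.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(source, allowlist):
    """True only if the source parses and falls inside an allowlisted network.

    `source` is assumed to be the TCP peer address seen by the application,
    not a client-supplied header value.
    """
    try:
        addr = normalize(source)
    except ValueError:
        return False  # unparseable input is rejected, never allowed
    return any(addr.version == net.version and addr in net for net in allowlist)


def audit(observed, allowlist):
    """Split observed source addresses into allowed and rejected lists."""
    allowed, rejected = [], []
    for src in observed:
        (allowed if is_allowed(src, allowlist) else rejected).append(src)
    return allowed, rejected
```
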