Azure Firewall Outbound DNAT rules

Son 60 Reputation points
2024-06-10T14:23:49.4133333+00:00

Hi,

We are migrating DMZ services to our Azure environment with our Azure premium firewall. I have tested inbound DNAT from an external source without issue, where we NAT one of the public IP addresses on the Azure firewall to an internal resource.

However, I am looking to implement an outbound DNAT rule. I'd like all traffic sourcing from one of the DMZ servers in Azure to communicate to external services on a specific public IP address that I assign (we currently have two). Is this possible? I started constructing a DNAT rule to achieve this but I am not sure it can be done. From my understanding the Azure firewall will connect outbound on any of its available public IP addresses. I don't want to request our 3rd parties open up around 6/7 public IP addresses that we could be using once all services are deployed, as that is as many public IPs as we would need (using 1:1 NAT, we are not using PAT).

Hoping someone can help.

Thanks


Accepted answer
  1. GitaraniSharma-MSFT 48,511 Reputation points Microsoft Employee
    2024-06-11T07:09:12.73+00:00

    Hello @Son ,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to use a single dedicated Public IP address for Azure Firewall SNAT when connecting outbound from Azure.

    When you deploy an Azure Firewall with multiple Public IP addresses, additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. By design, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/deploy-multi-public-ip-powershell

    One of the challenges with using a large number of public IP addresses with Azure Firewall is when there are downstream IP address filtering requirements. Azure Firewall randomly selects the source public IP address to use for a connection, so you need to allow all public IP addresses associated with it. Even if you use Public IP address prefixes and you need to associate 250 public IP addresses to meet your outbound SNAT port requirements, you still need to create and allow 16 public IP address prefixes.

    As of today, Azure Firewall doesn't allow selection of a dedicated Public IP for SNAT outbound connections, and the IP address is selected randomly.

    This feature request is already under review by the Azure Firewall Product Group team, but there is no ETA available for it yet. You can upvote the feature in the below feedback forum:

    https://feedback.azure.com/d365community/idea/e25495e5-e025-ec11-b6e6-000d3a4f06a4

    A better option to scale and dynamically allocate outbound SNAT ports is to use an Azure NAT Gateway.

    When a NAT gateway resource is associated with an Azure Firewall subnet, all outbound Internet traffic automatically uses the public IP address of the NAT gateway. There’s no need to configure User Defined Routes. Response traffic to an outbound flow also passes through NAT gateway.

    So, you can associate a NAT gateway with an Azure Firewall subnet to make sure that the outbound connections are using a single Public IP address i.e. the Public IP address of the NAT gateway.

    A few things to keep in mind when adopting this setup:

    • If there are multiple IP addresses associated with the NAT gateway, the IP address is randomly selected. It isn't possible to specify what address to use.
    • Azure NAT Gateway is not currently supported in secured virtual hub network (vWAN) architectures. You must deploy using a hub virtual network architecture.
    • Deploying NAT gateway with a zone-redundant firewall is not a recommended deployment option, as the NAT gateway does not support zone-redundant deployment at this time. In order to use NAT gateway with Azure Firewall, a zonal Firewall deployment is required.

    Refer: https://learn.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway

    https://azure.microsoft.com/en-us/blog/scale-azure-firewall-snat-ports-with-nat-gateway-for-large-workloads/

    https://learn.microsoft.com/en-us/azure/nat-gateway/tutorial-hub-spoke-nat-firewall

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

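The setup the accepted answer describes, as an added Bicep example that is not code from the answer or from Microsoft's documentation: one zonal Standard public IP, a NAT gateway holding only that IP, and the gateway attached to AzureFirewallSubnet so every outbound flow through the firewall leaves from that single address. The VNet name, subnet prefix, zone and resource names are assumed placeholders, and the firewall itself is assumed to be already deployed zonally in that VNet.

```bicep
// Added example (not Microsoft's or the answer's own code): give Azure Firewall
// a single, predictable egress address by attaching a NAT gateway to its subnet.
// Assumptions: an existing hub VNet 'hub-vnet' whose AzureFirewallSubnet is
// 10.0.1.0/26, a zonal (zone 1) firewall already deployed in it, and the
// placeholder resource names below.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'
param firewallSubnetPrefix string = '10.0.1.0/26'
param zone string = '1' // must match the zone of the (zonal) firewall

// One Standard static public IP: this is the only source address third
// parties need to allow-list for outbound traffic from the DMZ servers.
resource egressPip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-fw-egress'
  location: location
  sku: { name: 'Standard' }
  zones: [ zone ]
  properties: { publicIPAllocationMethod: 'Static' }
}

// NAT gateway with exactly one IP attached. Attaching more than one would
// bring back random source-IP selection (the answer's first caveat).
resource egressNat 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-fw-egress'
  location: location
  sku: { name: 'Standard' }
  zones: [ zone ]
  properties: {
    publicIpAddresses: [ { id: egressPip.id } ]
    idleTimeoutInMinutes: 4
  }
}

resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: hubVnetName
}

// Re-declare AzureFirewallSubnet with the NAT gateway reference. No UDR is
// needed: all Internet-bound flows leaving the firewall are SNATed to
// egressPip, and return traffic comes back through the NAT gateway.
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: hubVnet
  name: 'AzureFirewallSubnet'
  properties: {
    addressPrefix: firewallSubnetPrefix
    natGateway: { id: egressNat.id }
  }
}

output egressAddress string = egressPip.properties.ipAddress
```

Deploy with `az deployment group create --resource-group <rg> --template-file egress-nat.bicep`; the `egressAddress` output is the one address to hand to the third parties instead of the firewall's own public IPs.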