Assigning a Watchguard FireboxV a public IP to the WAN interface and not have Azure assign it a private address.

kmoul 0 Reputation points
2025-05-07T18:54:17.1533333+00:00

We are attempting to deploy a Watchguard virtual firewall to Azure.

What looks to be happening is Azure is forcing our virtual firewall's WAN interface to have a private IP address. Typically the WAN interface of a firewall has a public IP address. We are not looking to double NAT anything.

It seems that you are forced to create a private IP address when creating a network interface in Azure.

I am unable to see how to resolve this.

Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

2 answers

  1. Andreas Baumgarten 121.2K Reputation points MVP Moderator
    2025-05-07T18:59:22.8733333+00:00

    Hi @kmoul ,

    as far as I know the Watchguard Virtual Firewall is based on an Azure Virtual Machine.

    If so, the private IP on the NIC of the VM is required and can't be removed, even if the private IP is not used on the WAN NIC of the firewall.


    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards

    Andreas Baumgarten


  2. Shravan Addagatla 840 Reputation points Microsoft External Staff Moderator
    2025-05-08T00:42:06.7533333+00:00

    Hello kmoul

    I understand you're trying to assign a public IP directly to the WAN interface of your Watchguard virtual firewall (NVA) in Azure, but you're encountering the limitation where Azure automatically assigns a private IP to the network interface. Here’s some information that might help clarify:

    In Azure, every virtual machine (VM) must have at least one private IP address associated with its network interface card (NIC). This is a fundamental aspect of Azure's networking management. Typically, when deploying a firewall, the WAN interface does require a public IP for external communication. However, the private IP cannot be removed.

    To properly configure your Watchguard firewall:

    1. Create a NIC attached to your VM that includes a private IP.
    2. Assign a public IP to this NIC as well; you can accomplish this through the Azure portal or ARM templates:
      • Go to the Public IP addresses blade in the Azure portal.
      • Create a new public IP or use an existing one and associate it with the NIC used by your Watchguard VM.
    3. When configuring the Watchguard firewall, ensure it is set to route traffic correctly through the public IP you’ve assigned.

    This configuration will ensure that your firewall remains operational without double NAT, as the public IP will be directly associated with the WAN interface for external traffic.

    If you’re still having trouble, it could help to double-check that:

    • You have appropriately assigned the public IP to the NIC.
    • Your Azure subscription permits these configurations (permissions, resources, etc.).

    Refer to these articles:

    • https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/configuration_examples/public_ip_behind_firebox_config_example.html
    • https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/virtual-network-network-interface-addresses?tabs=nic-address-portal

    I hope this clarifies things! If you have any additional questions or need further assistance, just add a comment below so that we can address your questions.


    Please click "Accept" the answer, if any answer/reply helped, so that others in the community facing similar issues can easily find the solution. This can be beneficial to other community members.

    Thanks,
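
The double-check suggested in the answer above (that the public IP is actually associated with the firewall's NIC), as an added example that is not part of the original thread. It reads JSON as produced by `az network nic show` and assumes the field names `ipConfigurations`, `privateIPAddress` and `publicIPAddress`; the NIC names, resource IDs and function names are constructed placeholders.

```python
import json

# Constructed sample: trimmed output of
#   az network nic show --resource-group <rg> --name <nic> -o json
# for two hypothetical NICs of a firewall VM (names and IDs are placeholders).
SAMPLE_NICS = json.loads("""
[
  {"name": "fw-wan-nic",
   "ipConfigurations": [
     {"name": "ipconfig1", "primary": true, "privateIPAddress": "10.0.0.4",
      "publicIPAddress": {"id": "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Network/publicIPAddresses/fw-wan-pip"}}]},
  {"name": "fw-lan-nic",
   "ipConfigurations": [
     {"name": "ipconfig1", "primary": true, "privateIPAddress": "10.0.1.4",
      "publicIPAddress": null}]}
]
""")


def ip_config_report(nic):
    """One row per IP configuration: private IP and associated public IP name (or None)."""
    rows = []
    for cfg in nic.get("ipConfigurations", []):
        pip_id = (cfg.get("publicIPAddress") or {}).get("id")  # key may be absent or null
        rows.append({
            "nic": nic.get("name"),
            "ip_config": cfg.get("name"),
            "primary": bool(cfg.get("primary")),
            "private_ip": cfg.get("privateIPAddress"),
            # The last segment of the resource ID is the public IP resource name.
            "public_ip_name": pip_id.rstrip("/").rsplit("/", 1)[-1] if pip_id else None,
        })
    return rows


def missing_public_ip(nics, wan_nic_name):
    """Return a list of problems; empty means the WAN NIC's primary config has a public IP."""
    wan = [n for n in nics if n.get("name") == wan_nic_name]
    if not wan:
        return [f"NIC {wan_nic_name!r} not found"]
    primary = [r for r in ip_config_report(wan[0]) if r["primary"]]
    if not primary:
        return [f"{wan_nic_name}: no primary IP configuration"]
    return [f"{wan_nic_name}/{r['ip_config']}: private IP {r['private_ip']} has no public IP associated"
            for r in primary if r["public_ip_name"] is None]


if __name__ == "__main__":
    for nic in SAMPLE_NICS:
        for row in ip_config_report(nic):
            print(row)
    print(missing_public_ip(SAMPLE_NICS, "fw-wan-nic") or "WAN NIC has a public IP associated")
```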

