The same issue is happening to us with public IP addresses.
Internal private IPs are getting SNAT'd due to NAT rule in firewall
Have what I believe should be a simple question. New to Azure Firewall. In "rules (classic)" I have a NAT rule:
Allow any IP to enter on a specific public IP, get translated to an internal private IP, keeping the port the same.
Unfortunately when I add this rule, other internal private IP space servers (that also pass through the firewall) get their source IPs NAT'd, even though their destination is the private IP of the end server, and not the public one in the NAT rule.
To keep the internal ones from getting SNAT'd, I have to change the NAT rule in the firewall rule from source=any, to specific public IP addresses or spaces.
All I am needing to do is create a rule in the firewall, to allow public access to a private server. And I don't understand why the rule is getting applied, when the destination IP does not match what is in the rule.
There is not much in the firewall at the moment, as this is a new installation.
2 answers
GitaraniSharma-MSFT 49,481 Reputation points Microsoft Employee
2021-05-03T10:04:24.43+00:00
Hello @David Beitler,
Apologies for the delay in response. Thank you for reaching out & hope you are doing well.
This was found to be a known issue already identified by Azure Firewall Product Group team and they are working on the fix but we do not have a definite ETA.
Symptom:
DNAT Rules don't seem to be working as expected in Azure Firewall, Source NAT is applied to private IPs when DNAT rule has source IP as a wildcard.
Workaround:
For now, the workaround is to add "Public IP Range" as the source (everything minus private ranges) as you are doing it.
Kindly let us know if the above helps or you need further assistance on this issue.
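The workaround in the answer above (source = everything minus private ranges), as an added example that is not part of the original thread or Microsoft's own code: a Python sketch that computes the CIDR list covering all of IPv4 minus private space. It assumes "private ranges" means the three RFC 1918 blocks; the function names and the `extra_excluded` parameter are hypothetical.

```python
import ipaddress

# Assumption: "private ranges" in the answer means the three RFC 1918 blocks.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def subtract(universe, excluded):
    """Return the sorted CIDR blocks that cover `universe` minus `excluded`."""
    remaining = [ipaddress.ip_network(universe)]
    for ex in map(ipaddress.ip_network, excluded):
        kept = []
        for net in remaining:
            if ex.subnet_of(net):
                # Split `net` around the excluded block (yields nothing if equal).
                kept.extend(net.address_exclude(ex))
            elif not net.subnet_of(ex):
                kept.append(net)  # disjoint from `ex`, keep unchanged
            # else: `net` lies entirely inside `ex`, so it is dropped
        remaining = kept
    return sorted(remaining)


def public_source_ranges(extra_excluded=()):
    """CIDR list for the DNAT rule's source field: all IPv4 minus private space.

    `extra_excluded` (hypothetical parameter) carves out further internal
    ranges that must never match the DNAT rule.
    """
    return subtract("0.0.0.0/0", RFC1918 + tuple(extra_excluded))


def matches(ip, ranges):
    """True if `ip` falls inside any block in `ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


if __name__ == "__main__":
    ranges = public_source_ranges()
    print(f"{len(ranges)} source prefixes:")
    print(",".join(str(n) for n in ranges))
    # Constructed sample sources: one internal, one from TEST-NET-3.
    for ip in ("10.1.2.3", "203.0.113.10"):
        print(ip, "matches DNAT source" if matches(ip, ranges) else "excluded")
```

The printed comma-separated list is what replaces the wildcard source in the DNAT rule, so traffic from internal sources no longer matches it.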