Internal private IPs are getting SNAT'd due to NAT rule in firewall

David Beitler 31 Reputation points
2021-04-27T21:49:07.103+00:00

Have what I believe should be a simple question. New to Azure Firewall. In "rules (classic)" I have a NAT rule:
Allow any IP to enter on a specific public IP, get translated to an internal private IP, keeping the port the same.
Unfortunately, when I add this rule, other internal private IP space servers (that also pass through the firewall) get their source IPs NAT'd, even though their destination is the private IP of the end server, and not the public one in the NAT rule.

To keep the internal ones from getting SNAT'd, I have to change the NAT rule in the firewall rule from source=any, to specific public IP addresses or spaces.

All I need to do is create a rule in the firewall to allow public access to a private server. And I don't understand why the rule is getting applied when the destination IP does not match what is in the rule.

There is not much in the firewall at the moment, as this is a new installation.

  1. Pablo Varela 6 Reputation points
    2022-06-27T13:29:44.813+00:00

    The same issue is happening to us with public IP addresses.


  2. GitaraniSharma-MSFT 49,481 Reputation points Microsoft Employee
    2021-05-03T10:04:24.43+00:00

    Hello @David Beitler ,

    Apologies for the delay in response. Thank you for reaching out & hope you are doing well.

    This was found to be a known issue already identified by Azure Firewall Product Group team and they are working on the fix but we do not have a definite ETA.

    Symptom:
    DNAT rules don't seem to be working as expected in Azure Firewall: Source NAT is applied to private IPs when the DNAT rule has the source IP set to a wildcard.

    Workaround:
    For now, the workaround is to add "Public IP Range" as the source (everything minus private ranges), as you are doing.

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
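As an added worked example (not code from this thread or from Microsoft), the script below computes the "everything minus private ranges" source list the workaround calls for. It assumes the RFC 1918 ranges are the private ranges to exclude; the resulting CIDR blocks are what you would paste into the DNAT rule's source addresses field instead of the wildcard.

```python
import ipaddress

# RFC 1918 private ranges: the exclusion set for the workaround (assumed
# to be what "private ranges" means here; pass a different list to
# public_source_ranges() to exclude more, e.g. 100.64.0.0/10).
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def public_source_ranges(exclude=PRIVATE_RANGES):
    """Return sorted IPv4 CIDR blocks covering 0.0.0.0/0 minus `exclude`.

    Two CIDR blocks either nest or are disjoint, so for each exclusion we
    either carve it out of the block that contains it (address_exclude)
    or drop a block that lies entirely inside the exclusion.
    """
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in exclude:
        next_remaining = []
        for net in remaining:
            if not net.overlaps(ex):
                next_remaining.append(net)
            elif ex.subnet_of(net):
                # ex sits inside net: keep the pieces of net around ex.
                next_remaining.extend(net.address_exclude(ex))
            # else: net is inside ex, so it is excluded entirely.
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(ip, ranges):
    """True if `ip` falls inside any block in `ranges`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def azure_source_list(ranges):
    """Comma-separated form suitable for a rule's source addresses field."""
    return ",".join(str(net) for net in ranges)


if __name__ == "__main__":
    blocks = public_source_ranges()
    print(f"{len(blocks)} public blocks:")
    print(azure_source_list(blocks))
```

Traffic from a private source then matches none of the listed blocks, so the DNAT rule (and the SNAT it triggers) no longer applies to east-west traffic, while every public source still matches.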
