
Azure NAT Gateway attached to the Checkpoint NVA Cluster firewall for external subnet for Egress Internet

Shan Vasudevan 20 Reputation points
2026-03-27T15:10:36.7433333+00:00

Proposed Architecture

Third-party NVA: Check Point CloudGuard ClusterXL (Active/Standby)

Inbound: Azure Standard Load Balancer (public IP acting as cluster VIP)

Outbound: Azure NAT Gateway attached to the firewall external subnet

Routing: UDRs directing traffic through the firewall layer.

Traffic Flow

  • Inbound: Internet → Load Balancer → Active firewall node
  • Outbound: Workload → Firewall (inspection + SNAT) → NAT Gateway → Internet

Please confirm this design will work the same as Azure Firewall + NAT gateway.



Answer accepted by question author
  Ganesh Patapati 11,915 Reputation points Microsoft External Staff Moderator
    2026-04-03T16:06:08.7566667+00:00

    Hello Shan Vasudevan

    Your proposed flow will work the same way as it does with Azure Firewall, as long as you treat the Azure NAT Gateway exactly like the Azure Firewall + NAT-gateway integration. Here’s what you need to keep in mind:

    Disable SNAT on the Check Point NVA

    • If the NVA SNATs first, your NAT Gateway never sees the original private source IP and you end up with double-NAT. Make sure your Check Point policy is set to preserve the workload’s IP on outbound.

    Attach the NAT Gateway to the firewall’s external subnet

    • The subnet hosting the NVA’s external NIC must have the NAT Gateway resource linked. Azure NAT Gateway then becomes the next-hop for all outbound “Internet” traffic that reaches that subnet.

    User-Defined Routes (UDRs)

    • Your spoke/workload subnets route 0.0.0.0/0 → NVA internal IP.
    • The NVA external subnet uses the default Internet route (0.0.0.0/0) → Azure Internet (NAT Gateway).
    • No extra UDR is needed on the external subnet; once NAT Gateway is attached, it overrides any outbound LB or default-outbound rules.

    NSGs and other policies

    • Ensure your NSGs on the external subnet allow outbound to the Internet.
    • Make sure there’s no conflicting UDR that points 0.0.0.0/0 to something other than the NAT Gateway.

    SKU and feature notes

    • If you need IPv6 outbound, use a StandardV2 NAT Gateway (it’s the only one that supports IPv6).
    • Standard NAT Gateway doesn’t support delegated subnets or IPv6.


    Once SNAT is off on the NVA and the NAT Gateway is attached properly, all outbound egress will be SNAT’d by Azure, and you’ll get the same static-IP SNAT behavior you see with an Azure Firewall + NAT Gateway.

    Follow-Up Questions

    • Have you already disabled SNAT on the Check Point appliances and verified that the workloads’ IP addresses are preserved on packets leaving the NVA?
    • Which NAT Gateway SKU are you planning to use (Standard or StandardV2)? Do you need IPv6 support?

    Reference Docs

    What is Azure Virtual Network NAT:

    Design virtual networks with NAT gateway

    Scale SNAT ports with Azure Virtual Network NAT (Azure Firewall integration)

    Troubleshoot NAT gateway connectivity


    If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This helps others in the community as well.


1 additional answer

  Vallepu Venkateswarlu 6,995 Reputation points Microsoft External Staff Moderator
    2026-03-27T15:46:16.5666667+00:00

    Hi @Shan Vasudevan,

    Welcome to Microsoft Q&A Platform

    This architecture will work for egress pretty much the same way Azure Firewall + NAT Gateway works—your Check Point cluster sits in an “external” subnet with a NAT Gateway attached, and all internet‐bound traffic flows:

    1. Workload subnet → UDR → Check Point (inspect ± SNAT)
    2. Check Point external interface → NAT Gateway on that subnet → Internet

    A few things to watch out for:

    • NAT Gateway attachment – You can only attach one NAT Gateway per subnet, and it must be a Standard- or StandardV2-SKU NAT Gateway (no Basic SKUs or gateway subnets).
    • SNAT behavior – If your NVA already SNATs traffic, you’ll end up with double‐NAT. If preserving original client IP is important downstream, look to disable SNAT on the Check Point or use a policy that preserves source IP.
    • Zonal redundancy – Standard NAT Gateway is zonal; for zone-resilient egress, either split your external subnet per AZ (one NAT Gateway per zone) or use StandardV2 (zone-redundant in supported regions).
    • SNAT port limits & idle timeouts – NAT Gateway gives you up to 16 public IPs (per gateway) and a default 4 min TCP idle timeout. If you see port exhaustion, scale out by adding IPs or adjusting timeouts carefully.
    • UDR ordering – Make sure your firewall UDR for 0.0.0.0/0 points to the NVA, and that there’s no other UDR on the external subnet overriding the NAT Gateway route.
    • If you don’t need deep FQDN/TLS inspection on egress or centralized logging, this pattern is totally valid for third-party NVAs. Otherwise consider Azure Firewall (native FQDN/TLS filtering + built-in NAT Gateway integration) as an alternative.

    Reference: NAT gateway association with subnet (single‐gateway per subnet, no basic SKUs)
    Design virtual networks with Azure NAT Gateway (NAT Gateway supersedes outbound on LB/public IP)

    Please “up-vote” wherever the information provided helps you; this can be beneficial to other community members.
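Both answers describe the same wiring: a Standard-SKU NAT Gateway linked to the firewall’s external subnet, a 0.0.0.0/0 UDR on the workload subnets pointing at the NVA’s internal IP, and no UDR at all on the external subnet so the system default Internet route hands egress to the NAT Gateway. The Bicep below is an added example of that wiring; it is not code from either answerer, from Check Point or from Microsoft’s docs. Resource names, the 10.0.0.0/16 address plan and the NVA internal IP 10.0.2.4 are assumptions; the Check Point cluster NICs and the inbound Standard Load Balancer are left out, since the thread is about the egress path.

```bicep
// Added example: hub VNet egress path via a third-party NVA + Azure NAT Gateway.
// Everything below (names, address ranges, the NVA's internal IP) is assumed,
// not taken from the thread or from any vendor documentation.
param location string = resourceGroup().location

// Assumed: the Check Point cluster's internal (trusted-side) IP that spokes route to.
param nvaInternalIp string = '10.0.2.4'

// Static Standard public IP: the single, predictable address all egress leaves from.
resource natPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'pip-natgw-fw-egress'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Standard-SKU NAT Gateway (Basic is not allowed). 4 minutes is the default TCP
// idle timeout the second answer mentions; raise it deliberately, not by default.
resource natGw 'Microsoft.Network/natGateways@2023-09-01' = {
  name: 'natgw-fw-external'
  location: location
  sku: { name: 'Standard' }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [ { id: natPip.id } ]
  }
}

// UDR for workload subnets: force 0.0.0.0/0 through the firewall. BGP route
// propagation is disabled so a learned default route cannot bypass the NVA.
resource rtWorkload 'Microsoft.Network/routeTables@2023-09-01' = {
  name: 'rt-workload-via-fw'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-to-nva'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: nvaInternalIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        // Firewall external (untrusted) NICs live here. The NAT Gateway is linked
        // to the subnet and deliberately NO route table is attached: the system
        // default 0.0.0.0/0 -> Internet route is what hands egress to the NAT
        // Gateway, which then takes precedence over any LB outbound rule.
        name: 'snet-fw-external'
        properties: {
          addressPrefix: '10.0.1.0/24'
          natGateway: { id: natGw.id }
        }
      }
      {
        // Firewall internal (trusted) NICs; nvaInternalIp sits in this range.
        name: 'snet-fw-internal'
        properties: { addressPrefix: '10.0.2.0/24' }
      }
      {
        // Workload subnet: everything Internet-bound goes to the NVA first.
        name: 'snet-workload'
        properties: {
          addressPrefix: '10.0.10.0/24'
          routeTable: { id: rtWorkload.id }
        }
      }
    ]
  }
}

// The one address the Internet sees for all inspected egress.
output egressPublicIp string = natPip.properties.ipAddress
```

Deploy it with `az deployment group create --resource-group <rg> --template-file <file>.bicep`. Two things the template cannot do for you: SNAT still has to be switched off in the Check Point policy as the accepted answer says (otherwise the NAT Gateway sees the firewall’s IP and you get double-NAT), and the firewall NICs need IP forwarding enabled, which Azure requires for any NVA that forwards traffic it did not originate. To verify the result, send a request from a workload VM to an echo service and confirm the observed source address equals `egressPublicIp`, and check that `snet-fw-external` really has no route table associated (`az network vnet subnet show ... --query routeTable` should return null), since a stray 0.0.0.0/0 UDR there is the one misconfiguration both answers warn about.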
