Best practice for allowing SMTP to an Exchange VM in Azure

mij2020 341 Reputation points

I need to allow incoming public SMTP and HTTPS traffic into one Exchange server in Azure.
What is best practice for this situation?
I could add a public IP address to the nic and allow smtp from specified IP ranges in an NSG. But I believe this is not best practice to allow public IP on a VM nic.
Creating an Azure Application Firewall is not supported for email protocol.
Is it possible using external load balancer?
What are my other options?

Thank you

Azure Web Application Firewall
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
4,599 questions
Exchange Server Management
Exchange Server Management
Exchange Server: A family of Microsoft client/server messaging and collaboration software.Management: The act or process of organizing, handling, directing or controlling something.
6,091 questions
{count} votes

Accepted answer
  1. KyleXu-MSFT 25,616 Reputation points

    The installation and manager Exchange in Azure VM is the same as the installation and manager in hyper-v hosted on the local computer.
    About the load balancer, it is mainly used to balance the load of network connections, not connection filtering.

    If you want to filter and only accept the connection from Exchange online, you can just set some network inbound filter rules on your Exchange VM computer's firewall.

    For VM which hosted on Azure, you could also configure the network filter from VM networking configuration in Azure portal:

    Here is a list for URLs and IP address ranges used for Exchange online, it may also be useful to you.

    No comments

2 additional answers

Sort by: Most helpful
  1. Didier3001 891 Reputation points Microsoft Employee

    Hi @mij2020

    The only supported way to send email to external domains from Azure compute resources is through an SMTP relay (otherwise known as an SMTP smart host). The Azure compute resource sends the email message to the SMTP relay, and then the SMTP relay provider delivers the message to the external domain. Microsoft Exchange Online Protection is one provider of a SMTP relay, but a number of third-party providers also offer this service.

    --I hope this helps. Please Accept it as an answer and "Up-Vote" the answer or message(s) that helped you so that it can help others in the community looking for help on similar topics


  2. Jayadeava Balaraja 1 Reputation point

    Hello All,

    I have same issue. I achieved the incoming traffic on port 443 using App gateway behind the firewall.
    However when it comes for inbound request on port 25 for exchange servers, I tried to DNAT port 25 on Azure firewall pointing to my Internal loadbalancer landing the TCP on port 25 to backend pool of exchange boxes.

    This setup is not working.. Am I missing something else ?

    Appreciate your help in advance.

    Thanks & Regards,

    No comments