question

OJA-4975 asked · GitaraniSharmaMSFT-4262 commented

Azure Firewall outbound through specific public IP

As far as I have read, it's not possible to NAT certain subnets through a specific public IP on the firewall.
I.e. the firewall will pick the outbound IP randomly.
As I'm trying to consolidate our public IPs into an Az Firewall, this is a little unfortunate, as we have external partners that have whitelisted one or another of the IPs I want to add to the firewall.
Do you know if it's in the backlog to add this functionality to Az Firewall, or would we need to look into a 3rd-party NVA?

azure-firewall

Hello @OJA-4975,

Yes, it is not possible to NAT certain subnets through a specific public IP on the firewall. Azure Firewall randomly selects the source public IP address to use for a connection.
Refer: https://docs.microsoft.com/en-us/azure/firewall/deploy-multi-public-ip-powershell

This is on our roadmap but we don't have an ETA yet.

As mentioned by @AlanKinane, the workaround is to use a Public IP prefix and use the prefix to whitelist.
Refer: https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-address-prefix

You can upvote the feature in the feedback forum below:
https://feedback.azure.com/d365community/idea/59931e39-8426-ec11-b6e6-000d3a4f0789

Kindly let us know if the above helps or you need further assistance on this issue.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

1 Answer

AlanKinane answered

I'm not sure if this is on the backlog or not, but for now I think you have two options here when using Azure Firewall.

Option 1: Use an IP address prefix for your outbound public IP addresses, so at least then you will know the range to whitelist.
https://docs.microsoft.com/en-us/azure/virtual-network/ip-services/public-ip-address-prefix

Option 2: Deploy a NAT gateway to the Azure Firewall subnet; this will route all outbound traffic through the NAT gateway and use its public IP address.
https://docs.microsoft.com/en-us/azure/virtual-network/nat-gateway/nat-overview

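The two workarounds named in the comment and the answer above (a public IP prefix for the firewall's own addresses, or a NAT gateway on AzureFirewallSubnet), written out as an added Az PowerShell example. This is not code from the thread or from Microsoft's docs; the resource group, region, VNet and resource names are assumed placeholders, it assumes the Az module is installed and `Connect-AzAccount` has already been run, and the hub VNet is assumed to already contain an AzureFirewallSubnet (with the firewall already deployed there for the NAT gateway path).

```powershell
# Added example (not from the thread): provision one of the two egress-IP workarounds
# with the Az PowerShell module. All names, the region and the prefix length below are
# assumed placeholders; change them to match your environment.
param(
    # $false -> Option 1 (firewall IPs allocated from a prefix)
    # $true  -> Option 2 (NAT gateway on AzureFirewallSubnet)
    [switch]$UseNatGateway
)

$rg       = 'rg-hub-fw'      # assumed, existing resource group
$location = 'westeurope'     # assumed region
$vnetName = 'vnet-hub'       # assumed hub VNet that already has an AzureFirewallSubnet (/26)

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# Both options start from a public IP prefix, so the partner whitelists one CIDR instead
# of chasing whichever individual address the firewall happens to SNAT from.
$prefix = New-AzPublicIpPrefix -Name 'pipprefix-fw-egress' -ResourceGroupName $rg `
    -Location $location -Sku Standard -PrefixLength 28     # /28 = 16 addresses (assumed size)

if (-not $UseNatGateway) {
    # Option 1: allocate the firewall's public IPs out of the prefix. The firewall still
    # chooses the source IP per connection, but every candidate lies inside $prefix.IPPrefix.
    $fwPips = 1..2 | ForEach-Object {
        New-AzPublicIpAddress -Name "pip-fw-$_" -ResourceGroupName $rg -Location $location `
            -Sku Standard -AllocationMethod Static -PublicIpPrefix $prefix
    }
    $fw = New-AzFirewall -Name 'afw-hub' -ResourceGroupName $rg -Location $location `
        -VirtualNetwork $vnet -PublicIpAddress $fwPips

    # Check: list the addresses actually bound to the firewall's IP configurations and
    # confirm by eye that each one falls inside the prefix printed at the end.
    Get-AzPublicIpAddress -ResourceGroupName $rg |
        Where-Object { $_.Id -in $fw.IpConfigurations.PublicIpAddress.Id } |
        Select-Object Name, IpAddress |
        Format-Table -AutoSize
}
else {
    # Option 2: NAT gateway on AzureFirewallSubnet. Outbound SNAT then comes from the NAT
    # gateway's addresses (here the whole prefix) rather than the firewall's own public IPs.
    # The firewall itself still keeps at least one public IP for its own deployment.
    $natgw = New-AzNatGateway -Name 'natgw-fw' -ResourceGroupName $rg -Location $location `
        -Sku Standard -IdleTimeoutInMinutes 10 -PublicIpPrefix $prefix

    $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -VirtualNetwork $vnet
    Set-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -VirtualNetwork $vnet `
        -AddressPrefix $subnet.AddressPrefix -NatGateway $natgw | Out-Null
    $vnet | Set-AzVirtualNetwork | Out-Null
}

# Either way, this single CIDR is what the external partner needs to whitelist.
"Ask the partner to whitelist: $($prefix.IPPrefix)"
```

Run it as `.\fw-egress.ps1` for Option 1 or `.\fw-egress.ps1 -UseNatGateway` for Option 2. The design choice is that both paths hang off the same prefix object: with Option 1 you still cannot pin a subnet to one address (the firewall keeps picking per connection), you only bound the range; with Option 2 every flow leaving AzureFirewallSubnet is SNATed by the NAT gateway, so the prefix attached to it is the complete set of source addresses the partner will ever see.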