Forum Discussion

usernameone101
Copper Contributor
Jan 03, 2025
Solved

Azure Firewall has no capacity to maintain source IP on outbound traffic?

Hello all,

My use case: To have multiple static public IP addresses attached to Azure Firewall with SNAT rules configured so that the public IP isn't just randomly selected. We have multiple services that have whitelisting configured for specific public load balancer IPs and now we are trying to move them behind Azure Firewall. Since there is whitelisting on the destination, the public IP being randomly selected won't work.

My resources: One instance of premium SKU Azure Firewall. Hub and spoke architecture. Route tables being used to force traffic through the Firewall (routed to the private IP of the firewall).

The research I have conducted: I have tried absolutely everything I can think of before coming to this forum and from what I can tell the 4 ways of outbound connectivity provided by Azure are:

  • Default outbound connectivity. Against best practice to do this and won't work since it's routing through a virtual appliance (firewall)
  • Associate a NAT gateway to a subnet. This won't work since we have only one instance of Azure Firewall and the requirement for multiple public IPs to be used. 
  • Assign a public IP to a virtual machine. Not applicable, sitting in backend pool of a load balancer, single public IP to be used for multiple member servers.
  • Using the frontend IP address(es) of a load balancer for outbound via outbound rules. Needs to go through the firewall, impossible unless we can somehow integrate the firewall between the load balancer and the backend pool?

Expanding more on the load balancer scenario, I ran across this documentation in Microsoft Learn.

This looks great for tackling the asymmetric routing issue; however, we are only interested in maintaining the source IP for outbound traffic. This would again just use the firewall's public IP for outbound traffic and again randomly select it.

Consensus: It seems bizarre to me that Azure has no capacity for static SNAT configuration like most firewalls do. I would have thought a large number of use cases would require this function. Am I missing something? Is there another workaround? Or is Azure just behind the 8-ball with networking?

Thanks heaps in advance for any help :)

Much Appreciated,

usernameone101

  • Alikoc
    Iron Contributor

    Hello,

    You're absolutely right in identifying the challenges with Azure Firewall and source network address translation (SNAT) behavior. Azure Firewall does support static SNAT, but it applies it automatically and does not allow explicit configuration per rule, unlike traditional firewall solutions.

    Here are a few potential workarounds for maintaining static public IP assignment while still routing outbound traffic through Azure Firewall:

    Use Azure NAT Gateway (Recommended)

    • Why? Azure NAT Gateway provides deterministic outbound public IPs for a subnet.
    • How? Deploy NAT Gateway to the subnet where your VMs reside and assign multiple static public IPs to it.
    • Challenge? NAT Gateway cannot be directly used with Azure Firewall, meaning you need to configure routing carefully.

    Deploy a Load Balancer with Outbound Rules

    • Use Case: If you want all outbound traffic to have a consistent source IP.
    • How?
      • Deploy a Public Load Balancer in front of Azure Firewall.
      • Attach a Frontend IP (static public IP) to the Load Balancer.
      • Use Outbound Rules to SNAT traffic to the assigned public IP.
      • Ensure return traffic is routed back via the Load Balancer.
    • Challenge? Since Azure Firewall is stateful, it may interfere with this configuration. You must ensure symmetric routing.

    Configure Firewall Policy with DNAT & SNAT Rules (Limited)

    • How? Assign multiple public IPs to Azure Firewall and use DNAT for inbound traffic.
    • Challenge? Azure Firewall still does not allow explicit SNAT mapping, so outbound traffic may still select an IP randomly.

    Use Third-Party NVAs (If Compliance Allows)

    • Why? Many third-party network virtual appliances (NVAs) on Azure (e.g., Palo Alto, FortiGate, CheckPoint) allow static SNAT configuration.
    • How? Deploy an NVA in a hub network and set up routing to use its static public IPs.
    • Challenge? Increases cost and complexity but offers granular control.

    Since your requirement is multiple static public IPs with controlled outbound SNAT, the best approach would be:

    ✅ Use NAT Gateway for the subnet where your servers reside.

    ✅ If NAT Gateway does not work due to routing constraints, try Azure Load Balancer outbound rules.

    ✅ If strict control is needed, deploy a third-party NVA instead of relying solely on Azure Firewall.

    I hope this will be helpful.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    • usernameone101
      Copper Contributor

      Thanks for that Alikoc, I appreciate your thorough response :) I think we will go the NAT gateway route for SNAT port exhaustion reasons; we will just have to deploy a few NAT gateways since there are a few different subnets that the backend servers sit in.

      Thanks again :)
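As an added worked example (editor's code, not posted by either participant and not Microsoft's sample), here is a Bicep template for the option the thread settles on: a NAT gateway carrying two static Standard-SKU public IPs, associated with the spoke subnet the backend servers sit in. Every resource name, address range and the API version are assumptions chosen for illustration; replace them with your own. The security-relevant point is that the destination's allowlist is only as good as the stability of your egress address, so the two `pip-natgw-egress-*` addresses are what gets allowlisted, and they are surfaced as a deployment output so they are read from the platform rather than hand-copied.

```bicep
// Added example, not code from the thread. All names, prefixes and the
// Microsoft.Network API version below are assumptions for illustration.
param location string = resourceGroup().location
param vnetName string = 'vnet-spoke-app'
param vnetPrefix string = '10.10.0.0/16'
param subnetName string = 'snet-backend'
param subnetPrefix string = '10.10.1.0/24'
@minValue(1)
@maxValue(16)
param egressIpCount int = 2   // NAT gateway allows up to 16 public IPs

// Static Standard public IPs. "Static" is what makes the egress address
// fixed for the life of the resource, which is the property the downstream
// allowlist depends on.
resource egressPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = [for i in range(0, egressIpCount): {
  name: 'pip-natgw-egress-${i}'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}]

// One NAT gateway per subnet that needs deterministic egress. Outbound
// flows from the subnet are SNATed only to the IPs listed here.
resource natGateway 'Microsoft.Network/natGateways@2023-09-01' = {
  name: 'natgw-backend'
  location: location
  sku: {
    name: 'Standard'
  }
  properties: {
    idleTimeoutInMinutes: 4   // default; raise only if long-idle flows need it
    publicIpAddresses: [for i in range(0, egressIpCount): {
      id: egressPip[i].id
    }]
  }
}

// The VNet is declared here so the example deploys on its own. In an
// existing hub-and-spoke you would reference the existing VNet instead and
// only add the natGateway property to the backend subnet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        vnetPrefix
      ]
    }
    subnets: [
      {
        name: subnetName
        properties: {
          addressPrefix: subnetPrefix
          natGateway: {
            id: natGateway.id
          }
        }
      }
    ]
  }
}

// Hand these to the teams that maintain the destination allowlists.
output egressAddresses array = [for i in range(0, egressIpCount): egressPip[i].properties.ipAddress]
```

Two caveats a practitioner would check before relying on this: first, a route table on the same subnet that still sends 0.0.0.0/0 to the firewall's private IP will carry internet-bound traffic to the firewall rather than to the NAT gateway, so subnets meant to egress through the gateway must not keep that default route (which is the trade-off the thread accepts); second, if a destination allowlist needs to stay tight, deploy one gateway per subnet, as the last reply plans, rather than widening the allowlist to cover every egress address in the hub.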
