Forum Discussion
usernameone101
Jan 03, 2025, Copper Contributor
Azure Firewall has no capacity to maintain source IP on outbound traffic?
Hello all, My use case: To have multiple static public IP addresses attached to Azure Firewall with SNAT rules configured so that the public IP isn't just randomly selected. We have multiple service...
Alikoc
Jan 03, 2025, Iron Contributor
Hello,
You're absolutely right in identifying the challenges with Azure Firewall and source network address translation (SNAT) behavior. Azure Firewall does support static SNAT, but it applies it automatically and does not allow explicit configuration per rule, unlike traditional firewall solutions.
Here are a few potential workarounds for maintaining static public IP assignment while still routing outbound traffic through Azure Firewall:
Use Azure NAT Gateway (Recommended)
- Why? Azure NAT Gateway provides deterministic outbound public IPs for a subnet.
- How? Deploy NAT Gateway to the subnet where your VMs reside and assign multiple static public IPs to it.
- Challenge? NAT Gateway cannot be directly used with Azure Firewall, meaning you need to configure routing carefully.
Deploy a Load Balancer with Outbound Rules
- Use Case: If you want all outbound traffic to have a consistent source IP.
- How?
  - Deploy a Public Load Balancer in front of Azure Firewall.
  - Attach a Frontend IP (static public IP) to the Load Balancer.
  - Use Outbound Rules to SNAT traffic to the assigned public IP.
  - Ensure return traffic is routed back via the Load Balancer.
- Challenge? Since Azure Firewall is stateful, it may interfere with this configuration. You must ensure symmetric routing.
Configure Firewall Policy with DNAT & SNAT Rules (Limited)
- How? Assign multiple public IPs to Azure Firewall and use DNAT for inbound traffic.
- Challenge? Azure Firewall still does not allow explicit SNAT mapping, so outbound traffic may still select an IP randomly.
Use Third-Party NVAs (If Compliance Allows)
- Why? Many third-party network virtual appliances (NVAs) on Azure (e.g., Palo Alto, FortiGate, Check Point) allow static SNAT configuration.
- How? Deploy an NVA in a hub network and set up routing to use its static public IPs.
- Challenge? Increases cost and complexity but offers granular control.
Since your requirement is multiple static public IPs with controlled outbound SNAT, the best approach would be:
✅ Use NAT Gateway for the subnet where your servers reside.
✅ If NAT Gateway does not work due to routing constraints, try Azure Load Balancer outbound rules.
✅ If strict control is needed, deploy a third-party NVA instead of relying solely on Azure Firewall.
I hope it will be helpful.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
usernameone101, Jan 03, 2025, Copper Contributor
Thanks for that Alikoc, I appreciate your thorough response :) I think we will go the NAT gateway route for SNAT port exhaustion reasons; we will just have to deploy a few NAT gateways, since there are a few different subnets that the backend servers sit in.
Thanks again :)
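The per-subnet NAT Gateway deployment the thread settles on, as an added Azure CLI example that is not part of the original posts: one NAT gateway with dedicated static Standard public IPs is attached to each backend subnet, so every subnet's outbound traffic leaves from a known, fixed set of IPs. Resource group, VNet, location and the `snet-*`/`ngw-*` names are placeholders; the NAT Gateway limits used for sizing (up to 16 public IPs per gateway, 64,512 SNAT ports per public IP) come from Azure's documented limits, not from the thread.

```shell
#!/usr/bin/env sh
# Added example: deterministic outbound SNAT via one NAT Gateway per backend subnet.
# RG, VNET and LOCATION are placeholder values; override them in the environment.
set -eu
RG="${RG:-rg-backend}"; VNET="${VNET:-vnet-backend}"; LOCATION="${LOCATION:-westeurope}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the az commands instead of running them

# Execute an az command, or print it when dry-running (lets the plan be reviewed first).
run() { if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Size the public IP pool against SNAT port exhaustion: NAT Gateway gives 64,512 SNAT
# ports per public IP (documented Azure limit), so ceil(peak concurrent flows / 64512).
pips_needed() {
  local flows=$1 per_ip=64512
  echo $(( (flows + per_ip - 1) / per_ip ))
}

# deploy_natgw <subnet> <natgw-name> <public-ip-count>
# Creates <count> static Standard public IPs, one NAT gateway carrying all of them, and
# associates the gateway with the subnet (a subnet can have only one NAT gateway, and the
# gateway then takes precedence over any other outbound method for that subnet).
deploy_natgw() {
  local subnet=$1 ngw=$2 n=$3 pips="" i=1
  if [ "$n" -lt 1 ] || [ "$n" -gt 16 ]; then
    echo "public IP count must be between 1 and 16 (NAT Gateway limit)" >&2; return 1
  fi
  while [ "$i" -le "$n" ]; do
    run az network public-ip create -g "$RG" -n "pip-$ngw-$i" -l "$LOCATION" \
        --sku Standard --allocation-method Static -o none
    pips="$pips pip-$ngw-$i"; i=$((i + 1))
  done
  # $pips is intentionally unquoted so each IP name becomes its own argument.
  run az network nat gateway create -g "$RG" -n "$ngw" -l "$LOCATION" \
      --public-ip-addresses $pips --idle-timeout 4 -o none
  run az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$subnet" \
      --nat-gateway "$ngw" -o none
}

# verify_natgw <natgw-name>: show which public IPs and subnets the gateway now owns, so the
# expected source IPs for that subnet can be recorded (e.g. for partner allow-lists).
verify_natgw() {
  run az network nat gateway show -g "$RG" -n "$1" \
      --query '{ips:publicIpAddresses[].id, subnets:subnets[].id}' -o json
}

# Usage (one gateway per backend subnet, as in the thread):
#   deploy_natgw snet-app ngw-app "$(pips_needed 100000)" && verify_natgw ngw-app
#   deploy_natgw snet-db  ngw-db  1                        && verify_natgw ngw-db
```

Run once with `DRY_RUN=1` to review the exact commands, then again without it under an identity that can write to the resource group.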