Forum Discussion

StanAzure1792
Copper Contributor
Nov 23, 2021

NAT Gateway after firewall for outgoing network traffic

Hi guys,


I have a bunch of VMs in a subnet. I would like them to have a static outbound IP from a NAT gateway; however, I also want to filter the outbound traffic from these VMs through an Azure Firewall. Is it possible to route the traffic back to a NAT gateway after the traffic has gone through the Firewall? I do not wish to put a NAT gateway on my AzureFirewallSubnet, as I want different public outbound IP addresses for different services.


Is it possible to link a different outbound IP address for different subnets of VMs? Or do I need multiple Azure Firewalls for this purpose?


So again. The traffic will go like this:

(outbound) VM Subnet -> Firewall -> NAT Gateway -> Internet


Thanks in advance.


Stan

  • Seshadrr
    Iron Contributor
    One of the ways you can manage access to outbound networks from an Azure subnet is with Azure Firewall.
    Create a default route (0.0.0.0/0) for outbound and inbound connectivity through the firewall, with next hop type Virtual appliance and the firewall's private IP address as the next hop. Once the route is created, associate the workload subnets with it. Configure the necessary application and network rules for the outbound access the VMs need; their traffic should traverse the firewall via that route.
    • JorgenWoortman
      Copper Contributor
      Although this is true (and the basic setup for the Azure Firewall), if the Azure Firewall has multiple public IP addresses, the firewall will randomly select the public IP address it sees fit (according to MS Docs).
      I have the same question as StanAzure1792: Is it possible to implement Azure NAT Gateway at the trusted or untrusted side of the Azure Firewall, in order to use the same outbound public IP address that is bound to the Azure Firewall?

      Logically seen:
      VM --> NAT Gateway with pub IP --> Azure Firewall (no NAT) --> Internet
      or VM --> Azure Firewall --> NAT Gateway with pub IP --> Internet

      The root cause of this question is a missing feature in Azure Firewall: it does not support designating a specific public IP address for specific outbound traffic.
      This is dearly needed for e.g. sFTP, SSH, coinmining, basically any outbound service...
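
For readers who want to see the forced-tunnelling setup Seshadrr describes written out, here is an added Bicep example. It is not code from this thread or from Microsoft; it puts a route table with a 0.0.0.0/0 route (next hop type VirtualAppliance, next hop the firewall's private IP) on the workload subnet, and adds one network rule and one application rule to an existing firewall policy so the VMs' egress is actually permitted once it is forced through the firewall. All names, address ranges and the firewall private IP (`vnet-spoke`, `snet-workload`, `afwp-hub`, 10.0.1.4 and so on) are assumptions for illustration; substitute your own.

```bicep
// Added example, not from the thread. Assumed environment:
//   - hub VNet with AzureFirewallSubnet and an Azure Firewall using policy 'afwp-hub'
//   - firewall private IP 10.0.1.4 (assumed; read it from the firewall's ipConfigurations)
//   - spoke VNet 'vnet-spoke' (peered to the hub) with workload subnet 'snet-workload'
param location string = resourceGroup().location
param firewallPrivateIp string = '10.0.1.4'          // assumed value
param firewallPolicyName string = 'afwp-hub'         // assumed name
param spokeVnetName string = 'vnet-spoke'            // assumed name
param workloadSubnetName string = 'snet-workload'    // assumed name
param workloadSubnetPrefix string = '10.1.0.0/24'    // assumed range

// Step 1: route table whose default route points at the firewall's private IP.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-via-firewall'
  location: location
  properties: {
    // Do not let routes learned from a gateway override the 0.0.0.0/0 route below;
    // otherwise traffic could leave the subnet without passing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

// Step 2: associate the route table with the workload subnet.
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: spokeVnetName
}

resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: spokeVnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: { id: rt.id }
  }
}

// Step 3: allow the egress the VMs need; everything else from the subnet is dropped
// by the firewall's implicit deny once the default route is in place.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: firewallPolicyName
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'rcg-workload-egress'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-workload-egress'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            // Network rule: SFTP/SSH to one assumed partner host, TCP/22 only.
            ruleType: 'NetworkRule'
            name: 'allow-sftp-partner'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ workloadSubnetPrefix ]
            destinationAddresses: [ '203.0.113.10' ]   // assumed partner IP (TEST-NET-3)
            destinationPorts: [ '22' ]
          }
          {
            // Application rule: HTTPS to one assumed FQDN, filtered by SNI.
            ruleType: 'ApplicationRule'
            name: 'allow-https-api'
            sourceAddresses: [ workloadSubnetPrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'api.example.com' ]         // assumed FQDN
            terminateTLS: false
          }
        ]
      }
    ]
  }
}

output routeTableId string = rt.id
```

Deploy with `az deployment group create -g <rg> -f main.bicep`. Two things to check afterwards: `az network nic show-effective-route-table` on a workload VM NIC should list 0.0.0.0/0 with next hop VirtualAppliance and the firewall IP, and the firewall's network-rule logs should show the subnet's flows. Note what this does and does not solve for the original question: the firewall SNATs Internet-bound traffic to one of its own public IPs, so the VMs' egress address is whatever the firewall uses, not an address from a NAT gateway on the workload subnet.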
