Forum Discussion
Petri-X
Feb 06, 2024 | Bronze Contributor
Public IPs on Azure
Hi, I have been trying to read the documentation, but most likely I have used the wrong search terms. But does anybody know if the following kind of setup is possible on Azure? The main idea b...
Petri-X
Feb 09, 2024 | Bronze Contributor
It is well guessed by _AndreG 🙂 I indeed thought to set up a kind of traditional DMZ solution on Azure. And thanks to jmoriss7 as well for your reply.
No, we are not willing to give public IPs to the servers 🙂 We tried to use NATing with the selected FW instances, but it did not work, as that requires an external load balancer, and that has limitations for the NATs.
Because of that I started to think whether I could associate the pIP to the host instead. So the question was following the traditional DMZ solution where the host has the public IP. Then the FW takes care of the traffic filtering.
I have also tried to see how I could control the associated public IPs on the hosts, but that I have not been able to see. But thanks for reminding me about the NSGs, I believe I need to take a deeper look at that. Even so, we aim to use already known FW instances (not Azure FW).
A load balancer would not work, as these are webRTC-like hosts and require direct connections.
_AndreG
Feb 09, 2024 | Copper Contributor
Petri-X I am still a little confused as to what is not working when using Azure FW DNAT. You could assign an Azure Prefix to the Azure firewall and use DNAT to forward traffic from a specific public IP to a specific host server. An example could be like described here: Azure Firewall NAT Behaviors - Microsoft Community Hub
If you do not want to use Azure Firewall but a third-party NVA it gets, I think, a bit more complicated. In that scenario you would definitely need to use a (standard) load balancer and the rules get a bit complicated from there. You can assign multiple public IPs to the LB, but you'd need to either create load balancing rules to different (backend) ports on the NVA (and DNAT from there again) or have an NVA solution with multiple NICs. That does not scale very well depending on your needs.
Using a standard load balancer directly to a (group of) server(s) is an option, but that does have a minimum of 4 minutes idle timeout.
Using public IPs directly on the server is also an option but afaik you cannot do much with regards to IDS/IPS. You can use flow logs and Network Watcher traffic analysis to create some insights and potentially DDoS protection on the public IPs.
I have no experience with webRTC so I can't be more specific 😞
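The Azure Firewall DNAT layout _AndreG describes, written out as Azure CLI commands. This is an added illustration, not code from either poster or from Microsoft's documentation: it assumes a resource group, a VNet with an AzureFirewallSubnet and an existing Azure Firewall (`fw-dmz`) are already in place, and every resource name, address range and port below is a placeholder. The flags are those of the `az network firewall` / `az network public-ip` / `az network nsg` commands as the Azure CLI (with the `azure-firewall` extension) exposes them; verify them against `az ... --help` for your CLI version before running.

```azurecli
# Added example (not from the thread). One public IP per webRTC host, all
# terminating on Azure Firewall, which DNATs each one to a private host.
# Names, ranges and ports are assumed placeholders.
RG=rg-dmz
LOC=westeurope
VNET=vnet-dmz
FW=fw-dmz

# 1. Reserve a contiguous public prefix (/30 = 4 addresses). Outside parties
#    only ever see firewall-owned addresses, never the hosts themselves.
az network public-ip prefix create -g $RG -n pipfx-dmz --length 30 -l $LOC

# 2. Carve one Standard public IP per host out of the prefix and attach each
#    one to the firewall as an additional IP configuration.
for i in 1 2; do
  az network public-ip create -g $RG -n pip-webrtc-$i --sku Standard \
    --public-ip-prefix pipfx-dmz -l $LOC
  az network firewall ip-config create -g $RG -f $FW -n ipcfg-webrtc-$i \
    --public-ip-address pip-webrtc-$i --vnet-name $VNET
done

# 3. DNAT rules: public IP i :443 -> private host i :443, TCP and UDP so
#    webRTC media is covered. The first call creates the collection (action
#    and priority apply only then); the second adds a rule to it.
PIP1=$(az network public-ip show -g $RG -n pip-webrtc-1 --query ipAddress -o tsv)
PIP2=$(az network public-ip show -g $RG -n pip-webrtc-2 --query ipAddress -o tsv)
az network firewall nat-rule create -g $RG -f $FW --collection-name dnat-webrtc \
  --priority 100 --action Dnat -n to-host-1 \
  --protocols TCP UDP --source-addresses '*' \
  --destination-addresses $PIP1 --destination-ports 443 \
  --translated-address 10.10.1.4 --translated-port 443
az network firewall nat-rule create -g $RG -f $FW --collection-name dnat-webrtc \
  -n to-host-2 \
  --protocols TCP UDP --source-addresses '*' \
  --destination-addresses $PIP2 --destination-ports 443 \
  --translated-address 10.10.1.5 --translated-port 443

# 4. NSG on the host subnet (the point Petri-X was reminded of): only the
#    firewall subnet (assumed 10.10.0.0/26) may reach 443; the built-in
#    DenyAllInBound rule then drops anything that tries to bypass the firewall.
az network nsg create -g $RG -n nsg-webrtc -l $LOC
az network nsg rule create -g $RG --nsg-name nsg-webrtc -n AllowFromFirewall \
  --priority 100 --direction Inbound --access Allow --protocol '*' \
  --source-address-prefixes 10.10.0.0/26 --destination-port-ranges 443
az network vnet subnet update -g $RG --vnet-name $VNET -n snet-webrtc \
  --network-security-group nsg-webrtc
```

Two things worth checking before committing to this shape: `--source-addresses '*'` keeps the hosts reachable from any peer, which is usually what webRTC needs, so the NSG and the firewall's own logging (rather than a narrow source list) are what give you visibility and control; and the NAT behaviors article _AndreG links describes what source address the backend host sees after DNAT, which matters if the application must learn the real peer IP rather than a firewall address.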