Azure Firewall

Handian Sudianto 4,431

Hello,

Currently i have 3 server with Public IP enabled, and each server have specific rule to allow some ports accessing from internet. What i do is block incoming connection on the NSG.

If i have azure firewall, can i block incoming connection from the firewall? Also can we assign the VM public ip from Azure firewall like we create NAT on the on-prem firewall so we no need to assign public ip to each azure VM NIC.

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-07-02T06:06:33.1+00:00

@Handian Sudianto ,

Just checking in to see if the answer helped.

If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

And, if you have any further query do let us know.

Thanks,

Kapil

Accepted answer

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-06-26T12:40:20.8333333+00:00
@Handian Sudianto ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

To answer your query "I think DNAT is like Port Forwarding and not One to One NAT, am I right?"

Correct.

Please note that, with Multiple Firewall IPs,

You can specify the IP and Port for DNAT Traffic (incoming to Azure)

However, you cannot exclusively specify the IP (and Port) used for SNAT (outgoing from Azure)

See : Azure Firewall with multiple public IP

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
Please sign in to rate this answer.
Handian Sudianto 4,431 Reputation points

2024-06-26T23:33:01.7733333+00:00

Hi @KapilAnanth-MSFT

So for azure which have public ip address, the public ip should be assign directly into the NIC and for blocking incoming/outgoing traffic should be done by NSG and can't be done by Azure Firewall. Am i correct?

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-06-27T13:04:26.17+00:00

@Handian Sudianto ,

If you assign a Public IP to a VM's NIC and the Subnet does not have any UDR for "0.0.0.0/0" route :

There is a guarantee that both incoming and outgoing connections use the Public IP assigned to the NIC

And this IP is static (fixed)

You should use NSGs to restrict access to such VMs.

If there is a UDR on the Subnet with "0.0.0.0/0" route pointing to Azure Firewall:

Then all the outgoing connections use the Azure Firewall's Public IP

The catch here is that you cannot control which IP would be used in case the Firewall has multiple IP Addresses

All incoming connections should come from Azure Firewall using DNAT Rules.

Here, you can control which Azure Fw Public IP should be used with a particular VM.

This is the case even if the Azure VM has a standalone public IP associated with it.

Thanks,

Kapil

Please Accept an answer if correct.

Original posters help the community find answers faster by identifying the correct answer.

Handian Sudianto 4,431 Reputation points

2024-06-27T13:27:53.86+00:00

Hi @KapilAnanth-MSFT , noted. So if i want to publish an application which hosting inside the Azure VM to the internet, the only way is to associate the Public IP directly into the NIC and use NSG to restrict the access.

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-07-01T05:25:53.1333333+00:00

@Handian Sudianto ,

That is one way.

You can also use Azure Firewall with NAT Rules.

See : Filter inbound Internet traffic with Azure Firewall DNAT

By using "Source" as "*", you can allow access to every IP

Similarly, if you specify a IP Range, you can control the allowed IPs.

Note:

When I said "outgoing connections use the Azure Firewall's Public IP and you cannot control which IP would be used in case the Firewall has multiple IP Addresses",

This only applies if the traffic originates from the VM itself.

But if the VM responds to a DNAT request, it will still use the same Azure Firewall IP for return traffic

i.e., in a flow, the IP remains constant.

In addition, you can consider

Azure App Gateway

Firewall and Application Gateway in parallel

Application Gateway before Firewall

Application Gateway after firewall

depending on your requirement.

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Handian Sudianto 4,431 Reputation points

2024-07-01T06:35:50.1566667+00:00

Hi @KapilAnanth-MSFT

This make me a little bit confuse.

Let say i have internal website hosting on Azure VM, and this website should accessible from Internet. The VM IP is 10.100.20.10 then i have public ip let say 3.3.3.3, also i have azure premium firewall for outbound any VM except VM 10.100.20.10 to the internet.

What i do now is i assign the public ip 3.3.3.3 to the VM NIC and use NSG to block unwanted access.

I believe the Azure Firewall is ore powerful to protecting internal resource from any attacker from internet than NSG.

In on-prem or traditional firewall we can assign many public ip into firewall interface and assign one to one NAT if there any VM needed accessible from internet.

So i want to know if we can implement same scenario on Azure Firewall so the azure firewall can do one to one NAT if there any VM needed accessible from internet and block unwanted access rather than using NSG.

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-07-01T06:50:20.8+00:00

@Handian Sudianto ,

Wrt, "What i do now is i assign the public ip 3.3.3.3 to the VM NIC and use NSG to block unwanted access."

Yes, this is possible

Wrt, "I believe the Azure Firewall is ore powerful to protecting internal resource from any attacker from internet than NSG."

Correct

Wrt, "So i want to know if we can implement same scenario on Azure Firewall so the azure firewall can do one to one NAT if there any VM needed accessible from internet and block unwanted access rather than using NSG."

You can use Azure Firewall DNAT rules to achieve this, yes.

See : Filter inbound Internet traffic with Azure Firewall DNAT

Hope this clarifies.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Handian Sudianto 4,431 Reputation points

2024-07-02T06:14:14.5933333+00:00

Hi @KapilAnanth-MSFT > You can use Azure Firewall DNAT rules to achieve this, yes.

So if the VM have public IP enabled on the NIC, outgoing traffic from this VM will be pass thru Public IP (3.3.3.3). How can Azure Firewall can filter inbound traffic from internet to this vm since the public ip 3.3.3.3 assigned directly to the NIC?

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-07-02T07:05:17.7533333+00:00

@Handian Sudianto ,

"So if the VM have public IP enabled on the NIC, outgoing traffic from this VM will be pass thru Public IP (3.3.3.3)"

If you do not have a UDR in the VM's subnet, your observation is correct

But If you have a UDR with 0.0.0.0/0 pointing nextHop as Azure Firewall, all the outgoing traffic from this VM will be pass through the firewall

i.e., it will not directly go to Internet

Now, from Firewall to Internet, the IP used will be the IP of the Firewall

Provided you have Network Rules allowing outbound traffic

"How can Azure Firewall can filter inbound traffic from internet to this vm since the public ip 3.3.3.3 assigned directly to the NIC"

If you have UDR with 0.0.0.0/0 pointing nextHop as Azure Firewall, the same logic applies.

Let's say you have a DNAT Rule in Azure Firewall.

When traffic hits the Azure Firewall IP, DNAT Rules process the traffic and sends the traffic to the VM - Inbound done

Now for response traffic from VM to internet, because of UDR, VM will send traffic to Firewall - Outbound done

Hope this clarifies.

Cheers,

Kapil

Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

Handian Sudianto 4,431 Reputation points

2024-07-03T01:51:56.3866667+00:00

Hi @KapilAnanth-MSFT

Noted and thank for your explanation.

KapilAnanth-MSFT 39,211 Reputation points Microsoft Employee

2024-07-03T03:04:27.6+00:00

@Handian Sudianto ,

You are welcome :)

Thanks for your continued contribution on Q&A and appreciate much for taking the time to share your feedback.
Sign in to comment

1 additional answer

Deepanshukatara-6769 6,715 Reputation points

2024-06-24T07:44:20.79+00:00
Hi @handian, Welcome to MS Q&A

I understand your concern about using Azure Firewall to block incoming connections and assigning public IPs to Azure VM NICs. Let me provide some information to address your questions:

Azure Firewall allows you to define what traffic to allow or deny through your firewall by creating rule collections. These rule collections include DNAT (Destination Network Address Translation), Network, and Application rules. The Network rule collections can be used to allow or deny traffic based on source IP addresses, destination IP addresses, ports, and protocols, including the ability to filter traffic using service tags. Additionally, you can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound internet traffic to your subnets, allowing you to control incoming connections

.

As for assigning public IPs to Azure VM NICs, Azure Firewall can help in this scenario by allowing you to translate and filter inbound internet traffic without the need to assign a public IP to each Azure VM NIC. This can be achieved by configuring DNAT rules in the Azure Firewall to translate your firewall public IP and port to a private IP and port, effectively providing NAT functionality similar to an on-premises firewall .

I hope this information helps address your concerns about using Azure Firewall to block incoming connections and assign public IPs to Azure VM NICs.

For more detailed instructions, you can view solutions:

https://video2.skills-academy.com/en-us/azure/firewall/tutorial-firewall-dnat

https://video2.skills-academy.com/en-us/azure/firewall/tutorial-firewall-dnat-policy

Kindly accept if it helps

If you have any questions , please let us know

Thanks

Deepanshu
Please sign in to rate this answer.
Handian Sudianto 4,431 Reputation points

2024-06-24T07:53:19.46+00:00

Hi,

I think DNAT is like Port Forwarding and not One to One NAT, am I right?

With DNAT i have a thought in the firewall i add 3 more public ip address and make DNAT rule to forwarding or map the public ip to the vm private ip address?

How for outgoing connection, example :

VM-1 will use Public IP-1 for internet access

VM-2 will use Public IP-2 for internet access

VM-3 will use Public IP-3 for internet access

Rest if VM will user Azure Firewall Public IP?

Deepanshukatara-6769 6,715 Reputation points

2024-06-24T08:10:50.3066667+00:00

I understand your question about using DNAT in Azure Firewall and how to ensure that specific VMs use different public IPs for outgoing connections. Let me provide some information to address your questions:

How Azure Firewall manages network traffic depends on where the traffic originates:

For allowed inbound traffic, Azure Firewall uses DNAT to translate the firewall's public IP address to the private IP address of the appropriate destination resource in the virtual network.

For allowed outbound traffic, Azure Firewall uses SNAT to translate the source IP address to the firewall's public IP address.

Hence by using concept of SNAT and DNAT we can have one public IP with inbound and outbound connections

Please check this for detailed steps by step process and functioning https://video2.skills-academy.com/en-us/training/modules/introduction-azure-firewall/3-how-azure-firewall-works

Deepanshukatara-6769 6,715 Reputation points

2024-06-24T08:56:15.27+00:00

@handian , did your query resolved or you have further questions?
Sign in to comment

Share via

Azure Firewall

1 additional answer