This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(57.599999999999994, 47%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECP%3C/text%3E%3C/svg%3E)
Hello,
I'm currently setting a new azure environment and I'm having troubles to understand what is the best course of action here.
I have a Vnet with 2 subnets, Subnet 1 for Azure firewall and Subnet 2 for Azure VM.
I want my VMs to be able to communicate outbound but only going through the Azure Firewall. I made a default route 0.0.0.0/0 with next hop on the firewall private address using this tutorial : https://video2.skills-academy.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
I currently have 2 issues :
I don't know if I'm actually supposed to use a NAT Gateway so I'll use the firewall public IP for Inbound and the NAT Gateway for Outbound or if I can change something on my network to change this parameter ?
I thought SNAT in the firewall strategy settings would work but apparently not.
Thank you for your help !
Hi,
You will not need NAT gateway. Azure Firewall can perform SNAT and send Internet traffic. You will need to create a Network rule to allow outbound traffic to Internet explicitly. Can you try post creating outbound access rule ?
Regards,
Karthik Srinivas
Hello,
Thank you for answering !
Here is the rule I created :
I can contact internet from this subnet but as I said previously any ping is dropped and my private address can be seen when reaching outside.
Have a nice day !
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 51%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Hi,
For the ping issue, if you are able to reach the internet, then ICMP might be blocked by an NSG applied on the NIC or the subnet of the VM.
For the private IP issue, It believe it is practically impossible to reach any destination on the internet with your private IP, so assuming from the first issue that you can reach the internet through Azure FW that means that you are successfully NATed. Please advise how you are assuming that you are discovered outside by your private IP address ? And please confirm also that your destination is public, not private using a VPN gateway or any tunneling to reach it.
Best regards,
Hi @NaderBaky ,
For the ping issue, I added this rule to the NSG applied to my VM without any luck.
It's still not working but I can (and could also without this rule) ping VM that are in my Office Network through a VPN Gateway.
So I think that the issue is mostly on the Azure firewall (I disabled Windows firewall completely on the VM for my tests). But I added a network rule on the firewall that should let pass any ping :
So I have to say I'm at a loss with the ping issue.
About the private ip issue, I used the site http://www.mon-ip.com/ and it could see my private address as well as the public ip address from the firewall but classified as proxy. This is no longer an issue because I installer a NAT Gateway anyway on my network.
Thank you for your help!
Hi,
I will need to understand the setup more, how the firewall is integrated with the NAT Gateway ? Are they both having public IPs and can be a gateway to the internet ?
However, if you can ping private IP only and not public IPs outside. I would guess that your issue that the return traffic is taking a different path internally and couldn't be deNATed on the FW. Azure FW is performing SNAT by default for any outgoing traffic hitting a network rule and destined only to public IPs. You can try disabling the SNAT from the firewall as a work around and check if this solves the issue then you have asymmetric routing issue that need to be resolved.
Hi,
I found the answer, you just can't use ICMP through a NAT Gateway :
Here is the documentation stating this : https://video2.skills-academy.com/en-us/azure/virtual-network/nat-gateway/troubleshoot-nat
The reason I put a NAT Gateway is also because I learned that if you put several public IP on your FW you won't be able to choose which one a VM will use to go outbound so having a NAT Gateway allow for a static IP address for outbound connection.
Thank you for your help !