Thanks for the response, davidfrazee! Yes, I believe we're talking about the same scenario. I have a situation where I need to use a public IP address (non-RFC 1918 address) on our private virtual network. This public IP address should not be accessible from the internet. I believe the scenario you describe in East-West Traffic Flow (Non-IANA RFC 1918 & Non-IANA RFC 6598 Private Address Space) is the same thing, but I guess my main question is how to assign the public IP address to a resource and to confirm that the traffic will flow to the public IP address over the private network.
You said "Since the firewall is aware of a private network path to this address space, it will use the IP of the AzureFirewallSubnet to SNAT rather than use its public IP." SNAT is not a concern (although it's good to know that behavior can be modified), but I just want to confirm that the Azure Firewall will keep the traffic within the private network when connecting to our public IP address.
For the example configuration, you said "The destination is a virtual machine hosted in Azure that uses a public IP space for its network." Does that mean that the VM is assigned a public IP address just like you'd do if you wanted to make the VM accessible from the internet?
(By the way, I know this configuration is a silly way to design your network, but it's required by certain healthcare vendors I've worked with in the past. Previously, I've simply DNATed the public IP to the private IP within an NVA, but I was curious if I could achieve the same result with Azure Firewall.)