NAT Gateway after firewall for outgoing network traffic

Hi guys,

I have a bunch of VMs in a subnet. I would like them to have a static outbound IP from a NAT gateway; however, I also want to filter the outbound traffic from these VMs through an Azure Firewall. Is it possible to route the traffic back to a NAT gateway after the traffic has gone through the Firewall? I do not wish to put a NAT gateway on my AzureFirewallSubnet, as I want different public IP outbound addresses for different services.

Is it possible to link a different outbound IP address for different subnets of VMs? Or do I need multiple Azure Firewalls for this purpose?

So again, the traffic will go like this:

(outbound) VM Subnet -> Firewall -> NAT Gateway -> Internet

Thanks in advance.

Stan

2 Replies
One of the ways you can manage access to outbound networks from an Azure subnet is with Azure Firewall.
Create a default route (0.0.0.0/0) for outbound and inbound connectivity through the firewall, with next hop type Virtual appliance and the firewall's private IP address as the next hop. Once the route is created, associate the workload subnets with this route. Configure the necessary application and network rules for the outbound access that the VMs' traffic should traverse through this route.
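An added example (not code from the thread) of the route-table setup the reply above describes, written in Bicep; the VNet, subnet, prefix and firewall private IP are placeholder assumptions.

```bicep
// Added example, not from the thread: a route table that sends the workload
// subnet's outbound traffic to Azure Firewall, as the first reply describes.
// Assumptions (placeholders): VNet 'hub-vnet', subnet 'workload-subnet'
// (10.0.1.0/24), and a firewall whose private IP is 10.0.0.4.
param location string = resourceGroup().location
param vnetName string = 'hub-vnet'
param workloadSubnetName string = 'workload-subnet'
param workloadSubnetPrefix string = '10.0.1.0/24'
param firewallPrivateIp string = '10.0.0.4'

// Default route: everything not matched by a more specific route goes to the
// firewall's private IP as a virtual appliance next hop.
resource workloadRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload-via-firewall'
  location: location
  properties: {
    // Keep learned BGP routes from bypassing the firewall.
    disableBgpRoutePropagation: true
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Associate the route table with the workload subnet. Any other subnet
// settings already in place (for example an NSG) must be repeated here,
// because deploying the subnet resource replaces its properties.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: workloadSubnetName
  properties: {
    addressPrefix: workloadSubnetPrefix
    routeTable: {
      id: workloadRouteTable.id
    }
  }
}
```

The route only steers traffic to the firewall; outbound connections are still denied until matching application or network rules exist in the firewall's policy.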
Although this is true (and the basic setup for the Azure Firewall), if the Azure Firewall has multiple public IP addresses, the firewall will randomly select the public IP address it sees fit (according to MS Docs).
I have the same question as @StanAzure1792: Is it possible to implement Azure NAT Gateway at the trusted or untrusted side of the Azure Firewall, in order to use the same outbound public IP address that is bound to the Azure Firewall?

Logically seen:
VM --> NAT Gateway with pub IP --> Azure Firewall (no NAT) --> Internet
or VM --> Azure Firewall --> NAT Gateway with pub IP --> Internet

The root cause of this question is a missing feature in Azure Firewall, as it does not support designating a specific public IP address for specific outbound traffic.
This is dearly needed for e.g. sFTP, SSH, coin mining, basically any outbound service...