NAT behavior of Azure Firewall (2023)

Azure Firewall is an intelligent, cloud-native network firewall security service that can be integrated into many different use cases. It's a full-fledged firewall as a service with built-in high availability and unlimited cloud scalability, enabling east-west and north-south traffic control. There are expected NAT behaviors depending on how traffic flows through Azure Firewall. NAT, or Network Address Translation, is a method of remapping one IP address to another by changing the network address information in the IP packet header. When traffic passes through Azure Firewall, the firewall can perform NAT to translate the source or destination IP addresses and ports of the packets. The specific behavior of NAT depends on the firewall configuration and the type of NAT used. In this blog we cover what behaviors to expect for incoming traffic through DNAT rules and for outgoing traffic via network rules and application rules in Azure Firewall.

Azure Firewall can translate incoming Internet network traffic to its public IP address and filter it to private IP addresses in your virtual networks or to another public IP address. This is achieved using Destination Network Address Translation (DNAT) rules in Azure Firewall rules. When a new flow matches a DNAT rule in Azure Firewall, the source and destination IP addresses are translated to new values. If the destination is a private IP address in the virtual network, the source IP address is translated to one of the IP addresses in the AzureFirewallSubnet of the virtual network, while the destination IP address is translated to what is configured as the Translated address in the DNAT rule. Also, the source port used by the source computer is preserved across the connection.

Below is an example of a network flow using a DNAT rule targeting a virtual machine hosting an IIS server listening on TCP port 80. The client computer is a virtual machine hosted in Azure that goes directly to the Internet to reach the public IP of the Azure Firewall. Below is the DNAT rule configuration targeting the backend IIS server.

[Figure 1]

The client sends an Invoke-WebRequest command to the FQDN (fully qualified domain name), which resolves to the firewall's public IP, 40.122.188.187. The Invoke-WebRequest cmdlet sends HTTP and HTTPS requests to a website or web service. It parses the response and returns collections of links, images, and other important HTML elements.

[Figure 2]

From the client's perspective, the packet capture provides the relevant information. The source IP is the private IP of the client virtual machine, 10.100.0.4, and the destination IP is the Azure Firewall, 40.122.188.187. The packet capture also shows source port 56393 and destination port 80.

[Figure 3]

After Azure Firewall receives the flow, it writes the action to the configured Log Analytics workspace. The following log shows the source IP and port that the client computer uses when traversing the Internet, 20.29.103.252:80, the destination IP and port, 40.122.188.187:80, and the translated IP and port, which is the private IP address of the target virtual machine in Azure, 10.200.0.4:80.

[Figure 4]

Now let's focus on Azure Firewall's NAT behavior by analyzing the packet capture taken on the destination virtual machine. The packet capture shows that the source IP has been translated to a new value, 10.0.0.5. This IP comes from the AzureFirewallSubnet within the virtual network. The destination IP is also translated to 10.200.0.4, the target VM hosting IIS.

*Note: As a recommended best practice in this configuration, when NSGs (Network Security Groups) are used in the environment, limit incoming traffic on the destination port to the AzureFirewallSubnet IP range. An explicit deny-all rule in the NSG will cause this DNAT traffic to fail unless a higher-priority NSG rule allows the AzureFirewallSubnet IP range.


[Figure 5]

Azure Firewall DNAT behavior is easy to monitor and makes troubleshooting straightforward when a flow needs to be followed end-to-end. Although the source and destination IPs are translated, and in some scenarios the destination port is also translated, values are kept within the flow that can help identify packets for network troubleshooting. For example, Azure Firewall preserves the source port, IP ID, and sequence numbers (when the actual values are used rather than the relative values generated by the packet capture application).

Azure Firewall allows you to centrally create network filtering rules to allow or deny traffic based on source and destination IP address, port, and protocol. The firewall is fully stateful, so it can distinguish legitimate packets for different connection types. Azure Firewall supports layer 3 and layer 4 network protocol stateful filtering. When it comes to Azure Firewall's NAT behavior via network rules, the behaviors differ depending on how the environment is configured. In the following sections, we cover various common Azure Firewall scenarios and explain the NAT behavior for each.

East-West Traffic Flow (IANA RFC 1918 & IANA RFC 6598)

East-west traffic flow refers to traffic between Azure virtual networks, either between subnets within a virtual network or between peered virtual networks, as well as traffic between Azure virtual networks and on-premises networks via Virtual Private Network (VPN) or ExpressRoute (ExR) connections. If this traffic is within an RFC 1918 or RFC 6598 address space, and the flow is filtered by a network rule, Azure Firewall does not perform Source Network Address Translation (SNAT) on the flow. This means that all network flow tuple values are preserved when passing through the Azure Firewall. This behavior can be changed by configuring private IP ranges in Azure Firewall. Changes can be made within this configuration to accommodate different Azure Firewall SNAT behaviors for network rules.

  • First, force the firewall to SNAT traffic flows destined for the RFC 1918/RFC 6598 address space to an AzureFirewallSubnet IP address.
  • Second, prevent the firewall from SNATing traffic regardless of destination. This configuration prevents Azure Firewall from sending traffic directly to the Internet. Use this when Azure Firewall is deployed in a forced-tunnel configuration where another network device is the egress point.
  • Finally, set the range of IP addresses for which the firewall does not perform SNAT. Non-RFC 1918 and non-RFC 6598 address spaces can be defined in this configuration.

[Figure 6]

East-West Traffic Flow (Non-IANA Private Address Space RFC 1918 and Non-IANA RFC 6598)

There are scenarios where organizations need to use public IP address spaces to define their private networks. By default, when this is done, Azure Firewall performs SNAT on these network flows. If those public ranges are defined in Azure or on-premises, and Azure Firewall has a direct path to them through the virtual network or VPN/ExR connections, the destinations will see the IP addresses of the AzureFirewallSubnet. Because the firewall knows the private network path to this address space, it uses an AzureFirewallSubnet IP address to SNAT instead of its public IP.

Below is an example of what traffic looks like when using public IP address spaces on private networks. The client machine is an Azure-hosted virtual machine that passes through the Azure Firewall and is filtered by a layer 3 network rule. The target is an Azure-hosted virtual machine that uses a public IP range for its network. Below is the network rule configuration that allows this traffic.

[Figure 7]

On the client computer, the client uses Test-NetConnection to send ICMP (Internet Control Message Protocol) traffic to the destination 200.35.0.4. The Test-NetConnection cmdlet displays diagnostic information for the connection. It supports ping testing, Transmission Control Protocol (TCP) testing, route tracing, and route selection diagnostics.

[Figure 8]

From the client's perspective, the packet capture shows an ICMP packet destined for 200.35.0.4, and the source IP is 10.100.0.4.

[Figure 9]


After Azure Firewall receives this flow, a network rule filters it and lets it reach its destination. The log below shows the original source IP and destination IP and the protocol defined as ICMP Type=8.

[Figure 10]

From the destination's perspective, the packet capture shows that SNAT is being performed. The source IP address was changed from the original 10.100.0.4 to an AzureFirewallSubnet address, 10.0.0.6, even though the destination is technically on a private network.

[Figure 11]

This behavior is expected since the destination address space is a public IP range, even when it is used as a private network. Changing this behavior is simple: select "For all IP addresses except those listed below" and then define the range under the Source Network Address Translation (SNAT) addresses.

[Figure 12]

Below is what the ping behavior looks like when the above change is applied. Here is the new ping from the client computer after the change was made.

[Figure 13]

This is the same ping captured on the destination side. Note that Azure Firewall no longer performs SNAT.

[Figure 14]

North-south traffic flow

Instead of application rules, network rules can also be used to filter north-south traffic. North-south traffic refers to traffic flowing in and out of the data center, or in this case the Azure region. If you use both network and application rules for HTTP/S filtering, the network rules are applied to the flow before the application rules. In this case, the following NAT behavior is expected.

On the client computer, the client performs Nslookup for the FQDN cxefirewall.centralus.cloudapp.azure.com and then Invoke-WebRequest for the same domain to push HTTP traffic through the firewall. Nslookup returns a target IP of 104.43.236.2, a public IP mapped directly to the virtual machine hosting IIS.

[Figure 15]


[Figure 16]

From the client's perspective, the packet capture shows an HTTP request directed to 104.43.236.2 with a source IP of 10.100.0.4.

[Figure 17]

When Azure Firewall receives the flow, it is matched against a network rule and then forwarded to the public Internet. The log shows the original source and destination IP and the original source and destination port.

[Figure 18]

On the destination server, the packet capture shows that the source IP has changed to Azure Firewall's public IP. The source port is also changed, as the flow is filtered by a network rule and then forwarded to the Internet. In this scenario, other values are preserved when using egress network rules that can help with end-to-end tracing, e.g., the sequence number and IP ID.

[Figure 19]

FQDN filtering (public and internal endpoints)

Azure Firewall can use FQDNs in network rules based on DNS resolution in firewall rules. This feature allows the firewall to filter outbound traffic using any TCP/UDP protocol (including NTP, SSH, RDP, and others). DNS proxy must be enabled when using FQDN filtering in network rules. When FQDN filtering is used in network rules, Azure Firewall SNATs the flow even if the destination is within the RFC 1918 and RFC 6598 address spaces. Below is an example when FQDN filtering is used in network rules and the destination IP is within the RFC 1918 address space.

On the client computer, the client performs an nslookup on the FQDN www.cxefirewall.net and then Invoke-WebRequest for the same domain to run HTTP traffic through the firewall. Nslookup shows that the destination IP is 10.200.0.4, a private IP.

[Figure 20]

[Figure 21]

From the client's perspective, the packet capture shows an HTTP request directed to 10.200.0.4 with a source IP of 10.100.0.4.

[Figure 22]


After Azure Firewall receives this flow, the network rule uses FQDN filtering to filter it and let it through to its destination. The log shows the original source and destination IP and the source and destination port. Logs generated when a network rule uses an FQDN instead of a defined IP range show the destination as the IP rather than the FQDN configured for the rule.

[Figure 23]

On the destination server, the packet capture shows that the request arrived with a source IP of 10.0.0.6, an IP that is part of the AzureFirewallSubnet. It also shows that the source port was translated by Azure Firewall. Even though the destination is a private IP, this SNAT behavior is expected when using FQDN filtering in network rules.

[Figure 24]

Azure Firewall can use application rules to restrict outbound HTTP/S traffic or Azure SQL traffic to a specific list of FQDNs, including wildcards. When a flow matches an application rule, Azure Firewall always SNATs the traffic, regardless of what is configured in the Private IP Ranges feature.

On the client computer, the client performs Nslookup for the FQDN cxefirewall.centralus.cloudapp.azure.com and then Invoke-WebRequest for the same domain to push HTTP traffic through the firewall. Nslookup returns a target IP of 104.43.236.2, a public IP mapped directly to the virtual machine hosting IIS.

[Figure 25]

[Figure 26]

From the client's perspective, the packet capture shows an HTTP request directed to 104.43.236.2 with a source IP of 10.100.0.4. Pay attention to the source port 56067 and even the sequence numbers in the packet capture Info column, as SNAT behavior differs between network rules and application rules.

[Figure 27]

After Azure Firewall receives this flow, it is filtered by an application rule and then forwarded to the public internet. The log shows the original source and destination IP and the source and destination port.

[Figure 28]

On the destination server, the packet capture shows that the source IP has changed to Azure Firewall's public IP. The source port and sequence numbers are also changed because the flow is filtered by an application rule. This SNAT behavior is expected in this configuration.

[Figure 29]
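As an added example (not code from this post or from Microsoft, and not an Azure API), the following Python encodes the NAT outcomes observed in the DNAT, east-west, FQDN-filtering and application-rule sections above, so a flow can be compared against what a destination-side packet capture should show. The IP addresses are the post's lab values; the "iana"/"always"/"never"/custom modes for Private IP ranges and the assumption that every SNAT other than DNAT rewrites the source port are labelled in the code.

```python
"""Predict what a destination sees after Azure Firewall NAT, per this post.
Added example, not Microsoft's code or an Azure API; addresses are lab values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Union

# Default "Private IP ranges": IANA RFC 1918 plus RFC 6598.
IANA_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12",
                       "192.168.0.0/16", "100.64.0.0/10")

# Lab values from the post. The firewall uses whichever AzureFirewallSubnet
# address its instance owns (the post's captures show 10.0.0.5 and 10.0.0.6).
FW_SUBNET_IP = "10.0.0.6"
FW_PUBLIC_IP = "40.122.188.187"


@dataclass(frozen=True)
class Outcome:
    snat: bool                # was the source address rewritten?
    src_ip_seen: str          # source IP the destination captures
    src_port_preserved: bool  # does the capture still show the client's port?
    dst_ip_seen: str          # destination IP after any DNAT


def _in_ranges(ip: str, cidrs: Iterable[str]) -> bool:
    addr = ip_address(ip)
    return any(addr in ip_network(c) for c in cidrs)


def predict(src_ip: str, dst_ip: str, rule: str, *,
            fqdn_rule: bool = False,
            private_ranges: Union[str, Iterable[str]] = "iana",
            privately_routed: bool = True,
            dnat_translated: Optional[str] = None) -> Outcome:
    """rule: "dnat", "network" or "application".
    private_ranges: "iana" (default), "always" (SNAT every destination),
    "never" (SNAT nothing) or a custom list of CIDRs replacing the default.
    privately_routed: destination reached via VNet/VPN/ExR, not the Internet.
    Assumption: any SNAT other than DNAT also rewrites the source port."""
    if rule == "dnat":
        # Inbound DNAT: destination becomes the rule's Translated address,
        # source becomes an AzureFirewallSubnet IP, source port is kept.
        return Outcome(True, FW_SUBNET_IP, True, dnat_translated or dst_ip)

    if rule == "application" or fqdn_rule or private_ranges == "always":
        # Application rules and FQDN network rules always SNAT, whatever
        # the Private IP ranges setting says.
        snat = True
    elif private_ranges == "never":
        snat = False
    else:
        cidrs = IANA_PRIVATE_RANGES if private_ranges == "iana" else private_ranges
        snat = not _in_ranges(dst_ip, cidrs)

    if not snat:
        # East-west inside the private ranges: the whole tuple is preserved.
        return Outcome(False, src_ip, True, dst_ip)

    # SNAT to an AzureFirewallSubnet IP when the firewall has a private path
    # to the destination, otherwise to the firewall's public IP.
    return Outcome(True, FW_SUBNET_IP if privately_routed else FW_PUBLIC_IP,
                   False, dst_ip)
```

Compare the returned Outcome with the source IP and port seen in the destination-side capture; a mismatch usually means the flow matched a different rule type or the Private IP ranges setting is not what you expect.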


As mentioned earlier, there are many different use cases that Azure Firewall can be used for and different ways that network traffic can flow through the resource. Knowing what NAT behavior to expect when traffic flows through your Azure Firewall can help you quickly identify potential network issues and monitor traffic end-to-end.

Noticed the simplicity of the protocols used in the examples and want to learn more? Read more about Azure Firewall structured logs here.

Resources

  1. Overview of Azure Firewall – What is Azure Firewall? | Microsoft Learn
  2. Overview of Azure Firewall Manager – What is Azure Firewall Manager? | Microsoft Learn
  3. Azure Firewall SKUs – Choosing the right Azure Firewall SKU for your needs | Microsoft Learn
  4. Azure Firewall SNAT documentation – Azure Firewall SNAT private IP address ranges | Microsoft Learn
  5. Azure Firewall Policy FQDN Filtering (Network Policy) – Azure Firewall Manager filtering in network policies | Microsoft Learn
  6. Azure Firewall Structured Logs – Azure Structured Firewall Logs (preview) | Microsoft Learn
  7. Azure Firewall Limitations – Azure subscription limits and quotas - Azure Resource Manager | Microsoft Learn
