Azure Firewall IP Addresses

This document details the IP address considerations for Azure Firewall, including public and private IP addresses, and how they are used for communication and management.

Public IP Addresses

Azure Firewall requires at least one public IP address. Public IPs are used for outbound internet connectivity (SNAT) and for inbound connections published through DNAT rules. Each public IP must be a Standard SKU, statically allocated address, and a single firewall can have multiple public IP addresses associated with it.

  • Outbound Connectivity: Outbound traffic to public destinations that is routed through Azure Firewall leaves from one of the firewall's public IP addresses, so your internal resources can reach the internet without exposing their private IP addresses. When several public IPs are attached, Azure chooses which one a given connection uses, so any downstream allow-list must contain all of them.
  • Management Traffic: Azure manages and updates the firewall instances for you, and that management traffic uses a public IP address that Azure controls. If you enable forced tunneling (so that the firewall's own 0.0.0.0/0 route points at an on-premises or NVA next hop) or deploy the Basic SKU, you must provide a dedicated management public IP address and a subnet named AzureFirewallManagementSubnet; management traffic then stays separate from customer traffic and is never sent down your default route.
  • SNAT (Source Network Address Translation): By default, Azure Firewall SNATs traffic that matches a network rule only when the destination is a public IP address. Destinations in the RFC 1918 private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and the RFC 6598 shared address space (100.64.0.0/10) keep their original source address. Traffic handled by application rules is always SNATed because it passes through a transparent proxy. The list of private ranges is configurable if you need different behaviour.

Private IP Addresses

In addition to its public IP addresses, Azure Firewall has a private IP address that Azure allocates from the subnet named AzureFirewallSubnet in your virtual network. This private IP is what routes traffic through the firewall within your virtual network.

  • Internal IP Address: The firewall's private IP address is the next-hop address (next hop type Virtual appliance) in the route tables of the subnets whose traffic should pass through the firewall. This directs traffic destined for the internet, for peered virtual networks or for on-premises networks through the firewall.
  • One Private IP per Firewall: Azure Firewall is a managed service that scales out behind this single private IP. You do not assign additional private IPs to it, and availability zone deployments do not expose per-instance addresses; the private IP stays the same no matter how many instances are running. The only other private address is the management address taken from AzureFirewallManagementSubnet when forced tunneling or the Basic SKU is used.
  • Subnet Requirements: AzureFirewallSubnet (and AzureFirewallManagementSubnet, when present) must use exactly that name and be /26 or larger so that the firewall has room to scale.

IP Address Requirements and Limitations

When configuring your Azure Firewall, keep the following requirements and limitations in mind:

  • At least one Standard SKU, static public IP address is mandatory for Azure Firewall to function.
  • The firewall must be deployed into a subnet named AzureFirewallSubnet of size /26 or larger; Azure assigns the firewall's private IP address from that subnet, and that address is the next hop you reference in route tables.
  • A Basic SKU firewall, or a firewall of any SKU with forced tunneling enabled, additionally needs a subnet named AzureFirewallManagementSubnet (/26 or larger) and a dedicated management public IP address.
  • Azure Firewall supports IPv4 addresses only.

Note: When you create an Azure Firewall you must supply a public IP address: you can either create a new one or associate an existing Standard SKU static public IP. Azure then allocates the firewall's private IP address from AzureFirewallSubnet; you do not choose it.

Example Scenario

Consider a virtual network with multiple subnets. To route all outbound internet traffic through Azure Firewall, you create a route table with a default route (0.0.0.0/0, next hop type Virtual appliance, next hop address set to the firewall's private IP) and associate it with the workload subnet(s). When a virtual machine in such a subnet initiates a connection to an external website, the most specific matching route is the default route, so the traffic is sent to the firewall. The firewall evaluates its rules and, because the destination is a public IP, performs SNAT: it replaces the VM's private source IP with one of the firewall's public IPs and forwards the request to the internet. Two details matter in practice: traffic to the VM's own virtual network still follows the more specific VNet-local system route and never reaches the firewall unless you add a more specific route for it, and traffic the firewall forwards to private destinations (for example a peered spoke) keeps the VM's source address by default, so the receiving side sees the VM's IP rather than the firewall's. Do not associate this route table with AzureFirewallSubnet itself; a default route on that subnet pointing back at the firewall would loop.
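The following Python is an added example written for this page; it is not Azure's code or SDK and does not talk to Azure. It models the route lookup and the SNAT decision described in the Public IP Addresses section and in the scenario above, so that you can check what source address a destination will see before you write its allow-list. The names (`Route`, `Firewall`, `egress_source`, `validate_firewall_design`), the hub/spoke addresses and the route table are constructed for illustration; the non-SNAT ranges are the documented defaults. It goes slightly beyond the scenario by also covering a peered spoke reached through the firewall and the difference between network and application rules.

```python
# Added example: a small model of Azure Firewall routing and SNAT behaviour.
# Illustrative code only; addresses and routes below are constructed sample data.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Destination ranges Azure Firewall does not SNAT by default for network rules:
# RFC 1918 private space plus RFC 6598 shared address space.
DEFAULT_NO_SNAT_RANGES = [
    ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")
]


@dataclass
class Route:
    prefix: IPv4Network
    next_hop_type: str                  # "VirtualAppliance", "VnetLocal", "Internet", "None"
    next_hop_ip: Optional[IPv4Address] = None


@dataclass
class Firewall:
    private_ip: IPv4Address             # the single private IP Azure allocates in AzureFirewallSubnet
    subnet: IPv4Network                 # AzureFirewallSubnet (must be /26 or larger)
    public_ips: list                    # one or more Standard SKU static public IPs
    no_snat_ranges: list = field(default_factory=lambda: list(DEFAULT_NO_SNAT_RANGES))


def longest_prefix_match(routes: list, dst: IPv4Address) -> Optional[Route]:
    """Azure uses the most specific matching route (system route or UDR)."""
    matches = [r for r in routes if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def validate_firewall_design(routes: list, fw: Firewall) -> list:
    """Return the configuration problems a reviewer would flag (empty list means OK)."""
    problems = []
    if not fw.public_ips:
        problems.append("firewall needs at least one public IP")
    if fw.subnet.prefixlen > 26:
        problems.append("AzureFirewallSubnet must be /26 or larger")
    if fw.private_ip not in fw.subnet:
        problems.append("firewall private IP is not inside AzureFirewallSubnet")
    if not any(r.prefix == ip_network("0.0.0.0/0") for r in routes):
        problems.append("no 0.0.0.0/0 route: internet traffic bypasses the firewall")
    for r in routes:
        if r.next_hop_type == "VirtualAppliance" and r.next_hop_ip != fw.private_ip:
            problems.append(f"route {r.prefix} points at {r.next_hop_ip}, not the firewall")
    return problems


def egress_source(routes: list, fw: Firewall, src: IPv4Address, dst: IPv4Address,
                  rule_type: str = "network") -> tuple:
    """Return (path, source IP the destination sees) for one flow.

    rule_type "network": source preserved for private destinations (default ranges).
    rule_type "application": proxied, so the flow is always SNATed.
    """
    route = longest_prefix_match(routes, dst)
    if route is None or route.next_hop_type != "VirtualAppliance":
        return ("direct", src)                     # never reaches the firewall
    if route.next_hop_ip != fw.private_ip:
        raise ValueError("next hop is not the firewall's private IP")
    if rule_type == "network" and any(dst in n for n in fw.no_snat_ranges):
        return ("firewall", src)                   # forwarded with original source address
    # SNAT: Azure picks one of the attached public IPs; this model assumes the first.
    return ("firewall", fw.public_ips[0])


def sample_design() -> tuple:
    """Constructed sample: hub VNet 10.0.0.0/16 with AzureFirewallSubnet 10.0.0.0/26,
    a peered spoke 10.1.0.0/16, and the route table of a workload subnet in the hub."""
    fw = Firewall(ip_address("10.0.0.4"), ip_network("10.0.0.0/26"), [ip_address("203.0.113.10")])
    routes = [
        Route(ip_network("10.0.0.0/16"), "VnetLocal"),                        # system route
        Route(ip_network("10.1.0.0/16"), "VirtualAppliance", fw.private_ip),  # spoke via firewall
        Route(ip_network("0.0.0.0/0"), "VirtualAppliance", fw.private_ip),    # default via firewall
    ]
    return routes, fw


if __name__ == "__main__":
    routes, fw = sample_design()
    vm = ip_address("10.0.1.4")
    print("problems:", validate_firewall_design(routes, fw))
    for dst in ("198.51.100.7", "10.1.0.5", "10.0.2.9"):
        print(dst, "->", egress_source(routes, fw, vm, ip_address(dst)))
```

Running the script shows the internet destination seeing 203.0.113.10, the spoke seeing the VM's own 10.0.1.4 (no SNAT for a private destination under a network rule), and the same-VNet destination being reached directly without touching the firewall. Changing the rule type to "application" for the spoke flow makes it SNAT, which is why allow-lists in a spoke must be written differently depending on which rule type fronts the traffic.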

Tip: To keep rules manageable, use IP Groups (a separate Azure resource that works with Azure Firewall rules and is not a Premium-only feature) to give a name to frequently used sets of IP addresses and ranges, and reference the group from your rules instead of repeating the addresses.

Next Steps

Now that you understand the IP address configurations, you may want to explore: