Azure Firewall NAT Rules
Azure Firewall Network Address Translation (NAT) rules enable you to control how network traffic is translated when it passes through your Azure Firewall. This is particularly useful for scenarios like exposing internal services to the internet or for directing traffic to specific internal resources.
What are NAT Rules?
NAT rules allow you to perform the following actions:
- DNAT (Destination Network Address Translation): Translates the destination IP address and/or port of incoming traffic to a specific internal IP address and/or port. This is commonly used to publish services hosted within your virtual network to the internet.
- SNAT (Source Network Address Translation): Translates the source IP address of outgoing traffic. Azure Firewall automatically provides SNAT for outbound traffic from your virtual network to the internet. However, you can configure specific SNAT rules to override this behavior or for specific scenarios.
Key Concepts and Components
When configuring NAT rules, you'll encounter the following:
- Rule Collection: A logical grouping of NAT rules. Each rule collection has a priority.
- Rule: Defines the criteria and action for a specific translation.
- Priority: Determines the order in which rules are processed. Lower numbers have higher priority.
- Protocol: The network protocol (e.g., TCP, UDP, Any).
- Source Type: Can be 'IP Address' or 'Service Tag'.
- Source Address/IP Groups: The IP address or range of IP addresses that the rule applies to.
- Destination Type: Typically 'IP Address' for DNAT rules.
- Destination Address: The public IP address of the Azure Firewall for DNAT rules.
- Translated Address: The internal IP address to which the traffic will be translated.
- Translated Port: The internal port to which the traffic will be translated.
- Frontend IP Configuration: The public IP address of the Azure Firewall.
Creating DNAT Rules
DNAT rules are essential for making internal services accessible from the internet.
Example: Publishing a Web Server
Suppose you have a web server with the internal IP address 10.0.1.4 on port 80, and your Azure Firewall has a public IP address of 20.1.1.1.
- Navigate to your Azure Firewall resource in the Azure portal.
- Go to NAT rules.
- Click Add rule collection.
- Give the collection a name (e.g., WebServerDNAT) and set a priority.
- Add a rule with the following parameters:
  - Name: HTTP_Webserver
  - Protocol: TCP
  - Source type: Any (or specify allowed source IPs)
  - Source addresses: * (or specific IPs)
  - Destination type: IP Address
  - Destination address: 20.1.1.1 (your firewall's public IP)
  - Destination port: 80
  - Translated address: 10.0.1.4
  - Translated port: 80
  - Action: DNAT
- Save the rule collection.
Note: For DNAT rules, the Destination address is the public IP of the Azure Firewall, and the Translated address is the private IP of the internal resource.
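The same WebServerDNAT collection created with the Az PowerShell module instead of the portal, as an added example that is not part of the original page. The resource group name rg-hub, the firewall name fw-hub and the collection priority 100 are assumptions; the rule values are the ones from the example above.

```powershell
# Added example (not from the page): build the WebServerDNAT rule collection with Az PowerShell.
# Assumed names: resource group "rg-hub", firewall "fw-hub", collection priority 100.
$resourceGroup = "rg-hub"   # assumption
$firewallName  = "fw-hub"   # assumption

# Load the existing firewall object; the NAT rule collection is appended to it and the
# whole object is written back with Set-AzFirewall.
$azFw = Get-AzFirewall -Name $firewallName -ResourceGroupName $resourceGroup

# Rule from the page: TCP to the firewall public IP 20.1.1.1:80 is translated to 10.0.1.4:80.
# SourceAddress "*" publishes the service to every client on the internet; narrow it to the
# permitted client ranges whenever they are known (see the specificity best practice).
$webRule = New-AzFirewallNatRule -Name "HTTP_Webserver" `
    -Protocol "TCP" `
    -SourceAddress "*" `
    -DestinationAddress "20.1.1.1" `
    -DestinationPort "80" `
    -TranslatedAddress "10.0.1.4" `
    -TranslatedPort "80"

# Collection: a lower priority number is evaluated first, and the first matching rule wins.
$natCollection = New-AzFirewallNatRuleCollection -Name "WebServerDNAT" `
    -Priority 100 `
    -Rule $webRule `
    -ActionType "Dnat"

$azFw.AddNatRuleCollection($natCollection)
Set-AzFirewall -AzureFirewall $azFw

# Verify: re-read the firewall and list every NAT rule with its collection and priority,
# which is also a convenient basis for the periodic rule audit recommended below.
$azFw = Get-AzFirewall -Name $firewallName -ResourceGroupName $resourceGroup
foreach ($rc in $azFw.NatRuleCollections) {
    foreach ($r in $rc.Rules) {
        "{0} (priority {1}): {2} {3} {4}:{5} -> {6}:{7} from {8}" -f $rc.Name, $rc.Priority,
            $r.Name, ($r.Protocols -join ","), ($r.DestinationAddresses -join ","),
            ($r.DestinationPorts -join ","), $r.TranslatedAddress, $r.TranslatedPort,
            ($r.SourceAddresses -join ",")
    }
}
```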
Configuring SNAT Rules
While Azure Firewall automatically provides SNAT for outbound traffic, you might need custom SNAT rules for specific requirements.
Scenarios for SNAT Rules:
- Forcing specific outbound traffic to use a particular Azure Firewall public IP address.
- Excluding specific internal IP addresses from SNAT.
Example: Forcing Outbound SMTP Traffic
Suppose you need to ensure that all outbound SMTP (port 25) traffic originating from your internal network uses a specific Azure Firewall public IP address.
- Navigate to your Azure Firewall resource in the Azure portal.
- Go to NAT rules.
- Click Add rule collection.
- Give the collection a name (e.g., OutboundSMTP_SNAT) and set a priority.
- Add a rule with the following parameters:
  - Name: Force_SMTP_SNAT
  - Protocol: TCP
  - Source type: IP Address
  - Source addresses: 10.0.0.0/16 (your internal subnet)
  - Destination type: Any
  - Destination addresses: *
  - Destination port: 25
  - Translated address: [Your Firewall's Specific Public IP]
  - Translated port: * (usually left as is for SNAT)
  - Action: SNAT
- Save the rule collection.
Important: SNAT rules are processed after network and application rules. Ensure your SNAT rule priorities are set correctly relative to other rules.
Rule Processing Order
Azure Firewall processes rules in the following order:
- Network Rules
- Application Rules
- NAT Rules
Within NAT rules, they are processed based on their priority. If a packet matches a NAT rule, the translation is applied, and no further NAT rules are evaluated for that packet.
Best Practices
- Use Specificity: Be as specific as possible with source and destination IP addresses and ports to minimize the attack surface. Avoid using Any or * unless absolutely necessary.
- Leverage IP Groups: For managing multiple IP addresses, use Azure Firewall IP Groups to simplify rule configuration.
- Consistent Naming: Use clear and descriptive names for your rule collections and rules.
- Prioritize Rules Carefully: Ensure your rule priorities align with your security and traffic flow requirements.
- Regular Audits: Periodically review your NAT rules to ensure they are still relevant and effective.
By effectively configuring NAT rules, you can enhance the security and control over network traffic flowing through your Azure Firewall.