Azure Firewall: Private IP Addresses
Azure Firewall relies on both public and private IP addresses to function within your virtual network and to communicate with your on-premises networks.
Understanding Private IP Addresses for Azure Firewall
When you deploy an Azure Firewall instance, it requires a dedicated subnet named AzureFirewallSubnet. This subnet must have a prefix of /26 or larger. The Azure Firewall resource is deployed into this subnet and is assigned a private IP address from within it, typically the first usable address (for example 10.0.1.4 in 10.0.1.0/26, since Azure reserves the first four addresses of every subnet). Do not hard-code that guess into route tables; read the address back from the deployed resource instead.
Key Characteristics:
- Dedicated Subnet: Always use a subnet named AzureFirewallSubnet. Do not place any other resources in this subnet.
- IP Assignment: The Azure Firewall's private IP address is automatically assigned by Azure from the AzureFirewallSubnet. You cannot manually assign a specific private IP address to the firewall itself.
- Network Address Translation (NAT): The firewall uses its private IP address for internal routing and communication within the virtual network. For outbound traffic from your internal networks to the internet, it performs source NAT (SNAT) to its public IP address. By default the firewall does not SNAT traffic whose destination is a private address range (RFC 1918), so spoke-to-spoke and Azure-to-on-premises flows keep their original source IP unless you change the SNAT behaviour.
- Forced Tunneling: Workload subnets still use the firewall's private IP address as their next hop. The difference is that the AzureFirewallSubnet itself carries a default route to your VPN or ExpressRoute gateway, so internet-bound traffic continues to your on-premises firewall instead of leaving Azure directly. Forced tunneling additionally requires a second dedicated subnet named AzureFirewallManagementSubnet (also /26 or larger) with its own public IP, through which the firewall's management-plane traffic leaves without being affected by your user-defined routes.
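The following Terraform configuration is an added example, not code from the page or from Microsoft, showing the subnet, firewall and AzureFirewallSubnet routing for a forced-tunneling deployment. Resource names, address ranges and the location are assumptions; it also assumes a VPN or ExpressRoute gateway already exists in the hub virtual network so that the VirtualNetworkGateway next hop resolves.

```hcl
# Added example (assumed names and address ranges): Azure Firewall with forced tunneling.

resource "azurerm_resource_group" "hub" {
  name     = "rg-hub-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub-example"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  address_space       = ["10.0.0.0/16"]
}

# Data-plane subnet: the name is mandatory and the prefix must be /26 or larger.
resource "azurerm_subnet" "firewall" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.1.0/26"]
}

# Management subnet required for forced tunneling: fixed name, at least /26, nothing else in it.
resource "azurerm_subnet" "firewall_mgmt" {
  name                 = "AzureFirewallManagementSubnet"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.0.2.0/26"]
}

resource "azurerm_public_ip" "firewall" {
  name                = "pip-fw-data"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_public_ip" "firewall_mgmt" {
  name                = "pip-fw-mgmt"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

resource "azurerm_firewall" "hub" {
  name                = "fw-hub-example"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"

  # The private IP is taken from this subnet by the platform; it cannot be set here.
  ip_configuration {
    name                 = "data"
    subnet_id            = azurerm_subnet.firewall.id
    public_ip_address_id = azurerm_public_ip.firewall.id
  }

  # Adding this block is what enables forced tunneling: management traffic
  # exits via the management subnet and is not subject to the UDR below.
  management_ip_configuration {
    name                 = "mgmt"
    subnet_id            = azurerm_subnet.firewall_mgmt.id
    public_ip_address_id = azurerm_public_ip.firewall_mgmt.id
  }
}

# Route table on AzureFirewallSubnet: whatever the firewall forwards towards the
# internet is sent to the VPN/ExpressRoute gateway for on-premises inspection.
resource "azurerm_route_table" "firewall_subnet" {
  name                = "rt-azurefirewallsubnet"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name

  route {
    name           = "default-to-onprem"
    address_prefix = "0.0.0.0/0"
    next_hop_type  = "VirtualNetworkGateway"
  }
}

resource "azurerm_subnet_route_table_association" "firewall_subnet" {
  subnet_id      = azurerm_subnet.firewall.id
  route_table_id = azurerm_route_table.firewall_subnet.id
}

# Read the platform-assigned private IP back instead of guessing ".4".
output "firewall_private_ip" {
  value = azurerm_firewall.hub.ip_configuration[0].private_ip_address
}
```

Workload subnets are not shown here; they keep a 0.0.0.0/0 route whose next hop is the `firewall_private_ip` output, exactly as in a non-forced-tunneling deployment. Only the AzureFirewallSubnet route table changes.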
Configuring Private IP Addresses
The private IP address for Azure Firewall is automatically provisioned when you deploy the firewall resource in its dedicated subnet. There is no direct configuration required for the firewall's *private* IP address itself beyond ensuring the AzureFirewallSubnet is correctly sized and named.
Tip: The Azure Firewall service automatically manages the private IP address assigned to the firewall resource. You can view this IP address in the Azure portal under the firewall's overview page.
Default Route Configuration
To ensure traffic is routed through the firewall, you typically configure a default route (0.0.0.0/0) in a route table associated with your workload subnets. This route uses the next hop type VirtualAppliance and points at the Azure Firewall's private IP address. This forces all traffic from those subnets to pass through the firewall for inspection and policy enforcement. Two caveats: never associate this route table with the AzureFirewallSubnet itself (the firewall would route its own egress back to itself) or with the GatewaySubnet (which only needs routes for the spoke prefixes you want inspected, not 0.0.0.0/0), and if the virtual network has a VPN or ExpressRoute gateway, consider disabling gateway route propagation on the workload route table so that BGP-learned on-premises prefixes cannot create more-specific routes that bypass the firewall.
# Route table for workload subnets: all traffic leaves via the firewall.
resource "azurerm_route_table" "example" {
  name                = "example-routetable"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  route {
    name                   = "default"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    # The firewall's platform-assigned private IP, read from the deployed resource.
    next_hop_ip_address    = azurerm_firewall.example.ip_configuration[0].private_ip_address
  }
}

# Associate the route table with a workload subnet (not with AzureFirewallSubnet).
resource "azurerm_subnet_route_table_association" "example" {
  subnet_id      = azurerm_subnet.example.id
  route_table_id = azurerm_route_table.example.id
}
Scenarios
- Hub-Spoke Topology: In a hub-spoke network architecture, Azure Firewall is typically deployed in the hub virtual network. Its private IP address is used as the next hop in spoke virtual networks to route traffic through the firewall.
- On-Premises Connectivity: When connecting your virtual network to an on-premises network via Azure VPN Gateway or Azure ExpressRoute, the firewall's private IP is the next hop for traffic that must be inspected before it reaches the on-premises environment, and routes on the GatewaySubnet can likewise send inbound on-premises traffic for specific spoke prefixes to the firewall's private IP.
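The following Terraform configuration is an added example (not code from the page or from Microsoft) of the hub-spoke and on-premises scenarios above: a spoke peered to the hub, a spoke route table that sends everything to the hub firewall's private IP with gateway route propagation disabled, and the hub firewall subnet's own route to the internet. It assumes an existing hub resource group, virtual network, firewall and VPN/ExpressRoute gateway referenced as `azurerm_resource_group.hub`, `azurerm_virtual_network.hub` and `azurerm_firewall.hub`; all names and address ranges are assumptions.

```hcl
# Added example (assumed names and address ranges): spoke routing through a hub firewall.
# Assumes azurerm_resource_group.hub, azurerm_virtual_network.hub, azurerm_firewall.hub
# and a VPN/ExpressRoute gateway in the hub already exist.

resource "azurerm_virtual_network" "spoke" {
  name                = "vnet-spoke-example"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  address_space       = ["10.1.0.0/16"]
}

resource "azurerm_subnet" "spoke_workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.spoke.name
  address_prefixes     = ["10.1.1.0/24"]
}

# Peering in both directions. allow_forwarded_traffic is required so the spoke accepts
# packets that the firewall forwards on behalf of another spoke or on-premises.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "hub-to-spoke"
  resource_group_name       = azurerm_resource_group.hub.name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id
  allow_forwarded_traffic   = true
  allow_gateway_transit     = true
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "spoke-to-hub"
  resource_group_name       = azurerm_resource_group.hub.name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id
  allow_forwarded_traffic   = true
  use_remote_gateways       = true   # assumes a gateway exists in the hub
}

# Spoke route table: internet, other spokes and on-premises all go to the firewall's
# platform-assigned private IP. Disabling gateway route propagation prevents BGP-learned
# on-premises prefixes from becoming more-specific routes that skip the firewall.
resource "azurerm_route_table" "spoke" {
  name                          = "rt-spoke"
  location                      = azurerm_resource_group.hub.location
  resource_group_name           = azurerm_resource_group.hub.name
  disable_bgp_route_propagation = true   # azurerm v3 name; v4 renamed it bgp_route_propagation_enabled

  route {
    name                = "default-via-firewall"
    address_prefix      = "0.0.0.0/0"
    next_hop_type       = "VirtualAppliance"
    next_hop_ip_address = azurerm_firewall.hub.ip_configuration[0].private_ip_address
  }
}

resource "azurerm_subnet_route_table_association" "spoke" {
  subnet_id      = azurerm_subnet.spoke_workload.id
  route_table_id = azurerm_route_table.spoke.id
}

# The firewall's own subnet needs an explicit path out (no forced tunneling in this
# example). Never point AzureFirewallSubnet's default route back at the firewall.
resource "azurerm_route_table" "firewall_subnet_internet" {
  name                = "rt-azurefirewallsubnet-internet"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name

  route {
    name           = "default-to-internet"
    address_prefix = "0.0.0.0/0"
    next_hop_type  = "Internet"
  }
}

# azurerm_firewall.hub.ip_configuration[0].subnet_id is the AzureFirewallSubnet.
resource "azurerm_subnet_route_table_association" "firewall_subnet_internet" {
  subnet_id      = azurerm_firewall.hub.ip_configuration[0].subnet_id
  route_table_id = azurerm_route_table.firewall_subnet_internet.id
}
```

Because spokes are peered only with the hub, a second spoke's prefix is not a system route in this spoke, so the 0.0.0.0/0 user-defined route is what carries spoke-to-spoke traffic through the firewall; the firewall then needs network rules permitting those flows, which is outside the scope of this page.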
Note: While the firewall has a private IP for internal operations, it also requires at least one public IP address for SNAT of outbound traffic and for management traffic (in a forced-tunneling deployment, management uses a separate public IP on the AzureFirewallManagementSubnet). Each additional public IP adds SNAT port capacity, so allocate enough public IPs for the expected outbound connection volume when deploying the firewall.
For more detailed configuration and best practices, refer to the Azure Firewall Architecture and Azure Firewall Rules documentation.