Azure Firewall Public IP Address
This document describes how public IP addresses are assigned to and used by Azure Firewall. Every inbound DNAT rule and every outbound SNAT flow depends on these addresses, so how they are provisioned shapes the network perimeter.
Overview
Azure Firewall is a managed, cloud-native network security service that protects your virtual network resources. It acts as a centralized firewall that enforces policies across subscriptions and virtual networks. A standard deployment needs at least one public IP address: outbound traffic to the internet is SNATed to it, and inbound traffic from the internet reaches your resources only through DNAT rules that target it.
Assigning a Public IP Address to Azure Firewall
When you create an Azure Firewall instance, you associate one or more public IP addresses with it. These addresses serve two purposes:
- Outbound connectivity: Azure Firewall translates the source address (SNAT) of outbound internet traffic to one of its public IP addresses. By default, traffic to RFC 1918 private ranges is not SNATed.
- Inbound connectivity: DNAT rules let specific traffic from the internet reach resources in your virtual network through the firewall. Each DNAT rule targets one of the firewall's public IP addresses, so at least one must be attached before such a rule can exist.
Steps to Assign a Public IP:
- Navigate to your Azure Firewall resource in the Azure portal.
- In the firewall's overview blade, click the Public IP address link.
- If no public IP is assigned, click "Add public IP address".
- Choose to create a new public IP address or select an existing Standard SKU address in the firewall's region.
- For a new address, configure its name and region. The SKU must be Standard; Standard SKU public IPs are always statically allocated, so there is no separate assignment choice to make.
- Click "OK" to associate the public IP with the firewall.
Public IP Address SKUs
Azure Firewall requires Standard SKU public IP addresses; Basic SKU addresses are not supported and cannot be attached. Standard SKU public IPs are always static, so the firewall's addresses do not change across restarts or scale events. That stability matters for partners that allowlist your egress addresses and for DNS records that point at DNAT endpoints.
Multiple Public IP Addresses
Azure Firewall supports multiple public IP addresses: up to 250 can be attached to a single firewall (check the Azure subscription and service limits page for the current figure). This is useful for:
- Increasing outbound capacity: every attached public IP adds SNAT ports, so more public IPs means more concurrent outbound connections before SNAT port exhaustion. You cannot choose which address a given flow is SNATed to; the firewall selects among all of its attached public IPs, so an external party that allowlists your egress must allowlist every one of them.
- Hosting multiple public-facing services: each public IP can be the destination of DNAT rules, letting you expose different services, or the same port on different services, on distinct public addresses.
Configuring Multiple Public IPs:
To add more public IP addresses to an existing Azure Firewall:
- Go to the Azure Firewall resource.
- Under "Settings", select "IP addresses".
- Click "Add public IP address".
- Select an existing Standard SKU public IP address in the firewall's region, or create a new one.
- Click "Add".
Important Considerations:
When associating public IP addresses with Azure Firewall, keep the following in mind:
- All public IP addresses must be in the same region as the Azure Firewall.
- Standard SKU public IP addresses are required. Because they are static, the addresses stay fixed for the life of the resource.
- Network security groups are not applied on the AzureFirewallSubnet; filtering at the firewall is done with its own rule collections. NSGs on the backend subnets still apply: after a DNAT rule forwards a packet, the firewall SNATs it to its own private IP address, so backend NSG rules must allow traffic from the firewall's private IP, not from the original internet client.
Example Scenario: Inbound NAT Rule
Let's say you have a web server in a private subnet that needs to be accessible from the internet. You can configure a DNAT rule in a Firewall Policy NAT rule collection. In this listing, 203.0.113.10 is a placeholder for one of the firewall's attached public IP addresses:
{
  "name": "Allow-Webserver-HTTP",
  "priority": 200,
  "ruleCollectionType": "FirewallPolicyNatRuleCollection",
  "action": {
    "type": "Dnat"
  },
  "rules": [
    {
      "ruleType": "NatRule",
      "name": "HTTP-In",
      "ipProtocols": [ "TCP" ],
      "sourceAddresses": [ "*" ],
      "destinationAddresses": [ "203.0.113.10" ],
      "destinationPorts": [ "80" ],
      "translatedAddress": "10.0.1.4",
      "translatedPort": "80"
    }
  ]
}
Traffic arriving at 203.0.113.10 on TCP port 80 is translated to 10.0.1.4 port 80 and forwarded to the web server. The destinationAddresses of a DNAT rule must name public IP addresses attached to the firewall; a wildcard is not accepted there. The firewall SNATs the forwarded packet to its own private IP address, so the web server and any NSG on its subnet see the firewall, not the internet client, as the source. The "sourceAddresses": [ "*" ] entry admits any internet client; narrow it where the service does not need to be reachable from everywhere. In the classic rule model configured directly on the azureFirewalls resource, the equivalent natRuleCollections entry uses "protocols" instead of "ipProtocols" and has no ruleType field.
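A preflight check that enforces the constraints listed under Important Considerations (Standard SKU, static allocation, same region, per-firewall limit) and validates a DNAT rule collection like the one above against the firewall it is meant for, as an added example that is not part of the original page and not Microsoft's code. The firewall and rule collection dictionaries are constructed sample data shaped like the relevant fields of an exported configuration; the top-level keys location, privateIp and publicIps on the firewall object, the fw-pip-* names and the 203.0.113.x addresses are assumptions for this example rather than Azure resource properties. It goes one step beyond the single rule above: it also derives the backend NSG rule each valid DNAT rule needs, with the firewall's private IP as the source.

```python
"""Offline preflight checks for Azure Firewall public IP and DNAT configuration."""
import ipaddress

MAX_PUBLIC_IPS = 250  # documented per-firewall limit at the time of writing

# Constructed sample: an eastus firewall with one compliant and one non-compliant public IP.
# 203.0.113.0/24 is the RFC 5737 documentation range, standing in for real Azure addresses.
FIREWALL = {
    "location": "eastus",
    "privateIp": "10.0.0.4",  # firewall's private IP in AzureFirewallSubnet (assumed value)
    "publicIps": [
        {"name": "fw-pip-1", "sku": "Standard", "allocation": "Static",
         "location": "eastus", "ipAddress": "203.0.113.10"},
        {"name": "fw-pip-2", "sku": "Basic", "allocation": "Dynamic",
         "location": "westus", "ipAddress": "203.0.113.11"},
    ],
}

# Constructed sample: the page's DNAT collection plus a rule with an invalid wildcard destination.
NAT_RULE_COLLECTION = {
    "name": "Allow-Webserver-HTTP",
    "priority": 200,
    "ruleCollectionType": "FirewallPolicyNatRuleCollection",
    "action": {"type": "Dnat"},
    "rules": [
        {"ruleType": "NatRule", "name": "HTTP-In", "ipProtocols": ["TCP"],
         "sourceAddresses": ["*"], "destinationAddresses": ["203.0.113.10"],
         "destinationPorts": ["80"], "translatedAddress": "10.0.1.4", "translatedPort": "80"},
        {"ruleType": "NatRule", "name": "Wrong-Dest", "ipProtocols": ["TCP"],
         "sourceAddresses": ["*"], "destinationAddresses": ["*"],
         "destinationPorts": ["443"], "translatedAddress": "10.0.1.5", "translatedPort": "443"},
    ],
}


def check_public_ips(fw):
    """Return one finding string per violated attachment rule (empty list means OK)."""
    findings = []
    pips = fw["publicIps"]
    if not pips:
        findings.append("no public IP attached; a standard deployment needs at least one")
    if len(pips) > MAX_PUBLIC_IPS:
        findings.append(f"{len(pips)} public IPs attached, limit is {MAX_PUBLIC_IPS}")
    for pip in pips:
        if pip["sku"] != "Standard":
            findings.append(f"{pip['name']}: SKU {pip['sku']} is not supported, use Standard")
        if pip["allocation"] != "Static":
            findings.append(f"{pip['name']}: allocation {pip['allocation']}; Standard public IPs are static")
        if pip["location"].lower() != fw["location"].lower():
            findings.append(f"{pip['name']}: region {pip['location']} differs from firewall region {fw['location']}")
    return findings


def _is_private(addr):
    """True for an address Python classifies as private (RFC 1918 and similar); False for '*' or junk."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def check_nat_rules(fw, collection):
    """Return (rule_name, severity, message) findings for a DNAT rule collection."""
    findings = []
    if (collection["ruleCollectionType"] != "FirewallPolicyNatRuleCollection"
            or collection["action"]["type"] != "Dnat"):
        findings.append((collection["name"], "error",
                         "DNAT rules belong in a FirewallPolicyNatRuleCollection with action Dnat"))
        return findings
    attached = {p["ipAddress"] for p in fw["publicIps"]}
    for rule in collection["rules"]:
        name = rule["name"]
        # The DNAT destination must be a public IP attached to this firewall; '*' is not accepted.
        for dst in rule["destinationAddresses"]:
            if dst not in attached:
                findings.append((name, "error", f"destination {dst} is not a public IP attached to this firewall"))
        if not _is_private(rule["translatedAddress"]):
            findings.append((name, "error", f"translated address {rule['translatedAddress']} is not a private IP"))
        if "*" in rule["sourceAddresses"]:
            findings.append((name, "warning", "rule accepts any internet source; narrow sourceAddresses if you can"))
    return findings


def backend_nsg_rules(fw, collection):
    """Derive the inbound NSG rule the backend subnet needs for each valid DNAT rule.

    After DNAT the firewall SNATs the packet to its own private IP, so the backend must
    allow the firewall's private IP, not the original internet client, as the source.
    """
    bad = {name for name, sev, _ in check_nat_rules(fw, collection) if sev == "error"}
    rules = []
    for rule in collection["rules"]:
        if rule["name"] in bad:
            continue
        for proto in rule["ipProtocols"]:
            rules.append({
                "name": f"allow-fw-{rule['name']}",
                "protocol": proto,
                "sourceAddressPrefix": fw["privateIp"],
                "destinationAddressPrefix": rule["translatedAddress"],
                "destinationPortRange": rule["translatedPort"],
            })
    return rules


if __name__ == "__main__":
    for f in check_public_ips(FIREWALL):
        print("public-ip:", f)
    for name, sev, msg in check_nat_rules(FIREWALL, NAT_RULE_COLLECTION):
        print(f"dnat[{name}] {sev}: {msg}")
    for r in backend_nsg_rules(FIREWALL, NAT_RULE_COLLECTION):
        print("nsg:", r)
```

Run against the sample data, the public IP check flags fw-pip-2 three times (Basic SKU, dynamic allocation, wrong region), the NAT check rejects the wildcard destination of Wrong-Dest and warns that both rules accept any source, and only HTTP-In yields a backend NSG rule, sourced from the firewall's private IP 10.0.0.4. To use it on a real deployment, populate the two dictionaries from az network public-ip show and your exported firewall policy.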