How Can I Force a Specific VM to Use a Designated Public IP with Azure Firewall?

Asked By CloudWanderer42 On

Hi everyone! I'm working on a setup in Azure and I have a particular use case. I need a virtual machine (VM) to send its outbound traffic to the internet, but I want this traffic to go through the Azure Firewall for logging and inspection. However, here's the catch: I want the outbound traffic to use a specific Public IP address (let's call it Public IP N2) instead of the Azure Firewall's default public IP address. I know Azure Firewall supports multiple Public IPs, but it looks like the SNAT selection process is automatic, leaving me unable to specify that traffic from this VM (or its subnet) should always use Public IP N2. Has anyone else faced this issue or found a solution? Thanks for your help!

5 Answers

Answered By InfoSeeker99 On

There might be a workaround if you know the destination of the connection you're targeting.

CloudWanderer42 -

Thanks for the suggestion, but I'm not really grasping what you mean by that.

Answered By CuriousCoder21 On

I'm just curious, what's the main reason you need a separate public IP just for this VM?

CloudWanderer42 -

I need to test some external endpoints without whitelisting the Firewall's public IP, which would open up all outbound Azure traffic.

Answered By AzureNinja92 On

It sounds like you might need a NAT gateway in front of your Azure Firewall to manage this case. Just keep in mind that this setup would mean traffic leaves the Azure Firewall using the NAT Gateway’s IP rather than the Firewall's IP.

CloudWanderer42 -

I see your point! But my goal is to have one specific public IP for just this one VM while leaving other Azure traffic unchanged.
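The "NAT gateway in front of Azure Firewall" layout AzureNinja92 describes, written out as an added Bicep example (this is not code from the thread or from Microsoft; resource names, address ranges, API version and the `location` parameter are assumptions made for the example). It shows the two pieces that matter: a default route on the workload subnet that forces internet-bound traffic through the firewall, and a NAT gateway owning Public IP N2 attached to `AzureFirewallSubnet`, which is what makes the firewall's egress leave on N2 rather than the firewall's own address.

```bicep
// Added example (not from the thread): NAT gateway in front of Azure Firewall.
// All names, address ranges and the location parameter are assumptions.
param location string = resourceGroup().location

// Public IP N2: the address that inspected outbound traffic should appear from.
resource pipN2 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-n2'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// Public IP the firewall needs for its own ipConfiguration (not used for egress here).
resource pipFw 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'pip-afw'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// NAT gateway that owns Public IP N2.
resource natGw 'Microsoft.Network/natGateways@2023-05-01' = {
  name: 'natgw-fw'
  location: location
  sku: { name: 'Standard' }
  properties: {
    idleTimeoutInMinutes: 4
    publicIpAddresses: [ { id: pipN2.id } ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
  }
}

// Firewall subnet associated with the NAT gateway: every connection the firewall
// forwards to the internet is translated to Public IP N2 on the way out.
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'AzureFirewallSubnet'
  properties: {
    addressPrefix: '10.0.1.0/26'
    natGateway: { id: natGw.id }
  }
}

resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'fw-ipconfig'
        properties: {
          subnet: { id: fwSubnet.id }
          publicIPAddress: { id: pipFw.id }
        }
      }
    ]
  }
}

// Default route for the workload subnet: internet-bound traffic is handed to the
// firewall's private IP so it is logged and inspected before it leaves Azure.
resource rtWorkload 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-workload'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fw.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}

// Subnet hosting the VM under test, bound to the route table above.
resource workloadSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'snet-workload'
  properties: {
    addressPrefix: '10.0.2.0/24'
    routeTable: { id: rtWorkload.id }
  }
}
```

As the answer above points out, this changes the egress address for everything the firewall forwards, not just the one VM: any subnet routed through the firewall will also appear from Public IP N2, so an external allow-list entry for N2 covers all of that traffic. The firewall's logging and inspection are unaffected, since the route through it is unchanged.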

Answered By TechGuru88 On

Another idea could be to avoid SNAT at the Firewall and go through a public route, but I understand you need the Firewall in place for compliance. Alternatively, you might consider NAT before the Firewall and prevent SNATing that specific IP. It adds an extra layer, but that might be what you need.

CloudWanderer42 -

Yeah, bypassing SNAT at the Firewall isn't an option for me due to compliance rules. I can see how NAT before the Firewall could work, but I'm not sure how to set it up to exclude that specific IP from SNAT.

Answered By TechieTina88 On

That's an interesting challenge! As far as I know, there isn't a method that allows you to designate a specific public IP for this kind of scenario while still routing through the Azure Firewall. One approach could be to use a NAT gateway behind the firewall; it might sound complicated, but it could give you more control over the IP being used. What do you think about that?

CloudWanderer42 -

I'm testing an external endpoint from this Azure VM and I don't want to whitelist the Azure Firewall's public IP for all outbound Azure traffic. I definitely need to explore the NAT gateway option further, but I'm curious if I can configure the Azure Firewall not to SNAT traffic from this VM.
