Deploy an Azure Firewall with multiple public IP addresses using Azure PowerShell

This feature enables the following scenarios:

  • DNAT - You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
  • SNAT - Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. Azure Firewall randomly selects the first source public IP address to use for a connection and selects another public IP after ports from the first IP have been exhausted. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall. Consider using a Public IP prefix to simplify this configuration.

Azure Firewall with multiple public IP addresses is available via the Azure portal, Azure PowerShell, Azure CLI, REST, and templates.
You can deploy an Azure Firewall with up to 250 public IP addresses, however DNAT destination rules will also count toward the 250 maximum. Public IPs + DNAT destination rule = 250 max.

Note

In scenarios with high traffic volume and throughput, it is recommended to use a NAT Gateway to provide outbound connectivity. SNAT ports are dynamically allocated across all public IPs associated with NAT Gateway. To learn more see integrate NAT Gateway with Azure Firewall.

The following Azure PowerShell examples show how you can configure, add, and remove public IP addresses for Azure Firewall.

Important

You can't remove the first ipConfiguration from the Azure Firewall public IP address configuration page. If you want to modify the IP address, you can use Azure PowerShell.

Create a firewall with two or more public IP addresses

This example creates a firewall attached to virtual network vnet with two public IP addresses.

$rgName = "resourceGroupName"

$vnet = Get-AzVirtualNetwork `
  -Name "vnet" `
  -ResourceGroupName $rgName

$pip1 = New-AzPublicIpAddress `
  -Name "AzFwPublicIp1" `
  -ResourceGroupName "rg" `
  -Sku "Standard" `
  -Location "chinaeast" `
  -AllocationMethod Static

$pip2 = New-AzPublicIpAddress `
  -Name "AzFwPublicIp2" `
  -ResourceGroupName "rg" `
  -Sku "Standard" `
  -Location "chinaeast" `
  -AllocationMethod Static

New-AzFirewall `
  -Name "azFw" `
  -ResourceGroupName $rgName `
  -Location chinaeast `
  -VirtualNetwork $vnet `
  -PublicIpAddress @($pip1, $pip2)

Add a public IP address to an existing firewall

In this example, the public IP address azFwPublicIp1 is attached to the firewall.

$pip = New-AzPublicIpAddress `
  -Name "azFwPublicIp1" `
  -ResourceGroupName "rg" `
  -Sku "Standard" `
  -Location "chinaeast" `
  -AllocationMethod Static

$azFw = Get-AzFirewall `
  -Name "AzureFirewall" `
  -ResourceGroupName "rg"

$azFw.AddPublicIpAddress($pip)

$azFw | Set-AzFirewall

Remove a public IP address from an existing firewall

In this example, the public IP address azFwPublicIp1 is detached from the firewall.

$pip = Get-AzPublicIpAddress `
  -Name "azFwPublicIp1" `
  -ResourceGroupName "rg"

$azFw = Get-AzFirewall `
  -Name "AzureFirewall" `
  -ResourceGroupName "rg"

$azFw.RemovePublicIpAddress($pip)

$azFw | Set-AzFirewall

Next steps