Filter inbound Internet or intranet traffic with Azure Firewall DNAT using the Azure portal

You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets or intranet traffic between private networks (preview). When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public or private IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see Azure Firewall rule processing logic.

Note

This article uses classic Firewall rules to manage the firewall. The preferred method is to use Firewall Policy. To complete this procedure using Firewall Policy, see Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal.

Prerequisites

If you don't have an Azure subscription, create a trial subscription before you begin.

Create a resource group

  1. Sign in to the Azure portal.
  2. On the Azure portal home page, select Resource groups, then select Create.
  3. For Subscription, select your subscription.
  4. For Resource group, type RG-DNAT-Test.
  5. For Region, select a region. All other resources that you create must be in the same region.
  6. Select Review + create.
  7. Select Create.

Set up the network environment

For this article, you create two peered VNets:

  • VN-Hub - the firewall is in this VNet.
  • VN-Spoke - the workload server is in this VNet.

First, create the VNets and then peer them.

Create the Hub VNet

  1. From the Azure portal home page, select All services.

  2. Under Networking, select Virtual networks.

  3. Select Create.

  4. For Resource group, select RG-DNAT-Test.

  5. For Name, type VN-Hub.

  6. For Region, select the same region that you used before.

  7. Select Next.

  8. On the Security tab, select Next.

  9. For IPv4 Address space, accept the default 10.0.0.0/16.

  10. Under Subnets, select default.

  11. For Subnet template, select Azure Firewall.

    The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.

    Note

    The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see Azure Firewall FAQ.

  12. Select Save.

  13. Select Review + create.

  14. Select Create.

Create a spoke VNet

  1. From the Azure portal home page, select All services.
  2. Under Networking, select Virtual networks.
  3. Select Create.
  4. For Resource group, select RG-DNAT-Test.
  5. For Name, type VN-Spoke.
  6. For Region, select the same region that you used before.
  7. Select Next.
  8. On the Security tab, select Next.
  9. For IPv4 Address space, edit the default and type 192.168.0.0/16.
  10. Under Subnets, select default.
  11. For the subnet Name type SN-Workload.
  12. For Starting address, type 192.168.1.0.
  13. For Subnet size, select /24.
  14. Select Save.
  15. Select Review + create.
  16. Select Create.

Peer the VNets

Now peer the two VNets.

  1. Select the VN-Hub virtual network.
  2. Under Settings, select Peerings.
  3. Select Add.
  4. Under This virtual network, for the Peering link name, type Peer-HubSpoke.
  5. Under Remote virtual network, for Peering link name, type Peer-SpokeHub.
  6. Select VN-Spoke for the virtual network.
  7. Accept all the other defaults, and then select Add.
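The same network environment (resource group, hub and spoke VNets, and the two peering links), built with Az PowerShell instead of the portal. This is an added example, not code from the original article or from Microsoft; it assumes Connect-AzAccount has already run, that the region in $location is the one you chose for the resource group, and that the AzureFirewallSubnet prefix 10.0.0.0/26 is acceptable (the portal's Azure Firewall subnet template picks its own /26).

```powershell
# Added example: build the hub/spoke environment from the article with Az PowerShell.
# Assumptions: Connect-AzAccount has run; $location is your chosen region;
# the AzureFirewallSubnet prefix below is an assumption, any /26 in VN-Hub works.
$rg       = 'RG-DNAT-Test'
$location = 'eastus'   # assumption: use the same region for every resource in this article

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Hub VNet: the firewall subnet must be named AzureFirewallSubnet and be a /26.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.0.0/26'
$hub = New-AzVirtualNetwork -Name 'VN-Hub' -ResourceGroupName $rg -Location $location `
        -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet

# Spoke VNet with the workload subnet the VM will live in.
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'SN-Workload' -AddressPrefix '192.168.1.0/24'
$spoke = New-AzVirtualNetwork -Name 'VN-Spoke' -ResourceGroupName $rg -Location $location `
        -AddressPrefix '192.168.0.0/16' -Subnet $wlSubnet

# Peering is one-directional, so a link is created from each side.
Add-AzVirtualNetworkPeering -Name 'Peer-HubSpoke' -VirtualNetwork $hub   -RemoteVirtualNetworkId $spoke.Id | Out-Null
Add-AzVirtualNetworkPeering -Name 'Peer-SpokeHub' -VirtualNetwork $spoke -RemoteVirtualNetworkId $hub.Id   | Out-Null

# Check: both links should report PeeringState = Connected before continuing.
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'VN-Hub' |
    Select-Object Name, PeeringState
Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName 'VN-Spoke' |
    Select-Object Name, PeeringState
```

If either peering shows Initiated rather than Connected, the link on the other side is missing; traffic between the firewall and the workload subnet will not flow until both exist.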

Create a virtual machine

Create a workload virtual machine, and place it in the SN-Workload subnet.

  1. From the Azure portal menu, select Create a resource.
  2. Under Popular products, select Windows Server 2019 Datacenter.

Basics

  1. For Subscription, select your subscription.
  2. For Resource group, select RG-DNAT-Test.
  3. For Virtual machine name, type Srv-Workload.
  4. For Region, select the same location that you used previously.
  5. Type a username and password.
  6. Select Next: Disks.

Disks

  1. Select Next: Networking.

Networking

  1. For Virtual network, select VN-Spoke.
  2. For Subnet, select SN-Workload.
  3. For Public IP, select None.
  4. For Public inbound ports, select None.
  5. Leave the other default settings and select Next: Management.

Management

  1. Select Next: Monitoring.

Monitoring

  1. For Boot diagnostics, select Disable.
  2. Select Review + Create.

Review + Create

Review the summary, and then select Create. This takes a few minutes to complete.

After deployment finishes, note the private IP address for the virtual machine. It is used later when you configure the firewall. Select the virtual machine name. Select Overview, and under Networking note the private IP address.

Note

Azure provides a default outbound access IP for VMs that either aren't assigned a public IP address or are in the backend pool of an internal basic Azure load balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

The default outbound access IP is disabled when one of the following events happens:

  • A public IP address is assigned to the VM.
  • The VM is placed in the backend pool of a standard load balancer, with or without outbound rules.
  • An Azure NAT Gateway resource is assigned to the subnet of the VM.

VMs that you create by using virtual machine scale sets in flexible orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Default outbound access in Azure and Use Source Network Address Translation (SNAT) for outbound connections.

Deploy the firewall

  1. From the portal home page, select Create a resource.

  2. Search for Firewall, and then select Firewall.

  3. Select Create.

  4. On the Create a Firewall page, use the following table to configure the firewall:

    Setting                     Value
    Subscription                <your subscription>
    Resource group              Select RG-DNAT-Test
    Name                        FW-DNAT-test
    Region                      Select the same location that you used previously
    Firewall SKU                Standard
    Firewall management         Use Firewall rules (classic) to manage this firewall
    Choose a virtual network    Use existing: VN-Hub
    Public IP address           Add new, Name: fw-pip.

  5. Accept the other defaults, and then select Review + create.

  6. Review the summary, and then select Create to create the firewall.

    This takes a few minutes to deploy.

  7. After deployment completes, go to the RG-DNAT-Test resource group, and select the FW-DNAT-test firewall.

  8. Note the firewall's private and public IP addresses. You'll use them later when you create the default route and NAT rule.

Create a default route

For the SN-Workload subnet, you configure the outbound default route to go through the firewall.

Important

You do not need to configure an explicit route back to the firewall at the destination subnet. Azure Firewall is a stateful service and handles the packets and sessions automatically. If you create this route, you'll create an asymmetrical routing environment that interrupts the stateful session logic and results in dropped packets and connections.

  1. From the Azure portal home page, select Create a resource.

  2. Search for Route table and select it.

  3. Select Create.

  4. For Subscription, select your subscription.

  5. For Resource group, select RG-DNAT-Test.

  6. For Region, select the same region that you used previously.

  7. For Name, type RT-FWroute.

  8. Select Review + create.

  9. Select Create.

  10. Select Go to resource.

  11. Select Subnets, and then select Associate.

  12. For Virtual network, select VN-Spoke.

  13. For Subnet, select SN-Workload.

  14. Select OK.

  15. Select Routes, and then select Add.

  16. For Route name, type FW-DG.

  17. For Destination type, select IP Addresses.

  18. For Destination IP addresses/CIDR ranges, type 0.0.0.0/0.

  19. For Next hop type, select Virtual appliance.

    Azure Firewall is actually a managed service, but virtual appliance works in this situation.

  20. For Next hop address, type the private IP address for the firewall that you noted previously.

  21. Select Add.
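The firewall deployment and the default route from the two sections above, as one Az PowerShell script. This is an added example and not code from the original article or from Microsoft. It assumes the VNets from the earlier section exist, that Connect-AzAccount has run, and that $location matches the rest of the deployment. In line with the Important note above, it deliberately creates no route from AzureFirewallSubnet back toward the spoke.

```powershell
# Added example: deploy the classic-rules firewall and point SN-Workload's
# default route at it. Assumptions: VN-Hub and VN-Spoke already exist;
# Connect-AzAccount has run; $location is the same region used so far.
$rg       = 'RG-DNAT-Test'
$location = 'eastus'   # assumption: same region as the rest of the deployment

$hub   = Get-AzVirtualNetwork -Name 'VN-Hub'   -ResourceGroupName $rg
$spoke = Get-AzVirtualNetwork -Name 'VN-Spoke' -ResourceGroupName $rg

# Azure Firewall requires a Standard-SKU public IP with static allocation.
$pip = New-AzPublicIpAddress -Name 'fw-pip' -ResourceGroupName $rg -Location $location `
        -AllocationMethod Static -Sku Standard

# No -FirewallPolicyId is given, so rules are managed on the firewall itself (classic rules).
$fw = New-AzFirewall -Name 'FW-DNAT-test' -ResourceGroupName $rg -Location $location `
        -VirtualNetwork $hub -PublicIpAddress $pip

# Record both addresses: the private IP is the route next hop, the public IP is the DNAT destination.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$fwPublicIp  = $pip.IpAddress
"Firewall private IP: $fwPrivateIp   public IP: $fwPublicIp"

# Route table for the workload subnet: 0.0.0.0/0 -> firewall private IP.
# Azure Firewall is a managed service, but VirtualAppliance is the correct next hop type.
$rt = New-AzRouteTable -Name 'RT-FWroute' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'FW-DG' -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance `
    -NextHopIpAddress $fwPrivateIp -RouteTable $rt | Out-Null
$rt = Set-AzRouteTable -RouteTable $rt

# Associate the route table with SN-Workload only. AzureFirewallSubnet gets no return route.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name 'SN-Workload' `
    -AddressPrefix '192.168.1.0/24' -RouteTable $rt | Out-Null
$spoke | Set-AzVirtualNetwork | Out-Null

# Check: the route table should show exactly one route, 0.0.0.0/0 via the firewall's private IP.
(Get-AzRouteTable -Name 'RT-FWroute' -ResourceGroupName $rg).Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```

The final query is the quickest way to catch a mistyped next hop: if NextHopIpAddress is not the firewall's private IP, outbound traffic from the VM bypasses the firewall and return traffic for DNAT sessions is not inspected.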

Configure a NAT rule

  1. Open the RG-DNAT-Test resource group, and select the FW-DNAT-test firewall.
  2. On the FW-DNAT-test page, under Settings, select Rules (classic).
  3. Select Add NAT rule collection.
  4. For Name, type RC-DNAT-01.
  5. For Priority, type 200.
  6. Under Rules, for Name, type RL-01.
  7. For Protocol, select TCP.
  8. For Source type, select IP address.
  9. For Source, type *.
  10. For Destination Addresses, type the firewall's public IP address.
  11. For Destination ports, type 3389.
  12. For Translated Address, type the private IP address for the Srv-Workload virtual machine.
  13. For Translated port, type 3389.
  14. Select Add.

This takes a few minutes to complete.
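The NAT rule collection above, added with Az PowerShell, together with a check that lists any DNAT rule whose source is the wildcard. This is an added example, not code from the original article or from Microsoft. It assumes the firewall from the previous sections exists, that $workloadIp is the private IP you noted for Srv-Workload, and that $allowedSource is the public IP of the client that should reach RDP. The portal steps use * as the source; following the recommendation in the introduction, this version restricts the source to one address instead.

```powershell
# Added example: create RC-DNAT-01 / RL-01 with a specific source instead of *.
# Assumptions: FW-DNAT-test and fw-pip exist; $workloadIp and $allowedSource
# are placeholders you replace with the VM's private IP and your client's public IP.
$rg            = 'RG-DNAT-Test'
$workloadIp    = '192.168.1.4'     # assumption: the private IP noted after the VM deployed
$allowedSource = '203.0.113.10'    # assumption: your client's public IP (TEST-NET-3 placeholder)

$fw  = Get-AzFirewall -Name 'FW-DNAT-test' -ResourceGroupName $rg
$pip = Get-AzPublicIpAddress -Name 'fw-pip' -ResourceGroupName $rg

# DNAT rule: firewall public IP:3389 -> workload private IP:3389, only from $allowedSource.
# The matching network rule that allows the translated traffic is added implicitly.
$rule = New-AzFirewallNatRule -Name 'RL-01' -Protocol 'TCP' `
            -SourceAddress $allowedSource `
            -DestinationAddress $pip.IpAddress -DestinationPort '3389' `
            -TranslatedAddress $workloadIp -TranslatedPort '3389'

$coll = New-AzFirewallNatRuleCollection -Name 'RC-DNAT-01' -Priority 200 -Rule $rule

$fw.NatRuleCollections.Add($coll)
$fw = Set-AzFirewall -AzureFirewall $fw   # this takes a few minutes to complete

# Review what is now applied and flag any NAT rule that accepts traffic from any source,
# so it can be tightened to a specific address or range.
foreach ($c in $fw.NatRuleCollections) {
    foreach ($r in $c.Rules) {
        if ($r.SourceAddresses -contains '*') { $scope = 'OPEN TO ANY SOURCE' } else { $scope = 'restricted' }
        "{0}/{1}: {2}:{3} -> {4}:{5} from {6} [{7}]" -f $c.Name, $r.Name, `
            ($r.DestinationAddresses -join ','), ($r.DestinationPorts -join ','), `
            $r.TranslatedAddress, $r.TranslatedPort, ($r.SourceAddresses -join ','), $scope
    }
}

# From the allowed client, confirm the TCP handshake to the firewall's public IP on 3389
# succeeds before opening a Remote Desktop session to that address.
Test-NetConnection -ComputerName $pip.IpAddress -Port 3389 |
    Select-Object RemoteAddress, RemotePort, TcpTestSucceeded
```

Run Test-NetConnection from the client whose address is in $allowedSource; from any other address the handshake should fail, which is the behaviour the restricted source is meant to produce. A rule reported as OPEN TO ANY SOURCE exposes RDP on the firewall's public IP to the whole Internet and should be narrowed.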

Test the firewall

  1. Connect a remote desktop to the firewall's public IP address. You should be connected to the Srv-Workload virtual machine.
  2. Close the remote desktop.

Clean up resources

You can keep your firewall resources for further testing, or if no longer needed, delete the RG-DNAT-Test resource group to delete all firewall-related resources.

Next steps

Next, you can monitor the Azure Firewall logs.

Tutorial: Monitor Azure Firewall logs