Filter inbound Internet traffic with Azure Firewall DNAT using the Azure portal

You can configure Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. When you configure DNAT, the NAT rule collection action is set to Dnat. Each rule in the NAT rule collection can then be used to translate your firewall public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. For security reasons, the recommended approach is to add a specific Internet source to allow DNAT access to the network and avoid using wildcards. To learn more about Azure Firewall rule processing logic, see Azure Firewall rule processing logic.

In this article, you learn how to:

  • Set up a test network environment
  • Deploy a firewall
  • Create a default route
  • Configure a DNAT rule
  • Test the firewall

Note

This article uses classic Firewall rules to manage the firewall. The preferred method is to use Firewall Policy. To complete this procedure using Firewall Policy, see Tutorial: Filter inbound Internet traffic with Azure Firewall policy DNAT using the Azure portal.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Create a resource group

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. On the Azure portal home page, select Resource groups, then select Add.
  3. For Subscription, select your subscription.
  4. For Resource group name, type RG-DNAT-Test.
  5. For Region, select a region. All other resources that you create must be in the same region.
  6. Select Review + create.
  7. Select Create.

Set up the network environment

For this article, you create two peered VNets:

  • VN-Hub - the firewall is in this VNet.
  • VN-Spoke - the workload server is in this VNet.

First, create the VNets and then peer them.

Create the Hub VNet

  1. From the Azure portal home page, select All services.

  2. Under Networking, select Virtual networks.

  3. Select Add.

  4. For Resource group, select RG-DNAT-Test.

  5. For Name, type VN-Hub.

  6. For Region, select the same region that you used before.

  7. Select Next: IP Addresses.

  8. For IPv4 Address space, accept the default 10.0.0.0/16.

  9. Under Subnet name, select default.

  10. Edit the Subnet name and type AzureFirewallSubnet.

    The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.

    Note

    The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see Azure Firewall FAQ.

  11. For Subnet address range, type 10.0.1.0/26.

  12. Select Save.

  13. Select Review + create.

  14. Select Create.

Create a spoke VNet

  1. From the Azure portal home page, select All services.
  2. Under Networking, select Virtual networks.
  3. Select Add.
  4. For Resource group, select RG-DNAT-Test.
  5. For Name, type VN-Spoke.
  6. For Region, select the same region that you used before.
  7. Select Next: IP Addresses.
  8. For IPv4 Address space, edit the default and type 192.168.0.0/16.
  9. Select Add subnet.
  10. For Subnet name, type SN-Workload.
  11. For Subnet address range, type 192.168.1.0/24.
  12. Select Add.
  13. Select Review + create.
  14. Select Create.

Peer the VNets

Now peer the two VNets.

  1. Select the VN-Hub virtual network.
  2. Under Settings, select Peerings.
  3. Select Add.
  4. Under This virtual network, for the Peering link name, type Peer-HubSpoke.
  5. Under Remote virtual network, for Peering link name, type Peer-SpokeHub.
  6. Select VN-Spoke for the virtual network.
  7. Accept all the other defaults, and then select Add.

Create a virtual machine

Create a workload virtual machine, and place it in the SN-Workload subnet.

  1. From the Azure portal menu, select Create a resource.
  2. Under Popular, select Windows Server 2016 Datacenter.

Basics

  1. For Subscription, select your subscription.
  2. For Resource group, select RG-DNAT-Test.
  3. For Virtual machine name, type Srv-Workload.
  4. For Region, select the same location that you used previously.
  5. Type a username and password.
  6. Select Next: Disks.

Disks

  1. Select Next: Networking.

Networking

  1. For Virtual network, select VN-Spoke.
  2. For Subnet, select SN-Workload.
  3. For Public IP, select None.
  4. For Public inbound ports, select None.
  5. Leave the other default settings and select Next: Management.

Management

  1. For Boot diagnostics, select Disable.
  2. Select Review + Create.

Review + Create

Review the summary, and then select Create. This will take a few minutes to complete.

After deployment finishes, note the private IP address for the virtual machine. It will be used later when you configure the firewall. Select the virtual machine name, and under Settings, select Networking to find the private IP address.

Note

Azure provides a default outbound access IP for Azure Virtual Machines that aren't assigned a public IP address, or that are in the backend pool of an internal Basic Azure Load Balancer. The default outbound access IP mechanism provides an outbound IP address that isn't configurable.

For more information about default outbound access, see Default outbound access in Azure.

The default outbound access IP is disabled when a public IP address is assigned to the virtual machine, or when the virtual machine is placed in the backend pool of a Standard Load Balancer, with or without outbound rules. If an Azure Virtual Network NAT gateway resource is assigned to the subnet of the virtual machine, the default outbound access IP is also disabled.

Virtual machines created by Virtual Machine Scale sets in Flexible Orchestration mode don't have default outbound access.

For more information about outbound connections in Azure, see Using Source Network Address Translation (SNAT) for outbound connections.

Deploy the firewall

  1. From the portal home page, select Create a resource.

  2. Search for Firewall, and then select Firewall.

  3. Select Create.

  4. On the Create a Firewall page, use the following table to configure the firewall:

    Setting                     Value
    Subscription                <your subscription>
    Resource group              Select RG-DNAT-Test
    Name                        FW-DNAT-test
    Region                      Select the same location that you used previously
    Firewall management         Use Firewall rules (classic) to manage this firewall
    Choose a virtual network    Use existing: VN-Hub
    Public IP address           Add new, Name: fw-pip
  5. Accept the other defaults, and then select Review + create.

  6. Review the summary, and then select Create to create the firewall.

    This will take a few minutes to deploy.

  7. After deployment completes, go to the RG-DNAT-Test resource group, and select the FW-DNAT-test firewall.

  8. Note the firewall's private and public IP addresses. You'll use them later when you create the default route and NAT rule.

Create a default route

For the SN-Workload subnet, you configure the outbound default route to go through the firewall.

  1. From the Azure portal home page, select All services.

  2. Under Networking, select Route tables.

  3. Select Add.

  4. For Subscription, select your subscription.

  5. For Resource group, select RG-DNAT-Test.

  6. For Region, select the same region that you used previously.

  7. For Name, type RT-FWroute.

  8. Select Review + create.

  9. Select Create.

  10. Select Go to resource.

  11. Select Subnets, and then select Associate.

  12. For Virtual network, select VN-Spoke.

  13. For Subnet, select SN-Workload.

  14. Select OK.

  15. Select Routes, and then select Add.

  16. For Route name, type FW-DG.

  17. For Address prefix, type 0.0.0.0/0.

  18. For Next hop type, select Virtual appliance.

    Azure Firewall is actually a managed service, but virtual appliance works in this situation.

  19. For Next hop address, type the private IP address for the firewall that you noted previously.

  20. Select OK.

Configure a NAT rule

  1. Open the RG-DNAT-Test resource group, and select the FW-DNAT-test firewall.
  2. On the FW-DNAT-test page, under Settings, select Rules (classic).
  3. Select Add NAT rule collection.
  4. For Name, type RC-DNAT-01.
  5. For Priority, type 200.
  6. Under Rules, for Name, type RL-01.
  7. For Protocol, select TCP.
  8. For Source type, select IP address.
  9. For Source, type *.
  10. For Destination Addresses, type the firewall's public IP address.
  11. For Destination ports, type 3389.
  12. For Translated address, type the private IP address for the Srv-Workload virtual machine.
  13. For Translated port, type 3389.
  14. Select Add. This will take a few minutes to complete.
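The default route (previous section) and the NAT rule collection (this section) are the two pieces that have to line up for DNAT to work: the rule matches on the firewall's public IP and translates to the workload's private IP, and the spoke subnet's 0.0.0.0/0 route must point at the firewall's private IP. The following script is an added example, not part of this article or of Azure's tooling. It lints both objects the way a reviewer would check an exported firewall template: the dictionaries mirror the property names of the firewall and route table ARM JSON (`sourceAddresses`, `destinationAddresses`, `translatedAddress`, `nextHopType`, and so on), which is assumed here, and all addresses are constructed sample values from documentation ranges. Because it encodes the recommendation from the introduction, it flags the `*` source used in step 9 above and passes once the source is narrowed to a specific Internet range.

```python
"""Lint an Azure Firewall DNAT rule collection and the spoke default route.

Added example; the dictionary layout follows the shape of exported ARM JSON
(assumed), and every address below is a constructed sample value.
"""
import copy
import ipaddress

# Constructed sample values (assumptions, not taken from the article).
FW_PUBLIC_IP = "203.0.113.10"       # fw-pip
FW_PRIVATE_IP = "10.0.1.4"          # first usable address in AzureFirewallSubnet
WORKLOAD_SUBNET = "192.168.1.0/24"  # SN-Workload
SRV_WORKLOAD_IP = "192.168.1.4"     # Srv-Workload private IP

# NAT rule collection as built in the "Configure a NAT rule" steps.
NAT_RULE_COLLECTION = {
    "name": "RC-DNAT-01",
    "properties": {
        "priority": 200,
        "action": {"type": "Dnat"},
        "rules": [{
            "name": "RL-01",
            "protocols": ["TCP"],
            "sourceAddresses": ["*"],            # wildcard, as in step 9
            "destinationAddresses": [FW_PUBLIC_IP],
            "destinationPorts": ["3389"],
            "translatedAddress": SRV_WORKLOAD_IP,
            "translatedPort": "3389",
        }],
    },
}

# Route table as built in the "Create a default route" steps.
ROUTE_TABLE = {
    "name": "RT-FWroute",
    "properties": {"routes": [{
        "name": "FW-DG",
        "properties": {
            "addressPrefix": "0.0.0.0/0",
            "nextHopType": "VirtualAppliance",
            "nextHopIpAddress": FW_PRIVATE_IP,
        },
    }]},
}


def _valid_port(port):
    """Ports in ARM JSON are strings; accept only 1-65535."""
    return port.isdigit() and 1 <= int(port) <= 65535


def lint_nat_collection(collection, fw_public_ip, workload_subnet):
    """Return a list of findings (empty list means the collection is clean)."""
    findings = []
    props = collection["properties"]
    if props.get("action", {}).get("type") != "Dnat":
        findings.append(f"{collection['name']}: action must be Dnat")
    subnet = ipaddress.ip_network(workload_subnet)
    for rule in props.get("rules", []):
        rid = f"{collection['name']}/{rule['name']}"
        # The article recommends a specific Internet source instead of a wildcard.
        if "*" in [s.strip() for s in rule.get("sourceAddresses", [])]:
            findings.append(f"{rid}: source is a wildcard; restrict to a specific Internet source")
        # DNAT matches on the firewall's public IP, not on the workload address.
        if fw_public_ip not in rule.get("destinationAddresses", []):
            findings.append(f"{rid}: destination must be the firewall public IP {fw_public_ip}")
        # The translated address has to live in the peered spoke subnet.
        translated = ipaddress.ip_address(rule["translatedAddress"])
        if translated not in subnet:
            findings.append(f"{rid}: translated address {translated} is outside {workload_subnet}")
        for port in rule.get("destinationPorts", []) + [rule.get("translatedPort", "")]:
            if not _valid_port(port):
                findings.append(f"{rid}: invalid port {port!r}")
    return findings


def lint_default_route(route_table, fw_private_ip):
    """Check that the spoke route table sends 0.0.0.0/0 to the firewall's private IP."""
    findings = []
    name = route_table["name"]
    defaults = [r for r in route_table["properties"].get("routes", [])
                if r["properties"].get("addressPrefix") == "0.0.0.0/0"]
    if not defaults:
        return [f"{name}: no 0.0.0.0/0 route to the firewall"]
    for route in defaults:
        p = route["properties"]
        if p.get("nextHopType") != "VirtualAppliance":
            findings.append(f"{name}/{route['name']}: next hop type {p.get('nextHopType')!r}, expected VirtualAppliance")
        if p.get("nextHopIpAddress") != fw_private_ip:
            findings.append(f"{name}/{route['name']}: next hop {p.get('nextHopIpAddress')!r} is not the firewall private IP")
    return findings


def restrict_source(collection, sources):
    """Return a copy of the collection with every rule's source narrowed to `sources`."""
    fixed = copy.deepcopy(collection)
    for rule in fixed["properties"]["rules"]:
        rule["sourceAddresses"] = list(sources)
    return fixed


if __name__ == "__main__":
    for finding in lint_nat_collection(NAT_RULE_COLLECTION, FW_PUBLIC_IP, WORKLOAD_SUBNET):
        print("NAT:", finding)
    hardened = restrict_source(NAT_RULE_COLLECTION, ["198.51.100.0/24"])  # constructed source range
    print("NAT after restricting source:", lint_nat_collection(hardened, FW_PUBLIC_IP, WORKLOAD_SUBNET))
    print("Route:", lint_default_route(ROUTE_TABLE, FW_PRIVATE_IP))
```

Running it against the article's values reports one finding, the wildcard source, and nothing for the route table; narrowing the source with `restrict_source` clears the finding. To use it on a real deployment, replace the two constants and the sample dictionaries with the `natRuleCollections` entry and the route table taken from the firewall's exported template.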

Test the firewall

  1. Connect a remote desktop to the firewall's public IP address. You should be connected to the Srv-Workload virtual machine.
  2. Close the remote desktop.

Clean up resources

You can keep your firewall resources for further testing, or if no longer needed, delete the RG-DNAT-Test resource group to delete all firewall-related resources.

Next steps

Next, you can monitor the Azure Firewall logs.

Tutorial: Monitor Azure Firewall logs