Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
Azure Firewall DNAT rules - SNAT
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 4%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPS%3C/text%3E%3C/svg%3E)
Peter Stieber
245
Reputation points
I am looking at this example on the right where the firewall applies SNAT when a DNAT rule is matched. How does it decide whether to change the source IP to its public or private IP address?
If the load Balancer was internal then it would change the source IP to its private IP address. Is it based on the IP address I am translating it to ? If translated IP is public then FW changes source to its public and if it is private then FW changes source to its private IP address (address from firewall subnet) ?
Azure Firewall
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 42%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Priya ranjan Jena 265 Reputation points Microsoft External Staff Moderator2025-08-13T14:17:35.7633333+00:00 Hi @ Peter Stieber,
Thank you for reaching out on Microsoft Q&A forum.
Regarding to 1st query : How does the firewall decide whether to change the source IP to its public or private IP address while applying SNAT with a DNAT rule matched?
Azure Firewall decides which IP to use for SNAT based on where the DNAT rule is sending the traffic. If the DNAT rule points to a public IP (like the public load balancer’s frontend IP in the workaround diagram), the firewall uses its own public IP as the source.
If it points to a private IP (like a VM or an internal load balancer), it uses one of its private IPs from the AzureFirewallSubnet. This way, traffic flows symmetrically and is handled correctly in both directions.
For the 2nd query: If the load balancer was internal, would it change the source IP to its private IP address? Is it based on the IP address I am translating it to? If translated IP is public, does the FW change source to its public, and if it is private, does it change source to its private IP address (address from firewall subnet)?
Yes, the internal load balancer uses a private frontend IP & the firewall will use one of its own private IPs from the AzureFirewallSubnet for SNAT, as long as the DNAT rule is applied sending traffic to that private IP.
In addition to the translated IP in the DNAT rule: If it’s public (like a public load balancer’s frontend IP), the firewall uses its public IP as the SNAT source.
If it’s private (like an internal load balancer or VM’s private IP), it uses a private IP from its subnet. This approach keeps the traffic flowing in the right direction and avoids routing issues.
Hope the above answer helps! Please let us know if you have any further queries.Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to community members.
-
Priya ranjan Jena 265 Reputation points Microsoft External Staff Moderator
2025-08-14T08:53:32.31+00:00 Hi Peter,
If you find above comment as helpful, please “up-vote” for the information provided , this can be beneficial to community members.
Please let us know if you have any further queries.
Thanks
-
Priya ranjan Jena 265 Reputation points Microsoft External Staff Moderator
2025-08-18T01:47:02.0866667+00:00 Hi Peter,
Please share your update on above comments please.
Sign in to comment
Sign in to answer