Outbound traffic flow with Azure Firewall & NAT Gateway

Question

Outbound traffic flow with Azure Firewall & NAT Gateway

Peter Stieber 245

I have a spoke VNet that’s peered with a hub VNet. The hub contains an Azure Firewall, and the firewall subnet has a NAT Gateway associated with it.

I’m trying to understand the traffic flow when a VM in the spoke initiates a connection to an Internet destination (and the traffic is allowed).

How many times does the source IP get translated?

Does the Azure Firewall perform SNAT (changing the source to its own public IP), or does it leave the source as-is?

Since the NAT Gateway is in place, will the source IP be changed twice — first by the firewall, and then again by the NAT Gateway — or only once to the NAT Gateway’s public IP?

Peter Stieber 245 Reputation points

2025-08-14T06:04:51.1966667+00:00

Why when I issue curl ifconfig.me on the VM I see that NAT gateway public IP addresses is used for outbound ? :)
Peter Stieber 245 Reputation points

2025-08-14T06:09:54.6733333+00:00

I think I found the answer
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-14T06:30:25.4166667+00:00
Hi Peter Stieber

Great to hear you have found the answer.

When a NAT Gateway is associated with the Azure Firewall subnet, Azure Firewall sends outbound traffic using its private IP, and the NAT Gateway performs SNAT.

This is by design and overrides the firewall’s own public IP.

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

1 answer

Your answer

Peter Stieber 245 Reputation points

2025-08-14T06:04:51.1966667+00:00

Why when I issue curl ifconfig.me on the VM I see that NAT gateway public IP addresses is used for outbound ? :)
Peter Stieber 245 Reputation points

2025-08-14T06:09:54.6733333+00:00

I think I found the answer
G Sree Vidya 4,250 Reputation points Microsoft External Staff Moderator

2025-08-14T06:30:25.4166667+00:00

Hi Peter Stieber

Great to hear you have found the answer.

When a NAT Gateway is associated with the Azure Firewall subnet, Azure Firewall sends outbound traffic using its private IP, and the NAT Gateway performs SNAT.

This is by design and overrides the firewall’s own public IP.

If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

Answer 1

Hello Peter Stieber

It looks like you're trying to understand the outbound traffic flow when a VM in a spoke VNet connects to the internet through an Azure Firewall and NAT Gateway setup.

Please check the below details:

1.Traffic Flow and NAT Behavior in VM in Spoke VNet initiates outbound traffic:

Traffic is routed to the Azure Firewall in the hub via VNet peering.

2.Azure Firewall processes the traffic, If the firewall allows the traffic, it will perform SNAT (Source Network Address Translation) unless:

The destination is within the same VNet or peered VNet.

You’ve configured Network Rules with “Translate” disabled (only possible with DNAT).

For Internet-bound traffic, Azure Firewall will perform SNAT by default, using its own public IP.

3.NAT Gateway on the firewall subnet:

Does not apply to traffic already SNAT’d by the Azure Firewall.

NAT Gateway only applies to resources in the subnet that are not performing their own SNAT.

Since Azure Firewall already SNATs the traffic, NAT Gateway does not re-SNAT it.

so Final Summary is the VM’s private IP is replaced by the Azure Firewall’s public IP and the NAT Gateway does not perform SNAT on traffic already processed by the firewall.

The final source IP seen by the Internet destination is the Azure Firewall’s public IP, not the NAT Gateway’s.

I hope this helps! If these answers your query, do click the "Upvote" of which might be beneficial to other community members reading this thread.

If the above is unclear or you are unsure about something, please add a comment below.

Share via

Outbound traffic flow with Azure Firewall & NAT Gateway

1 answer

Your answer