Azure Firewall Policy API - SNAT ranges

Peter Stieber 245 Reputation points
2025-08-20T11:29:15.55+00:00

Is there a way to get SNAT range information from the API, especially when a firewall uses a base policy that has a parent policy?

When I enable “Use the IP ranges defined in parent policy”, the API response for that policy does not include any information about it. That means I cannot tell whether the policy is inheriting SNAT settings from the parent, or if it is just falling back to the default SNAT behavior (which also isn’t shown in the response).

[Screenshot: policy with default SNAT settings]

[Screenshot: policy that inherits SNAT settings from parent policy]

You can check the SNAT settings in the parent policy, but the API still doesn’t tell you whether the child policy is actually inheriting them.

From what I see, SNAT settings for a policy are only visible if you explicitly configure them (Always, Never, or manual IP ranges). Otherwise, the API result does not contain the SNAT property.

[Screenshot: example where SNAT settings are configured to always]

How can I determine whether a policy is using default SNAT settings or inheriting them from the parent?

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.

Accepted answer
  1. Pranitha Maddi 395 Reputation points Microsoft External Staff Moderator
    2025-08-21T04:31:01.4766667+00:00

    Hi Peter Stieber,

    Welcome to Microsoft QnA Portal and thanks for posting your query!

    Please find the solution for the Azure Firewall Policy API and how to get SNAT range information, especially when using a child policy that inherits SNAT settings from a parent policy.

    Here’s what’s happening:

    • When you enable “Use the IP ranges defined in parent policy” for SNAT on a child policy, the API response for that child policy does not include SNAT details. Because of this, the API cannot directly tell you whether the child is inheriting SNAT settings from the parent or just using the default SNAT behavior.
    • The API only shows SNAT settings if they’re explicitly configured on a policy, such as “Always,” “Never,” or specific manual IP ranges.
    • If SNAT settings are inherited or defaulted, the SNAT property won’t appear in the API result of the child policy.
    • To determine what SNAT settings apply, you need to manually check the parent policy’s SNAT configuration. If the parent has SNAT settings, the child policy inherits them; otherwise, the default SNAT behavior applies.

    Unfortunately, the API does not have a clear flag or property to say “this child policy is inheriting SNAT” or not.

    Useful documents:

    https://learn.microsoft.com/en-us/azure/firewall/snat-private-range

    https://learn.microsoft.com/en-us/rest/api/virtualnetwork/firewall-policies/get?view=rest-virtualnetwork-2024-05-01&tabs=HTTP

    Please do not forget to “Accept the answer” and “upvote it” wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

    Thanks,

    Pranitha
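
The manual check described in the accepted answer, as an added example that is not part of the original thread or Microsoft's code. It assumes the policy bodies were already fetched with the Firewall Policies Get call and reads `properties.snat.privateRanges` and `properties.basePolicy.id`; the function names, resource IDs and sample policies are constructed for illustration.

```python
# Added example (not from the thread). Resolves which SNAT settings apply to a
# policy by the rule in the accepted answer: own snat block, else parent's, else default.

def classify(ranges):
    # Sentinel values per the linked SNAT private range documentation.
    if ranges == ["255.255.255.255/32"]:
        return "always"
    if ranges == ["0.0.0.0/0"]:
        return "never"
    return "custom"

def effective_snat(policy_id, policies):
    """policies maps resource ID -> GET response body (dict), fetched beforehand."""
    by_id = {k.lower(): v for k, v in policies.items()}  # ARM IDs are case-insensitive
    current, seen = policy_id.lower(), set()
    while current and current not in seen:  # 'seen' guards against a reference loop
        seen.add(current)
        if current not in by_id:
            raise KeyError(f"policy body not supplied: {current}")
        props = by_id[current].get("properties", {})
        snat = props.get("snat")
        if snat is not None:  # the API only returns this when explicitly configured
            ranges = snat.get("privateRanges", [])
            source = "explicit" if len(seen) == 1 else "parent"
            return {"source": source, "defined_in": current,
                    "mode": classify(ranges), "private_ranges": ranges}
        current = ((props.get("basePolicy") or {}).get("id") or "").lower()
    return {"source": "default", "defined_in": None,
            "mode": "default", "private_ranges": None}

# Constructed sample data: placeholder subscription and resource names.
_BASE = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
         "rg-example/providers/Microsoft.Network/firewallPolicies/")
PARENT, CHILD, ORPHAN = _BASE + "parent-policy", _BASE + "child-policy", _BASE + "standalone"
SAMPLE = {
    PARENT: {"properties": {"snat": {"privateRanges": ["255.255.255.255/32"]}}},
    CHILD: {"properties": {"basePolicy": {"id": PARENT.upper()}}},  # no snat property
    ORPHAN: {"properties": {}},                                      # no snat, no parent
}

if __name__ == "__main__":
    for pid in (PARENT, CHILD, ORPHAN):
        r = effective_snat(pid, SAMPLE)
        print(pid.rsplit("/", 1)[1], "->", r["source"], r["mode"])
```

A "parent" result reflects the rule stated in the answer; the API itself returns no inheritance flag that would confirm it.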
