Hi, “SNAT private ranges” is just the list of destinations the firewall must treat as private → for those prefixes SNAT is skipped and the original source IP is preserved. The name is historical: by default the list contains the IANA private ranges (10/8, 172.16/12, 192.168/16, plus 100.64/10). The engine doesn’t enforce “private-only”: you can add any CIDR, including public ones (as you did with 20.30.0.0/24). That tells Azure Firewall “don’t SNAT when going to these addresses.”
Use with care: skipping SNAT only works when the destination has a return route to your original source IPs (e.g., on-prem via VPN/ExpressRoute, partner prefixes reachable over a private circuit, other VNets/DMZ NVAs). If you exclude general Internet prefixes, most sites won’t be able to route replies to your private sources and flows will fail or look asymmetric.
So: the field is called “privateRanges” because it defines addresses to treat as private (no SNAT). It’s valid to put public CIDRs there, but do it only when those “public” ranges are actually privately reachable and can route back without NAT.
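An added example (not part of the original answer, and not Azure's own code): a small Python model of the rule described above, plus an audit that flags list entries outside the default ranges that have no known return route. The `RETURN_ROUTED` list and the 203.0.113.0/24 entry are constructed assumptions; in practice the operator supplies the prefixes that can actually route back to the original sources (VPN/ExpressRoute, peered VNets).

```python
import ipaddress

# Default list as stated in the answer above.
DEFAULT_PRIVATE = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def parse_ranges(entries):
    """Parse CIDR strings into IPv4 networks (host bits tolerated)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]

def snat_applied(dest, private_ranges):
    """Model of the rule: SNAT is skipped when dest falls in any listed range."""
    ip = ipaddress.ip_address(dest)
    return not any(ip in net for net in private_ranges)

def audit(private_ranges, return_routed):
    """Label each entry so non-default ranges without a known return route stand out."""
    findings = {}
    for net in private_ranges:
        if any(net.subnet_of(d) for d in DEFAULT_PRIVATE):
            findings[str(net)] = "default-private"
        elif any(net.subnet_of(r) for r in return_routed):
            findings[str(net)] = "no-snat-return-route-known"
        else:
            findings[str(net)] = "no-snat-NO-return-route"
    return findings

# Constructed sample: defaults + the 20.30.0.0/24 from the thread + a doc-range entry.
CONFIGURED = parse_ranges(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                           "100.64.0.0/10", "20.30.0.0/24", "203.0.113.0/24"])
# Assumption: prefixes known to route back to the original sources.
RETURN_ROUTED = parse_ranges(["20.30.0.0/24"])

if __name__ == "__main__":
    for cidr, label in audit(CONFIGURED, RETURN_ROUTED).items():
        print(f"{cidr:18} {label}")
    for dest in ("10.1.2.3", "20.30.0.5", "198.51.100.7"):
        print(dest, "SNAT" if snat_applied(dest, CONFIGURED) else "source preserved")
```

Entries labelled `no-snat-NO-return-route` are the ones to review: traffic to them leaves with the original private source IP, so replies fail unless a return path exists.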