Hi Peter Stieber,
Welcome to Microsoft Q&A and thank you for posting your query here!
Let me try to provide my insights here about the interaction between the configuration of your Azure Firewall when using 255.255.255.255/32 for forced SNAT and the Auto-learn IP Prefixes feature.
Using 255.255.255.255/32 for SNAT Enforcement: When you configure Azure Firewall with the private IP range 255.255.255.255/32, you're instructing it to apply Source Network Address Translation (SNAT) to all traffic, regardless of its destination. This setup ensures that every packet processed by network rules is SNATed without exception.
Auto-learn IP Prefixes Feature: This feature enables Azure Firewall to dynamically discover IP prefixes from routes and treat them as internal addresses. As a result, SNAT is not applied to traffic destined for these learned prefixes. However, to use this feature, the Azure Route Server must be deployed within the same virtual network as the Azure Firewall and properly configured to support prefix learning.
Precedence Between Configurations: In your scenario, the SNAT enforcement using 255.255.255.255/32 overrides the Auto-learn IP Prefixes behavior. Even if Azure Firewall learns certain internal IP prefixes, the forced SNAT configuration takes priority, meaning all outbound traffic will still be SNATed.
- Manual exclusions (like 255.255.255.255/32) take precedence over auto-learned IP prefixes.
So, you'd redirect all traffic through your firewall, and it will SNAT using its own private IP even if those learned prefixes are established.
Learn Document: https://learn.microsoft.com/en-us/azure/firewall/snat-private-range
If you found the above response helpful, please do not forget to "Accept the answer" and "Upvote it", as this can be beneficial to other community members.
Thank you again for your time. I'm happy to continue supporting you, and your engagement helps strengthen the community.
Thanks
Harish.
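The SNAT decision described in the answer above, as an added illustration that is not part of the original post or of Azure Firewall's own code: a small model of which destinations get SNATed for a given private-range list, with or without auto-learned prefixes. It assumes the `IANAPrivateRanges` keyword expands to the RFC 1918 blocks and, following the answer, that a manual 255.255.255.255/32 entry (assumed here to be the only configured range, as in the question's scenario) takes precedence over learned prefixes.

```python
import ipaddress
from typing import Iterable

# RFC 1918 blocks that the IANAPrivateRanges keyword stands for.
IANA_PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

# Sentinel from the answer: a /32 that never matches a real destination,
# so nothing is treated as "private" and every packet is SNATed.
FORCE_SNAT_RANGE = "255.255.255.255/32"


def expand_private_ranges(ranges: Iterable[str]) -> list[ipaddress.IPv4Network]:
    """Turn the configured SNAT private-range list into network objects.
    The IANAPrivateRanges keyword expands to the three RFC 1918 blocks."""
    nets: list[ipaddress.IPv4Network] = []
    for entry in ranges:
        if entry == "IANAPrivateRanges":
            nets.extend(ipaddress.ip_network(p) for p in IANA_PRIVATE_RANGES)
        else:
            nets.append(ipaddress.ip_network(entry))
    return nets


def will_snat(dst: str, private_ranges: list[str],
              learned_prefixes: Iterable[str] = ()) -> bool:
    """Hypothetical model of the SNAT decision for one destination.

    Destinations inside a configured private range are not SNATed.
    Auto-learned prefixes are also treated as internal, unless the
    manual 255.255.255.255/32 entry is configured, which (per the
    answer) wins over learned prefixes and forces SNAT on everything.
    Assumes 255.255.255.255/32 is used on its own, not mixed with other ranges.
    """
    dst_ip = ipaddress.ip_address(dst)
    if FORCE_SNAT_RANGE in private_ranges:
        return True  # forced SNAT: learned prefixes are ignored
    if any(dst_ip in net for net in expand_private_ranges(private_ranges)):
        return False  # destination is in a configured private range
    if any(dst_ip in ipaddress.ip_network(p) for p in learned_prefixes):
        return False  # destination is in an auto-learned internal prefix
    return True  # everything else (e.g. internet) is SNATed
```

Constructed destinations such as a learned 100.64.0.0/10 prefix show the difference: with `IANAPrivateRanges` the learned prefix is exempt from SNAT, while with 255.255.255.255/32 it is SNATed anyway.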