Last Update: Sep 04, 2024 | Published: Feb 12, 2019
Most people use the term NAT to describe sharing a service through a firewall. Microsoft calls it Destination Network Address Translation (DNAT) in its documentation, but a NAT rule in the Azure Portal; I will just use the commonly employed term, NAT.
The goal of NAT is to publish an otherwise private service, through a firewall, via an IP address. Typically, a NAT rule will contain settings such as:
Using different external port numbers allows an internal port number to be used across many services. For example, TCP 3389 on Server1 might be shared as TCP 50001 on the firewall, and Server2 might be shared as TCP 50002. The remote desktop client will connect to TCP 50002 on the firewall’s external address to connect to Server2.
A NAT rule contains the following criteria to pattern-match traffic coming into the firewall. If traffic matches the protocol, source and destination patterns, then it will be forwarded to the translated address and port:
NAT rules are grouped into NAT rule collections; even a single NAT rule must reside in a NAT rule collection. I have not seen any best practices from Microsoft on this part of the design, but I would suggest placing similar rules together in a single NAT rule collection.
The NAT rule collection has the following two properties:
Priority allows you to list collections in order from high priority (specific rules) to low priority (general rules). A typical good practice is to stagger the priorities, such as 100, 200, 300, so you can drop in a rule with a priority of 150 without having to renumber existing rule collections.
You can create NAT rules in the Azure Portal; start by opening the Public IP Address (PIP) resource of the Azure Firewall and noting its address; you will need this to create the NAT rules.
Open your Azure Firewall resource and browse to Rules. Open NAT Rule Collection (the default location in Rules) and click + Add NAT Rule Collection.
Enter the properties of the NAT Rule Collection, specifying its name and priority versus other NAT Rule Collections.
Then add a rule for each NAT rule that you require. In the below example, I am publishing two services to the Internet. I am only allowing connections from a specific range of IPv4 addresses (the CIDR block of my on-premises firewall). RDP (TCP 3389) will be published on TCP 50001 of the firewall’s PIP, and SSH (TCP 22) will be published on TCP 50002 of the firewall’s PIP. Each connection is forwarded to a different “jump box” virtual machine.
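The same two-rule NAT rule collection built with the Az PowerShell module instead of the Portal, as an added example that is not part of the original post. The resource group, firewall, PIP and jump box names, the on-premises CIDR (203.0.113.0/24, a documentation range) and the jump box private addresses are all assumed values.

```powershell
# Added example: publish RDP and SSH to two jump boxes through Azure Firewall NAT rules.
# Assumed names and addresses; replace with your own.
$rgName     = 'rg-hub'
$fwName     = 'fw-hub'
$pipName    = 'pip-fw-hub'
$onPremCidr = '203.0.113.0/24'   # only the on-premises firewall's public range may connect

# The firewall's public IP address is the destination that every NAT rule matches on
$pip        = Get-AzPublicIpAddress -ResourceGroupName $rgName -Name $pipName
$fwPublicIp = $pip.IpAddress

# RDP: TCP 50001 on the PIP is translated to jump box 1 on TCP 3389
$rdpRule = New-AzFirewallNatRule -Name 'Allow-RDP-JumpBox1' `
    -Protocol 'TCP' `
    -SourceAddress $onPremCidr `
    -DestinationAddress $fwPublicIp `
    -DestinationPort '50001' `
    -TranslatedAddress '10.0.1.4' `
    -TranslatedPort '3389'

# SSH: TCP 50002 on the PIP is translated to jump box 2 on TCP 22
$sshRule = New-AzFirewallNatRule -Name 'Allow-SSH-JumpBox2' `
    -Protocol 'TCP' `
    -SourceAddress $onPremCidr `
    -DestinationAddress $fwPublicIp `
    -DestinationPort '50002' `
    -TranslatedAddress '10.0.1.5' `
    -TranslatedPort '22'

# Both rules share one collection; priority 100 leaves room (150, 200, ...) for later collections
$jumpBoxCollection = New-AzFirewallNatRuleCollection -Name 'JumpBox-NAT' `
    -Priority 100 `
    -Rule $rdpRule, $sshRule

# Attach the collection to the firewall and commit the change
$azFw = Get-AzFirewall -ResourceGroupName $rgName -Name $fwName
$azFw.AddNatRuleCollection($jumpBoxCollection)
Set-AzFirewall -AzureFirewall $azFw
```

Set-AzFirewall commits the whole firewall object, so run Get-AzFirewall immediately before editing to avoid overwriting collections changed elsewhere.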
When traffic comes into your firewall and a matching NAT rule is found, an implicit network rule is created to allow the traffic. If you wish, you can also create Network Rules (in Network Rule Collections) to explicitly allow this traffic or to create very granular deny rules.