|
| 1 | +--- |
| 2 | +title: How to set up and monitor Azure Firewall DNAT rules for secure traffic management |
| 3 | +description: Learn how to configure and monitor Azure Firewall DNAT rules to securely manage incoming traffic by translating destination IP addresses and ports, including support for FQDN filtering for dynamic backend configurations. |
| 4 | +services: firewall |
| 5 | +author: duongau |
| 6 | +ms.service: azure-firewall |
| 7 | +ms.topic: concept-article |
| 8 | +ms.date: 4/29/2025 |
| 9 | +ms.author: duau |
| 10 | +ms.custom: ai-usage |
| 11 | +--- |
| 12 | + |
| 13 | +# How to set up and monitor Azure Firewall DNAT rules for secure traffic management |
| 14 | + |
| 15 | +Azure Firewall DNAT (Destination Network Address Translation) rules are used to filter and rout inbound traffic. They allow you to translate the public-facing destination IP address and port of incoming traffic to a private IP address and port within your network. This is useful when you want to expose a service running on a private IP (such as a web server or SSH endpoint) to the internet or another network. |
| 16 | + |
| 17 | +A DNAT rule specifies: |
| 18 | +- **Source**: The source IP address or IP group from which the traffic originates. |
| 19 | +- **Destination**: The destination IP address of the Azure Firewall instance. |
| 20 | +- **Protocol**: The protocol used for the traffic (TCP or UDP). |
| 21 | +- **Destination port**: The port on the Azure Firewall instance that receives the traffic. |
| 22 | +- **Translated address**: The private IP address or FQDN to which the traffic should be routed. |
| 23 | +- **Translated port**: The port on the translated address to which the traffic should be directed. |
| 24 | + |
| 25 | +When a packet matches the DNAT rule, Azure Firewall modifies the packet's destination IP address and port according to the rule before forwarding it to the specified backend server. |
| 26 | + |
| 27 | +Azure Firewall supports *FQDN filtering* in DNAT rules, allowing you to specify a fully qualified domain name (FQDN) as the target for translation instead of a static IP address. This enables dynamic backend configurations and simplifies management in scenarios where the backend server's IP address can change frequently. |
| 28 | + |
| 29 | +## Prerequisites |
| 30 | + |
| 31 | +- An Azure subscription. If you don't have an Azure subscription, [create a free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin. |
| 32 | +- An Azure Firewall instance. |
| 33 | +- An Azure Firewall policy. |
| 34 | + |
| 35 | +## Create a DNAT rule |
| 36 | + |
| 37 | +1. In the Azure portal, navigate to your Azure Firewall instance. |
| 38 | + |
| 39 | +1. In the left pane, select **Rules**. |
| 40 | + |
| 41 | +1. Select **DNAT rules**. |
| 42 | + |
| 43 | +1. Select **+ Add DNAT rule collection**. |
| 44 | + |
| 45 | +1. In the **Add a rule collection** pane, provide the following information: |
| 46 | + |
| 47 | + :::image type="content" source="./media/dnat-rule/add-rule-collection-fqdn.png" alt-text="Screenshot showing a DNAT rule created in a rule collection using an FQDN for the translated address."::: |
| 48 | + |
| 49 | + - **Name**: Enter a name for the DNAT rule collection. |
| 50 | + - **Priority**: Specify a priority for the rule collection. Lower numbers indicate higher priority. The range is 100-65000. |
| 51 | + - **Action**: Destination Network Address Translation (DNAT) (default). |
| 52 | + - **Rule collection group**: This is the name of the rule collection group that contains the DNAT rule collection. You can select a default group or one you created earlier. |
| 53 | + - **Rules**: |
| 54 | + - **Name**: Enter a name for the DNAT rule. |
| 55 | + - **Source type**: Select **IP Address** or [**IP Group**](create-ip-group.md). |
| 56 | + - **Source**: Enter the source IP address or select an IP group. |
| 57 | + - **Protocol**: Select the protocol (TCP or UDP). |
| 58 | + - **Destination Ports**: Enter the destination port or port range (For example: single port 80, port range 80-100, or multiple ports 80,443). |
| 59 | + - **Destination (Firewall IP address)**: Enter the destination IP address of the Azure Firewall instance. |
| 60 | + - **Translated type**: Select **IP Address** or **FQDN**. |
| 61 | + - **Translated address or FQDN**: Enter the translated IP address or FQDN. |
| 62 | + - **Translated port**: Enter the translated port. |
| 63 | + |
| 64 | +1. Repeat step 5 for extra rules as needed. |
| 65 | + |
| 66 | +1. Select **Add** to create the DNAT rule collection. |
| 67 | + |
| 68 | +## Monitor and validate DNAT rules |
| 69 | + |
| 70 | +Once you've created DNAT rules, you can monitor and troubleshoot them using the **AZFWNatRule** log. This log provides detailed insights into the DNAT rules applied to incoming traffic, including: |
| 71 | + |
| 72 | +- **Timestamp**: The exact time the traffic flow occurred. |
| 73 | +- **Protocol**: The protocol used for communication (For example, TCP or UDP). |
| 74 | +- **Source IP and port**: Information about the originating traffic source. |
| 75 | +- **Destination IP and port**: The original destination details before translation. |
| 76 | +- **Translated IP and port**: The resolved IP address (if using FQDN) and the target port after translation. |
| 77 | + |
| 78 | +It's important to note the following when you're analyzing the **AZFWNatRule** log: |
| 79 | + |
| 80 | +- **Translated field**: For DNAT rules using FQDN filtering, the logs display the resolved IP address in the translated field instead of the FQDN. |
| 81 | +- **Private DNS zones**: Supported only within virtual networks (VNets). This feature isn't available for virtual WAN SKUs. |
| 82 | +- **Multiple IPs in DNS resolution**: If an FQDN resolves to multiple IP addresses in a private DNS zone or custom DNS servers, Azure Firewall's DNS proxy selects the first IP address from the list. This behavior is by design. |
| 83 | +- **FQDN resolution failures**: |
| 84 | + - If Azure Firewall can't resolve an FQDN, the DNAT rule doesn't get match, so the traffic isn't processed. |
| 85 | + - These failures are logged in **AZFWInternalFQDNResolutionFailure** logs only if DNS proxy is enabled. |
| 86 | + - Without DNS proxy enabled, resolution failures aren't logged. |
| 87 | + |
| 88 | +### Key considerations |
| 89 | + |
| 90 | +The following considerations are important when using DNAT rules with FQDN filtering: |
| 91 | + |
| 92 | +- **Private DNS zones**: Only supported within the virtual network and not with Azure Virtual WAN. |
| 93 | +- **Multiple IPs in DNS resolution**: Azure Firewall's DNS proxy always selects the first IP address from the resolved list (Private DNS zone or custom DNS server). This is an expected behavior. |
| 94 | + |
| 95 | +Analyzing these logs can help diagnose connectivity issues and ensure traffic is routed correctly to the intended backend. |
| 96 | + |
| 97 | +## Next steps |
| 98 | + |
| 99 | +- Learn how to monitor Azure Firewall logs and metrics using [Azure Monitor](monitor-firewall.md). |
0 commit comments