How can I add a DNAT rule in Azure Firewall policy for incoming traffic to a specific IP address with a port range?

Question

How can I add a DNAT rule in Azure Firewall policy for incoming traffic to a specific IP address with a port range?

Fernando F 20

I'm trying to add a DNAT (Destination Network Address Translation) rule in Azure Firewall policy for incoming traffic to a specific IP address with a port range but encountering an issue where can't add a port range, only single ports.

User's image

If this is not possible, what is the alternate way for doing this?

Alex Burlachenko 13,330 Reputation points Volunteer Moderator

2025-05-22T15:10:50.7333333+00:00

Dear Fernando,

Thank you for posting your question on the Q&A portal be sure it’s a great place to share and learn about Azure. I see you’re trying to set up a DNAT rule for incoming traffic with a port range, and I’d be happy to help clarify this for you.

First, Azure Firewall does support port ranges in DNAT rules, but there’s a small catch: the interface might show an error if the format isn’t exactly right. For example, when entering a range like "34000-35000," make sure there are no spaces or extra characters. The system expects it to be a clean, hyphen-separated range. If you’re still seeing the error, try re-typing it or checking for hidden formatting issues.

If the port range still doesn’t work, an alternative is to create multiple DNAT rules for smaller ranges or individual ports. While this isn’t as efficient, it’s a reliable workaround. Azure Firewall allows you to group these rules under the same rule collection for easier management. You can find more details about DNAT rule configuration in the Microsoft documentation on Azure Firewall DNAT.

Also, I noticed you’re translating the traffic to a Fully Qualified Domain Name (FQDN), which is a neat feature for dynamic destinations like time.windows.com. Just double-check that the FQDN is resolvable from your firewall’s network and that the translated port range matches your intended setup.

If you run into more issues, feel free to share the exact error message it might give us more clues. And don’t worry, Azure Firewall can be a bit tricky at first, but once you get the hang of it, it’s a powerful tool for managing traffic.

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/

Accepted answer

0 additional answers

Your answer

Alex Burlachenko 13,330 Reputation points Volunteer Moderator

2025-05-22T15:10:50.7333333+00:00

Dear Fernando,

Thank you for posting your question on the Q&A portal be sure it’s a great place to share and learn about Azure. I see you’re trying to set up a DNAT rule for incoming traffic with a port range, and I’d be happy to help clarify this for you.

First, Azure Firewall does support port ranges in DNAT rules, but there’s a small catch: the interface might show an error if the format isn’t exactly right. For example, when entering a range like "34000-35000," make sure there are no spaces or extra characters. The system expects it to be a clean, hyphen-separated range. If you’re still seeing the error, try re-typing it or checking for hidden formatting issues.

If the port range still doesn’t work, an alternative is to create multiple DNAT rules for smaller ranges or individual ports. While this isn’t as efficient, it’s a reliable workaround. Azure Firewall allows you to group these rules under the same rule collection for easier management. You can find more details about DNAT rule configuration in the Microsoft documentation on Azure Firewall DNAT.

Also, I noticed you’re translating the traffic to a Fully Qualified Domain Name (FQDN), which is a neat feature for dynamic destinations like time.windows.com. Just double-check that the FQDN is resolvable from your firewall’s network and that the translated port range matches your intended setup.

If you run into more issues, feel free to share the exact error message it might give us more clues. And don’t worry, Azure Firewall can be a bit tricky at first, but once you get the hang of it, it’s a powerful tool for managing traffic.

Best regards,

Alex

P.S. If my answer help to you, please Accept my answer

PPS That is my Answer and not a Comment

https://ctrlaltdel.blog/

Answer 1

Hello Fernando F

I understand that you're trying to specify the port range and facing challenges. Azure Firewall DNAT rules currently do not support specifying a port range.

Azure Firewall is a robust, cloud-native network security service that provides stateful firewall capabilities, including DNAT rules for inbound traffic. However, DNAT rules in Azure Firewall require explicit port mappings, meaning you cannot use wildcards or ranges for ports. This limitation necessitates creating a separate DNAT rule for each port.

Azure Firewall supports only 250 DNAT rules, if the requirement is below that- you could manually create a separate rule for each port in the Portal or use Azure CLI, PowerShell loop to automate the creation. If there are more than 250 rules, this approach is not feasible.

To overcome this limitation, you can leverage Azure Load Balancer if your goal is port forwarding - Unlike Azure Firewall, Load Balancer does not require explicit port mappings for NAT. Useful link to refer - https://learn.microsoft.com/en-us/azure/load-balancer/tutorial-load-balancer-port-forwarding-portal

This limitation is documented by Microsoft and feature request has been raised by the community- but as of now, port range support for DNAT rules is not yet available.

Refer https://learn.microsoft.com/en-us/answers/questions/2181441/why-does-azure-firewall-dnat-rules-does-not-allow

Please don’t forget to close the thread by clicking "Accept the answer" and "Yes" wherever the information provided helps you, as this can be beneficial to other community members.

Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-23T09:30:37.55+00:00

Hello Fernando F
Following up to see if the above information was helpful. And, if you have any further query do let us know.
Sindhuja Dasari 1,520 Reputation points Microsoft External Staff Moderator

2025-05-26T04:58:48.3166667+00:00

Hello Fernando F

Following up to see if the above information was helpful. And, if you have any further query do let us know.
Andrea Longhitano 155 Reputation points

2025-08-07T14:13:03.5366667+00:00

Hello @sindhuja Dasari , I understand your solution. What If I need to log traffic? Is there a way to force traffic going through firewall and enable IPS functionality?Thanks,

Andrea

Share via

How can I add a DNAT rule in Azure Firewall policy for incoming traffic to a specific IP address with a port range?

0 additional answers

Your answer