Clarification on Public IP Addresses and DNAT Rules in Azure Firewall

MatthewHendry-4985 25 Reputation points
2025-07-14T20:49:29.3833333+00:00

Documentation mentions that the number of public IP addresses attached to a Firewall and the unique destinations in DNAT rules both contribute to the total limit of 250 public IP addresses. I have confusion regarding how DNAT rules operate.

  1. Does the use of a public IP address in a DNAT rule reserve that PIP only for use in DNAT flows?
    1. As I understand it, when the Azure Firewall performs SNAT, it selects a public IP address randomly. Is there a mechanism to prevent the Firewall from using a public IP address already included in a DNAT rule for SNAT? Or are all public IP addresses available for SNAT as long as there isn't active traffic flowing through a specific DNAT rule on that IP?
  2. In the past there has been documentation stating that each "unique destination" (PIP + port) contributes to the 250 limit. This seems contradictory; if the limit refers to public IP addresses, how do two DNAT rules with the same public IP but different ports impact the count twice? E.g. 1 PIP allocated to a Firewall with 2 DNAT rules using it on different ports results in 248 PIPs left to be allocated to the Firewall. (Rather than 249, which is what would be expected.)

My understanding based on the documentation would be that you need to determine how many SNAT ports you need, allocate X amount of public IPs based on that. Then that amount subtracted from 250 would give you however many unique destination DNAT rules you can have. But if that is the case, it is not clear from the documentation as to why that is.

Or is it simply that since you have to have PIP to use in a DNAT rule, of course the total number of PIPs has to decrease? (This still would not solve the confusion around the "unique destinations" scenario.)

Thanks!

Azure Firewall

Accepted answer
  1. G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator
    2025-07-14T23:31:50.7166667+00:00

    Hello MatthewHendry-4985

    Please check below details on DNAT rules and brief:

    1. Does the use of a public IP address in a DNAT rule reserve that PIP only for use in DNAT flows?

    No, a public IP address used in a DNAT rule is not reserved exclusively for DNAT flows. All public IP addresses associated with the Azure Firewall are available for both DNAT (inbound) and SNAT (outbound) operations, unless explicitly configured otherwise (e.g., by using a NAT Gateway for SNAT). See https://learn.microsoft.com/en-us/azure/firewall/features

    Explanation: Azure Firewall does not segregate public IP addresses between DNAT and SNAT. A public IP used in a DNAT rule can still be selected randomly for SNAT unless the DNAT rule is actively handling traffic, in which case port availability may influence SNAT selection (see next question). This is why Microsoft recommends allowing all associated public IPs in downstream filtering.

    2. Azure Firewall randomly selects from its pool of public IP addresses for SNAT, and this selection is independent of DNAT rule usage. However, Azure Firewall is stateful, so it avoids port conflicts by tracking active connections.

    For example, if a DNAT rule uses a specific public IP and port (e.g., 13.xx.xxx.xxx:3389), SNAT will not use that exact IP/port combination for outbound traffic while the DNAT connection is active.

    To ensure a specific public IP is used for SNAT (and avoid DNAT IPs), you can integrate a NAT Gateway with the firewall’s subnet, which will handle all outbound traffic using the NAT Gateway’s public IP(s). Refer: https://learn.microsoft.com/en-us/azure/firewall/integrate-with-nat-gateway

    3. The 250 limit refers to the combined total of public IP addresses and unique destinations (where a unique destination is a public IP + port + protocol combination in a DNAT rule). Each DNAT rule with a distinct port counts as a separate unique destination, even if it uses the same public IP, because each rule consumes firewall resources for stateful tracking. Thus, one public IP with two DNAT rules (different ports) counts as one public IP + two unique destinations, reducing the remaining limit by three (250 - 3 = 247).

    One of the challenges with using a large number of public IP addresses with Azure Firewall is when there are downstream IP address filtering requirements. Azure Firewall randomly selects the source public IP address to use for a connection, so you need to allow all public IP addresses associated with it. Even if you use Public IP address prefixes and you need to associate 250 public IP addresses to meet your outbound SNAT port requirements, you still need to create and allow 16 public IP address prefixes.

    As of today, Azure Firewall doesn't allow selection of a dedicated Public IP for SNAT outbound connections, and the IP address is selected randomly.


    Hope this clears things up! If you have more specific scenarios or need further assistance, feel free to ask!

    If the above is unclear or you are unsure about something, please add a comment below. If an answer has been helpful, please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!

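As an added example that is not part of either answer, the Python helper below applies the counting rule the accepted answer gives (attached public IPs plus unique public IP + port + protocol DNAT destinations against the 250 limit) and builds the downstream allow-list that the answer says must cover every attached PIP because SNAT picks any of them. The firewall IPs and DNAT rules are constructed sample data from the 203.0.113.0/24 documentation range, not a real deployment.

```python
import ipaddress
from collections import namedtuple

# Combined limit of public IPs + unique DNAT destinations quoted in the answers above.
PUBLIC_IP_LIMIT = 250

DnatRule = namedtuple("DnatRule", "name dest_ip dest_port protocol")

# Constructed sample: three PIPs attached to one firewall (placeholder addresses).
FIREWALL_PUBLIC_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]

# Constructed sample DNAT rules; the duplicate rule shares a destination and is counted once.
DNAT_RULES = [
    DnatRule("rdp-jump", "203.0.113.10", 3389, "TCP"),
    DnatRule("https-app", "203.0.113.10", 443, "TCP"),
    DnatRule("https-app-dup", "203.0.113.10", 443, "TCP"),
    DnatRule("ssh-admin", "203.0.113.11", 22, "TCP"),
]


def unique_destinations(rules):
    """A destination is the (public IP, port, protocol) tuple of a DNAT rule."""
    return {(r.dest_ip, int(r.dest_port), r.protocol.upper()) for r in rules}


def limit_consumption(public_ips, rules):
    """Count attached PIPs plus unique DNAT destinations, per the accepted answer."""
    dests = unique_destinations(rules)
    unattached = {ip for ip, _, _ in dests} - set(public_ips)
    if unattached:  # a DNAT rule can only target a PIP attached to the firewall
        raise ValueError(f"DNAT rules reference unattached IPs: {sorted(unattached)}")
    used = len(set(public_ips)) + len(dests)
    return {"public_ips": len(set(public_ips)), "unique_destinations": len(dests),
            "used": used, "remaining": PUBLIC_IP_LIMIT - used}


def downstream_allow_list(public_ips):
    """Smallest CIDR set a downstream filter must allow, since SNAT may use any attached PIP."""
    nets = [ipaddress.ip_network(ip) for ip in public_ips]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(limit_consumption(FIREWALL_PUBLIC_IPS, DNAT_RULES))
    print(downstream_allow_list(FIREWALL_PUBLIC_IPS))
```

The second function generalizes the "allow all associated public IPs" advice to any attached set by collapsing adjacent addresses into prefixes.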

  1. Alex Burlachenko 13,330 Reputation points Volunteer Moderator
    2025-07-15T13:53:55.66+00:00

    Matthew thanks for dropping this question, yes, when u use a public ip in a dnat rule, azure firewall reserves that ip specifically for dnat flows. it won't randomly pick that same ip for snat, even if no traffic is currently hitting the dnat rule. think of it like reserving a parking spot - once it's taken, others can't use it )) https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#how-does-azure-firewall-handle-nat-traffic

    now about the 250 limit - it's actually two separate things adding up

    1. all public ips attached to the firewall (whether used for snat or dnat)

    2. each unique 'destination' in dnat rules (meaning pip + port combo counts as one)

    so if u have 1 pip with two dnat rules on different ports, that counts as 2 against the 250 limit. why? because azure firewall treats each destination as a separate entry in its internal tables. it's not just about the raw ip count.

    check this example from the docs https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#can-i-deploy-multiple-azure-firewalls-in-a-single-virtual-network

    as for planning, calculate how many snat ports u need first, then allocate those ips. subtract that number from 250 to see how many dnat 'destinations' u can have. remember each pip in dnat rules also counts toward the total

    Many cloud firewalls have similar concepts about ip allocation. worth looking into how aws or gcp handle their nat rules if u ever work with those ))

    the 'unique destination' counting can feel weird at first, but it's actually helpful. it means u can have multiple services on the same ip, just different ports, without eating up all your ip quota.

    here's another doc that shows some examples https://docs.microsoft.com/en-us/azure/firewall/overview#azure-firewall-features

    hope this clears things up

    Best regards,

    Alex

    and "yes" if you would follow me at Q&A - personally thx.
    P.S. If my answer helped you, please Accept my answer

    https://ctrlaltdel.blog/
