Azure Firewall - SNAT

Question

Azure Firewall - SNAT

Peter Stieber 180

When a DNAT rule is matched in Azure Firewall, is source NAT (SNAT) always applied — regardless of the SNAT configuration defined in Azure Firewall SNAT behavior for private IP ranges?
Does Azure Firewall always apply SNAT when the destination is a public IP address, even if SNAT is explicitly set to "never"? In my lab testing, I observe that SNAT is still applied in such cases. I have a UDR on FW subnet that redirects traffic for specific public IP ranges to another NVA, and the firewall still performs SNAT even when it's configured not to
When FW is in forced tunneling mode ( no public IP ) does it always SNAT the traffic regardless of what is configured in FW SNAT settings ?

Peter Stieber 180 Reputation points

2025-07-22T10:02:39.02+00:00
I'm a bit confused by this comment: "SNAT is applied even when a DNAT rule is matched, unless explicitly configured otherwise." My understanding is that SNAT is always applied when a DNAT rule is matched, regardless of the firewall's SNAT settings. Is it actually possible to match a DNAT rule and not apply SNAT to the traffic? I was under the impression that the SNAT settings in the firewall only apply to network rules, and that application rules and DNAT rules always result in SNAT

So if FW is in forced tunneling mode does that mean I cannot configure a DNAT rule to translate the firewall’s private IP to an internal destination?
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-23T00:14:56.5566667+00:00

Hello

Apologies for the inconvenience caused,

Is it actually possible to match a DNAT rule and not apply SNAT to the traffic?

No, it is not possible. SNAT is always applied in DNAT scenarios, regardless of the SNAT settings configured in the firewall.

There is no supported configuration in Azure Firewall that allows you to match a DNAT rule and not apply SNAT.2.In forced tunneling mode, Azure Firewall still performs SNAT, typically to one of its private IPs to maintain session state.

However, DNAT is not supported in forced tunneling mode unless the firewall is deployed with a public IP on a management NIC.

Can I configure a DNAT rule to translate the firewall’s private IP to an internal destination in forced tunneling mode?

No, not unless the firewall has a public IP on a management NIC. Without it, DNAT is unsupported in forced tunneling mode.

I hope this is clear ! and do let me know if you have further queries
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-23T23:12:43.02+00:00

Hi Peter Stieber

I am following up on this thread and wanted to check if you had a chance to review the information we posted in the comments.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-24T22:36:51.22+00:00

Hi Peter Stieber

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.

1 answer

Your answer

Peter Stieber 180 Reputation points

2025-07-22T10:02:39.02+00:00

I'm a bit confused by this comment: "SNAT is applied even when a DNAT rule is matched, unless explicitly configured otherwise." My understanding is that SNAT is always applied when a DNAT rule is matched, regardless of the firewall's SNAT settings. Is it actually possible to match a DNAT rule and not apply SNAT to the traffic? I was under the impression that the SNAT settings in the firewall only apply to network rules, and that application rules and DNAT rules always result in SNAT

So if FW is in forced tunneling mode does that mean I cannot configure a DNAT rule to translate the firewall’s private IP to an internal destination?
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-23T00:14:56.5566667+00:00

Hello

Apologies for the inconvenience caused,

Is it actually possible to match a DNAT rule and not apply SNAT to the traffic?

No, it is not possible. SNAT is always applied in DNAT scenarios, regardless of the SNAT settings configured in the firewall.

There is no supported configuration in Azure Firewall that allows you to match a DNAT rule and not apply SNAT.2.In forced tunneling mode, Azure Firewall still performs SNAT, typically to one of its private IPs to maintain session state.

However, DNAT is not supported in forced tunneling mode unless the firewall is deployed with a public IP on a management NIC.

Can I configure a DNAT rule to translate the firewall’s private IP to an internal destination in forced tunneling mode?

No, not unless the firewall has a public IP on a management NIC. Without it, DNAT is unsupported in forced tunneling mode.

I hope this is clear ! and do let me know if you have further queries
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-23T23:12:43.02+00:00

Hi Peter Stieber

I am following up on this thread and wanted to check if you had a chance to review the information we posted in the comments.

Please let us know if you have any questions or concerns. We are happy to assist you.
G Sree Vidya 4,005 Reputation points Microsoft External Staff Moderator

2025-07-24T22:36:51.22+00:00

Hi Peter Stieber

We haven't heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.

Please let us know if you have any questions or concerns. We are happy to assist you.

Answer 1

Hello Peter Stieber

Please find below details:

When a DNAT rule is matched in Azure Firewall, is source NAT (SNAT) always applied — regardless of the SNAT configuration defined in Azure Firewall SNAT behavior for private IP ranges?

1.Yes, when a DNAT rule is matched, SNAT is typically applied. SNAT is typically applied to the source IP address. The source IP is translated to one of the firewall’s internal IPs (from the AzureFirewallSubnet), even if the destination is a private IP.

This behavior is by design to ensure return traffic flows back through the firewall, maintaining session state.

So yes, SNAT is applied even when a DNAT rule is matched, unless explicitly configured otherwise.

Does Azure Firewall always apply SNAT when the destination is a public IP address, even if SNAT is explicitly set to "never"? In my lab testing, I observe that SNAT is still applied in such cases. I have a UDR on FW subnet that redirects traffic for specific public IP ranges to another NVA, and the firewall still performs SNAT even when it's configured not to

2.Azure Firewall automatically applies SNAT for outbound traffic to public IP addresses, regardless of SNAT settings, unless:

You explicitly define 0.0.0.0/0 in the private IP address ranges configuration to disable SNAT globally.

This means If your destination is a public IP and SNAT is set to "never" but 0.0.0.0/0 is not included in the private IP ranges, SNAT will still occur.

This explains your lab observation — SNAT is still applied because Azure treats public IP destinations as requiring SNAT by default.

3.In forced tunneling mode, azure Firewall still performs SNAT — typically to one of its private IPs. This is done to maintain session state and ensure return traffic is routed correctly.

Even without a public IP, SNAT is applied unless you configure the firewall to never SNAT by setting 0.0.0.0/0 as a private IP range.

However, DNAT is not supported in forced tunneling mode unless the firewall has a Management NIC with a public IP

Refer: https://learn.microsoft.com/en-us/azure/firewall/forced-tunneling

I hope this helps! If these answers your query, do click the "Upvote" and click "Accept the answer" of which might be beneficial to other community members reading this thread.

If the above is unclear or you are unsure about something, please add a comment below.

Share via

Azure Firewall - SNAT

1 answer

Your answer