Azure Load Balancer
An Azure service that delivers high availability and network performance to applications.
Firewall NAT 1:1 for inbound and outbound
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 3%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EG%3C/text%3E%3C/svg%3E)
Glenn
20
Reputation points
I have 2 firewalls that are behind a public load balancer. The two FTDs can't have a limitation that it can't accept secondary IP on the NICs. So the backend is limited to 2 outbound IP addresses. Unfortunately, using GWLB is not applicable since the East-West traffic is not supported.
I defined 2 backends using the two interfaces, and I used that to have a 1:1 NAT translation for inbound traffic.
Thus, the inbound connections have the following 1:1 mapping:
Public IP 1 -> ServerA
Public IP2 -> Server B
However, the problem is the outbound. Since technically I'm using the same backend IPs 10.0.1.6 and 10.0.17, the public load balancer can't properly NAT it 1:1
I have the following outbound rules in the public load balancer:
The effect is that when the server initiates an outbound connection, it gets the following IP address:
Server A -> Gets public IP 1
Server B -> Gets public IP 1 (but I'm expecting that this should be public IP2)
- Is there a way in the load balancer to get around this? The outbound and inbound should traverse via the firewall
- I believe this is possible using the public load balancer, then stitched with the GWLB; 1:1 NAT translation for inbound and outbound (please correct me if I'm wrong). However, the problem is that the East-West traffic should go via the FW. Is there a way in Azure to have the east-west traffic inspection?
Azure Load Balancer
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 15%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPB%3C/text%3E%3C/svg%3E)
Praveen Bandaru 6,850 Reputation points Microsoft External Staff Moderator2025-08-12T04:42:03.2166667+00:00 Hello Glenn
i understand that you are you looking to configure a NAT in Azure, particularly with managing inbound and outbound traffic through your firewalls and load balancer. Here’s a summary addressing your concerns:
- Outbound NAT Issue: The issue where Server A and Server B share the same public IP for outbound traffic is due to the Azure Load Balancer’s NAT handling. Azure Load Balancer doesn’t provide 1:1 NAT for outbound connections by default. To assign different public IPs for outbound traffic per server, consider using Azure NAT Gateway. Set up a NAT Gateway, associate it with your subnet, and configure it with the desired public IP addresses.
- East-West Traffic Inspection: For inspecting East-West (internal) traffic, Azure Firewall is a common solution. You can route this traffic through the firewall by creating user-defined routes (UDRs) in your virtual network. Additionally, Network Security Groups (NSGs) can help refine your traffic control alongside firewall rules.
Check the below public document for more understanding:
Manage inbound NAT rules for Azure Load BalancerOutbound rules Azure Load Balancer
https://docs.azure.cn/en-us/load-balancer/load-balancer-outbound-connections
Hope the above answer helps! Please let us know do you have any further queries.
Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sign in to comment
Sign in to answer