AVD outbound web access, different outbound public IPs.

Question

AVD outbound web access, different outbound public IPs.

Zuuber 35

Hi

Basically I would like outbound AVD web traffic to use different public IPs. We already have Azure basic firewall, AVD subnet has a route out to Azure Firewall.

The documentation suggests that if you add multiple public IPs to Azure Firewall that a random IP is selected from one of the IPs assigned to the firewall, but this doesn't seem to be the case. All AVD outbound traffic seems to use the same public IP even though multiple public IPs are assigned to the firewall.

How do we get AVD outbound web traffic to use different public IPs?

thanks

Zuuber 35 Reputation points

2025-10-08T12:54:25.5033333+00:00

thank you for your response.

I think we're going to investigate this option > '1.Use Azure NAT Gateway for outbound SNAT'.

Could you also clarify, once we add the NAT gateway to the Azure firewall subnet this only affects outgoing traffic, do we need to make any changes to incoming traffic via the firewall as we have services relying on the incoming traffic. I presume not but would like to check.

Anything else we should be aware of as this is a live environment we're working with.
I presume we just create NAT gateway, assign to 'AzureFirewallSubnet', select an outbound public IP, and then create, and it just works from there on? Then i presume we can assign multiple outbound IPs to the NAT gateway and the NAT gateway will use a randon outbound IP correct?
Thanmayi Godithi 1,885 Reputation points Microsoft External Staff Moderator

2025-10-09T03:07:03.15+00:00
Hi @Zuuber,

When you associate a NAT Gateway to the AzureFirewallSubnet, it only impacts outbound traffic (SNAT). Your existing inbound traffic such as services published through the Azure Firewall using public IPs and DNAT rules will remain completely unaffected. NAT Gateway is specifically designed to provide outbound-only Internet connectivity, and it does not handle or interfere with inbound connections.

Reference: NAT Gateway overview – Outbound only connectivity

In terms of configuration, the setup process is quite straightforward. You simply need to create a NAT Gateway in the same region, assign one or more public IP addresses, and attach it to the AzureFirewallSubnet. Once attached, Azure automatically routes all outbound traffic from that subnet through the NAT Gateway — no route table or UDR changes are required. Reference: Integrate NAT Gateway with subnets

If you assign multiple public IPs to the NAT Gateway, Azure will automatically use any of these IPs for outbound connections. The selection is random per flow and cannot be manually controlled. You can attach up to 16 public IP addresses or a /28 public IP prefix to a single NAT Gateway.

Reference: Public IP address limits for NAT Gateway

Since you mentioned this is a live environment, it’s worth noting a few important considerations before deployment.

If any external systems or APIs rely on IP-based allowlists, make sure to add the NAT Gateway’s public IPs, as outbound connections will now use those addresses instead of the Firewall’s.

Also, logs for outbound connections will now reflect the NAT Gateway IPs rather than the Firewall IPs, so you may want to adjust monitoring accordingly.

As a best practice, it’s recommended to test during a maintenance window to ensure everything behaves as expected. Reference: High availability of NAT Gateway

So, attaching a NAT Gateway to the Azure Firewall subnet will seamlessly handle outbound traffic using the NAT public IPs, while your inbound services through Azure Firewall remain completely unaffected. Once configured, the NAT Gateway automatically manages outbound connectivity, providing a scalable and highly available solution for your AVD outbound traffic.

Could you please share your email ID and below details via "Private message" option so we can connect privately over a call to resolve the issue? Also, could you please share your available times for scheduling the Teams call?

Email ID:

Time zone:

Subscription ID:

Tenand ID:

Kindly let us know if the above helps or you need further assistance on this issue.
Zuuber 35 Reputation points

2025-10-09T08:41:41.4166667+00:00

thank you for your reponses so far, we need to go away and digest this information, thank you again.
Thanmayi Godithi 1,885 Reputation points Microsoft External Staff Moderator

2025-10-10T08:03:53.6233333+00:00

Hi @Zuuber,

Let me know if you need any help in understanding the information that I have shared or if you need any further assistance.

Answer accepted by question author

0 additional answers

Your answer

Zuuber 35 Reputation points

2025-10-08T12:54:25.5033333+00:00

thank you for your response.

I think we're going to investigate this option > '1.Use Azure NAT Gateway for outbound SNAT'.

Could you also clarify, once we add the NAT gateway to the Azure firewall subnet this only affects outgoing traffic, do we need to make any changes to incoming traffic via the firewall as we have services relying on the incoming traffic. I presume not but would like to check.

Anything else we should be aware of as this is a live environment we're working with.
I presume we just create NAT gateway, assign to 'AzureFirewallSubnet', select an outbound public IP, and then create, and it just works from there on? Then i presume we can assign multiple outbound IPs to the NAT gateway and the NAT gateway will use a randon outbound IP correct?
Zuuber 35 Reputation points

2025-10-09T08:41:41.4166667+00:00

thank you for your reponses so far, we need to go away and digest this information, thank you again.
Thanmayi Godithi 1,885 Reputation points Microsoft External Staff Moderator

2025-10-10T08:03:53.6233333+00:00

Hi @Zuuber,

Let me know if you need any help in understanding the information that I have shared or if you need any further assistance.

Answer 1

Hi @Zuuber,

Thank you for reaching out on Microsoft Q&A forum.

I understand you’d like your Azure Virtual Desktop (AVD) outbound traffic to use multiple public IP addresses assigned to your Azure Firewall, rather than seeing all traffic go through the same IP. Let me clarify how Azure Firewall handles multiple IPs and what options you have.

Azure Firewall supports attaching multiple public IPs (up to 250). However, for outbound traffic, the firewall performs Source Network Address Translation (SNAT).

The SNAT behaviour is as follows:

Azure Firewall will preferentially use the first public IP address for all outbound connections until its SNAT ports are exhausted.
Only when that happens will the firewall start using additional public IPs.
This design is intended to increase SNAT port capacity, not to balance outbound flows across multiple IPs.
Because AVD typically establishes a moderate number of outbound sessions, you’ll usually see one consistent public IP for all traffic, and this is expected behaviour.

Reference:

If you want your outbound traffic to appear from multiple IPs, there are a few approaches:

1.Use Azure NAT Gateway for outbound SNAT

You can associate a NAT Gateway (with multiple public IPs or prefixes) to your firewall subnet.
NAT Gateway randomly selects a public IP for each outbound flow.
This setup is recommended for scenarios needing scalable outbound connections or IP diversity-Integrate Azure Firewall with NAT Gateway

2.Separate workloads across multiple firewalls or NAT gateways

For deterministic egress IP mapping, use separate subnets or distinct NAT Gateways per workload.
Each subnet/firewall combination will have its own unique outbound IP(s).

Kindly let us know if the above helps or you need further assistance on this issue. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Share via

AVD outbound web access, different outbound public IPs.

0 additional answers

Your answer