DNAT rules on Azure firewall Basic are unstable

Question

DNAT rules on Azure firewall Basic are unstable

Jan Claes 105

When configured DNAT rules on Azure firewall I noticed that the connectivity is unstable.

FirewallSubnet: 10.20.0.0/26

Firewall public IP: 10.x.x.4

VM IP 10.20.2.252 in subnet address range: 10.20.2.248/29

peered to Hub

NSG:

User's image

UDR:

User's image

Source logs: User's image

FW log:

User's image

VM wireshark log:

User's image

Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-16T11:09:38.5533333+00:00

Hi Jan Claes,

Welcome to Microsoft Q&A Platform.

Based on the provided configuration, the DNAT rule appears to be using the Azure Firewall private IP address (10.20.0.4). DNAT using private IP addresses is supported only on Azure Firewall Standard and Premium SKUs. If Azure Firewall Basic is being used, this scenario is not supported and may lead to unexpected behavior.

Refer Azure Firewall Standard known issues for more details.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Jan Claes 105 Reputation points

2026-06-16T11:47:08.1866667+00:00

None of these rules are supported in Basic SKU?
Jan Claes 105 Reputation points

2026-06-16T11:56:45.87+00:00

https://learn.microsoft.com/en-us/azure/firewall/tutorial-private-ip-dnat#prerequisites

Azure Firewall private IP DNAT, we are using its public IP
Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-16T12:16:30.09+00:00

I can see that the firewall IP you are using is 10.20.0.4, which is a private IP address and not a public IP address. If you are using Azure Firewall Basic SKU, private IP DNAT is not supported. To use a private IP address for this scenario, please upgrade the Azure Firewall SKU to either Standard or Premium

Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-private-ip-dnat#prerequisites

Please "upvote" if the information helped you. This will help us and others in the community as well.

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.
Jan Claes 105 Reputation points

2026-06-16T12:20:08.67+00:00

We use the public IP of the FW to do DNAT.

But is seems that also SNAT is being performed although:

On the VM in Wireshark, traffic comes from AzureFirewallSubnet, not the public source:
Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-16T12:27:25.93+00:00

Please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

Answer accepted by question author

Vallepu Venkateswarlu 10,180 Microsoft External Staff Moderator

Hi Jan Claes,

We're glad to hear that the issue has been identified and resolved.

As discussed, The User Defined Route (UDR) 10.20.0.0/26 → 10.20.0.4 was causing asymmetric routing.

The return traffic was expected to be sent back to the Azure Firewall backend instance IPs (10.20.0.6). However, due to the configured UDR, the traffic was instead routed to the Azure Firewall private IP (10.20.0.4). This resulted in asymmetric routing, causing the connection to fail.

After removing the UDR, the traffic followed the correct return path through the Azure Firewall backend instances, and connectivity was restored successfully.

Pleaseand “up-vote” wherever the information provided helps you, **this can be beneficial to other community members.

0 comments

2 additional answers

Your answer

Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-16T11:09:38.5533333+00:00

Hi Jan Claes,

Welcome to Microsoft Q&A Platform.

Based on the provided configuration, the DNAT rule appears to be using the Azure Firewall private IP address (10.20.0.4). DNAT using private IP addresses is supported only on Azure Firewall Standard and Premium SKUs. If Azure Firewall Basic is being used, this scenario is not supported and may lead to unexpected behavior.

Refer Azure Firewall Standard known issues for more details.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Jan Claes 105 Reputation points

2026-06-16T11:47:08.1866667+00:00

None of these rules are supported in Basic SKU?
Jan Claes 105 Reputation points

2026-06-16T11:56:45.87+00:00

https://learn.microsoft.com/en-us/azure/firewall/tutorial-private-ip-dnat#prerequisites

Azure Firewall private IP DNAT, we are using its public IP
Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-16T12:16:30.09+00:00

I can see that the firewall IP you are using is 10.20.0.4, which is a private IP address and not a public IP address. If you are using Azure Firewall Basic SKU, private IP DNAT is not supported. To use a private IP address for this scenario, please upgrade the Azure Firewall SKU to either Standard or Premium

Refer: https://learn.microsoft.com/en-us/azure/firewall/tutorial-private-ip-dnat#prerequisites

Please "upvote" if the information helped you. This will help us and others in the community as well.

I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.
Jan Claes 105 Reputation points

2026-06-16T12:20:08.67+00:00

We use the public IP of the FW to do DNAT.

But is seems that also SNAT is being performed although:

On the VM in Wireshark, traffic comes from AzureFirewallSubnet, not the public source:
Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-16T12:27:25.93+00:00

Please feel free to share the details in a private message so we can proceed with further troubleshooting over a Teams call. I am happy to connect with you on Teams to investigate and resolve the issue.

Answer 1

Jan Claes 105

The problem was fixed by removing the route 10.20.0.0/26 --> 10.20.0.4. This one interfered with the statefull DNAT rule with traffic coming from 10.20.0.6

Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator

2026-06-17T08:15:25.12+00:00

Hi Jan Claes,
We're glad to hear that the issue has been identified and resolved. Based on our investigation, the route 10.20.0.0/26 → 10.20.0.4 was identified as the root cause. After removing this route, connectivity was restored and is now working as expected.

Please feel free to reach out if you require any further assistance in the future.

Answer 2

Azure Firewall Basic doesn't support DNAT to private IP addresses. DNAT to private IPs is only available in Azure Firewall Standard and Premium SKUs. With Basic, DNAT can only be used with public IP destinations, so DNAT rules targeting a private VM IP (such as 10.20.2.252) won't behave reliably and can appear unstable.

To have stable DNAT connectivity to the VM's private IP, the firewall must be upgraded to at least Azure Firewall Standard and the DNAT rule recreated there. Alternatively, use another supported pattern (for example, exposing the VM through a public IP and NSG without using Firewall Basic DNAT), but DNAT to private IPs isn't a supported scenario on Basic.

References:

Azure Firewall known issues and limitations

Share via

DNAT rules on Azure firewall Basic are unstable

2 additional answers

Your answer