
DNAT rules on Azure firewall Basic are unstable

Jan Claes 105 Reputation points
2026-06-16T10:14:21.7266667+00:00

When I configured DNAT rules on Azure Firewall, I noticed that the connectivity is unstable.

FirewallSubnet: 10.20.0.0/26

Firewall public IP: 10.x.x.4

VM IP 10.20.2.252 in subnet address range: 10.20.2.248/29

peered to Hub

NSG: (screenshot in original post)

UDR: (screenshot in original post)

Source logs: (screenshot in original post)

FW log: (screenshot in original post)

VM wireshark log: (screenshot in original post)

Azure Firewall


Answer accepted by question author

Vallepu Venkateswarlu 10,180 Reputation points Microsoft External Staff Moderator
2026-06-17T08:41:49.65+00:00

Hi Jan Claes,

We're glad to hear that the issue has been identified and resolved.

As discussed, the User Defined Route (UDR) 10.20.0.0/26 → 10.20.0.4 was causing asymmetric routing.

The return traffic was expected to be sent back to the Azure Firewall backend instance IPs (10.20.0.6). However, due to the configured UDR, the traffic was instead routed to the Azure Firewall private IP (10.20.0.4). This resulted in asymmetric routing, causing the connection to fail.

After removing the UDR, the traffic followed the correct return path through the Azure Firewall backend instances, and connectivity was restored successfully.

Please "Accept Answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


1 person found this answer helpful.
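The diagnosis in the accepted answer, worked through as an added example that is not part of this thread: a small longest-prefix-match simulator for the spoke VM's effective routes. After DNAT the VM sees the firewall backend instance (10.20.0.6) as the packet source, so its reply is addressed to that instance; any UDR that is the best match for 10.20.0.6 and points elsewhere (here the /26 route to the firewall private IP 10.20.0.4) breaks the return path. The firewall subnet, the UDR and the two firewall IPs come from the thread; the hub and spoke address spaces (10.20.0.0/24, 10.20.2.0/24) and the 0.0.0.0/0 route via the firewall are assumptions made for the example. The check also shows that a broad default route via the firewall is not the problem, because the peering route for the hub is more specific.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Values from the thread: spoke VM, firewall subnet, firewall frontend private IP
# (the UDR's next hop) and the backend instance IP that sourced the DNAT'd packet.
VM_IP = "10.20.2.252"
FW_SUBNET = "10.20.0.0/26"
FW_PRIVATE_IP = "10.20.0.4"
FW_INSTANCE_IP = "10.20.0.6"


@dataclass(frozen=True)
class Route:
    prefix: str                        # destination CIDR
    next_hop_type: str                 # "VnetLocal", "VNetPeering", "VirtualAppliance", "Internet"
    next_hop_ip: Optional[str] = None  # only meaningful for VirtualAppliance
    origin: str = "system"             # "system" (Azure default) or "user" (UDR)


# Constructed effective route table of the spoke VM NIC. Hub/spoke address spaces
# are assumptions; the /26 UDR to 10.20.0.4 is the route the thread identifies.
SYSTEM_ROUTES: List[Route] = [
    Route("10.20.2.0/24", "VnetLocal"),      # assumed spoke address space
    Route("10.20.0.0/24", "VNetPeering"),    # assumed hub address space
    Route("0.0.0.0/0", "Internet"),
]
DEFAULT_VIA_FIREWALL = Route("0.0.0.0/0", "VirtualAppliance", FW_PRIVATE_IP, "user")  # assumed
OFFENDING_UDR = Route(FW_SUBNET, "VirtualAppliance", FW_PRIVATE_IP, "user")           # from thread

BROKEN_ROUTES = SYSTEM_ROUTES + [DEFAULT_VIA_FIREWALL, OFFENDING_UDR]
FIXED_ROUTES = SYSTEM_ROUTES + [DEFAULT_VIA_FIREWALL]


def select_route(routes: List[Route], dst_ip: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length a user route (UDR) beats a system route."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if dst in net:
            key = (net.prefixlen, 1 if r.origin == "user" else 0)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


def return_next_hop(routes: List[Route], dnat_source_ip: str) -> Optional[str]:
    """Where the VM's reply to a DNAT'd packet is sent. The reply is addressed to the
    firewall backend instance the packet came from; it only stays symmetric if that
    address is reached directly (VNet-local or peering), not via another next hop."""
    r = select_route(routes, dnat_source_ip)
    if r is None:
        return None
    if r.next_hop_type == "VirtualAppliance":
        return r.next_hop_ip
    return dnat_source_ip


def return_path_is_symmetric(routes: List[Route], fw_instance_ip: str = FW_INSTANCE_IP) -> bool:
    return return_next_hop(routes, fw_instance_ip) == fw_instance_ip


def hijacking_udrs(routes: List[Route], fw_instance_ip: str = FW_INSTANCE_IP) -> List[Route]:
    """UDRs that win the lookup for the firewall instance IP and redirect the reply elsewhere."""
    r = select_route(routes, fw_instance_ip)
    if r is not None and r.origin == "user" and r.next_hop_ip != fw_instance_ip:
        return [r]
    return []


if __name__ == "__main__":
    for name, table in (("with /26 UDR", BROKEN_ROUTES), ("UDR removed", FIXED_ROUTES)):
        hop = return_next_hop(table, FW_INSTANCE_IP)
        print(f"{name}: reply from {VM_IP} to {FW_INSTANCE_IP} goes to {hop}; "
              f"symmetric={return_path_is_symmetric(table)}; hijacking={hijacking_udrs(table)}")
```

Running the script prints that with the /26 UDR the reply is sent to 10.20.0.4 instead of 10.20.0.6 (asymmetric), and that removing the route restores the direct return path while the default route via the firewall stays in place. The same lookup logic applies to any Azure Firewall hub/spoke design: a UDR in a spoke must never be the best match for the AzureFirewallSubnet range itself.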

2 additional answers
  1. Jan Claes 105 Reputation points
    2026-06-17T07:20:24.0066667+00:00

    The problem was fixed by removing the route 10.20.0.0/26 --> 10.20.0.4. This one interfered with the stateful DNAT rule with traffic coming from 10.20.0.6.



  2. AI answer

    2026-06-16T10:14:35.49+00:00

    Azure Firewall Basic doesn't support DNAT to private IP addresses. DNAT to private IPs is only available in Azure Firewall Standard and Premium SKUs. With Basic, DNAT can only be used with public IP destinations, so DNAT rules targeting a private VM IP (such as 10.20.2.252) won't behave reliably and can appear unstable.

    To have stable DNAT connectivity to the VM's private IP, the firewall must be upgraded to at least Azure Firewall Standard and the DNAT rule recreated there. Alternatively, use another supported pattern (for example, exposing the VM through a public IP and NSG without using Firewall Basic DNAT), but DNAT to private IPs isn't a supported scenario on Basic.


