Cloud NGFW for Azure - Forced Tunneling

L3 Networker

Cloud NGFW for Azure

 

Cloud NGFW automatically applies source NAT (SNAT) to all outbound traffic, using the public IP addresses you associate with it. Cloud NGFW does not SNAT traffic whose destination falls within a private IP address range as defined in IANA RFC 1918.

 

cloud ngfw.png

 

By default, outbound internet traffic is handled by Cloud NGFW as follows:

  1. A host in the Spoke VNet initiates traffic.
  2. To route that traffic through Cloud NGFW, create a route table, associate it with the host subnet in the Spoke VNet, and add a route for 0.0.0.0/0 with the next hop set to the Cloud NGFW's private IP address.
  3. After inspection, Cloud NGFW forwards the traffic out through its Public Subnet, performing SNAT to its associated public IP address before sending it to the internet.
  4. Response traffic follows the same path in reverse.



Forced Tunneling 

 

You can configure Forced Tunneling on Cloud NGFW to route all internet-bound traffic to a designated next hop instead of sending it directly to the internet.

 

Forced tunneling lets Cloud NGFW inspect internet-bound traffic and then redirect (force-tunnel) it to your on-premises firewall, or chain it to a nearby network virtual appliance (NVA), for additional inspection. This is typically done to enforce additional security policies on the on-premises firewall, or to use the on-premises public IP address for Source Network Address Translation (SNAT) so that the Cloud NGFW's public IP address is never exposed to the internet.

 

There are three primary architectures for forced tunneling:

 

 

  • Forced Tunneling through the Public Subnet (with SNAT performed by Cloud NGFW)
  • Forced Tunneling through the Private Subnet (no SNAT performed by Cloud NGFW)
  • Forced Tunneling through Azure Virtual WAN

 

1. Forced Tunneling Through the Public Subnet (Cloud NGFW SNAT)

 

This architecture is for customers who want to control traffic based on trust (Private) and untrust (Public) zones on the Cloud NGFW. In this deployment, Cloud NGFW performs SNAT on the traffic before forwarding it, so the on-premises firewall sees the Cloud NGFW's public IP address as the source.

 

public subnet.png

 

 


⚙️ Configuration Summary

Component: Spoke VNet Route Table
Action: Add Route
Details: Destination 0.0.0.0/0 (Internet); Next Hop: Cloud NGFW Private IP address

Component: Cloud NGFW Public Subnet Route Table
Action: Create and Associate
Details: Add Route with Destination 0.0.0.0/0 (Internet); Next Hop: VNET Gateway

 

🌐 Traffic Flow Sequence

 

  1. Traffic is initiated by a host in the Spoke VNet.
  2. The Spoke VNet's route table sends the traffic to the Cloud NGFW private IP address for inspection.
  3. After inspection, Cloud NGFW forwards the internet-bound traffic through its Public Subnet.
  4. Cloud NGFW performs SNAT on the internet-bound traffic using its associated public IP address.
  5. The route table associated with the Public Subnet forces this traffic to the VNET Gateway.
  6. The VNET Gateway sends the traffic over the Site-to-Site VPN to the on-premises firewall.
  7. The on-premises firewall enforces its security policies and forwards the traffic to the internet.
  8. Response traffic follows the same path in reverse.

 

2. Forced Tunneling Through the Private Subnet (No Cloud NGFW SNAT)

 

This architecture is intended for customers who need the on-premises firewall to see the actual source IP address of the host that initiated the traffic. In this deployment, Cloud NGFW does not perform NAT.

 

private subnet.png

 

 


⚙️ Configuration Summary

Component: Spoke VNet Route Table
Action: Add Route
Details: Destination 0.0.0.0/0 (Internet); Next Hop: Cloud NGFW Private IP address

Component: Cloud NGFW Private Subnet Route Table
Action: Create and Associate
Details: Add Route with Destination 0.0.0.0/0 (Internet); Next Hop: VNET Gateway

Component: Cloud NGFW Networking & NAT Settings
Action: Configure
Details: Set Additional Prefixes to Private Traffic Range to 0.0.0.0/1, 128.0.0.0/1

 

Note: The "Additional Prefixes" configuration is crucial. Because 0.0.0.0/1 and 128.0.0.0/1 together cover the entire IPv4 address space, Cloud NGFW classifies all traffic, including internet-bound traffic, as Private Traffic. This prevents the traffic from being forwarded towards the Public Subnet and ensures it leaves through the Private Subnet without any NAT. Both settings are required: the prefixes alone would send un-NATed private-source traffic out of the Private Subnet, so the Private Subnet route table must also force 0.0.0.0/0 to the VNET Gateway.

 

🌐 Traffic Flow Sequence

  1. Traffic is initiated by a host in the Spoke VNet.
  2. The Spoke VNet's route table sends the traffic to the Cloud NGFW private IP address for inspection.
  3. Because of the "Additional Prefixes" configuration, Cloud NGFW classifies the internet-bound traffic as Private Traffic and forwards it out through the Private Subnet instead of the Public Subnet.
  4. The route table associated with the Private Subnet forces this traffic to the VNET Gateway.
  5. The traffic is sent without any NAT, so the original host source IP address is preserved.
  6. The VNET Gateway sends the traffic over the Site-to-Site VPN to the on-premises firewall.
  7. The on-premises firewall enforces its security policies and forwards the traffic to the internet.
  8. Response traffic follows the same path in reverse.
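The following is an added example, not code from Palo Alto Networks or from this article, that models the decisions described in the two architectures above: Cloud NGFW's Private-versus-Public Subnet egress choice (RFC 1918 plus any "Additional Prefixes to Private Traffic Range"), and Azure-style longest-prefix-match lookups in the spoke and Cloud NGFW subnet route tables. It traces a packet from a spoke host to its first hop outside the VNet and reports which source IP that hop sees. The IP addresses, subnet names and next-hop labels are constructed for illustration; the same "Additional Prefixes" setting is what the Virtual WAN designs later on this page rely on.

```python
import ipaddress

# RFC 1918 ranges: Cloud NGFW never SNATs traffic to these destinations.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed addresses for the model (assumptions, not values from the article).
NGFW_PRIVATE_IP = "10.0.1.4"   # Cloud NGFW private IP: next hop of the spoke UDR
NGFW_PUBLIC_IP = "20.0.0.5"    # public IP associated with Cloud NGFW: SNAT source
SPOKE_HOST = "10.1.0.4"        # host in the Spoke VNet that initiates traffic


def is_private_traffic(dst, additional_prefixes=()):
    """True when Cloud NGFW treats dst as Private Traffic (RFC 1918 or an
    additional private prefix): no SNAT, egress via the Private Subnet."""
    ip = ipaddress.ip_address(dst)
    nets = RFC1918 + [ipaddress.ip_network(p) for p in additional_prefixes]
    return any(ip in net for net in nets)


def lookup(route_table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, as an Azure UDR does.
    Returns None when no user route matches (Azure system routes apply)."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in route_table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(dst, spoke_rt, public_rt, private_rt, additional_prefixes=(), src=SPOKE_HOST):
    """Walk a packet from the spoke host through Cloud NGFW.
    Returns (hops, source IP seen by the last hop)."""
    nh = lookup(spoke_rt, dst)
    if nh != NGFW_PRIVATE_IP:
        # No UDR pointing at Cloud NGFW: the Azure system default route sends the
        # host straight to the Internet and inspection is bypassed entirely.
        return [nh or "Internet (bypasses Cloud NGFW)"], src
    hops = ["CloudNGFW inspect"]
    if is_private_traffic(dst, additional_prefixes):
        hops.append("PrivateSubnet (no NAT)")
        egress_rt, seen_src = private_rt, src
    else:
        hops.append("PublicSubnet (SNAT to %s)" % NGFW_PUBLIC_IP)
        egress_rt, seen_src = public_rt, NGFW_PUBLIC_IP
    system_default = "VNet/peering system route" if ipaddress.ip_address(dst).is_private else "Internet"
    hops.append(lookup(egress_rt, dst) or system_default)
    return hops, seen_src


def leaks_private_source(hops, seen_src):
    """Failure mode of the no-NAT design: an RFC 1918 source address about to be
    sent to the Internet, which happens if the prefixes are set but the Private
    Subnet route table does not force 0.0.0.0/0 to the VNET Gateway."""
    return hops[-1] == "Internet" and ipaddress.ip_address(seen_src).is_private


SPOKE_RT = [("0.0.0.0/0", NGFW_PRIVATE_IP)]       # spoke UDR: everything to Cloud NGFW
TO_GATEWAY = [("0.0.0.0/0", "VNetGateway")]       # route table on the Public or Private Subnet
FT_PREFIXES = ("0.0.0.0/1", "128.0.0.0/1")        # Additional Prefixes to Private Traffic Range


def scenarios(dst="8.8.8.8"):
    """Default egress, the two forced-tunneling designs, and two misconfigurations."""
    return {
        "default":           trace(dst, SPOKE_RT, [], []),
        "public_subnet_ft":  trace(dst, SPOKE_RT, TO_GATEWAY, []),
        "private_subnet_ft": trace(dst, SPOKE_RT, [], TO_GATEWAY, FT_PREFIXES),
        "prefixes_only":     trace(dst, SPOKE_RT, [], [], FT_PREFIXES),   # half-configured
        "no_spoke_udr":      trace(dst, [], TO_GATEWAY, TO_GATEWAY),      # inspection bypassed
    }


if __name__ == "__main__":
    for name, (hops, seen) in scenarios().items():
        flag = "  <-- private source would leak" if leaks_private_source(hops, seen) else ""
        print("%-18s %-70s src=%s%s" % (name, " -> ".join(hops), seen, flag))
```

Run as a script it prints one line per scenario. The two deliberate misconfigurations are the checks worth repeating against a real deployment: confirm the spoke's effective routes (the `no_spoke_udr` case is a silent inspection bypass), and, for the no-NAT design, confirm that the Private Subnet's effective route for 0.0.0.0/0 really points at the gateway before adding the 0.0.0.0/1 and 128.0.0.0/1 prefixes.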


3. Forced Tunneling through Azure Virtual WAN

Virtual WAN routing intent allows you to send both private and internet traffic to a Cloud NGFW deployed in the Virtual WAN hub.

While you can break internet traffic out directly through Cloud NGFW, the Forced Tunneling capability in Azure Virtual WAN adds a routing option that lets you inspect internet traffic first with a security solution deployed directly in the hub (Cloud NGFW) and then forward it to an on-premises firewall, or to an NVA deployed in a spoke VNet connected to Virtual WAN, for another layer of inspection and breakout.


The architecture below demonstrates forced tunneling via an NVA deployed in a Spoke VNet connected to Virtual WAN.

 

azure virtual wan.png

 

 


⚙️ Configuration Summary

Component: Routing Intent and Routing Policies
Action: Private Traffic > SaaS Solution; Next Hop: Cloud NGFW
Details: Additional Prefixes: 0.0.0.0/0 (Internet), which force-tunnels internet traffic through Cloud NGFW. Internet Traffic policy: None.

Component: Virtual Network Connections
Action: Configure
Details: Add a static route to the internet (0.0.0.0/0) with next hop Spoke NVA Firewall. Disable Propagate Default Route.

Component: Cloud NGFW Networking & NAT Settings
Action: Configure
Details: Set Additional Prefixes to Private Traffic Range to 0.0.0.0/1, 128.0.0.0/1


🌐 Traffic Flow Sequence

  1. Traffic is initiated by a host in the App VNet.
  2. The traffic is routed to Virtual WAN, and Routing Intent within the VWAN Hub forwards it to Cloud NGFW for inspection.
  3. After inspection, Cloud NGFW routes the traffic towards the Spoke Virtual Network Connection.
  4. Because of the static default route on that Virtual Network Connection, the traffic is routed to the NVA firewall within the Spoke VNet.
  5. After additional inspection, the Spoke NVA firewall sends the traffic to the internet using its own public IP address and NAT.
  6. Response traffic follows the same path in reverse.

The architecture below demonstrates forced tunneling through an on-premises firewall connected to Virtual WAN over a Site-to-Site VPN.

 

site to site vpn.png

 


⚙️ Configuration Summary

Component: Routing Intent and Routing Policies
Action: Private Traffic > SaaS Solution; Next Hop: Cloud NGFW
Details: Additional Prefixes: 0.0.0.0/0 (Internet), which force-tunnels internet traffic through Cloud NGFW. Internet Traffic policy: None.

Component: Site-to-Site VPN
Action: Configure
Details: Add a Site-to-Site VPN between the on-premises firewall and the VWAN Hub VPN Gateway. The on-premises firewall advertises a default route over the VPN.

Component: Cloud NGFW Networking & NAT Settings
Action: Configure
Details: Set Additional Prefixes to Private Traffic Range to 0.0.0.0/1, 128.0.0.0/1


🌐 Traffic Flow Sequence

  1. Traffic is initiated by a host in the App VNet.
  2. The traffic is routed to Virtual WAN, and Routing Intent within the VWAN Hub forwards it to Cloud NGFW for inspection.
  3. After inspection, Cloud NGFW routes the traffic towards the VPN Gateway, because a default route has been learnt over the VPN tunnel from the on-premises firewall.
  4. The VPN Gateway sends the internet-bound traffic over the VPN tunnel to the on-premises firewall.
  5. After additional inspection, the on-premises firewall sends the traffic to the internet using its own public IP address and NAT.
  6. Response traffic follows the same path in reverse.

 

Last Updated:
‎06-16-2026 05:39 AM