I've become stuck on an issue getting inbound traffic working to a resource in a subscriber VNET behind a transit VNET where firewalls are configured. I think I'm missing something obvious, and thought I would bounce ideas off of the community here. Here's a summary of the relevant configuration.

Public Load Balancer listens on public IP 1.2.3.4. Health probes use TCP 22 to the firewall's untrusted private IP 10.10.101.4/10.10.101.5. The untrusted private IPs also have a separate public IP bound to them in the firewall VM configuration (for outbound traffic). Health probes are happy, and see both firewalls as up. Web request comes in to the public load balancer on example.fqdn.com:443, which resolves via public DNS to 1.2.3.4.

Several NAT configurations have been attempted, all failing. Firewall does source and destination NAT, using the public IP 1.2.3.4, the FQDN example.fqdn.com, and the firewall's untrusted IP address 10.10.101.4/5 as the original destination (each in separate configuration attempts), public as the source zone, service as service-https. Source NAT to the firewall's private IP 10.10.0.4/5, destination to the actual resource in the subscriber VNET (no internal load balancer for the resource) 10.50.0.20. No port translation was used in these attempts. Firewall does destination NAT only, using the same three destinations listed above (public IP, FQDN, firewall's public-private IP) directly to the internal resource. I see hits coming in in packet captures from my test source, but never a translation or any return traffic.

On the way back out - and here's where I may be missing something - the resource has a route in a UDR to point to the internal load balancer that has the firewall's private IPs as a backend. Frontend IP for example's sake is 10.10.0.21.
I'm not sure if I should be using the 'floating ip' option or leave that disabled, and I'm wondering if the Azure public IPs should be associated with the untrusted interfaces of the firewalls in the VM configuration, or if they should not have public IPs attached. I'd be fine with using the public load balancer for all inbound/outbound traffic if that would correct the problem, or if I need to make any additional configuration changes anywhere to get the floating IP option working. It looked easier to do NAT with a floating IP, as you could skip source NAT, but I'm not sure where to assign the public IP in the firewall's configuration. Do I assign the public IPs directly to the firewall's untrusted interface? A loopback? What should NAT look like with the floating IP option? Thanks in advance for any input.
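As an added illustration (not part of the post, and not Azure or firewall-vendor code), the following Python model walks one HTTPS request through the topology described above and then walks its reply back out. The addresses are the ones the post gives (1.2.3.4, 10.10.101.4/5, 10.10.0.4/5, 10.10.0.21, 10.50.0.20); the FQDN variant is treated as the public-IP case since it resolves to 1.2.3.4. The load-balancer hashing, the firewall session table, the client address 203.0.113.7 and the assumption that a reply addressed to a firewall's own trusted IP reaches that firewall directly rather than via the UDR are all constructed assumptions for the example. For each NAT variant mentioned in the post it reports which firewall sees the request, which sees the reply, and whether the reply reaches the firewall holding the session.

```python
"""Constructed model of the inbound and return path described in the post.

Addresses are the ones the post gives. Everything else is a simplifying
assumption made for this example, not Azure or firewall-vendor behaviour:
  * each load balancer picks a backend with a stable hash of the 5-tuple,
  * a firewall's DNAT rule fires only when the packet's destination equals the
    rule's original destination, and it keeps a session for what it translated,
  * replies addressed to a firewall's own trusted private IP reach that firewall
    directly, while everything else follows the UDR to the internal LB.
"""
from dataclasses import dataclass
import hashlib

PUBLIC_IP = "1.2.3.4"         # public load balancer frontend
RESOURCE_IP = "10.50.0.20"    # web resource in the subscriber VNET
ILB_FRONTEND = "10.10.0.21"   # internal load balancer frontend (UDR next hop)
# firewall name -> (untrusted private IP, trusted private IP)
FIREWALLS = {"fw-a": ("10.10.101.4", "10.10.0.4"),
             "fw-b": ("10.10.101.5", "10.10.0.5")}
UNTRUSTED = "own-untrusted"   # marker: rule written on the firewall's own untrusted IP


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def lb_pick(flow: Flow, members: list) -> str:
    """Assumed load-balancer behaviour: stable 5-tuple hash over the backend pool."""
    key = f"{flow.src}:{flow.sport}->{flow.dst}:{flow.dport}".encode()
    digest = int.from_bytes(hashlib.sha256(key).digest()[:8], "big")
    return members[digest % len(members)]


class Firewall:
    """Toy stateful firewall with one DNAT (optionally also SNAT) rule for HTTPS."""

    def __init__(self, name, untrusted_ip, trusted_ip, rule_original_dst, snat):
        self.name, self.untrusted_ip, self.trusted_ip = name, untrusted_ip, trusted_ip
        self.rule_original_dst = untrusted_ip if rule_original_dst == UNTRUSTED else rule_original_dst
        self.snat = snat
        self.sessions = set()   # translated 5-tuples this firewall holds state for

    def inbound(self, flow: Flow):
        # The rule only matches if the packet still carries the destination the
        # rule was written for (original destination) and the service is HTTPS.
        if flow.dst != self.rule_original_dst or flow.dport != 443:
            return None
        new_src = self.trusted_ip if self.snat else flow.src
        translated = Flow(new_src, flow.sport, RESOURCE_IP, flow.dport)
        self.sessions.add(translated)
        return translated

    def has_state_for_reply(self, reply: Flow) -> bool:
        return Flow(reply.dst, reply.dport, reply.src, reply.sport) in self.sessions


def trace(client_ip, client_port, floating_ip, rule_original_dst, snat):
    """Walk one request in and its reply out; report which firewall saw each leg."""
    fws = {n: Firewall(n, u, t, rule_original_dst, snat) for n, (u, t) in FIREWALLS.items()}
    names = sorted(fws)
    request = Flow(client_ip, client_port, PUBLIC_IP, 443)

    # Leg 1: the public LB picks a firewall. Without floating IP it rewrites the
    # destination to that backend's untrusted IP; with floating IP the packet
    # still carries 1.2.3.4 when the firewall sees it.
    in_fw = fws[lb_pick(request, names)]
    delivered = request if floating_ip else Flow(client_ip, client_port, in_fw.untrusted_ip, 443)
    translated = in_fw.inbound(delivered)
    if translated is None:
        return {"inbound_fw": in_fw.name, "translated": False, "return_fw": None, "symmetric": False}

    # Leg 2: the resource answers whatever source address it saw.
    reply = Flow(RESOURCE_IP, 443, translated.src, translated.sport)

    # Leg 3: replies to a firewall's own trusted IP go straight to it; anything
    # else follows the UDR to the ILB, which hashes the reply 5-tuple.
    by_trusted = {t: n for n, (_, t) in FIREWALLS.items()}
    out_fw = fws[by_trusted[reply.dst]] if reply.dst in by_trusted else fws[lb_pick(reply, names)]
    return {"inbound_fw": in_fw.name, "translated": True,
            "return_fw": out_fw.name, "symmetric": out_fw.has_state_for_reply(reply)}


def failure_fraction(floating_ip, rule_original_dst, snat, n=200):
    """Share of n sample flows never translated or whose reply hits a firewall without state."""
    bad = sum(1 for p in range(40000, 40000 + n)
              if not trace("203.0.113.7", p, floating_ip, rule_original_dst, snat)["symmetric"])
    return bad / n


if __name__ == "__main__":
    # Client 203.0.113.7 is a constructed test source (documentation range).
    for floating, rule, snat in [(False, PUBLIC_IP, True), (False, UNTRUSTED, True),
                                 (False, UNTRUSTED, False), (True, PUBLIC_IP, True),
                                 (True, PUBLIC_IP, False)]:
        print(f"floating={floating!s:5} rule_dst={rule:14} snat={snat!s:5} "
              f"flows failing: {failure_fraction(floating, rule, snat):.0%}")
```

The model is only as good as its assumptions, but it makes the two questions in the post concrete: which destination address the firewall actually sees when the rule is evaluated (1.2.3.4 with floating IP, the backend's untrusted IP without it), and whether the reply path, via the UDR and the internal load balancer, is pinned to the firewall that holds the session or is hashed independently of the inbound leg.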