Sorted it. So the Azure public load balancer needs to point to the backend using NIC configuration, and probes on whatever service the interface management profile will allow that is convenient for you. The example uses TCP 22. I'm not sure if it's needed, but I have loopback addresses configured with the public IP of the load balancer frontend.

The NAT rule needs to be: source zone public, destination zone public, destination service <frontend listening port>, destination address public IP of the frontend, source translation dynamic-ip-and-port interface private, destination translation <private IP of secured resource>.

The security policy is: source zone public, destination zone private, destination address <IP of the public load balancer frontend>, application/service depending on what you're allowing inbound. Then you also need to allow the private interface to talk to the secured resource in the subscriber VNET, and make sure all the routes are good.

You don't need to configure any outbound rules on the load balancer; you can keep the public IP addresses that are associated with the public interfaces of the firewalls associated for outbound traffic, and return traffic will work because of the source NAT.

I was not able to get things working with FQDNs. It may be because the FQDN associated with the public load balancer IP is not the same as the URL that's being used to resolve it. There's a question: do you have to associate the FQDN that you'd use in the NAT policy with the load balancer frontend public IP Azure object? Would it work with external (not in Azure) DNS resolving names to the IP?
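The rule set described in the post, as an added example that is not part of the original post and is not Palo Alto Networks code: a small Python model of the order in which PAN-OS evaluates an inbound flow (route lookup on the pre-NAT destination to get the NAT destination zone, NAT-rule match, route lookup on the post-NAT destination to get the security-policy destination zone, security-policy match on the pre-NAT destination address, then session-table reversal for return traffic). It is a teaching model, not a reimplementation of the firewall. All addresses, interface names, the SSH port and the fixed source-NAT port are constructed for illustration.

```python
"""Toy model of PAN-OS inbound NAT + security-policy evaluation for a flow that
arrives at an Azure public LB frontend IP and is forwarded to a private VM.
Added example; not from the original post and not Palo Alto Networks code.
"""
from dataclasses import dataclass, replace
import ipaddress

# Constructed topology (assumptions, not taken from the post)
FRONTEND_IP = "20.0.0.5"        # Azure public LB frontend (not bound to any interface)
PRIVATE_IF_IP = "10.0.1.4"      # firewall private interface, ethernet1/2
SECURED_RESOURCE = "10.0.2.10"  # VM in the subscriber VNET
SNAT_PORT = 40000               # real firewalls pick this dynamically; fixed here

ROUTES = [  # (prefix, egress interface); longest prefix wins
    ("10.0.1.0/24", "ethernet1/2"),
    ("10.0.2.0/24", "ethernet1/2"),  # subscriber VNET via private interface
    ("0.0.0.0/0", "ethernet1/1"),    # default route out the public interface
]
ZONES = {"ethernet1/1": "public", "ethernet1/2": "private"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    ingress: str  # interface the packet arrived on


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str      # zone of the route to the PRE-NAT destination
    dst: str
    dport: int
    snat_ip: str      # dynamic-ip-and-port, interface address of the private side
    dnat_ip: str


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str      # zone of the route to the POST-NAT destination
    dst: str          # matched against the PRE-NAT destination address
    dport: int
    action: str


NAT_RULES = [NatRule("inbound-ssh", "public", "public", FRONTEND_IP, 22,
                     snat_ip=PRIVATE_IF_IP, dnat_ip=SECURED_RESOURCE)]
SECURITY_RULES = [SecurityRule("allow-inbound-ssh", "public", "private",
                               FRONTEND_IP, 22, "allow")]


def zone_for(ip: str) -> str:
    """Zone of the egress interface chosen by a longest-prefix route lookup."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in ROUTES if addr in ipaddress.ip_network(r[0])]
    best = max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return ZONES[best[1]]


def process_inbound(pkt: Packet, sessions: dict) -> dict:
    """Client-to-server packet with no existing session: NAT, then policy."""
    src_zone = ZONES[pkt.ingress]          # source zone comes from ingress interface
    pre_dst_zone = zone_for(pkt.dst)       # frontend IP follows the default route
    nat = next((r for r in NAT_RULES if (r.from_zone, r.to_zone) == (src_zone, pre_dst_zone)
                and r.dst == pkt.dst and r.dport == pkt.dport), None)
    if nat is None:
        return {"verdict": "deny", "reason": "no matching NAT rule"}
    xlated = replace(pkt, src=nat.snat_ip, sport=SNAT_PORT, dst=nat.dnat_ip)
    post_dst_zone = zone_for(xlated.dst)   # translated address routes to private
    sec = next((r for r in SECURITY_RULES if (r.from_zone, r.to_zone) == (src_zone, post_dst_zone)
                and r.dst == pkt.dst and r.dport == pkt.dport), None)
    if sec is None or sec.action != "allow":
        return {"verdict": "deny", "reason": "no matching security rule"}
    # Session table keeps the reverse mapping; return traffic needs no policy lookup.
    sessions[(xlated.dst, xlated.dport, xlated.src, xlated.sport)] = pkt
    return {"verdict": "allow", "nat_rule": nat.name, "security_rule": sec.name,
            "pre_nat_zones": (src_zone, pre_dst_zone),
            "post_nat_zones": (src_zone, post_dst_zone), "translated": xlated}


def process_return(pkt: Packet, sessions: dict):
    """Server-to-client packet: matched by session, translations reversed."""
    orig = sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
    if orig is None:
        return None
    return Packet(src=orig.dst, dst=orig.src, sport=orig.dport, dport=orig.sport,
                  ingress=pkt.ingress)


def run_demo() -> dict:
    """Drive one SSH flow from a constructed Internet client through the model."""
    sessions = {}
    client = Packet("203.0.113.9", FRONTEND_IP, 51515, 22, ingress="ethernet1/1")
    fwd = process_inbound(client, sessions)
    reply = process_return(Packet(SECURED_RESOURCE, PRIVATE_IF_IP, 22, SNAT_PORT,
                                  ingress="ethernet1/2"), sessions)
    http = process_inbound(replace(client, dport=80), sessions)  # no NAT rule for 80
    return {"verdict": fwd["verdict"], "pre_nat_zones": fwd["pre_nat_zones"],
            "post_nat_zones": fwd["post_nat_zones"],
            "translated_src": fwd["translated"].src, "translated_dst": fwd["translated"].dst,
            "return_src": reply.src, "return_dst": reply.dst, "http_verdict": http["verdict"]}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The model makes the two zone pairs in the post visible side by side: the NAT rule matches public to public because the pre-NAT destination (the frontend IP) is reached via the default route, while the security rule matches public to private because the post-NAT destination sits in the subscriber VNET, yet still names the frontend IP as destination address. The reply packet is found in the session table and has the source NAT undone, which is the mechanism behind "return traffic will work because of the source NAT".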