Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
Azure Firewall DNAT issues
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 56.00000000000001%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Andrea Longhitano
180
Reputation points
Hello everyone,
We have a firewall on our environment. We need to expose an SFTP server to some specific public IP addresses.
We have created a DNAT rule to expose port 22 and translate to port 22 to the SFTP server.
If we try to do a test connection from the allowed IP addresses, we can see the allow rule in the AZFWDnatRule table. Using tcpdump in the server we can also see traffic coming from the natted ip addresses of the firewall
However, we receive a connection refused because it seems that some we do not receive return traffic on the client.
If we expose the server directly using a public IP address the SFTP connection works fine without no issue .
How to solve this big issue?
Thanks,
Andrea
Azure Firewall
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 83%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator2025-10-15T22:35:28.8633333+00:00 Hello @Andrea,
Thanks for reaching out to Microsoft Q&A.
Could you please check the private message and share us the requested deatis?
-
Ravi Varma Mudduluru 3,625 Reputation points Microsoft External Staff Moderator
2025-10-15T23:05:57.9433333+00:00 Hello @Andrea
Could you share an update on the following follow-up questions so we can gather more information?
- What specific Azure Firewall SKU are you using (Basic, Standard, or Premium)?
- Can you provide the exact configuration of your DNAT rule?
- Is SNAT enabled on the firewall to ensure symmetric routing for return traffic?
- Are there any additional configurations (like NSGs or UDRs) in place that could affect your traffic?
- Have you monitored the Azure Firewall logs for any indications of blocked traffic or misconfigurations?
Sign in to comment
Sign in to answer