Azure Firewall will not see the original client IP when Azure Front Door is in front of it. In your described architecture, Azure Front Door acts as the public entry point and forwards requests to Azure Firewall. As a result, Azure Firewall only receives connections from Azure Front Door’s Point of Presence (POP) IP addresses, and the logs will reflect these IPs as the source instead of the actual client IPs.
To preserve the original client IP when using Azure Front Door, you can utilize the X-Forwarded-For header. Azure Front Door supports this header, which includes the original client IP address in the request it forwards to your backend services. However, Azure Firewall itself does not extract this information from the X-Forwarded-For header for logging or filtering purposes. Therefore, while the original client IP can be passed to backend systems, Azure Firewall will still only log the Front Door IP as the source.
In summary, Azure Firewall cannot see the original client IP when Azure Front Door is in front of it, and there are no scenarios where it can do so unless the architecture is modified to allow the original IP to be captured and logged appropriately by the firewall.
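As an added example (not part of the original answer and not Microsoft's code): since Azure Firewall logs only the Front Door POP address, the backend behind Front Door is where the original client IP can still be recovered. The function below takes the rightmost X-Forwarded-For entry (the one Front Door appends) and does so only when the request carries the expected X-Azure-FDID, so a spoofed header on a direct hit is not trusted; the Front Door ID and sample headers are constructed placeholders.

```python
import ipaddress

# Constructed placeholder: the Front Door profile ID you expect in X-Azure-FDID.
EXPECTED_FRONT_DOOR_ID = "00000000-0000-0000-0000-000000000000"


def _parse_ip(entry: str):
    """Parse one X-Forwarded-For entry, tolerating an appended port
    ('203.0.113.7:51234' or '[2001:db8::1]:443'). Returns None if invalid."""
    entry = entry.strip()
    if entry.startswith("[") and "]" in entry:   # bracketed IPv6, maybe with port
        entry = entry[1:entry.index("]")]
    elif entry.count(":") == 1:                   # IPv4 with port
        entry = entry.split(":", 1)[0]
    try:
        return str(ipaddress.ip_address(entry))
    except ValueError:
        return None


def original_client_ip(headers: dict):
    """Return the client IP that Front Door appended to X-Forwarded-For,
    or None when the request cannot be attributed to our Front Door profile."""
    # HTTP header names are case-insensitive, so normalise them first.
    h = {k.lower(): v for k, v in headers.items()}
    # Trust X-Forwarded-For only on requests carrying our Front Door ID; a direct
    # hit or a request with a forged header gets no client attribution.
    if h.get("x-azure-fdid") != EXPECTED_FRONT_DOOR_ID:
        return None
    xff = h.get("x-forwarded-for", "")
    if not xff.strip():
        return None
    # Front Door appends the socket IP it saw, so the rightmost entry is the only
    # one written by a hop we control; earlier entries are client-supplied.
    return _parse_ip(xff.rsplit(",", 1)[-1])


# Constructed sample request as the backend would receive it from Front Door.
SAMPLE_HEADERS = {
    "X-Azure-FDID": EXPECTED_FRONT_DOOR_ID,
    "X-Forwarded-For": "198.51.100.9, 203.0.113.7:51234",
}

if __name__ == "__main__":
    print(original_client_ip(SAMPLE_HEADERS))  # → 203.0.113.7
```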