Azure Firewall DNAT rule to securely connect to a VM with a Private IP address

Vara Prasad Reddy
Jul 9, 2024


In this article I’ll walk you through how to securely connect to a VM that has only a Private IP address, using an Azure Firewall DNAT rule.

For security purposes, we might want to disable public access to our VM (that is, give it no Public IP address). In such cases, if we want to reach a VM that has only a Private IP address, we can use either Azure Firewall DNAT rules or the Azure Bastion service.

Refer to this article on how to securely connect to a VM with a Private IP address using the Azure Bastion service: https://medium.com/@prasad.reddy0708/azure-bastion-service-to-connect-to-a-vm-with-a-private-ip-address-5a51ff3c2483

In this article we will look at how to connect to a VM with a Private IP address using an Azure Firewall DNAT rule.

Create a VM with Private IP address

  1. Go to the Azure Portal and log in with your credentials: https://portal.azure.com/#home
  2. Search for Virtual Machines in the search box and configure the VM by following the screenshots below.

Enter the Username and Password for your VM.

Make sure to set Public IP to None, as shown in the image below.

Once the VM is created, note down its Private IP address. We need it in the later steps of the configuration.

Create Subnets for Azure Firewall Configuration

  1. We need to set up two subnets named AzureFirewallManagementSubnet and AzureFirewallSubnet in order to create a Firewall.
  2. Open the VM and click on the VNet associated with the VM, as shown in the image below.

Steps to create AzureFirewallManagementSubnet

Steps to create AzureFirewallSubnet

Create Firewall

  1. Search for the firewalls keyword in the search box in the Azure Portal and select the Firewalls option.
  2. Click on the Create button.
  3. Configure the firewall as shown in the screenshots below.

Here, I selected the same VNet for the Firewall as the VNet of my VM.

After the Firewall is created, click on the Public IP link of the Firewall to get its Public IP address. Note it down, as we need it in later steps.

Firewall Public IP address.

Configure DNAT rule in Firewall policy

  1. After the Firewall is created, click on the Firewall policy.
  2. Add a rule collection.
  3. Enter the name of the rule collection and its Priority as shown in the image below.

Configure the rule as below:

Name: a name of your choice

Source Type: IP Address

Source: * (to allow from the internet, i.e. all sources)

Protocol: TCP

Destination Ports: 9999 (the port used to connect to the VM via the Firewall IP address)

Destination (Firewall IP): 172.173.187.7 (the Public IP address of the Firewall that we noted in the previous steps)

Translated type: IP Address

Translated address: 10.1.0.4 (the Private IP address of our VM that we noted in the previous steps)

Translated port: 3389 (the port through which we want to access our VM; for a Windows VM, the RDP port is 3389)
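The rule above maps the firewall's public IP and port 9999 onto the VM's private IP and port 3389. As an added example (not part of the original article), the Python script below builds that same rule in the JSON shape used by a firewall policy NAT rule collection (the field names assume the Microsoft.Network/firewallPolicies ruleCollectionGroups resource as I know it; verify against the API version you deploy with) and runs a few review checks on it before it is applied. The values are the constructed ones from the article: firewall IP 172.173.187.7, VM IP 10.1.0.4, ports 9999 and 3389. The review function flags the case the article's Source: * setting creates, where RDP or SSH on the VM becomes reachable from any internet address through the firewall, so the reader can see what changes when the source is narrowed to the CIDR ranges that actually need access.

```python
"""Build an Azure Firewall DNAT rule and review it before applying.

Added example, not the article's own code. Field names follow the NAT rule
shape of Microsoft.Network/firewallPolicies/ruleCollectionGroups (assumption:
verify against the API version you deploy with).
"""
import ipaddress
import json

# Ports that are management entry points; exposing them to every source
# through DNAT is the finding a reviewer would raise first.
MANAGEMENT_PORTS = {22: "SSH", 3389: "RDP"}
ANY_SOURCE = ("*", "0.0.0.0/0")


def build_dnat_rule(name, source, firewall_public_ip, destination_port,
                    translated_address, translated_port, protocol="TCP"):
    """Return one NAT rule in firewall policy rule collection shape."""
    return {
        "ruleType": "NatRule",
        "name": name,
        "ipProtocols": [protocol],
        "sourceAddresses": [source],
        "destinationAddresses": [firewall_public_ip],
        "destinationPorts": [str(destination_port)],
        "translatedAddress": translated_address,
        "translatedPort": str(translated_port),
    }


def wrap_in_collection(rule, collection_name, priority):
    """Wrap a rule in a DNAT rule collection, as the portal's rule collection does."""
    return {
        "ruleCollectionType": "FirewallPolicyNatRuleCollection",
        "name": collection_name,
        "priority": priority,
        "action": {"type": "Dnat"},
        "rules": [rule],
    }


def review_dnat_rule(rule):
    """Return review findings (empty list means nothing to raise)."""
    findings = []
    # The translated address is the VM's private IP; a public one is a mistake.
    if not ipaddress.ip_address(rule["translatedAddress"]).is_private:
        findings.append("translatedAddress is not a private IP; it should be the VM's private IP")
    # The DNAT destination is the firewall's public IP, never a private address.
    for dst in rule["destinationAddresses"]:
        if ipaddress.ip_address(dst).is_private:
            findings.append(f"destination {dst} is private; the destination must be the firewall's public IP")
    # Source '*' plus a management port means RDP/SSH is reachable from anywhere.
    open_to_world = any(src in ANY_SOURCE for src in rule["sourceAddresses"])
    port = int(rule["translatedPort"])
    if open_to_world and port in MANAGEMENT_PORTS:
        findings.append(
            f"{MANAGEMENT_PORTS[port]} (port {port}) is reachable from any source; "
            "restrict sourceAddresses to the CIDR ranges that need access"
        )
    return findings


if __name__ == "__main__":
    # Constructed values mirroring the article's rule.
    rule = build_dnat_rule("rdp-via-firewall", "*", "172.173.187.7", 9999, "10.1.0.4", 3389)
    print(json.dumps(wrap_in_collection(rule, "DNAT-RuleCollection", 100), indent=2))
    for finding in review_dnat_rule(rule):
        print("REVIEW:", finding)
    # Same rule with the source narrowed to one (constructed) office range.
    narrowed = build_dnat_rule("rdp-via-firewall", "203.0.113.0/24", "172.173.187.7", 9999, "10.1.0.4", 3389)
    print("findings after narrowing source:", review_dnat_rule(narrowed))
```

Running the script prints the rule collection JSON, one review finding for the wide-open source, and an empty finding list once the source is narrowed; the same checks can be run against any exported firewall policy before a change is approved.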

Connect to VM

  1. Get the Public IP address of the Firewall.
  2. Type mstsc in the Run dialog to open Remote Desktop (RDP).
  3. Enter the Firewall's Public IP address along with the Destination Port that we configured in the DNAT rule, in the following format. Note that the IP address and port number are separated by a colon (:).

<firewall_public_ip_address>:<destination_port_in_DNAT_rule>

  4. Enter your VM credentials.
  5. You are now logged into the VM with a Private IP address, via Azure Firewall DNAT rules.

I hope you enjoyed reading this article. Please give a clap and follow me for more such interesting and useful articles.
