Is there a limit of how many IP ranges can be in Source field in a single DNAT rule in Azure Firewall Standard?

Question

Hi

Is there a documented limit on the maximum number of IP address ranges that can be specified in the Source field in a single DNAT rule in Azure Firewall Standard SKU? I was looking at Policy Analytics for my Azure Firewall Policy, and 1 of the Recommended Action is "This rule has more IP addresses in the source than the chosen threshold. Convert multiple IP's to IP Groups". But this does not list what is the threshold or maximum number of IP addresses allowed in Source field. I cannot find any documentation on this either since the Azure firewall limits page does not list the threshold for max number of IP addresses in Source field of a DNAT rule - https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits#azure-firewall-limits

Currently in my DNAT rule, I have 42 IP address ranges in cidr format a.b.c.d/n in the Source field, and only 1 IP address in the Destination field. But there is no way to tell what is the limit that I am breaching for Source field.

Please advise

Thanks

Answer 1

Hi @Murali Kumar

Welcome to the Microsoft Q&A Platform.

Thank you for reaching out, & I hope you are doing well.

I tested this in my environment and was able to add more than 5,000 IP addresses in the source field without any issues, indicating that, as far as I know, there is no limit on the number of IP addresses that can be added.

The alternative approach is to convert multiple IPs to IP Groups, as there is no information about the source IP limit in DNAT rules. This allows you to manage them easily and improve performance by consolidating multiple IP addresses into IP groups.

Here is the response after adding multiple IP addresses.

I hope this helps to resolve your query.

If this helps to resolve your query, please click Accept Answer on this post to assist other community members facing similar issues in finding the correct solution.