Advice on FortiGate NAT configuration for Azure Virtual Desktop
Overview/Scenario
- I have a use case for configuring NAT in which an isolated Azure Virtual Desktop session host will traverse a NEW public IP address assigned to my FortiGate Azure NGFW virtual machine's WAN interface.
- Any IPs requiring egress traffic outbound will use central SNAT in a one-to-one mapping for all IP addresses within my AVD subnet range:
192.168.235.0/24
Questions:
- Could you please critique my implementation logic below? Relatively new to FortiGate, so please excuse the basic questions. I sourced FGT docs on central SNAT.
- As the new Azure public IP is assigned to the WAN interface of my FGT device, would DNAT be required? Not sure how FGT would route traffic from the new public IP inbound to my AVD subnet. However, there is currently no requirement to translate destination addresses to specific services within the isolated AVD subnet.
Proposed Azure deployment steps
- Within VNet zct-NE-Prod-AVD-Vnet01, create a new subnet AVD-Isolated_Synapse
Subnet CIDR: 192.168.235.0/24
Subnet NSG association: zct-NE-Prod-AVD-Vnet01-nsg
Subnet RT association: zct-NE-Prod-AVD-Vnet01-rt
- New FGT isolated subnet public IP (PIP)
Create a public Standard SKU, zone-redundant IP, labelled:
AVD-Isolated-synapse-nat-pip
- Assign the new PIP to an IP configuration of the FGT primary NIC interface:
zct-NE-NVA-FGT-A-Nic1
Navigation:
zct-NE-NVA-FGT-A-Nic1
> ip configurations > add
Name = AVD-Isolated-synapse-nat-pip
Private IP address settings = Static (192.168.3.8)
Associate public IP address = `AVD-Isolated-synapse-nat-pip`
Log the private IP associated to the public IP address linked to the public interface (192.168.3.8)
Proposed FortiGate deployment steps
- Create an address group and assign the private IP address associated to the public IP:
AVD-Isolated-Snet-NAT-pip
Address group name = zct-AVD-Isolated_Synapse-SNET
Member = zct-avd-isolated-nat-ip (192.168.3.8/32)
Member = zct-avd-isolated-snet (192.168.235.0/24)
- Create an IP pool.
Navigate to: policy & objects > ip pools > create
Enter details:
Name = AvdIsolatedSynapsePool
Comment = AVD Isolated Synapse subnet NAT IP pool - CHG820241
Type = One-to-one
External IP address/range = 192.168.3.8-192.168.3.8
ARP Reply = enabled
This will ensure all AVD traffic from the isolated subnet traverses the newly created public IP in Azure, AVD-Isolated-synapse-nat-pip, associated to the WAN interface.
- Create a central SNAT policy (for outbound traffic from the AVD session host subnet)
Navigation: Policy & Objects > Central SNAT > New
Enter details
Incoming interface = Azure (port 2)
Outgoing interface = WAN (port 1)
Source Address = zct-AVD-Isolated_Synapse-SNET
Destination address = all
NAT = enabled
IP pool configuration = Use Dynamic IP Pool
IP pool = AvdIsolatedSynapsePool
Protocol = any
Comments = AVD Isolated Synapse subnet central SNAT - CHG820241
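For reference, the FortiOS CLI equivalent of the GUI steps above, written as an added example (not taken from the post or from Fortinet documentation). It assumes FortiOS 7.x syntax, that port1 is the WAN interface and port2 the Azure-facing interface as the post indicates, and it adds a firewall policy (name, ID and the session-host address in the verification commands are assumptions). Two design choices differ from the GUI walk-through and are deliberate: the SNAT source group holds only the AVD subnet, since the pool address belongs in the IP pool rather than in the source match; and the pool is type overload rather than one-to-one, because a one-to-one pool does no port translation and a single pool address can then serve only one internal host at a time, while overload (PAT) lets the whole /24 share 192.168.3.8.

```fortios
# Added example: central SNAT for 192.168.235.0/24 out of port1 via 192.168.3.8,
# the secondary private IP that Azure 1:1-NATs to the public IP. Assumed names:
# port1 = WAN, port2 = Azure, policy "AVD-Isolated-outbound".

# 1. Central NAT must be on, or the Central SNAT table is never consulted.
#    On a unit that already uses per-policy NAT this changes existing behaviour,
#    so switch modes inside the change window.
config system settings
    set central-nat enable
end

# 2. Source objects: the AVD subnet only.
config firewall address
    edit "zct-avd-isolated-snet"
        set subnet 192.168.235.0 255.255.255.0
        set comment "AVD Isolated Synapse subnet"
    next
end
config firewall addrgrp
    edit "zct-AVD-Isolated_Synapse-SNET"
        set member "zct-avd-isolated-snet"
    next
end

# 3. IP pool holding the secondary private IP. arp-reply makes the FortiGate
#    answer for 192.168.3.8 on port1 even though the address is not configured
#    on the interface itself. overload = PAT, so all 254 hosts can share it.
config firewall ippool
    edit "AvdIsolatedSynapsePool"
        set type overload
        set startip 192.168.3.8
        set endip 192.168.3.8
        set arp-reply enable
        set comments "AVD Isolated Synapse subnet NAT IP pool - CHG820241"
    next
end

# 4. Central SNAT map: port2 -> port1, AVD subnet -> any destination,
#    translate to the pool. protocol 0 = any.
config firewall central-snat-map
    edit 1
        set srcintf "port2"
        set dstintf "port1"
        set orig-addr "zct-AVD-Isolated_Synapse-SNET"
        set dst-addr "all"
        set protocol 0
        set nat enable
        set nat-ippool "AvdIsolatedSynapsePool"
        set comments "AVD Isolated Synapse subnet central SNAT - CHG820241"
    next
end

# 5. The SNAT map only decides the translation; a firewall policy still has to
#    permit the flow. In central NAT mode the policy has no per-policy NAT option.
config firewall policy
    edit 0
        set name "AVD-Isolated-outbound"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "zct-avd-isolated-snet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# 6. Verification from a session host (192.168.235.10 is an assumed host address):
#    packets must leave port1 sourced from 192.168.3.8, and the session entry
#    must show the translated source.
# diagnose sniffer packet port1 'host 192.168.3.8' 4 10
# diagnose sys session filter src 192.168.235.10
# diagnose sys session list
```

On the DNAT question: Azure's public IP is a 1:1 NAT onto the NIC's private IP configuration, so the FortiGate never sees the public address; return packets for sessions it initiated arrive on port1 addressed to 192.168.3.8 and match the existing session, which is why no DNAT is needed for outbound-only traffic. A VIP (DNAT) would only be required to publish a service inside 192.168.235.0/24 to unsolicited inbound connections, which the post says is not a requirement. The Azure side still has to be correct for this to work: the Azure route table on the AVD subnet must send 0.0.0.0/0 to the FortiGate's port2 private IP, and the NSG must allow the egress, otherwise the traffic never reaches port2 regardless of the FortiGate configuration.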