Microsoft has recently rolled out a public preview of the Auto-Learn SNAT routes feature for its Firewall service. This feature aims to reduce the complexity and time spent manually configuring SNAT (Source Network Address Translation) private ranges. By enabling this feature, Azure Firewall can automatically learn both registered and private address ranges every 30 minutes, thereby eliminating the need for manual setup. This advancement requires Azure Route Server to be deployed in the same Virtual Network (VNet) as the Azure Firewall.
How Does Auto-Learn SNAT Work?
Once enabled, the Azure Firewall begins to learn address ranges considered internal to the network. As a result, traffic directed to these learned ranges will not undergo SNAT, simplifying the network configuration process.
Configuration Guide
Using an ARM Template
You can set up the Auto-Learn feature using an ARM template with the following JSON snippet. This snippet enables the `autoLearnPrivateRanges` option under the `snat` properties:
```json
{
  "type": "Microsoft.Network/firewallPolicies",
  "apiVersion": "2022-11-01",
  "properties": {
    "snat": {
      "autoLearnPrivateRanges": "Enabled"
    }
  }
}
```
Using Azure PowerShell
Creating a new firewall with RouteServerId can be done with the following PowerShell commands:
```powershell
# Specify the RouteServerId URI
$routeServerId = "/subscriptions/your_sub/resourceGroups/testRG/providers/Microsoft.Network/virtualHubs/TestRS"

# Create the Azure Firewall
# ($azureFirewallName, $rgname and $location must already be set in the session)
New-AzFirewall -Name $azureFirewallName -ResourceGroupName $rgname -Location $location -RouteServerId $routeServerId
```
Using Azure Portal
The Azure portal can also be used to configure this feature. You’ll need to:
- Add a subnet named `RouteServerSubnet` to your existing firewall VNet with a size of at least /27.
- Deploy an Azure Route Server in the same VNet.
- Navigate to the firewall policy settings and enable the Auto-learn IP prefixes option in the Private IP ranges (SNAT) section.
By following these steps, you can take advantage of Azure Firewall’s Auto-Learn feature to automate and simplify your SNAT configuration process.
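The prerequisites described above (auto-learn enabled in the policy, a Route Server, and a RouteServerSubnet of at least /27) can be checked in an ARM template before deployment. The following Python check is an added example, not code from the original page or from Microsoft. It assumes all resources are declared in one template with subnets inline in the VNet, and it does not verify that the Route Server and the firewall share that VNet; the function names and the sample template are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample template (not from the page): auto-learn is enabled and a
# Route Server exists, but RouteServerSubnet is a /28, smaller than the /27 minimum.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/firewallPolicies", "name": "fw-policy",
   "properties": {"snat": {"autoLearnPrivateRanges": "Enabled"}}},
  {"type": "Microsoft.Network/virtualHubs", "name": "TestRS", "properties": {}},
  {"type": "Microsoft.Network/virtualNetworks", "name": "fw-vnet", "properties": {"subnets": [
     {"name": "AzureFirewallSubnet", "properties": {"addressPrefix": "10.0.0.0/26"}},
     {"name": "RouteServerSubnet", "properties": {"addressPrefix": "10.0.1.0/28"}}]}}
]}
""")

def auto_learn_enabled(resource):
    """True for a firewall policy with snat.autoLearnPrivateRanges set to Enabled."""
    snat = resource.get("properties", {}).get("snat", {})
    return (resource.get("type") == "Microsoft.Network/firewallPolicies"
            and snat.get("autoLearnPrivateRanges") == "Enabled")

def lint_auto_learn(template):
    """Return findings for the auto-learn prerequisites (empty list when all are met)."""
    resources = template.get("resources", [])
    if not any(auto_learn_enabled(r) for r in resources):
        return []  # feature not in use, nothing to check
    findings = []
    # Assumption: Route Server appears as Microsoft.Network/virtualHubs (cf. RouteServerId path).
    if not any(r.get("type") == "Microsoft.Network/virtualHubs" for r in resources):
        findings.append("no Route Server (Microsoft.Network/virtualHubs) resource")
    subnets = [s for r in resources
               if r.get("type") == "Microsoft.Network/virtualNetworks"
               for s in r.get("properties", {}).get("subnets", [])]
    rs_subnets = [s for s in subnets if s.get("name") == "RouteServerSubnet"]
    if not rs_subnets:
        findings.append("no subnet named RouteServerSubnet")
    for subnet in rs_subnets:
        prefix = subnet.get("properties", {}).get("addressPrefix", "")
        try:
            if ipaddress.ip_network(prefix).prefixlen > 27:
                findings.append(f"RouteServerSubnet {prefix} is smaller than /27")
        except ValueError:  # e.g. an ARM expression such as "[parameters(...)]"
            findings.append(f"RouteServerSubnet prefix {prefix!r} is not a literal CIDR")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_auto_learn(SAMPLE_TEMPLATE)))
```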