Remove requirement for public IP on Azure Firewall.
Our organization requires access to Azure cloud only via VPN for internal users. We would prefer to use the Azure Firewall; however, currently a public IP is required. The requirement for a public IP should be eliminated, as from a security perspective this is unacceptable if the firewall is used for internal traffic only.
Carlos Mendible commented
A public IP is still needed, and, as the initial post suggested, there are internal traffic scenarios where a public IP should not be required.
Many of my clients are using other NVA because of this hard requirement.
We ran into the same problem at a customer project as well. The initial design of the network infrastructure put the Azure Firewall in place as a security component to monitor, route and filter internal traffic. Protecting traffic from the public internet, PaaS, etc. was on the roadmap for a much later time. Now we'll try to circumvent this limitation by establishing Public/Microsoft peering on the ExpressRoute Gateway.
But I agree with the initial author that the limitation that DNAT rules can only be bound to the public IP was quite surprising and in the end massively limits the possible uses of Azure Firewall.