Azure VMware Solution (AVS) is a VMwarevalidated private cloud solution, managed and maintained by Azure. It runs on dedicated, bare-metal Azure infrastructure. AVS allows customers to manage and secure applications across both VMware environments and Microsoft Azure resources with a consistent operating framework. It supports workload migration, VM deployment, and Azure service consumption.  

 As AVS private cloud runs on an isolated Azure environmentby default it is not accessible from Azure or the Internet. Users can use either ExpressRoute Global Reach (i.e., from on-prem) or a jump box (i.e., on an Azure VNet) to access AVS private cloud. This means AVS workload VMs are confined within AVS private cloud and not accessible from the Internet. If customers want to make AVS Private Cloud resources, such as web servers, accessible from the Internet, Public IP needs to be deployed. There are couple of ways to do this: (1) Destination NAT or DNAT via Azure Virtual WAN/Azure Firewall; and (2) Azure Application Gateway. This article focuses on DNAT with Azure Virtual WAN/Azure Firewall. 

Azure Firewall is required to configure DNAT. Azure Firewall with public IP as well as Virtual WAN, Virtual WAN Hub, and Public IPs are automatically deployed once public IP functionality is enabled in AVS private cloudEnabling Public IP functionality also enables connectivity between Virtual WAN Hub AVS private cloud via ExpressRoute.  

The following picture shows reference architecture of DNAT with Azure Virtual WAN. Reference Architecture of DNAT with Azure Virtual WAN

The architecture diagram illustrates a web server hosted in the Azure VMware Solution environment and configured with RFC1918 private IP addresses. The web server is accessible from the internet via Virtual WAN public IP functionality by using DNAT in Azure Firewall. DNAT is a firewall rule which translates public IP address requests to a private address. When the firewall receives user requests on public IP, it translates those requests to private IP using DNAT rules. The firewall looks up the NAT table, and if the request matches an entry, it forwards the traffic to the translated address and port in the AVS private cloud. The web server receives the request, processes it, and then replies to the firewall. Finally, the firewall forwards the information to the user on the public IP address.

How to Deploy Azure Virtual WAN in AVS Private Cloud

  1. Sign into the Azure portal and select Azure VMware Solution.
  2. Select Azure VMware Solution private cloud.Sign into the Azure portal and select Azure VMware Solution
  1. Under Manage, select Connectivity.Under Manage, select Connectivity
  2. Select the Public IP tab and then click Configure.Select the Public IP tab and then click Configure
  3. Accept default values or change them if necessary. Then provide a virtual hub address block, the number of the public IP, and then select Create.
Provide Virtual Hub Address, the Public IP, and then Select Create


Note: It can take about an hour to complete the deployment. Once deployment is done, we can verify the Public IP, Virtual WAN, WAN Hub, Azure Firewall, and then create firewall police and DNAT on the Azure Firewall.

How to Configure DNAT in Azure Firewall

  1. In the Azure portal, search for Firewall.
  2. Select the deployed firewall and then select Visit Azure Firewall Manager to configure and manage this firewall.
Visit Azure Firewall Manager to Configure and Manage Firewall

Note: Document the Public IP address of the firewall which is required to configure DNAT.

  1. Select Azure Firewall Policies and then Create Azure Firewall Policy.
Select and Create Azure Firewall Policies
  1. Under the Basic tab, provide the necessary details and select Next: DNS Settings.
Under Basics, Set DNS Settings
  1. Under DNS Settings tab, accept default and then select the Rules
Under DNS Settings Tab, Accept Default and then Select the Rules
  1. Click Add a rule collection
Add a rule collection
  1. Provide the required info in the Add a rule collection pane and click Add.
Provide the required info and Click Add
  1. Click Review + create
Click Review and Create
  1. Click Create once Validation has been passed. It may take some time to complete the process.


Create once validation has been passed


Note: Final step is to associate firewall policy to the Azure Hub.

  1. From the Firewall manager, select Azure Firewall Policies.
Final step is to associate firewall policy to the Azure Hub



  1. Select the appropriate firewall policy, click Manage associations, and then select Associate hubs.
Click Manage associations, and then select Associate hubs
  1. Select the appropriate Hub and then click Add.
Select the appropriate Hub and then click Add

The DNAT policy is now associated with the Azure Virtual Hub and is ready to use.


  1. Go to the Firewall Manager and check the DNAT Rules to verify DNAT configuration.
Verify DNAT Configuration

With this DNAT policy, the AVS workload VM (i.e., the webserver with an IP address of is now accessible from the Internet via



Public IPs are limited to a maximum of 100 for an AVS Private cloud.