Considerations while implementing NAT on Firewalls hosted on AWS, Azure, or GCP.

Created On 04/03/24 23:11 PM - Last Modified 04/05/24 19:25 PM


Symptom


Traffic that should be NATted by a VM-Series firewall hosted in a public cloud (AWS, Azure, or GCP) never makes it past the firewall, even though the NAT and Security policies on the firewall look correct.


Environment



A VM-Series firewall hosted on AWS, Azure, or GCP such that:

  • It receives, processes, and transmits traffic between two different zones (e.g. Trust and Untrust, Private and Public, Private and DMZ).
  • A NAT policy has been configured on the firewall to translate that traffic.
  • The environment may also include a dataplane interface that was newly attached to the firewall after it was deployed.


Cause



The firewall's dataplane interfaces must also be configured at the cloud VM level, outside of PAN-OS, before the cloud network will deliver NATted traffic to and from them. By default, all three clouds drop packets whose source or destination IP does not belong to the interface, which is exactly what NATted traffic looks like.


Resolution



Azure:

  • Enable IP Forwarding on the affected dataplane interfaces of the VM-Series firewall (Microsoft, 2023).
  • IP Forwarding is disabled by default on new interfaces, so it must be enabled on any new interface that will carry NATted traffic.
  • Sidenote: if the dataplane interface was created after the firewall was deployed, chances are that Azure Accelerated Networking has not been enabled on it either; we recommend enabling it. Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000saeoCAA

AWS:

  • Disable source/destination checks on the affected dataplane interfaces of the VM-Series firewall (Amazon Web Services, 2024).
  • Source/destination checks are enabled by default on new interfaces, so they must be disabled on any new interface that will carry NATted traffic.

GCP:

  • Enable IP Forwarding for the VM-Series firewall instance and its dataplane interfaces (Google Cloud, 2024).
  • IP Forwarding is disabled by default on new instances, so it must be enabled on any firewall instance whose interfaces will carry NATted traffic.
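A small audit that checks the three settings above from the JSON the cloud CLIs already return, so the misconfiguration can be spotted before the NAT policy is troubleshot further. This is an added example, not part of this article or a Palo Alto Networks tool; the sample CLI output and interface names are constructed, and the key names follow the AWS (`SourceDestCheck`), Azure ARM (`enableIPForwarding`, `enableAcceleratedNetworking`) and GCP (`canIpForward`) property names, matched case-insensitively in case a CLI version renders them differently.

```python
import json

# Constructed sample output (not from a real account) of:
#   aws ec2 describe-network-interfaces --filters Name=attachment.instance-id,Values=<fw>
#   az network nic list --resource-group <RG>
#   gcloud compute instances describe <fw> --format=json
AWS_ENIS = json.dumps({"NetworkInterfaces": [
    {"NetworkInterfaceId": "eni-0mgmt", "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-0untrust", "SourceDestCheck": True},
    {"NetworkInterfaceId": "eni-0trust", "SourceDestCheck": False}]})
AZURE_NICS = json.dumps([
    {"name": "fw-mgmt", "enableIPForwarding": False, "enableAcceleratedNetworking": True},
    {"name": "fw-untrust", "enableIPForwarding": True, "enableAcceleratedNetworking": True},
    {"name": "fw-trust", "enableIPForwarding": False, "enableAcceleratedNetworking": False}])
GCP_INSTANCE = json.dumps({"name": "vm-series-1", "canIpForward": False,
                           "networkInterfaces": [{"name": "nic0"}, {"name": "nic1"}]})


def flag(obj, key, default):
    """Case-insensitive lookup, since CLIs render ARM/API keys with varying case."""
    for k, v in obj.items():
        if k.lower() == key.lower():
            return v
    return default


def audit_aws(describe_json, dataplane_ids):
    """Return dataplane ENIs that still have source/destination checks enabled.
    The management interface is deliberately left out: only NAT-carrying
    dataplane interfaces need the check disabled."""
    enis = json.loads(describe_json)["NetworkInterfaces"]
    return [e["NetworkInterfaceId"] for e in enis
            if e["NetworkInterfaceId"] in dataplane_ids and flag(e, "SourceDestCheck", True)]


def audit_azure(nics_json, dataplane_names):
    """Return (nic, issue) pairs for IP forwarding or Accelerated Networking being off."""
    findings = []
    for nic in json.loads(nics_json):
        if nic["name"] not in dataplane_names:
            continue
        if not flag(nic, "enableIPForwarding", False):
            findings.append((nic["name"], "ip-forwarding disabled"))
        if not flag(nic, "enableAcceleratedNetworking", False):
            findings.append((nic["name"], "accelerated-networking disabled"))
    return findings


def audit_gcp(instance_json):
    """GCP exposes IP forwarding per instance (canIpForward), so the finding names the VM."""
    inst = json.loads(instance_json)
    return [] if flag(inst, "canIpForward", False) else [inst["name"]]
```

Each returned item maps to one remediation from the lists above, e.g. `aws ec2 modify-network-interface-attribute --network-interface-id eni-0untrust --no-source-dest-check` or `az network nic update --name fw-trust --resource-group <RG> --ip-forwarding true`.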


Additional Information



References

Amazon Web Services. (2024). Elastic network interfaces. AWS Documentation. https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Google Cloud. (2024, March 27). Enable IP forwarding for instances. Google Cloud Documentation. https://cloud.google.com/vpc/docs/using-routes#canipforward

Microsoft. (2023, March 23). Enable or disable IP forwarding. Microsoft Learn Documentation. https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-network-interface?tabs=azure-portal#enable-or-disable-ip-forwarding


