Port Forwarding

Port Forwarding, also known as Destination NAT (DNAT), allows external traffic from the internet to reach specific services hosted on private IP addresses within your Virtual Network (VNET). Unlike 1:1 NAT, which maps all traffic from a public IP to a single private host, Port Forwarding allows you to direct traffic based on specific port numbers and protocols.

This feature is commonly used to expose internal services—such as web servers, database listeners, or application interfaces—while maintaining control over exactly which ports are accessible from the outside.

When to use Port Forwarding

  • Hosting Web Services: Directing traffic on ports 80 (HTTP) or 443 (HTTPS) to a specific internal web server.
  • Shared Public IP: Using a single public IP address to reach multiple different internal servers by mapping unique external ports to different internal private IPs.
  • Service Translation: Mapping a standard external port (e.g., 443) to a non-standard internal port (e.g., 8443) for added security or application requirements.

Prerequisites

Before configuring Port Forwarding, ensure you have:

  • An Internet Service attached to your VNET.
  • At least one Public IP Address allocated to your Internet Service.
  • The Private IP Address of the internal host (typically behind a Service Edge or DC Connect) that will receive the traffic.

Configuring Port Forwarding

Port forwarding rules are managed within the configuration of your Internet Service:

  1. Navigate to the Services page and select your Internet Service.
  2. In the left sidebar, expand General and select Policies.
  3. Click the Create new port-forwarding policy button.
  4. Complete the following fields in the configuration screen:
    • Source IP / Port: Define which external sources can access this rule. Enter a specific IP/Prefix or select Any to allow access from the entire internet.
    • Destination IP (Public): Select the public IP address from your Internet Service that will receive the incoming request.
      • Port: Enter the external port number that users will connect to.
      • Protocol: Select the transport protocol (TCP, UDP, or Both).
    • NAT IP (Private): Enter the internal private IP address of the destination host within your VNET.
      • NAT Port: Enter the internal port number the service is listening on.
  5. Click Add.
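
A rule set can be reviewed before it is deployed. The following is an added example, not portal or vendor code: the dictionary keys mirror the form fields above, while the `name` key, the list of sensitive internal ports, and the choice to flag overlapping rules as ambiguous are assumptions. Sources are assumed to be IPv4.

```python
import ipaddress
from itertools import combinations

# Assumption: internal ports that should not be reachable from source "Any".
SENSITIVE_NAT_PORTS = {22: "SSH", 3306: "MySQL", 3389: "RDP", 5432: "PostgreSQL"}

# Constructed sample rules (documentation address ranges, hypothetical names).
FIELDS = ("name", "source", "public_ip", "port", "protocol", "nat_ip", "nat_port")
RULES = [dict(zip(FIELDS, row)) for row in [
    ("web", "Any", "203.0.113.10", 443, "TCP", "10.0.1.20", 8443),
    ("db", "Any", "203.0.113.10", 15432, "TCP", "10.0.2.30", 5432),
    ("ssh-admin", "198.51.100.0/24", "203.0.113.10", 2222, "Both", "10.0.1.21", 22),
    ("syslog", "Any", "203.0.113.10", 2222, "UDP", "10.0.1.22", 514),
]]

def protocols(rule):
    """Expand the form's protocol choice into a set of transport protocols."""
    return {"TCP", "UDP"} if rule["protocol"] == "Both" else {rule["protocol"]}

def source_net(rule):
    """Treat 'Any' as the whole IPv4 internet; otherwise parse the IP/prefix."""
    src = "0.0.0.0/0" if rule["source"] == "Any" else rule["source"]
    return ipaddress.ip_network(src, strict=False)

def audit(rules):
    """Return (rule_name, finding) pairs for a planned rule set."""
    findings = []
    # Judge exposure by the NAT port: translation changes the external number,
    # not which internal service ends up reachable.
    for r in rules:
        service = SENSITIVE_NAT_PORTS.get(r["nat_port"])
        if service and source_net(r).prefixlen == 0:
            findings.append((r["name"], f"{service} on {r['nat_ip']}:{r['nat_port']} "
                             f"is open to Any via external port {r['port']}"))
    # Two rules on the same public IP, port and protocol with overlapping
    # sources leave it unclear which internal host receives the traffic.
    for a, b in combinations(rules, 2):
        same_listener = (a["public_ip"], a["port"]) == (b["public_ip"], b["port"])
        if (same_listener and protocols(a) & protocols(b)
                and source_net(a).overlaps(source_net(b))):
            findings.append((a["name"], f"overlaps {b['name']} on "
                             f"{a['public_ip']}:{a['port']}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```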

Important Security Considerations

Warning

Exposing internal services to the internet increases your security risk. Always ensure that the destination host is hardened and that you have configured Firewall Rules to restrict traffic to only the necessary sources and ports.

Note

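Port Translation: You can use different port numbers for the external (Port) and internal (NAT Port) entries. This allows you to hide the actual port your service is running on. Hiding the port does not limit who can connect to the service, so continue to restrict access with the Source IP field and Firewall Rules.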

Note

Applying Changes: Like all networking services in the portal, your Port Forwarding will not be active until you deploy the changes. See Workflows and Applying Changes.