Merge pull request #306711 from aktsmm/patch-3

prmerger-automator[bot] · web-flow · commit 390581bb247b · 2026-03-06T09:19:14.000Z
Update firewall-faq with ESP packet support details
diff --git a/articles/firewall/firewall-faq.yml b/articles/firewall/firewall-faq.yml
@@ -112,6 +112,32 @@ sections:
         answer: |
           No, Azure Firewall doesn't natively support BGP peering. However, the [Autolearn SNAT routes feature](../firewall/snat-private-range.md#auto-learn-snat-routes-preview) indirectly uses BGP through Azure Route Server.
 
+
+
+      - question: Can Azure Firewall pass ESP packets (IPSec VPN)?
+        answer: |
+          Azure Firewall does not natively support ESP (Encapsulating Security Payload), but you can allow ESP traffic by configuring a network rule as follows:
+
+          **Azure Firewall configuration (Network Rule):**
+          - Protocol: Any
+          - Source port: * (Any)
+          - Destination port: * (Any)
+          - Source/Destination: Specify IP addresses as needed
+
+          This configuration allows ESP packets (IP protocol number 50) and other non-TCP/UDP traffic to match the rule. However, note that Azure Firewall does not inspect ESP payloads.
+
+          **Reference : If using NSG (Network Security Group) instead of Azure Firewall:**
+          NSG does not provide a direct option to specify ESP (IP protocol number 50), but ESP packets can be allowed by using the following settings:
+          - Protocol: Any
+          - Port: * (Any)
+          - Source/Destination: Specify IP addresses as needed
+
+          **Recommendations:**
+          - For IPsec VPN configurations, using Azure VPN Gateway is recommended.
+          - Consider using an NVA (Network Virtual Appliance) pattern depending on your requirements.
+
+
+
   - name: Management and configuration
     questions: 
       - question: How can I stop and start Azure Firewall?
