Add External IP and Web Access to a VM in the Datacentre (WatchGuard)

Cloud & Azure | Published 2026-04-13 | By NetCollege Team

Summary: Step-by-step process to add an external IP and publish web or app access to an internal VM using WatchGuard System Manager.

Scenario

This guide covers an Azure and cloud-connected datacentre workflow where internal VMs are published externally through a WatchGuard firewall.

Use this process when you need to:

  • Assign a new public/external IP.
  • Map that IP to an internal web or application server.
  • Allow HTTP/HTTPS or custom application ports.

Prerequisites

  • Access to WatchGuard System Manager and Policy Manager.
  • Internal VM IP address (or alias) confirmed.
  • An available external IP address on the IP Transit/Interface 1 network.
  • Change window and rollback notes prepared.

Step 1: Add the new external IP

  1. Open Policy Manager.
  2. Go to Network > Configuration.
  3. Confirm Configuration Interfaces is set to Mixed Routing Mode.
  4. Select IP Transit/Interface 1 and click Configure.
  5. Open the Secondary tab.
  6. Add the next available external IP address.
    • If the IP already exists, WatchGuard will show an error.
  7. Click OK, then close the Network Configuration window.

Step 2: Create Dynamic NAT mapping

  1. Go to Network > NAT.
  2. Open the Dynamic NAT tab and click Add.
  3. Configure:
    • From: Internal server IP (or alias if already created).
    • To: External Interface (IP Transit).
  4. Enable Set source IP to and choose the new external IP from Step 1.
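  5. Move the new NAT entry up in the list to the correct section/order. Dynamic NAT entries are applied in list order, so the new entry must sit above any broader entry that also matches the server.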
  6. Close the NAT window.

Step 3: Create the firewall policy

  1. Click Add Policy (+).
  2. Add one of the following:
    • HTTP/HTTPS policy, or
    • A custom policy for required application ports.
  3. Name the policy clearly (for example, include app name and external IP).
  4. Set:
    • From: IPtransit
    • To: Add SNAT and select the SNAT created above.
  5. If SNAT is not listed, add Static NAT manually:
    • IP Address or Interface: New external IP from Step 1.
    • Host: Internal server IP.
  6. Save the policy.
  7. Move the new firewall rule near similar published-service policies.

Validation checks

After creating the NAT and policy:

  • Confirm the policy is enabled.
  • Confirm NAT/SNAT targets the expected internal VM.
  • Test external access to:
    • http://<external-ip> or
    • https://<external-ip> (or app-specific ports).
  • Verify traffic logs in WatchGuard to confirm allowed sessions.

Notes and best practices

  • Keep a simple naming standard for NAT and policy objects.
  • Document external IP to internal server mappings.
  • Restrict source access where possible (do not leave broad any-any rules unless required).
  • For production systems, validate TLS certificates and application health checks after publishing.
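
The validation checks and the "allow only required ports" advice above can be scripted. The Python below is an added example, not part of the original guide or of any WatchGuard tooling; the IP address, hostname and port lists are constructed placeholders. Run it from a host outside the firewall that the policy's From field permits.

```python
import socket
import ssl
import time

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unreachable
        return False

def cert_days_left(host, server_name, port=443, timeout=5.0):
    """Validate the chain and name for server_name; return days to expiry.

    Raises ssl.SSLCertVerificationError if the certificate is not trusted
    or does not match server_name.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            not_after = tls.getpeercert()["notAfter"]
    return int((ssl.cert_time_to_seconds(not_after) - time.time()) // 86400)

def check_exposure(host, approved, must_stay_closed, probe=tcp_open):
    """Return (port, finding) pairs where reachability differs from policy."""
    findings = []
    for port in sorted(approved):
        if not probe(host, port):
            findings.append((port, "approved but unreachable"))
    for port in sorted(must_stay_closed):
        if probe(host, port):
            findings.append((port, "reachable but not approved"))
    return findings

if __name__ == "__main__":
    # Constructed values: replace with the external IP from Step 1 and the
    # application's real hostname. 203.0.113.10 is a documentation address.
    external_ip, app_name = "203.0.113.10", "app.example.com"
    issues = check_exposure(external_ip, {80, 443}, {22, 1433, 3389, 8080})
    for port, finding in issues:
        print(f"{external_ip}:{port} {finding}")
    if not any(p == 443 for p, _ in issues):
        print("certificate days left:", cert_days_left(external_ip, app_name))
```

An empty result from check_exposure means the published surface matches the change request; any "reachable but not approved" finding points to a policy or NAT entry that is broader than intended.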

Frequently asked questions

What information should I confirm before publishing a VM externally?

Confirm the internal VM IP, required ports, available external IP, firewall policy ownership, and rollback steps before applying changes.

How can I reduce risk when adding external access in WatchGuard?

Use a change window, allow only required ports and source ranges, and validate NAT plus policy order before committing.

What should I test after completing the configuration?

Test external connectivity on expected ports, verify application response, and review WatchGuard logs for allowed and denied traffic behavior.
