It turns out that warning on the Microsoft Docs site about Azure Firewall blocking port 25 for certain subscription types – yes, that’s important!
I recently faced a scenario where I needed to support a migration from the Azure EA to the Azure CSP billing model – a fairly simple and seamless experience if the CSP you’re moving to is an Azure Expert partner; if not, the ride is a little more bumpy. Moving from EA to CSP subscriptions is a migration of resources (note, though, that not all resources can be migrated – some will require a rebuild).
The migration of resources went really well (it’s a fairly basic hub-and-spoke landing zone setup at the moment, with minimal resources), but then came the problem. The environment has a VM acting as an Exchange SMTP server to Office 365. This had been working well via the Azure Firewall while in the EA subscription, but after moving it to the CSP subscription mail just backed up, with a connection timeout error in the Exchange logs. There was a firewall rule in place on the Azure Firewall, and Azure Network Watcher showed a green pass for connectivity checks, but mail would just not flow.
As you’ll see here – https://docs.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity – Microsoft clearly state that for CSP subscriptions outbound port 25 is blocked. It is highly recommended to use an SMTP relay service (SendGrid, for example), but if you need to send over port 25 you MUST log a support ticket with Microsoft to get this enabled – note that there are certain subscription types for which Microsoft will refuse to open it.
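The check that separates this platform-level block from a firewall-rule problem is a real TCP handshake plus SMTP greeting from the VM itself, rather than a Network Watcher probe: port 25 timing out while port 587 on the same host answers is the signature. This is an added Python example, not code from the original post; the local fake mail server is constructed for offline use and smtp.office365.com is an assumed target.

```python
import socket
import threading


def probe_smtp(host: str, port: int = 25, timeout: float = 5.0) -> dict:
    """Complete a real TCP handshake and wait for the SMTP greeting.
    'state' is one of: banner, no-banner, refused, timeout, error.
    A 'timeout' on 25 while 587 answers points at the platform block."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(512)
            except socket.timeout:
                return {"state": "no-banner", "banner": ""}
            banner = data.decode("ascii", errors="replace").strip()
            state = "banner" if banner.startswith("220") else "no-banner"
            return {"state": state, "banner": banner}
    except socket.timeout:
        return {"state": "timeout", "banner": ""}
    except ConnectionRefusedError:
        return {"state": "refused", "banner": ""}
    except OSError as exc:
        return {"state": "error", "banner": str(exc)}


def start_fake_mx(banner: bytes = b"220 mx.constructed.example ESMTP\r\n") -> int:
    """Constructed stand-in mail server on 127.0.0.1; returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)  # send the greeting, then hang up
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Offline demonstration against the constructed server.
    print(probe_smtp("127.0.0.1", start_fake_mx()))
    # Real check: compare the blocked port with the relay port (assumed host).
    for p in (25, 587):
        print(p, probe_smtp("smtp.office365.com", p)["state"])
```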
Azure Firewall is a fantastic option for many scenarios, with Microsoft often adding capability to support more complex architecture requirements; however, third-party vendors do still have a place for some of the more complex requirements. Just make sure you understand the limitations!