I am just working on these scenarios with a customer of mine, implementing all of their web presence in Azure. This is what we have working for multiple web servers.
We had to use an external load balancer to map additional IP addresses into the scenario. Essentially, the external load balancer just takes care of the NAT, converting HTTPS on the external IP addresses to custom ports on the firewall (9443, 9444, etc.) for HTTP on the firewall.
The firewall then has NAT rules (and access rules) allowing traffic into the firewall and NATing the traffic back to HTTP on either the web server directly or an internal load balancer to balance the traffic among multiple web servers.
We currently have 5 HTTPS servers, each on its own IP address. If you hit the limit for external IP addresses, you can just spin up another external load balancer.
This has the advantage of leaving the external side looking like HTTPS, and the internal web server also receives HTTPS.
However, this works for any TCP protocol, and now possibly UDP with the improvements to the load balancer.
It did take me a long time to figure out what works and what wouldn't, but this is the working scenario here.
A lot of the problem here is getting the external IP traffic to the firewall so that NAT can happen. I was never able to route this to the firewall; Microsoft seems to always assume that you're going to put these IP addresses directly on your hosts rather than through a security gateway.
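The two-stage NAT chain described in the post (external load balancer on 443 -> custom port on the firewall -> HTTP on a web server or internal load balancer) is easy to get subtly wrong when more public IPs and a second external load balancer are added. The following is an added example, not code from the poster or from Azure: a small model of that chain with a tracer that follows one client connection end to end, and a checker for the three mistakes that break it silently (two public IPs steered to the same firewall port, a NAT rule with no matching access rule, an LB rule with no NAT rule behind it). All addresses, ports and pool names are constructed for illustration; `sample_chain` deliberately contains one collision and one missing access rule.

```python
"""Added example: model of external LB -> firewall DNAT -> web server / internal LB.
Not the poster's or Azure's code; every address and port below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LbRule:
    """External LB rule: frontend ip:port is forwarded to the firewall's ip:port."""
    frontend_ip: str
    frontend_port: int
    firewall_ip: str
    firewall_port: int


@dataclass(frozen=True)
class FwNatRule:
    """Firewall DNAT: traffic arriving on dst_port is rewritten to target ip:port."""
    dst_port: int
    target_ip: str
    target_port: int


@dataclass
class Chain:
    lb_rules: List[LbRule] = field(default_factory=list)
    nat_rules: Dict[int, FwNatRule] = field(default_factory=dict)  # keyed by firewall port
    access_allowed: Set[int] = field(default_factory=set)          # firewall ports with an access rule
    ilb_pools: Dict[str, List[str]] = field(default_factory=dict)  # internal LB ip -> backend servers


def trace(chain: Chain, ext_ip: str, ext_port: int = 443) -> Tuple[Optional[List[str]], str]:
    """Follow a client connection to ext_ip:ext_port through the LB NAT, the firewall
    access check, the firewall DNAT and, if present, the internal LB pool.
    Returns (list of final backend ip:port, reason)."""
    lb = next((r for r in chain.lb_rules
               if (r.frontend_ip, r.frontend_port) == (ext_ip, ext_port)), None)
    if lb is None:
        return None, "no external LB rule for this frontend"
    if lb.firewall_port not in chain.access_allowed:
        return None, f"firewall access rule missing for port {lb.firewall_port}"
    nat = chain.nat_rules.get(lb.firewall_port)
    if nat is None:
        return None, f"firewall NAT rule missing for port {lb.firewall_port}"
    # A target that is an internal LB fans out to its pool; otherwise it is a single server.
    backends = chain.ilb_pools.get(nat.target_ip, [nat.target_ip])
    return [f"{b}:{nat.target_port}" for b in backends], "ok"


def validate(chain: Chain) -> List[str]:
    """Flag the configuration mistakes that silently break this layout."""
    issues: List[str] = []
    seen: Dict[int, str] = {}  # firewall port -> first public IP that claimed it
    for r in chain.lb_rules:
        if r.firewall_port in seen:
            issues.append(f"firewall port {r.firewall_port} used by both "
                          f"{seen[r.firewall_port]} and {r.frontend_ip}")
        seen.setdefault(r.firewall_port, r.frontend_ip)
        if r.firewall_port not in chain.nat_rules:
            issues.append(f"LB rule for {r.frontend_ip} -> port {r.firewall_port} "
                          f"has no firewall NAT rule")
    for port in chain.nat_rules:
        if port not in chain.access_allowed:
            issues.append(f"NAT rule on port {port} has no matching access rule")
    return issues


def sample_chain() -> Chain:
    """Constructed sample: four public IPs on one external LB in front of one firewall.
    The fourth rule reuses port 9444 and port 9445 has no access rule, on purpose."""
    fw = "10.0.1.4"
    chain = Chain()
    chain.lb_rules = [
        LbRule("203.0.113.10", 443, fw, 9443),
        LbRule("203.0.113.11", 443, fw, 9444),
        LbRule("203.0.113.12", 443, fw, 9445),
        LbRule("203.0.113.13", 443, fw, 9444),  # collision with 203.0.113.11
    ]
    chain.nat_rules = {
        9443: FwNatRule(9443, "10.0.2.10", 80),   # single web server
        9444: FwNatRule(9444, "10.0.2.100", 80),  # internal LB frontend
        9445: FwNatRule(9445, "10.0.2.12", 80),
    }
    chain.access_allowed = {9443, 9444}  # 9445 forgotten
    chain.ilb_pools = {"10.0.2.100": ["10.0.2.11", "10.0.2.21"]}
    return chain


if __name__ == "__main__":
    c = sample_chain()
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        print(ip, "->", trace(c, ip))
    for issue in validate(c):
        print("ISSUE:", issue)
```

Running `validate` before changing a rule set is the useful part: when a second external load balancer is added for more public IPs, both balancers land on the same firewall, so the firewall-port space is shared and a collision is exactly the kind of mistake that only shows up as one site quietly serving another site's backend.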