There are three kinds of rules that you can configure in the Azure Firewall. We’ll delve into these in a few moments, but the first thing you should know is that the Azure Firewall blocks traffic by default. If you do not explicitly allow traffic, it is not allowed … almost entirely … but I’ll explain that later in the post.
The three kinds of rule sets are:
Configuring rules in the Azure Firewall [Image Credit: Aidan Finn]
The Azure Firewall allows you to share network services with external networks, such as on-premises or the Internet through the inspection and logging of the firewall. This traffic routes through the external public IP address of the firewall. Scenarios that you might consider are publishing SSH, RDP, or non-HTTP/S applications to the Internet.
Microsoft refers to this form of NAT as Destination Network Address Translation (DNAT). The rules work with the following parameters:
Quite often in traditional firewall management, a NAT rule that routes traffic must be accompanied by a matching network rule to allow the traffic. In the case of the Azure Firewall, once you create a NAT rule, the firewall implicitly creates a hidden network rule to reduce your management effort and complexity – I do like this!
Any non-HTTP/S traffic that will be allowed to flow through the firewall must have a network rule – note the above time-saving feature in NAT rules. For example, if I have one subnet with web servers that must talk to a SQL Server in another subnet, then I must have a network rule to allow TCP 1433 from the source subnet to the destination subnet.
The following parameters are used to configure a network rule:
The third and final set of rules deals with HTTP/HTTPS traffic at Layer-7 in the networking stack. Here you will specify what web application traffic you want to allow to flow through the firewall. We will start with Target FQDNs (fully qualified domain names) where you are dealing with non-Microsoft services:
There is a second kind of application rule called FQDN Tags, referred to in Microsoft’s documentation as the Infrastructure Rule Collection. Remember that the Azure Firewall blocks everything by default. If you do not specify a domain name or a suitable wildcard, then that traffic is not allowed. As a result, things like Azure Backup or Diagnostics traffic from virtual machines will be blocked if your user-defined routing (UDR) directs that traffic through the Azure Firewall. Microsoft provides a number of FQDN tags that can be used in special application rules to allow this web traffic – this list will probably grow over time:
The three types of rules can be broken down into two sets:
So when a packet is being inspected to determine whether it is allowed or not (deny is the default), only Network Rules and Application Rules are used for filtering. They are processed in this order:
In reality, the ordering is a bit more detailed because Application Rules have two types:
The rules are terminating. Once a positive match is found, allowing the traffic through, no more rules are checked.
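As an added example (not from the original article), here is one rule of each kind, created with the Az PowerShell module and attached to an existing Azure Firewall. The resource group, firewall name, IP addresses, subnets and FQDN are assumed placeholder values; the collection priorities only illustrate that lower numbers are evaluated first within each rule type.

```powershell
# Added example: one NAT, one network and one application rule collection.
# All names and addresses below are assumed placeholders.
$rg         = "rg-hub"                                           # assumed resource group
$fw         = Get-AzFirewall -ResourceGroupName $rg -Name "fw-hub"  # assumed firewall name
$fwPublicIp = "203.0.113.10"                                     # assumed firewall public IP

# 1. NAT (DNAT) rule: publish SSH on a jump host via the firewall's public IP.
#    Azure Firewall implicitly creates the matching network rule, so none is written here.
$natRule = New-AzFirewallNatRule -Name "Allow-SSH-Jump" `
    -Protocol "TCP" -SourceAddress "*" `
    -DestinationAddress $fwPublicIp -DestinationPort "22" `
    -TranslatedAddress "10.0.2.4" -TranslatedPort "22"           # assumed jump-host address
$natColl = New-AzFirewallNatRuleCollection -Name "Publish-Jump" -Priority 100 -Rule $natRule

# 2. Network rule (Layer 3/4): web subnet -> SQL subnet on TCP 1433, the article's example.
$netRule = New-AzFirewallNetworkRule -Name "Web-To-SQL" `
    -Protocol "TCP" -SourceAddress "10.0.10.0/24" `
    -DestinationAddress "10.0.20.0/24" -DestinationPort "1433"
$netColl = New-AzFirewallNetworkRuleCollection -Name "Internal-Allow" -Priority 200 `
    -ActionType "Allow" -Rule $netRule

# 3a. Application rule with target FQDNs: only the named web destinations are allowed;
#     any other HTTP/S destination still falls through to the default deny.
$appRule = New-AzFirewallApplicationRule -Name "Allow-Ubuntu-Updates" `
    -SourceAddress "10.0.10.0/24" -Protocol "http:80","https:443" `
    -TargetFqdn "*.ubuntu.com"
# 3b. Application rule with an FQDN tag: without this, Azure Backup traffic that a UDR
#     forces through the firewall would be dropped by the default deny.
$tagRule = New-AzFirewallApplicationRule -Name "Allow-AzureBackup" `
    -SourceAddress "10.0.10.0/24" -FqdnTag "AzureBackup"
$appColl = New-AzFirewallApplicationRuleCollection -Name "Web-Allow" -Priority 300 `
    -ActionType "Allow" -Rule $appRule, $tagRule

# Attach the collections and write the whole firewall object back to Azure.
$fw.AddNatRuleCollection($natColl)
$fw.AddNetworkRuleCollection($netColl)
$fw.AddApplicationRuleCollection($appColl)
Set-AzFirewall -AzureFirewall $fw
```

Set-AzFirewall replaces the firewall's full rule set, so review the object before writing it when other collections already exist.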
Copyright ©2019 BWW Media Group