azureazure-virtual-network
Azure Firewall: Most common Azure Firewall Policy Rule Collection Rules
I am asked to configure the Azure Firewall Policy Rule collection with most commonly used Network Rules and Application Rules.
I have gathered the following details where in I have captured the most commonly used Network Rules and Application Rules. However I am not sure if I am missing anything that is considered as the most common rule?
resource "azurerm_firewall_policy_rule_collection_group" "fwpolrcg" {
name = "fwpolicy-rcg"
firewall_policy_id = azurerm_firewall_policy.fwpol.id
priority = 100
network_rule_collection {
name = "network_rule_collection1"
priority = 100
action = "Allow"
rule {
name = "AllowHubToSpokeRDP"
protocols = ["TCP","UDP"]
source_addresses = var.hub_firewall_ip_range
destination_addresses = var.spoke_firewall_ip_range
destination_ports = ["3389"]
}
rule {
name = "AllowSpokeToHubRDP"
protocols = ["TCP","UDP"]
source_addresses = var.spoke_firewall_ip_range
destination_addresses = var.hub_firewall_ip_range
destination_ports = ["3389"]
}
rule {
name = "AllowHubToSpokeHTTPS"
protocols = ["TCP"]
source_addresses = var.hub_firewall_ip_range
destination_addresses = var.spoke_firewall_ip_range
destination_ports = ["443"]
}
rule {
name = "AllowSpokeToHubHTTPS"
protocols = ["TCP"]
source_addresses = var.spoke_firewall_ip_range
destination_addresses = var.hub_firewall_ip_range
destination_ports = ["443"]
}
rule {
name = "AllowHubToSpokeDNS"
protocols = ["TCP","UDP"]
source_addresses = var.hub_firewall_ip_range
destination_addresses = var.spoke_firewall_ip_range
destination_ports = ["53"]
}
rule {
name = "AllowSpokeToHubDNS"
protocols = ["TCP","UDP"]
source_addresses = var.spoke_firewall_ip_range
destination_addresses = var.hub_firewall_ip_range
destination_ports = ["53"]
}
}
application_rule_collection {
name = "application_rule_collection1"
priority = 100
action = "Allow"
rule {
name = "Windows Update"
source_addresses = ["*"]
fqdn_tags = [
"AppServiceEnvironment",
"AzureBackup",
"AzureKubernetesService",
"HDInsight",
"MicrosoftActiveProtectionService",
"WindowsDiagnostics",
"WindowsUpdate",
"WindowsVirtualDesktop"]
}
rule {
name = "AllowMicrosoftFqdns"
source_addresses = ["*"]
destination_fqdns = [
"*.cdn.mscr.io",
"mcr.microsoft.com",
"*.data.mcr.microsoft.com",
"management.azure.com",
"login.microsoftonline.com",
"acs-mirror.azureedge.net",
"dc.services.visualstudio.com",
"*.opinsights.azure.com",
"*.oms.opinsights.azure.com",
"*.microsoftonline.com",
"*.monitoring.azure.com",
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowFqdnsForOsUpdates"
source_addresses = ["*"]
destination_fqdns = [
"download.opensuse.org",
"security.ubuntu.com",
"ntp.ubuntu.com",
"packages.microsoft.com",
"snapcraft.io"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowImagesFqdns"
source_addresses = ["*"]
destination_fqdns = [
"auth.docker.io",
"registry-1.docker.io",
"production.cloudflare.docker.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowAzure"
source_addresses = ["*"]
destination_fqdns = [
"*.azure.*"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
}
rule {
name = "AllowBing"
source_addresses = ["*"]
destination_fqdns = [
"*.bing.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowGoogle"
source_addresses = ["*"]
destination_fqdns = [
"*.google.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
depends_on = [azurerm_firewall_policy.fwpol]
}
Solution
I tried to reproduce the same in my environment to create Azure Firewall Policy Rule Collection Rules using Terraform:
Note: Make sure that define all rules in collection section inorder to block or deny the action.
See the document to create Azure Firewall Collection Group using Terraform.
Terraform code:
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "Thejesh" {
name = "Thejesh-resources"
location = "West Europe"
}
resource "azurerm_firewall_policy" "example" {
name = "example-fwpolicy"
resource_group_name = azurerm_resource_group.Thejesh.name
location = azurerm_resource_group.Thejesh.location
}
resource "azurerm_firewall_policy_rule_collection_group" "example" {
name = "example-fwpolicy-rcg"
firewall_policy_id = azurerm_firewall_policy.example.id
priority = 500
application_rule_collection {
name = "app_rule_collection1"
priority = 500
action = "Deny"
rule {
name = "app_rule_collection1_rule1"
protocols {
type = "Http"
port = 80
}
protocols {
type = "Https"
port = 443
}
source_addresses = ["10.0.0.1"]
destination_fqdns = ["*.microsoft.com","*.cdn.mscr.io",
"mcr.microsoft.com",
"*.data.mcr.microsoft.com",
"management.azure.com",
"login.microsoftonline.com",
"acs-mirror.azureedge.net",
"dc.services.visualstudio.com",
"*.opinsights.azure.com",
"*.oms.opinsights.azure.com",
"*.microsoftonline.com",
"*.monitoring.azure.com",]
}
}
network_rule_collection {
name = "network_rule_collection1"
priority = 400
action = "Deny"
rule {
name = "network_rule_collection1_rule1"
protocols = ["TCP", "UDP"]
source_addresses = ["10.0.0.1"]
destination_addresses = ["192.168.1.1", "192.168.1.2"]
destination_ports = ["80", "1000-2000"]
}
}
nat_rule_collection {
name = "nat_rule_collection1"
priority = 300
action = "Dnat"
rule {
name = "nat_rule_collection1_rule1"
protocols = ["TCP", "UDP"]
source_addresses = ["10.0.0.1", "10.0.0.2"]
destination_address = "192.168.1.1"
destination_ports = ["80"]
translated_address = "192.168.0.1"
translated_port = "8080"
}
}
}
Terraform plan:
Terraform Apply
Once ran the code resources created with Azure Firewall Policy.
Rule collection inside Azure Firewall.
Application Rules in Azure Firewall:
- WebJob is stopping due to website shutting down
- Is it possible to change the day returned from startofweek() and endofweek()?
- Handling Audio blobs sent through mediarecorder in JS through python server script for azure service
- Export app registrations with expiring secrets and certificates and send alert in teams
- SQL Azure import slow, hangs, but local import takes 3 minutes
- Issue with Group email address domain when create a new Microsoft 365 Group
- What is the URL for New Page in Azure DevOps Wiki? / How to bookmark New Page?
- Is there a dynamic way to get variables from Variable Group? Even secret ones? and insert in Azure Key Vault
- How do I configure my Bicep scripts to allow a container app to pull an image from an ACR using managed identity across subscriptions
- Azure DevOps. Can't trigger a pipeline in Repo A when a commit is done in repo B
- How to change the default Azure AI Search scoring to be increased when the whole search term is found exactly?
- List and download files in a folder in a blob with blob level SAS token
- How to change the Lease state of Azure Blob to Available
- unable to delete or move first step from logic app?
- Azure Terraform - Encrypt VM OS Disk
- How to temporary stop Azure API Management Service
- Unable to retrieve key vault certificates in azure runbook
- C#: 'A change set cannot include changes to more than '1' source resources' when adding a user To Group using Azure Graph API 2.0
- Set size limt to direct upload to azure blob storage via SAS URL
- Using AddAzureKeyVault makes my application 10 seconds slower
- PostGreSQL pg_dump psql and pg_restore errors with Azure Flexible SQL Server
- How to check signature of a token coming from Azure SSO
- How can I get error details from an if condition activity in Azure Data Factory?
- Getting a 404 for GET /robots933456.txt
- Given an Applications Insight Instrumentation key, get the name of the service in Azure
- How to specify rewrite url for query string parameters in Azure API Management
- Can a normal Azure Function and a Durable Azure Function coexist in the same Function App?
- TenantGuidNotFound when trying to send email using Microsfot GraphAPI
- Can't signin into microsoft account
- Azure Function App Kudu Functions API with empty response