azureazure-virtual-network
Azure Firewall: Most common Azure Firewall Policy Rule Collection Rules
I am asked to configure the Azure Firewall Policy Rule collection with most commonly used Network Rules and Application Rules.
I have gathered the following details where in I have captured the most commonly used Network Rules and Application Rules. However I am not sure if I am missing anything that is considered as the most common rule?
resource "azurerm_firewall_policy_rule_collection_group" "fwpolrcg" {
name = "fwpolicy-rcg"
firewall_policy_id = azurerm_firewall_policy.fwpol.id
priority = 100
network_rule_collection {
name = "network_rule_collection1"
priority = 100
action = "Allow"
rule {
name = "AllowHubToSpokeRDP"
protocols = ["TCP","UDP"]
source_addresses = var.hub_firewall_ip_range
destination_addresses = var.spoke_firewall_ip_range
destination_ports = ["3389"]
}
rule {
name = "AllowSpokeToHubRDP"
protocols = ["TCP","UDP"]
source_addresses = var.spoke_firewall_ip_range
destination_addresses = var.hub_firewall_ip_range
destination_ports = ["3389"]
}
rule {
name = "AllowHubToSpokeHTTPS"
protocols = ["TCP"]
source_addresses = var.hub_firewall_ip_range
destination_addresses = var.spoke_firewall_ip_range
destination_ports = ["443"]
}
rule {
name = "AllowSpokeToHubHTTPS"
protocols = ["TCP"]
source_addresses = var.spoke_firewall_ip_range
destination_addresses = var.hub_firewall_ip_range
destination_ports = ["443"]
}
rule {
name = "AllowHubToSpokeDNS"
protocols = ["TCP","UDP"]
source_addresses = var.hub_firewall_ip_range
destination_addresses = var.spoke_firewall_ip_range
destination_ports = ["53"]
}
rule {
name = "AllowSpokeToHubDNS"
protocols = ["TCP","UDP"]
source_addresses = var.spoke_firewall_ip_range
destination_addresses = var.hub_firewall_ip_range
destination_ports = ["53"]
}
}
application_rule_collection {
name = "application_rule_collection1"
priority = 100
action = "Allow"
rule {
name = "Windows Update"
source_addresses = ["*"]
fqdn_tags = [
"AppServiceEnvironment",
"AzureBackup",
"AzureKubernetesService",
"HDInsight",
"MicrosoftActiveProtectionService",
"WindowsDiagnostics",
"WindowsUpdate",
"WindowsVirtualDesktop"]
}
rule {
name = "AllowMicrosoftFqdns"
source_addresses = ["*"]
destination_fqdns = [
"*.cdn.mscr.io",
"mcr.microsoft.com",
"*.data.mcr.microsoft.com",
"management.azure.com",
"login.microsoftonline.com",
"acs-mirror.azureedge.net",
"dc.services.visualstudio.com",
"*.opinsights.azure.com",
"*.oms.opinsights.azure.com",
"*.microsoftonline.com",
"*.monitoring.azure.com",
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowFqdnsForOsUpdates"
source_addresses = ["*"]
destination_fqdns = [
"download.opensuse.org",
"security.ubuntu.com",
"ntp.ubuntu.com",
"packages.microsoft.com",
"snapcraft.io"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowImagesFqdns"
source_addresses = ["*"]
destination_fqdns = [
"auth.docker.io",
"registry-1.docker.io",
"production.cloudflare.docker.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowAzure"
source_addresses = ["*"]
destination_fqdns = [
"*.azure.*"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
}
rule {
name = "AllowBing"
source_addresses = ["*"]
destination_fqdns = [
"*.bing.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
rule {
name = "AllowGoogle"
source_addresses = ["*"]
destination_fqdns = [
"*.google.com"
]
protocols {
port = "80"
type = "Http"
}
protocols {
port = "443"
type = "Https"
}
}
depends_on = [azurerm_firewall_policy.fwpol]
}
Solution
I tried to reproduce the same in my environment to create Azure Firewall Policy Rule Collection Rules using Terraform:
Note: Make sure that define all rules in collection section inorder to block or deny the action.
See the document to create Azure Firewall Collection Group using Terraform.
Terraform code:
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "Thejesh" {
name = "Thejesh-resources"
location = "West Europe"
}
resource "azurerm_firewall_policy" "example" {
name = "example-fwpolicy"
resource_group_name = azurerm_resource_group.Thejesh.name
location = azurerm_resource_group.Thejesh.location
}
resource "azurerm_firewall_policy_rule_collection_group" "example" {
name = "example-fwpolicy-rcg"
firewall_policy_id = azurerm_firewall_policy.example.id
priority = 500
application_rule_collection {
name = "app_rule_collection1"
priority = 500
action = "Deny"
rule {
name = "app_rule_collection1_rule1"
protocols {
type = "Http"
port = 80
}
protocols {
type = "Https"
port = 443
}
source_addresses = ["10.0.0.1"]
destination_fqdns = ["*.microsoft.com","*.cdn.mscr.io",
"mcr.microsoft.com",
"*.data.mcr.microsoft.com",
"management.azure.com",
"login.microsoftonline.com",
"acs-mirror.azureedge.net",
"dc.services.visualstudio.com",
"*.opinsights.azure.com",
"*.oms.opinsights.azure.com",
"*.microsoftonline.com",
"*.monitoring.azure.com",]
}
}
network_rule_collection {
name = "network_rule_collection1"
priority = 400
action = "Deny"
rule {
name = "network_rule_collection1_rule1"
protocols = ["TCP", "UDP"]
source_addresses = ["10.0.0.1"]
destination_addresses = ["192.168.1.1", "192.168.1.2"]
destination_ports = ["80", "1000-2000"]
}
}
nat_rule_collection {
name = "nat_rule_collection1"
priority = 300
action = "Dnat"
rule {
name = "nat_rule_collection1_rule1"
protocols = ["TCP", "UDP"]
source_addresses = ["10.0.0.1", "10.0.0.2"]
destination_address = "192.168.1.1"
destination_ports = ["80"]
translated_address = "192.168.0.1"
translated_port = "8080"
}
}
}
Terraform plan:
Terraform Apply
Once ran the code resources created with Azure Firewall Policy.
Rule collection inside Azure Firewall.
Application Rules in Azure Firewall:
