Jan 03 2024 08:56 AM
Having trouble with something I thought would be simple... Need to block web traffic on specific Azure VMs to all but a select few sites.
We have (2) groups of Azure VMs...
With_Internet, basically unfiltered outbound traffic
NO_Internet, blocking all web traffic (HTTP/HTTPS) to all but a select few sites... and my understanding on how to accomplish this is using the Azure firewall and application rules based on FQDN.
We have created (4) Vnet's...
10.0.0.0/27 Default With_Internet (contains Azure VM)
10.0.0.32/27 Default NO_Internet (contains Azure VM)
10.0.1.0/26 Azure Bastion AzureBastionSubnet
10.0.2.0/26 Azure Firewall AzureFirewallSubnet
We have a single NSG with default rules associated with both Azure VM /27 subnets
We have a single Azure firewall in the same region with a public IP and private IP contained within the AzureFirewallSubnet
We have a single Azure firewall Policy in the same region with multiple rule collections.
At this point connectivity works, via web interface and Bastion access to VMs in both /27 subnets.
When I create a default route and associate that route with a VM subnet I lose all connectivity to the VM's on that subnet.
The default route has propagate route enabled and is configured as...
Destination IP addresses: 0.0.0.0/0
Next hop type: VirtualAppliance
Next hop address: 10.0.2.4 (Azure firewall private IP)
Our connectivity is strictly from login via https://windows365.microsoft.com/ent#/devices, and use the web interface to connect to the VM or Bastion.
When we associate the default route, we lose both web and Bastion connectivity...
Any pointers/guidance/suggestions...
Jan 04 2024 08:13 AM
How about NSG, any logs and hints from there?
Jan 04 2024 10:50 AM
Thanks for the response, so I enabled the NSG Flow Logs and ran some tests, which included connectivity tests from Network Watcher... and while Network Watcher says connections from port 22 fail and port 3389 are good (from Bastion to VM)... Bastion is still unable to connect...
And I must be outta touch, as these logs in JSON are DUMB... unable to decipher the majority of the values...
Jan 04 2024 04:39 PM - edited Jan 04 2024 04:39 PM
Here are the commands I am using to create the objects, all complete successfully... and again, adding the default route... lose connection, delete the route and connection restored.
I am sure, it's just me missing something.
####################################################################
### Define Variables###
####################################################################
$rgname = "rg-Dev04-vDI"
$rglocation = "West US 3"
$rgtag = @{Dev="AzureVM-Dev"}
$rgvnetname = "vNet-Dev04-vDI"
$bastionpipname = "Bastion-vNet-Dev04-vDI-IP"
$bastionname = "Bastion-vNet-Dev04-vDI"
$firewallpipname = "Firewall-Net-Dev04-vDI-IP"   # was self-referencing ("$firewallpipname"), which leaves the variable empty
$firewallname = "Firewall-Dev04-vDI"
$firewallpolicyname = "Firewall-Dev04-vDI-Policy"
$Routetablename = "Firewall-rt-table-Dev04-vDI"
$routeconfigname = "DG-Route-Dev04-vDI"
$nsgname = "NSG-Dev04-vDI"
####################################################################
###Create resource group###
New-AzResourceGroup -Name $rgname -Location "$rglocation" -Tag $rgtag
####################################################################
###Create virtual network###
$ServerSubnet1 = New-AzVirtualNetworkSubnetConfig -Name Internet -AddressPrefix 10.0.1.0/24
$ServerSubnet2 = New-AzVirtualNetworkSubnetConfig -Name No_Internet -AddressPrefix 10.0.2.0/24
$ServerSubnet3 = New-AzVirtualNetworkSubnetConfig -Name AzureBastionSubnet -AddressPrefix "10.0.3.0/26"
$ServerSubnet4 = New-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -AddressPrefix "10.0.4.0/26"
$deployVnet = New-AzVirtualNetwork -Name $rgvnetname -ResourceGroupName $rgname -Location "$rglocation" -AddressPrefix 10.0.0.0/16 -Subnet $ServerSubnet1,$ServerSubnet2,$ServerSubnet3,$ServerSubnet4 -Tag $rgtag
####################################################################
###Create bastion and Public IP address###
###Create Public IP###
$Bastionip = New-AzPublicIpAddress -ResourceGroupName "$rgname" `
-name "$bastionpipname" `
-location "$rglocation" `
-AllocationMethod Static `
-Tag $rgtag
###Create Bastion###
New-AzBastion -ResourceGroupName "$rgname" `
-Name "$bastionname" `
-PublicIpAddressRgName "$rgname" `
-PublicIpAddressName "$bastionpipname" `
-VirtualNetworkRgName "$rgname" `
-VirtualNetworkName "$rgvnetname" `
-Tag $rgtag
####################################################################
###Create firewall public IP address###
###Create Public IP###
$FWpip = New-AzPublicIpAddress -Name "Firewall-Net-Dev04-vDI-IP" `
-ResourceGroupName $rgname `
-Location "$rglocation" `
-AllocationMethod Static `
-Tag $rgtag `
-Sku Standard
###Create Firewall###
$Azfw = New-AzFirewall -Name "$firewallname" `
-ResourceGroupName "$rgname" `
-Location "$rglocation" `
-VirtualNetwork $deployVnet `
-Tag $rgtag `
-PublicIpAddress $FWpip
###Save the firewall private IP address###
$AzfwPrivateIP = $Azfw.IpConfigurations.privateipaddress
$AzfwPrivateIP
####################################################################
###Create default route###
###Create route table###
$routeTableDG = New-AzRouteTable `
-Name $Routetablename `
-ResourceGroupName $rgname `
-location "$rglocation" `
-DisableBgpRoutePropagation `
-Tag $rgtag
###Create default route###
Add-AzRouteConfig `
-Name $routeconfigname `
-RouteTable $routeTableDG `
-AddressPrefix 0.0.0.0/0 `
-NextHopType "VirtualAppliance" `
-NextHopIpAddress $Azfw.IpConfigurations.privateipaddress `
| Set-AzRouteTable
###Associate the route table to the subnet###
Set-AzVirtualNetworkSubnetConfig `
-VirtualNetwork $deployVnet `
-Name Internet `
-AddressPrefix 10.0.1.0/24 `
-RouteTable $routeTableDG | Set-AzVirtualNetwork
Set-AzVirtualNetworkSubnetConfig `
-VirtualNetwork $deployVnet `
-Name No_Internet `
-AddressPrefix 10.0.2.0/24 `
-RouteTable $routeTableDG | Set-AzVirtualNetwork
####################################################################
Jan 08 2024 05:57 AM
So apparently the issue was related to the Virtual Network not being associated with the firewall policy as a security provider... go figure.
Anyone know how to script this?
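As an added example, not the original poster's script or Microsoft's own sample: the thread's script builds the firewall, route table and default route but never creates the firewall policy or the FQDN allow-list that the first post describes, and the last post notes that the firewall ended up with no policy associated. The block below assumes the variables already defined in the posted script ($rgname, $rglocation, $rgtag, $deployVnet, $FWpip, $firewallname, $firewallpolicyname) and the Az.Network module; the allow-list FQDNs, the rule names and the $nicName placeholder are constructed for illustration. It creates the policy, adds an application rule collection that allows only the listed sites over HTTP/HTTPS from the No_Internet subnet, attaches the policy when the firewall is created (-FirewallPolicyId), and then verifies what a NIC in that subnet actually uses as its effective default route.

```powershell
# Added example (not the poster's code): FQDN allow-list policy attached to the firewall at creation.
# Assumes $rgname, $rglocation, $rgtag, $deployVnet, $FWpip, $firewallname, $firewallpolicyname
# from the thread's script are already set in the session.

# --- 1. Firewall policy: the object the firewall enforces ---
$policy = New-AzFirewallPolicy -Name $firewallpolicyname `
    -ResourceGroupName $rgname `
    -Location $rglocation

# --- 2. Application rule: only these FQDNs, only over HTTP/HTTPS, only from the No_Internet subnet ---
# Constructed sample allow-list; replace with the sites that are actually required.
$allowedFqdns = @("www.example.com", "*.example.org")
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-Listed-Sites" `
    -SourceAddress "10.0.2.0/24" `
    -TargetFqdn $allowedFqdns `
    -Protocol "http:80", "https:443"

# A filter rule collection carries one action for its rules. Web traffic that matches no Allow
# rule in any collection is dropped by the policy's implicit deny, which is what yields
# "all but a select few sites" without writing an explicit Deny rule.
$appCollection = New-AzFirewallPolicyFilterRuleCollection -Name "NoInternet-Allowlist" `
    -Priority 200 `
    -Rule $appRule `
    -ActionType Allow

# Rule collection group that places the collection in the policy
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultApplicationRuleCollectionGroup" `
    -Priority 300 `
    -RuleCollection $appCollection `
    -FirewallPolicyObject $policy

# --- 3. Firewall created with the policy attached, rather than a policy-less firewall ---
$Azfw = New-AzFirewall -Name $firewallname `
    -ResourceGroupName $rgname `
    -Location $rglocation `
    -VirtualNetwork $deployVnet `
    -PublicIpAddress $FWpip `
    -FirewallPolicyId $policy.Id `
    -Tag $rgtag

# --- 4. Verification ---
# Confirm the deployed firewall references the policy (empty output here means no policy is attached)
(Get-AzFirewall -Name $firewallname -ResourceGroupName $rgname).FirewallPolicy.Id

# Effective routes on a NIC in the No_Internet subnet: after the UDR is associated, 0.0.0.0/0
# should list the firewall private IP as next hop. $nicName is a placeholder for one VM's NIC.
$nicName = "PLACEHOLDER-vm-nic-name"
Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rgname |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" } |
    Select-Object Name, Source, State, NextHopType, NextHopIpAddress
```

The effective-route query is the check worth running whenever a subnet loses reachability after a UDR change: it shows the route the NIC really uses, including Azure's system route for the VNet address space, which is more specific than 0.0.0.0/0 and therefore still carries intra-VNet traffic such as Bastion to VM. The application rule is scoped to the No_Internet subnet's prefix on purpose; a source of "*" would apply the same allow-list to the With_Internet subnet if its route table also points at the firewall.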