Azure Network Security Blog

GeoLocation Filtering with Azure Firewall

Ashish_Kapila (Microsoft)
Mar 11, 2022

Microsoft is committed to helping defend organizations and governments from cyberattacks. This guide provides steps Azure Firewall customers can take to secure their cloud infrastructure.

Overview of Azure Firewall

  • Azure Firewall is a cloud-native, stateful firewall as a service with built-in auto-scale (30 Gbps) and high availability.
  • The Standard SKU provides DNAT, network and application rule filtering, and supports advanced filtering with threat intelligence and web categories. You can read more about Standard SKU features.
  • The Premium SKU includes all Standard SKU functionality and adds URL filtering, IDPS and outbound TLS inspection. You can read more about Azure Firewall Premium features.

Azure Firewall Best Practices

  1. Azure Firewall operates in default-deny mode: you must add an explicit rule to allow traffic. Review your rules regularly to ensure the IP addresses and FQDNs they reference are still relevant.
  2. Avoid wildcards in rules and use URLs instead of FQDNs. Specify explicit ports and protocols; this reduces the attack surface drastically. Note: URL filtering is only supported on the Premium SKU.
  3. Enable Threat Intelligence in Alert and Deny mode. The feed is provided by the Microsoft cyber-security team and is updated continuously as the threat landscape changes.
  4. Customers who want to route VNet traffic through Azure Firewall to a third-party or on-premises firewall for internet egress can deploy Azure Firewall in forced tunnelling mode without a public IP. Follow the instructions in this blog for more information.
  5. Azure Firewall supports IP Groups, which make it practical to block large IP ranges: a firewall supports 100 IP Groups, each of which can contain 5,000 IP addresses. You can follow the guidance provided here to automate company-wide IP blocking via Azure Firewall. Alternatively, you can use the community-provided script to create an IP Group from any input file containing the IP addresses you want to block (for example, the list here). This approach can be used to block traffic to or from specific regions or geographies. After creating the IP Group, create DENY rules to block traffic to the IP addresses in the IP Group. It is sufficient to specify the IP Group as either source or destination; Azure Firewall will automatically create rules in both directions.

Rule Action   Rule
DENY          {Src:IPGroup1, Dest:*, Port:*, Protocol:*}

  6. Premium SKU customers can additionally configure IDPS in Deny mode. It covers more than 57,000 CVEs, is updated continuously, and protects against the latest ransomware and malware attacks. For inbound HTTPS security, you can additionally deploy Application Gateway in front of the Premium firewall.
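
As an added example (not the community script the post links to, and not Microsoft code), the Python below reads a block list file, validates and deduplicates the entries, splits them into IP Groups that stay within the 100-group and 5,000-address limits quoted in practice 5, renders one `az network ip-group create` command per group, and builds the DENY rule shown in the table. It ends with a rule review for practices 1 and 2: Allow rules with wildcard FQDNs or unrestricted ports and protocols are flagged, while Deny rules are left alone, since a wildcard in a Deny rule does not widen the attack surface. The block list contents, the resource group `rg-fw`, the location `eastus` and the flat `src`/`dest`/`port`/`protocol` rule dictionary are constructed assumptions; the Azure CLI option names are those of `az network ip-group create` at the time of writing and should be checked against the current reference before use.

```python
"""Build Azure Firewall IP Groups from a block list and review the rules.
Added example (not Microsoft's or the community script); assumes deployment
with `az network ip-group create` and an illustrative flat rule dictionary."""
import ipaddress

MAX_ADDRESSES_PER_GROUP = 5000   # per-IP-Group limit quoted in the post
MAX_IP_GROUPS = 100              # per-firewall limit quoted in the post

# Constructed sample block list (documentation TEST-NET ranges), deliberately
# messy: a comment line, a duplicate, a bare host, host bits set, a non-address.
SAMPLE_BLOCKLIST = """\
# constructed block list, one entry per line
203.0.113.0/24
198.51.100.0/25
203.0.113.0/24        # duplicate
192.0.2.7             # bare host, becomes /32
198.51.100.9/24       # host bits set: rejected rather than silently widened
not-an-address
"""


def parse_blocklist(text):
    """Return (sorted unique IPv4 networks, list of (entry, reason) rejects).

    Only IPv4 is handled here (an assumption of this example). Invalid
    entries are rejected explicitly so a typo never turns into a wider block.
    """
    valid, rejected = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
            continue
        if net.version != 4:
            rejected.append((entry, "IPv6 not handled by this example"))
            continue
        valid.add(net)
    return sorted(valid), rejected


def build_ip_groups(networks, prefix="blocklist",
                    max_per_group=MAX_ADDRESSES_PER_GROUP, max_groups=MAX_IP_GROUPS):
    """Split the networks into IP Group payloads that respect the quoted limits."""
    groups = []
    for start in range(0, len(networks), max_per_group):
        chunk = networks[start:start + max_per_group]
        groups.append({"name": f"{prefix}-{len(groups) + 1:03d}",
                       "ipAddresses": [str(n) for n in chunk]})
    if len(groups) > max_groups:
        raise ValueError(f"{len(groups)} IP Groups needed, limit is {max_groups}")
    return groups


def az_ip_group_commands(groups, resource_group, location):
    """Render one `az network ip-group create` command per group (assumed CLI syntax)."""
    return [
        f"az network ip-group create --name {g['name']} "
        f"--resource-group {resource_group} --location {location} "
        f"--ip-addresses {' '.join(g['ipAddresses'])}"
        for g in groups
    ]


def deny_rule_for(group):
    """DENY {Src:IPGroup, Dest:*, Port:*, Protocol:*} as in the post's table.
    The post states the firewall creates rules in both directions, so the
    group is listed once, as the source."""
    return {"action": "Deny", "name": f"deny-{group['name']}",
            "src": group["name"], "dest": "*", "port": "*", "protocol": "*"}


def review_rules(rules):
    """Flag Allow rules that use wildcard FQDNs or unrestricted ports/protocols.
    Deny rules are skipped: a wildcard there does not widen the attack surface."""
    findings = []
    for rule in rules:
        if rule["action"] != "Allow":
            continue
        for field in ("dest", "port", "protocol"):
            value = rule[field]
            if value == "*" or value.startswith("*."):
                findings.append((rule["name"], field, value))
    return findings


if __name__ == "__main__":
    nets, rejects = parse_blocklist(SAMPLE_BLOCKLIST)
    for entry, why in rejects:
        print(f"rejected {entry!r}: {why}")
    groups = build_ip_groups(nets)
    for cmd in az_ip_group_commands(groups, "rg-fw", "eastus"):
        print(cmd)
    rules = [deny_rule_for(g) for g in groups]
    # Constructed over-broad Allow rule to show what the review catches.
    rules.append({"action": "Allow", "name": "allow-web", "src": "10.0.0.0/8",
                  "dest": "*.example.com", "port": "*", "protocol": "TCP"})
    for name, field, value in review_rules(rules):
        print(f"REVIEW {name}: {field} is {value!r}; prefer an explicit value")
```

Rejecting entries with host bits set (rather than normalizing them with `strict=False`) is deliberate: a mistyped prefix length in a block list should fail loudly instead of quietly blocking a wider range than intended.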

Recent CVEs

Customers using Azure Firewall Premium have enhanced protection from the latest exploits, including Nobelium, Log4j, WhisperGate, PurpleFox, Cobalt Strike and Gamaredon. Azure Firewall Premium IDPS (Intrusion Detection and Prevention System) inspects all east-west traffic and outbound traffic to the internet, and its vulnerability rulesets are continuously updated. The screenshot below shows all the scenarios that are actively mitigated by Azure Firewall Premium.

Customers should configure Azure Firewall Premium with IDPS in Alert and Deny mode and TLS inspection enabled for proactive protection against the Log4j (CVE-2021-44228) exploit.

Sentinel Threat Hunting and workbook

The Azure Firewall solution for Azure Sentinel provides new Azure Firewall-specific detections and hunting queries. The solution also contains a new firewall workbook and automation components, which can now be deployed in a single, streamlined step. You can read more about this from the link below.

Related Links

Destructive malware targeting Ukrainian organizations - Microsoft Security Blog

Digital technology and the war in Ukraine - Microsoft On the Issues

Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability - Microsoft Security Blog

Updated Mar 11, 2022
Version 2.0
  • guidovbrakel (Brass Contributor)

    This could be risky: if threat actors become aware of a blocked geo, it could encourage them even more. I also doubt whether this is useful, because if you look at attack maps you see botnets coming from all over the world.

    Ashish_Kapila 

  • Bernd Eckenfels (Copper Contributor)

    It helps to filter out internet ACL ground noise (bots) from un-serviced regions. It might also be a compliance thing (export control); for that specific use case some Azure-maintained ipsets would be great! (Especially if based on ASes announcing the netblocks.)

  • MaysAdmin (Copper Contributor)

    I would like to see this enhanced with an option to block all known VPN IPs by country. For example, I can block New Zealand if I wish, but someone in New Zealand with Express VPN can pick to build a VPN from Dallas. I would like this enhanced to have the option to block VPNs from a country. So if I block all countries except the US and then also pick to block all US VPN services, this keeps a larger majority of people outside the US from reaching my servers. Until then I will just keep my DENY all in place for anything we deploy and let AWS and some third-party web hosts handle my security for internet-facing sites.