Azure Firewall
21 Topics

Product Manager question - Azure Firewall
I would like to know if the Azure Firewall team has plans to integrate geoblocking based on country codes into Azure Firewall policies? Today, we have to enlist a third-party country code list and rebuild IPGroups into our AzFw policies daily. Other products such as WAF and Conditional Access allow for selecting a country code instead of IPv4 addresses.

Az-firewall-mon(itor) - near real time Azure Firewall flow log analyser
Hello, networking expert! I'm excited to share with you an update on my personal open source project: az-firewall-mon. Az-firewall-monitor is an open-source tool that helps you answer the following question: what is happening in my Azure Firewall right now? It provides an alternative and opinionated way to access and inspect Azure Firewall logs, without using Log Analytics or Kusto queries. It provides a simple and intuitive interface that shows you what is happening on your firewall right now (or almost). To filter your data you can use either a full text search or natural language, thanks to its integration with ChatGPT4. Here is a sample full text search interaction, and here is a sample natural language interaction. Try out az-firewall-monitor at https://az-firewall-mon.duckiesfarm.com or have a look at the source code on GitHub at https://github.com/nicolgit/azure-firewall-mon Thank you!

Azure Firewall behind public load balancer configuration
Hi, I have a requirement to replace a Sophos firewall with Azure Firewall Premium. The existing Sophos firewall is behind a public Azure load balancer (the backend pool comprises the Sophos Firewall IPs). To set up a parallel configuration for Azure Firewall, I have configured a new public IP on the load balancer's frontend IP configuration. However, I do not see the Azure Firewall's public IP when trying to configure a backend pool. All the listed IPs belong to the same subnet as the load balancer's internal IP. As per the below article, one can configure firewalls behind an external load balancer. https://learn.microsoft.com/en-us/azure/architecture/example-scenario/firewalls/ I am trying to understand how to chain the public load balancer and Azure Firewall such that I can access internal resources as is currently being done with the same public load balancer and Sophos firewall (the NIC of Sophos is in the same subnet as the internal NIC of this load balancer). Can someone please guide me? Thanks, James

Internal API: Virtual Network support for Power Platform
Hello Everyone, We are using Custom Connectors from Power Automate Flows to initiate a call to the Internal API that is hosted in Azure through the MuleSoft Data Gateway. Since we are unable to activate the private endpoint for this internal API, we are seeking guidance on how to securely connect to the API via V-Net integration. Please advise. As per the Microsoft Documentation: Use custom connectors (preview) to securely connect to your services that are protected by private endpoints in Azure or services that are hosted within your private network. https://learn.microsoft.com/en-us/power-platform/admin/vnet-support-overview Thanks, -Sri

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all, I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?

Public IPs on Azure
Hi, I have been trying to read the documentation, but most likely I have used the wrong search terms. Does anybody know if the following kind of setup is possible on Azure? The main idea behind this question is: if I have servers and want to have centralized FW control for the traffic coming in or out to/from these VMs, is this an option? Or if I assign the public IP to the VM, can that go out directly, skipping the centralized FW? All documents I have seen speak about assigning the Public IP to the VMs, or having NATing, but with that we hit the problem when port ranges extend widely.

Azure SD-WAN
Hi, I'm looking for good SD-WAN options for connecting our branches to our Azure vWAN with secured hubs (Azure Firewall). The plan is to ditch our current on-prem network circuit + ExpressRoute and move to Azure vWAN as the central hub with branch offices connecting over SD-WAN. I've had a look at Azure Virtual WAN partners, regions, and available locations | Microsoft Learn. We currently do have a Fortigate NGFW on-prem, but it doesn't belong to us as it's managed by a vendor. Besides, deploying a dual-role Fortigate NGFW into the vWAN hub seems like overkill since we already have Azure Firewall Premium? I would be grateful for your experience / suggestions. Thanks

WordPress App: how to restrict access to specific pages on the site
Hello all, I have a WordPress App hosted on Azure and I am struggling with how I can secure specific pages from public access. For example: www.mysite.com/wp-admin www.mysite.com/info.php I'd like it so that only specific IP addresses or Microsoft user accounts can access some, such as admin pages, and for some pages I'd like no access at all, where it just blocks any sort of visit. I've viewed the documentation for Front Door and some networking restrictions, but that seems to be just IP addresses and I'm confused about how I can set those rules for specific pages within the App. I know WordPress offers plugins which have this sort of functionality, but I'd like to take advantage of Azure's security features rather than plugins from WordPress. Any help is very appreciated. Thank you

Azure Firewall Traffic Cost
Hello, I'm calculating the Azure Firewall cost, but does the data processing cost mean the inbound/outbound traffic cost of Azure Firewall? Or does it mean the cost of data that Azure Firewall handles? And do I have to include the bandwidth price separately when calculating the price of Azure Firewall inbound/outbound traffic? Please reply. Thank you.

Issue with VirtualNetwork service tag when using UDR for routing via Azure Firewall
Hi Experts, When I add a UDR on my Spoke Subnets to use Azure Firewall for default outbound (0.0.0.0/0 -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets the 0.0.0.0/0 value. When I remove the UDR default outbound route, the VirtualNetwork service tag gets the vNet and peered vNet address space etc. Due to this, limiting network access at the NSG level on the Spoke Subnets is getting complex. For example, let's consider that I do not want to direct traffic to Azure Firewall for my S2S/P2S VPN traffic, and want to control which S2S IP addresses can access my Spoke Subnet using an NSG rule attached to my Spoke Subnet. This is getting complex as the DefaultDenyAllInbound is no longer applicable due to AllowVnetInbound allowing everything. In such scenarios, the network control at the NSG level gets auto-updated and gets allowed for all (0.0.0.0/0 - 0.0.0.0/0 - All Protocols), and the concept of having a default DenyAllInbound as the last rule fails. This could be a security risk where the engineer has added a UDR for 0.0.0.0/0 to Subnets and all the NSGs would turn to Allow All (Everything). Related GitHub Discussion: https://github.com/MicrosoftDocs/azure-docs/issues/22178 FYI, I just found a blog also reporting a similar challenge to the one I am facing: https://www.torivar.com/2019/01/16/azure-nsg-virtualnetwork-tag/