Azure Firewall
22 Topics

NAT Gateway after firewall for outgoing network traffic
Hi guys, I have a bunch of VMs in a subnet. I would like them to have a static outbound IP from a NAT gateway; however, I also want to filter the outbound traffic from these VMs through an Azure Firewall. Is it possible to route the traffic back to a NAT gateway after the traffic has gone through the Firewall? I do not wish to put a NAT gateway on my AzureFirewallSubnet, as I want different public IP outbound addresses for different services. Is it possible to link a different outbound IP address to different subnets of VMs? Or do I need multiple Azure Firewalls for this purpose?

So again, the traffic will go like this (outbound): VM Subnet -> Firewall -> NAT Gateway -> Internet

Thanks in advance. Stan
(3.5K views, 0 likes, 2 comments)

Azure Firewall behind public load balancer configuration
Hi, I have a requirement to replace a Sophos firewall with Azure Firewall Premium. The existing Sophos firewall is behind a public Azure load balancer (the backend pool comprises the Sophos Firewall IPs). To set up a parallel configuration for Azure Firewall, I have configured a new public IP on the load balancer's frontend IP configuration. However, I do not see the Azure Firewall's public IP when trying to configure a backend pool. All the listed IPs belong to the same subnet as the load balancer's internal IP. As per the article below, one can configure firewalls behind an external load balancer. https://learn.microsoft.com/en-us/azure/architecture/example-scenario/firewalls/

I am trying to understand how to chain the public load balancer and Azure Firewall such that I can access internal resources as is currently being done with the same public load balancer and Sophos firewall (the NIC of the Sophos is in the same subnet as the internal NIC of this load balancer). Can someone please guide me?

Thanks, James
(2.6K views, 0 likes, 3 comments)

Routing traffic via Azure Firewall
Hey everyone, quick question... I'm testing a new proxy provider and need to route all internet traffic over a VPN. As it stands, some server Internet-bound traffic is routed directly out via Azure Firewall. Is it possible to forward this traffic from Azure Firewall to a VPN Gateway etc.? I don't really want to remove the Azure Firewall; I'd like to configure the connection like this if possible:

- Server > Azure Firewall > VPN > Proxy provider

Thanks for reading!
(1.6K views, 0 likes, 1 comment)

Best Practices for Remote Desktop Access of Windows 10 Virtual Machine
Dear Experts, I want to use a Win10 VM on Azure as a virtual desktop. For RDP, I will have to open port 3389. I want to know what the best practices are for securely using RDP. I saw on Azure that VPN is an option. If I connect from a regular laptop/desktop to the VM via Azure VPN, will it be free or will there be charges? Finally, if I make an inbound rule and open all connections on 3389 for a brief time to RDP to the VM and then immediately block all inbound connections to Azure, will it be a very secure practice? Looking for your insight. I much appreciate your help. Thanks
(1.6K views, 0 likes, 2 comments)

Azure Firewall Premium Logging
Hi, the Azure Firewall (Premium) has been configured to perform TLS inspection of application rules. The user PC's web browser shows Azure Firewall Manager CA as the common name of the certificate issuer for all websites, which is good. However, this does not reflect in the Azure Firewall application logs.

1. Can this requirement be achieved?
2. Where do IPS-related logs feature?

Thanks, James
(1.4K views, 0 likes, 2 comments)

Issue with VirtualNetwork service tag when using UDR for routing via Azure Firewall
Hi Experts, when I add a UDR on my Spoke Subnets to use Azure Firewall for default outbound (0.0.0.0/0 -> Azure Firewall IP), the VirtualNetwork service tag on the NSG attached to the Spoke Subnets gets the 0.0.0.0/0 value. When I remove the UDR default outbound route, the VirtualNetwork service tag gets the vNet and peered vNet address space etc. Due to this, limiting network access at the NSG level on the Spoke Subnets is getting complex.

For example, let's consider that I do not want to direct traffic to Azure Firewall for my S2S/P2S VPN traffic, and want to control which S2S IP addresses can access my Spoke Subnet using an NSG rule attached to my Spoke Subnet. This is getting complex as the default DenyAllInbound is no longer applicable due to AllowVnetInbound allowing everything. In such scenarios, the network control at the NSG level gets auto-updated and gets allowed for all (0.0.0.0/0 - 0.0.0.0/0 - All Protocols), and the concept of having a default DenyAllInbound as the last rule fails. This could be a security risk where the engineer has added a UDR for 0.0.0.0/0 to Subnets and all the NSGs would turn to Allow All (everything).

Related GitHub discussion: https://github.com/MicrosoftDocs/azure-docs/issues/22178

FYI, I just found a blog also reporting a similar challenge to the one I am facing: https://www.torivar.com/2019/01/16/azure-nsg-virtualnetwork-tag/
(1.3K views, 0 likes, 1 comment)

Issue with Azure VM Conditional Access for Office 365 and Dynamic Public IP Detection
Hi all, I have a VM in Azure where I need to allow an account with MFA to bypass the requirement on this specific server when using Office 365. I've tried to achieve this using Conditional Access by excluding locations, specifically the IP range of my Azure environment. Although I've disconnected any public IPs from this server, the Conditional Access policy still isn't working as intended. The issue seems to be that it continues to detect a public IP, which changes frequently, making it impossible to exclude. What am I doing wrong?
(1.2K views, 0 likes, 5 comments)

Azure Firewall Traffic Cost
Hello, I'm calculating the Azure Firewall cost, but does the data processing cost mean the inbound/outbound traffic cost of Azure Firewall, or does it mean the cost of the data that Azure Firewall handles? And do I have to include the bandwidth price separately when calculating the price of Azure Firewall inbound/outbound traffic? Please reply. Thank you.
(1.2K views, 0 likes, 2 comments)

Public IPs on Azure
Hi, I have been trying to read the documentation, but most likely I have used the wrong search terms. Does anybody know if the following kind of setup is possible on Azure? The main idea behind this question is: if I have servers and am willing to have centralized FW control for the traffic coming in to or going out from these VMs, is this an option? Or if I assign a public IP to the VM, can that go out directly, skipping the centralized FW? All the documents I have seen speak about assigning the public IP to the VMs, or having NATing, but with that we hit a problem when the port ranges extend widely.
(1.1K views, 0 likes, 5 comments)

Azure VPN GW 3rd Party Secure
Good morning all, we currently have a requirement to move a current IPsec VPN we have terminating in our on-prem DC to Azure. This IPsec VPN carries traffic from a 3rd party provider SaaS solution so it can query our AD to import user objects and, most importantly, AD field data into their system, and it has been in place for a number of years. We already have DCs set up in Azure which are within a VNet and subnet and have an NSG in front of them. We can configure a new connection on an existing VPN GW which is in place in Azure and modify the NSG to allow the traffic.

My query is around securing the VPN traffic so it can only reach the DCs. I am aware the NSG will prevent anything from that VPN unless we add it in; however, it will be able to reach other items within the same VNet unless we can control it. Most of the subnets within the VNet have NSGs on them; however, my query is around things like the APP GW, Firewall etc. They don't have NSGs on their subnets, so what stops the traffic from this 3rd party IPsec VPN being able to access these systems? I have not been able to find a way of securing traffic (like an ACL) on the VPN connection or VPN gateway itself; however, we need to be sure that the traffic coming from this gateway can only query the DCs on LDAPS and is not able to reach anything else within the VNet.

Unfortunately I have inherited this environment, as we always do, and a lot of things have been put inside the one VNet broken down into subnets. On prem the firewall is the VPN gateway and controller, so we have a VPN GW as well as ACL rules to prevent anything other than specific addresses being able to query our on-prem DCs. This also has an overlap of IP ranges so we NAT this also; however, from an Azure perspective there is no crossover.

Help is appreciated, as reading up I have not been able to find this scenario anywhere.
(1K views, 0 likes, 1 comment)