Azure Firewall Application Rules
Azure Firewall provides Layer 7 filtering capabilities for your network traffic. Application rules allow you to control access to specific web applications and services based on FQDNs (Fully Qualified Domain Names) or FQDN tags.
What are Application Rules?
Application rules operate at Layer 7 (the application layer) of the OSI model. Unlike network rules, which filter based on IP addresses, ports, and protocols, application rules can inspect the content of traffic to make more granular decisions. This is particularly useful for managing access to HTTP and HTTPS traffic.
Key Components of an Application Rule
Each application rule consists of the following components:
- Name: A unique identifier for the rule.
- Priority: An integer between 100 and 65500, where lower numbers indicate higher priority.
- Rule Type: Set to 'Application' for application rules.
- Source Type: Can be 'IP Address', 'IP Group', or 'Service Tag'.
- Source: Specifies the source IP addresses, IP groups, or service tags that the rule applies to.
- Protocol: Specifies the protocol, typically http or https.
- Target FQDNs: A list of fully qualified domain names (e.g., www.example.com) that the rule applies to.
- FQDN Tags: Predefined sets of FQDNs representing common Microsoft services (e.g., WindowsUpdate, AzureCloud). These simplify rule creation for allowed or denied Microsoft services.
- Action: The action to take when the rule matches: Allow or Deny.
Scenario: Allowing Access to Specific Websites
Example: Allow Access to Microsoft 365
You can create a rule to allow access to essential Microsoft 365 services by using FQDN tags.
{
  "ruleCollectionType": "FirewallPolicyApplicationRuleCollection",
  "name": "AllowM365",
  "priority": 100,
  "action": {
    "type": "Allow"
  },
  "rules": [
    {
      "name": "Allow_M365_Services",
      "protocols": [
        {
          "protocolType": "Https",
          "port": 443
        }
      ],
      "targetFqdns": [],
      "fqdnTags": [
        "Office365"
      ]
    }
  ]
}
Scenario: Denying Access to Specific Websites
Example: Deny Access to Social Media
To prevent employees from accessing social media sites during work hours, you can create a rule to deny specific FQDNs.
{
  "ruleCollectionType": "FirewallPolicyApplicationRuleCollection",
  "name": "DenySocialMedia",
  "priority": 200,
  "action": {
    "type": "Deny"
  },
  "rules": [
    {
      "name": "Deny_Facebook",
      "protocols": [
        {
          "protocolType": "Https",
          "port": 443
        }
      ],
      "targetFqdns": [
        "www.facebook.com",
        "facebook.com",
        "m.facebook.com"
      ],
      "fqdnTags": []
    },
    {
      "name": "Deny_Twitter",
      "protocols": [
        {
          "protocolType": "Https",
          "port": 443
        }
      ],
      "targetFqdns": [
        "www.twitter.com",
        "twitter.com",
        "mobile.twitter.com"
      ],
      "fqdnTags": []
    }
  ]
}
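As an added example (not code from the page or from Microsoft), the following Python script checks rule collections like the two above against the constraints listed under Key Components, then simulates evaluation of a host name in ascending priority order. The helper names rc and app_rule, the constructed Office365 tag membership, first-match-wins processing, and the '*.example.com' wildcard form are assumptions made here, not taken from the page.

```python
def fqdn_matches(pattern, host):
    """Exact match, or a '*.example.com' wildcard (subdomains only, not the apex)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return pattern == host

def validate_collection(coll):
    """Check the constraints stated on this page; return a list of problem strings."""
    problems = []
    if not 100 <= coll.get("priority", -1) <= 65500:
        problems.append(f"{coll['name']}: priority must be between 100 and 65500")
    if coll.get("action", {}).get("type") not in ("Allow", "Deny"):
        problems.append(f"{coll['name']}: action must be Allow or Deny")
    for rule in coll.get("rules", []):
        if not rule.get("targetFqdns") and not rule.get("fqdnTags"):
            problems.append(f"{rule['name']}: needs targetFqdns or fqdnTags")
        for proto in rule.get("protocols", []):
            if proto.get("protocolType") not in ("Http", "Https"):
                problems.append(f"{rule['name']}: unexpected protocol {proto.get('protocolType')}")
    return problems

def evaluate(collections, host, tag_members):
    """Lowest priority number first; first matching rule decides (assumed terminating). No match = Deny."""
    for coll in sorted(collections, key=lambda c: c["priority"]):
        for rule in coll["rules"]:
            patterns = list(rule.get("targetFqdns", []))
            for tag in rule.get("fqdnTags", []):
                patterns += tag_members.get(tag, [])  # expand the tag to its member FQDNs
            if any(fqdn_matches(p, host) for p in patterns):
                return coll["action"]["type"], f"{coll['name']}/{rule['name']}"
    return "Deny", "default"

def rc(name, priority, action, rules):  # hypothetical helper: build a rule collection
    return {"ruleCollectionType": "FirewallPolicyApplicationRuleCollection", "name": name,
            "priority": priority, "action": {"type": action}, "rules": rules}

def app_rule(name, fqdns=(), tags=()):  # hypothetical helper: build an HTTPS application rule
    return {"name": name, "protocols": [{"protocolType": "Https", "port": 443}],
            "targetFqdns": list(fqdns), "fqdnTags": list(tags)}

POLICY = [  # the page's two collections, rebuilt with the helpers above
    rc("AllowM365", 100, "Allow", [app_rule("Allow_M365_Services", tags=["Office365"])]),
    rc("DenySocialMedia", 200, "Deny", [
        app_rule("Deny_Facebook", ["www.facebook.com", "facebook.com", "m.facebook.com"]),
        app_rule("Deny_Twitter", ["www.twitter.com", "twitter.com", "mobile.twitter.com"])]),
]
# Constructed stand-in for the Microsoft-managed Office365 tag; the real membership is not listed here.
TAG_MEMBERS = {"Office365": ["*.office365.com", "outlook.office.com"]}
```

Running evaluate over api.twitter.com shows that the three listed Twitter FQDNs leave other subdomains to the default deny; a wildcard entry would cover them explicitly.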
FQDN Tags for Simplified Management
FQDN tags are dynamic collections of FQDNs that Microsoft manages. Using these tags in your rules ensures that your firewall policy automatically stays up to date with changes to Microsoft services. Some common FQDN tags include:
- WindowsUpdate
- AzureCloud
- MicrosoftActiveProtectionService
- WindowsServerUpdateServices
- MicrosoftDevTools
You can find a comprehensive list of available FQDN tags in the Azure Firewall documentation.
Best Practices
- Use FQDN tags whenever possible for managing access to Microsoft services.
- Define specific FQDNs for custom applications.
- Use the 'Deny' action as a default for unrecognized or unauthorized traffic, and then create specific 'Allow' rules for legitimate traffic.
- Regularly review and update your application rules to reflect changes in your network and application landscape.