Azure Firewall Rules
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Understanding Firewall Rules
Azure Firewall uses rules to control network traffic. These rules are organized into rule collections, which can be of three types:
- Network Rule Collections: Control TCP, UDP, and ICMP traffic based on source and destination IP address, port, and protocol.
- Application Rule Collections: Control FQDN (Fully Qualified Domain Name) traffic for specific applications, allowing for more granular control.
- Network Groups (Preview): A collection of network rules that can be managed as a single unit, simplifying rule management for common scenarios.
Creating and Managing Rules
Rules are defined within rule collections. When you create a rule collection, you specify its name, priority, and the type of rules it will contain. Rule priority determines the order in which rules are evaluated.
Rule Priority
Rules are processed in order of priority, from the lowest number to the highest (e.g., 100, then 200, then 300), so a lower number means earlier evaluation. The first rule that matches the traffic determines whether it is allowed or denied, and later rules are not consulted for that traffic.
Rule Actions
Each rule has an action: Allow or Deny.
Example: Allowing HTTPS Traffic
To allow outbound HTTPS traffic from your virtual network to the internet:
    {
      "name": "AllowOutboundHTTPS",
      "priority": 200,
      "ruleType": "NetworkRule",
      "properties": {
        "sourceAddresses": [ "*" ],
        "destinationAddresses": [ "*" ],
        "destinationPorts": [ "443" ],
        "protocols": [ "TCP" ],
        "action": {
          "type": "Allow"
        }
      }
    }
Example: Denying SSH Access to Specific Servers
To deny inbound SSH traffic from any source to a specific server (10.0.1.4 is the IP address of that server in this example; JSON does not permit inline comments, so the note is kept out of the rule body):
    {
      "name": "DenySSHToSpecificServer",
      "priority": 150,
      "ruleType": "NetworkRule",
      "properties": {
        "sourceAddresses": [ "*" ],
        "destinationAddresses": [ "10.0.1.4" ],
        "destinationPorts": [ "22" ],
        "protocols": [ "TCP" ],
        "action": {
          "type": "Deny"
        }
      }
    }
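To make the priority semantics concrete, here is an added example (not from this page or from Azure's own tooling) that loads constructed copies of the two network rules above, sorts them by priority number, and reports the first matching rule for a given flow. It assumes Azure Firewall's default behaviour of denying traffic that matches no rule, and the constructed sample flows use documentation address ranges.

```python
import ipaddress

# Constructed copies of the two network rules shown above (not fetched from Azure).
RULES = [
    {"name": "AllowOutboundHTTPS", "priority": 200, "ruleType": "NetworkRule",
     "properties": {"sourceAddresses": ["*"], "destinationAddresses": ["*"],
                    "destinationPorts": ["443"], "protocols": ["TCP"],
                    "action": {"type": "Allow"}}},
    {"name": "DenySSHToSpecificServer", "priority": 150, "ruleType": "NetworkRule",
     "properties": {"sourceAddresses": ["*"], "destinationAddresses": ["10.0.1.4"],
                    "destinationPorts": ["22"], "protocols": ["TCP"],
                    "action": {"type": "Deny"}}},
]


def _addr_matches(patterns, ip):
    """'*' matches any address; otherwise match a single IP or a CIDR prefix."""
    addr = ipaddress.ip_address(ip)
    return any(p == "*" or addr in ipaddress.ip_network(p, strict=False)
               for p in patterns)


def _port_matches(patterns, port):
    """Port entries are strings: '*', a single port, or a 'low-high' range."""
    for p in patterns:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate(rules, src, dst, port, proto):
    """Return (rule name, action) of the first matching rule in priority order.

    Lower priority numbers are evaluated first. If nothing matches, the flow is
    denied, mirroring the firewall's implicit default deny (assumed here)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        props = rule["properties"]
        if (proto.upper() in [x.upper() for x in props["protocols"]]
                and _addr_matches(props["sourceAddresses"], src)
                and _addr_matches(props["destinationAddresses"], dst)
                and _port_matches(props["destinationPorts"], port)):
            return rule["name"], props["action"]["type"]
    return None, "Deny"


if __name__ == "__main__":
    print(evaluate(RULES, "10.0.2.7", "198.51.100.10", 443, "TCP"))  # allowed
    print(evaluate(RULES, "203.0.113.9", "10.0.1.4", 22, "TCP"))     # denied by rule
    print(evaluate(RULES, "10.0.2.7", "10.0.1.4", 80, "TCP"))        # implicit deny
```

Swapping the two priority values is a quick way to see how a misordered Allow can shadow a more specific Deny.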
Application Rules
Application rules provide more sophisticated control by allowing you to permit or deny traffic to specific FQDNs. This is useful for allowing access to specific SaaS applications or cloud services.
Example: Allowing Access to a Specific FQDN
To allow outbound traffic to a specific FQDN:
    {
      "name": "AllowSpecificFQDN",
      "priority": 300,
      "ruleType": "ApplicationRule",
      "properties": {
        "sourceAddresses": [ "10.0.1.0/24" ],
        "targetFqdns": [ "www.example.com" ],
        "protocols": [ { "protocolType": "Https", "port": 443 } ],
        "action": {
          "type": "Allow"
        }
      }
    }
Network Groups (Preview)
Network groups allow you to define a collection of network rules and apply them to multiple firewall policies. This is ideal for creating standardized security policies across your organization.
Network groups are managed separately and then referenced within firewall policies.
Best Practices
- Principle of Least Privilege: Only allow the traffic that is absolutely necessary.
- Order Matters: Carefully plan your rule priorities to ensure correct evaluation.
- Use FQDNs for Application Rules: When possible, use FQDNs instead of IP addresses for application rules for better manageability.
- Regularly Review Rules: Periodically audit your firewall rules to ensure they are still relevant and effective.
- Leverage Network Groups: For consistent policies, use network groups to manage common rule sets.