Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
573 questions
AzureFW Deny rule is not output during connection troubleshooting
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 11%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETY%3C/text%3E%3C/svg%3E)
Tsukuda Yusaku
0
Reputation points
After verifying the connectivity troubleshooting below, We were able to confirm that no errors were output due to Deny in the AzureFW application rules. Access to https://www.example.com from VM2 is recognized as denied by AzureFW. ・Network Internet | AzureFW | | VM1 VM2 ・Application rules |SourceType|Sorece|Protocol|DestinationType|Target|Action| | -------- | -------- | -------- | -------- | -------- | -------- | |IPAddress|VM1_IPAddress|Http,Https,Mssql|FQDN|www.example.com|Allow| |IPAddress|VM2_IPAddress|Http,Https,Mssql|FQDN|www.example.com|Deny|
・Connection Troubleshooting |SourceType|Source |Destination|Protocol|DestinationPort|Result| | -------- | -------- | -------- | -------- | -------- | -------- | |VM|VM1|https://www.example.com|TCP|443|Allow| |VM|VM2|https://www.example.com|TCP|443|Allow|
I checked if I could access https://www.example.com from the system console. We were able to confirm that the results were as expected. ・Confirmation using the system console |VM|Command |ApplicationRules|Result| | -------- | -------- | -------- | -------- | |VM1|curl https://www.example.com |above rules|Allow| |VM2|curl https://www.example.com|above rules|Deny|
Based on the above results, can't AzureFW Deny be detected by connection troubleshooting?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 0%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Silvia Wibowo 3,011 Reputation points Microsoft Employee2024-01-24T04:38:01.8666667+00:00 Hi @Tsukuda Yusaku , I understand that you use VM Connection Troubleshoot to test connectivity to a certain URL that should be blocked by Azure Firewall (FQDN rule).
Please note that VM Connection Troubleshoot can detect the following types of issues that can impact connectivity:
- High VM CPU utilization
- High VM memory utilization
- Virtual machine (guest) firewall rules blocking traffic
- DNS resolution failures
- Misconfigured or missing routes
- Network security group (NSG) rules that are blocking traffic
- Inability to open a socket at the specified source port
- Missing address resolution protocol entries for Azure ExpressRoute circuits
- Servers not listening on designated destination ports
Azure Firewall is not in that list.
Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.
Sign in to comment