Basic Azure Firewall question

mij2020 366 Reputation points
2020-07-08T14:42:39.6+00:00

I'm confusing myself with incoming and outgoing traffic on the Azure FW.
I realise that NAT rules are inbound only.
However, network and application rule collections could be incoming or outgoing.

My question is: how does the system know which direction to apply the rule? We don't specify which way the traffic is going.
For example: if I want to allow all traffic on my VNet out to the internet, I could create a network rule which gives the source IP as "*" and the destination as "*".
Does this mean I allow all my devices access to the internet (NSG permitting), or I allow all external traffic into my VNet (NSG permitting), or both? For obvious reasons I only want the former. What does the system use as the source if I can't tell it?

Thanks

Accepted answer
Sumarigo-MSFT 43,641 Reputation points Microsoft Employee
2020-07-13T07:49:32.723+00:00

@mij2020-6135 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

It's based on the source and destination IP which you specify.

Network and application rules would be outgoing for the public internet.
The rules are stateful. So if traffic from the VNet to the internet goes out via a network rule, the return traffic is allowed by the same rule.

NAT rules: Configure DNAT rules to allow incoming Internet connections.
Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.

Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols, for example RDP, SSH, and FTP. For best inbound HTTP/S protection, use a web application firewall such as Azure Web Application Firewall (WAF).

Additional information: The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks.

Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

Please don't forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.
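The following is an added illustration, not code from the question, the answer, or Azure Firewall itself. It is a small Python model of the stateful network-rule semantics the answer describes: a rule carries no direction field; its Source is simply whichever side initiates the connection, and reply packets are admitted by the connection state rather than by a second rule written the other way round. The VNet range 10.0.0.0/16, the rule names and the packets are constructed sample values. The model ignores rule-collection priorities, application rules and DNAT (as the answer notes, unsolicited connections from the internet need a DNAT rule in real Azure Firewall), so it only demonstrates the source/destination question raised above. It also shows why a rule with Source "*" is broader than "my VNet out to the internet": the same rule would match an unsolicited inbound connection as well.

```python
"""Simplified model of stateful network-rule evaluation (constructed for
illustration; not Azure Firewall code). Rule-collection priorities,
application rules and DNAT are deliberately left out."""

import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class NetworkRule:
    name: str
    source: str          # CIDR, single IP, or '*'
    destination: str     # CIDR, single IP, or '*'
    protocol: str        # 'TCP', 'UDP' or 'Any'
    dest_ports: tuple    # e.g. ('443',) or ('*',)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def _addr_matches(pattern: str, ip: str) -> bool:
    if pattern == '*':
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _rule_matches(rule: NetworkRule, pkt: Packet) -> bool:
    return (_addr_matches(rule.source, pkt.src_ip)
            and _addr_matches(rule.destination, pkt.dst_ip)
            and rule.protocol in ('Any', pkt.protocol)
            and ('*' in rule.dest_ports or str(pkt.dst_port) in rule.dest_ports))


@dataclass
class StatefulFirewall:
    rules: list
    established: set = field(default_factory=set)   # admitted 5-tuples

    def evaluate(self, pkt: Packet) -> tuple:
        """Return (action, reason). No direction is declared anywhere: the
        rule's Source is whichever side sends the first packet."""
        # Replies to a connection already admitted by a rule are allowed by
        # the state table, not by a second rule written in the other direction.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)
        if reverse in self.established:
            return ('Allow', 'established')
        for rule in self.rules:
            if _rule_matches(rule, pkt):
                self.established.add(
                    (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol))
                return ('Allow', rule.name)
        return ('Deny', 'no matching rule')


# Constructed sample: the VNet is 10.0.0.0/16; everything else is "the internet".
VNET_OUT_ONLY = NetworkRule('allow-vnet-to-internet', '10.0.0.0/16', '*', 'Any', ('*',))
ANY_TO_ANY = NetworkRule('allow-any-to-any', '*', '*', 'Any', ('*',))

OUTBOUND = Packet('10.0.1.4', 50000, '8.8.8.8', 443, 'TCP')        # VM -> internet
RETURN = Packet('8.8.8.8', 443, '10.0.1.4', 50000, 'TCP')          # reply to OUTBOUND
UNSOLICITED = Packet('203.0.113.9', 40000, '10.0.1.4', 22, 'TCP')  # internet -> VM


def compare(rule: NetworkRule) -> dict:
    """Evaluate the three sample packets, in order, against a single rule."""
    fw = StatefulFirewall([rule])
    return {
        'outbound': fw.evaluate(OUTBOUND),
        'return': fw.evaluate(RETURN),
        'unsolicited_inbound': fw.evaluate(UNSOLICITED),
    }


if __name__ == '__main__':
    for rule in (VNET_OUT_ONLY, ANY_TO_ANY):
        print(rule.name, compare(rule))
```

With `VNET_OUT_ONLY`, the outbound packet matches the rule, the reply is admitted as established traffic, and the unsolicited inbound connection is denied because its source is not in 10.0.0.0/16. With `ANY_TO_ANY`, the unsolicited connection is allowed by the same rule, which is the unwanted second reading the questioner was worried about; putting the VNet address space in Source rather than "*" is what expresses "my VNet out to the internet".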

