mij2020-6135 asked ·

Basic Azure Firewall question

I'm confusing myself with incoming and outgoing traffic on the Azure FW.
I realise that NAT rules are inbound only.
However, Network and Application rule collections could be incoming or outgoing.

My question is: how does the system know which direction to apply the rule? We don't specify which way the traffic is going.
For example: if I want to allow all traffic on my Vnet out to the internet, I could create a network rule which gives the source IP as " all* " and the destination as " all* ".
Does this mean I allow all my devices access to the internet (NSG permitting), or I allow all external traffic into my Vnet (NSG permitting), or both? For obvious reasons I only want the former. What does the system use as the source if I can't tell it?

Thanks

azure-firewall

1 Answer

Sumarigo-MSFT answered ·

@mij2020-6135 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.


It's based on the Source and Destination IP which you specify.

Network and application rules would be outgoing for the public internet.
The rules are stateful. So, if traffic from the VNet to the internet is going out via a network rule, the return traffic would be handled by the same rule.


NAT rules: Configure DNAT rules to allow incoming Internet connections.
Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
Network rules: Configure rules that contain source addresses, protocols, destination ports, and destination addresses.


Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols, for example RDP, SSH, and FTP. For best inbound HTTP/S protection, use a web application firewall such as Azure Web Application Firewall (WAF).


Additional information: The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level protection across different subscriptions and virtual networks.


Hope this helps!

Kindly let us know if the above helps or you need further assistance on this issue.

Please don't forget to "Accept the answer" wherever the information provided helps you, this can be beneficial to other community members.


1 comment

If I want to allow all traffic on my Vnet out to the internet - I could create a network rule which gives the source IP as " all* " and the destination as " all* ".

All VMs from the Vnet would have access to the internet (NSG and firewall permitting).
The source would be the private IP of the Azure VM.

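As an added illustration (not part of the answer above, and not Microsoft's own sample), this is what the "allow my Vnet out to the internet" network rule from the question looks like as a classic rule collection in an ARM template for a Microsoft.Network/azureFirewalls resource. The firewall name, the 10.1.0.0/16 address space and the rule names are constructed placeholders. Direction is not a property of the rule: it is implied by sourceAddresses. Setting sourceAddresses to the VNet's own prefix (rather than "*" as in the question) restricts the match to traffic that originates from VNet private IPs, so a source of "*" would additionally match any other traffic routed through the firewall, such as peered spokes or on-premises ranges reaching it via the hub. Return traffic for these sessions is allowed by the firewall's stateful tracking, while unsolicited inbound connections from the internet still require a DNAT rule.

```json
{
  "type": "Microsoft.Network/azureFirewalls",
  "apiVersion": "2021-05-01",
  "name": "hub-fw",
  "location": "[resourceGroup().location]",
  "properties": {
    "networkRuleCollections": [
      {
        "name": "allow-vnet-egress",
        "properties": {
          "priority": 200,
          "action": { "type": "Allow" },
          "rules": [
            {
              "name": "vnet-to-internet",
              "protocols": [ "Any" ],
              "sourceAddresses": [ "10.1.0.0/16" ],
              "destinationAddresses": [ "*" ],
              "destinationPorts": [ "*" ]
            }
          ]
        }
      }
    ]
  }
}
```

The ipConfigurations block (firewall subnet and public IP) is omitted here for brevity; without it the resource will not deploy.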