Azure firewall rule processing question

Asked by DifanZhao-5255; answered by GitaraniSharmaMSFT-4262

Hi experts,

I am playing with the Azure firewall and I have a confusion about the order of the rule processing. Based on my study, the DNAT rule will be processed first, then the Network rule, then the App rule. I have the priority value set accordingly too for these collections. My scenario is pretty simple: I only have one RCG and there is no parent policy.

So at first, I tested with a Network rule to permit HTTP traffic and an App rule to deny the HTTP. The result is still "Permit". It makes sense.

However, now I have a DNAT rule to permit inbound SSH to a VM, and a Network rule to block the SSH, and the result is "Deny". If I take out the Network rule, the SSH works. Why is this happening? Shouldn't the DNAT rule prevail over the Network rule?

Also, every time I make a rule change, it takes like 3 to 5 minutes to deploy. It is kind of frustrating, especially when studying... Is there any way to speed up the deployment? Is the CLI faster?

Thanks,
Difan

azure-firewall

1 Answer

GitaraniSharmaMSFT-4262 answered

Hello @DifanZhao-5255 ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

As per this article, the default behavior is - NAT rules are applied in priority before network rules. However, if a match is found, an implicit corresponding network rule to allow the translated traffic is added. For security reasons, the recommended approach is to add a specific internet source to allow DNAT access to the network and avoid using wildcards.
Azure firewall is a stateful firewall but we internally install rules in both directions. This is by design.

In your case, the configured deny Network rule is taking precedence over the implicit allow Network rule due to the higher priority of the configured Network rule. Hence, the SSH is denied even though it is allowed in the DNAT rule.

To avoid running into this situation, we recommend that you either not add any Network rule contradicting the DNAT rule or add the Network rule with the lowest priority.

Regarding the rule deployment time, it is a known issue and a fix is being investigated.
Refer: https://docs.microsoft.com/en-us/azure/firewall/overview#known-issues

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
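The processing order described in the answer, as an added example that is not part of the original post and is not Azure's own code: a small Python model in which DNAT rules are evaluated first by priority, a matching DNAT rule appends an implicit allow network rule for the translated traffic, and the network rules are then evaluated by priority (lower number first, Azure convention). The priority assigned to the implicit rule (`IMPLICIT_PRIORITY`), the sample addresses, and the exact-match semantics for sources and destinations are assumptions of the model, not documented Azure Firewall values. The `scenario` function reproduces the asker's setup and shows that the configured deny wins while its priority number is below the implicit rule's, and that moving the deny to the lowest priority (highest number) lets the translated SSH traffic through.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Assumption of this model: the implicit allow rule created for a DNAT match is
# evaluated after every configured network rule with a smaller priority number.
IMPLICIT_PRIORITY = 65000


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str            # destination as seen by the firewall (public IP when inbound)
    port: int
    proto: str = "TCP"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                      # Azure semantics: lower number is evaluated first
    action: str                        # "Allow" / "Deny" for network rules, "DNAT" for NAT rules
    src: str                           # "*" or an exact address (simplified matching)
    dst: str
    ports: FrozenSet[int]
    proto: str = "TCP"
    translated: Optional[Tuple[str, int]] = None   # (private IP, port) for DNAT rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src in ("*", pkt.src)
            and rule.dst in ("*", pkt.dst)
            and pkt.port in rule.ports
            and rule.proto == pkt.proto)


def evaluate(pkt: Packet, nat_rules: List[Rule], net_rules: List[Rule]) -> Tuple[str, List[str]]:
    """Return (verdict, trace) for one packet under the modelled processing order."""
    trace: List[str] = []
    net = list(net_rules)

    # Step 1: DNAT rules, highest priority (lowest number) first.
    for r in sorted(nat_rules, key=lambda r: r.priority):
        if matches(r, pkt) and r.translated is not None:
            ip, port = r.translated
            trace.append(f"DNAT {r.name}: {pkt.dst}:{pkt.port} -> {ip}:{port}")
            pkt = Packet(pkt.src, ip, port, pkt.proto)
            # The match adds an implicit network rule allowing the translated traffic.
            net.append(Rule(f"implicit-allow({r.name})", IMPLICIT_PRIORITY, "Allow",
                            r.src, ip, frozenset({port}), r.proto))
            break

    # Step 2: network rules (configured plus implicit), by priority.
    for r in sorted(net, key=lambda r: r.priority):
        if matches(r, pkt):
            trace.append(f"Network {r.name} (priority {r.priority}): {r.action}")
            return r.action, trace

    trace.append("no network rule matched: Deny (default)")
    return "Deny", trace


def scenario(deny_priority: Optional[int]) -> Tuple[str, List[str]]:
    """Asker's setup: DNAT allows SSH to a VM, a network rule denies SSH to that VM.

    deny_priority=None reproduces the test where the network rule was removed.
    All addresses below are constructed sample values.
    """
    dnat = [Rule("allow-ssh-dnat", 100, "DNAT", "203.0.113.10", "20.0.0.5",
                 frozenset({22}), translated=("10.0.0.4", 22))]
    net = []
    if deny_priority is not None:
        net.append(Rule("block-ssh", deny_priority, "Deny", "*", "10.0.0.4", frozenset({22})))
    inbound_ssh = Packet("203.0.113.10", "20.0.0.5", 22)
    return evaluate(inbound_ssh, dnat, net)


if __name__ == "__main__":
    for label, prio in (("configured deny at priority 200", 200),
                        ("configured deny at lowest priority", IMPLICIT_PRIORITY + 1),
                        ("network rule removed", None)):
        verdict, trace = scenario(prio)
        print(f"{label}: {verdict}")
        for line in trace:
            print("   ", line)
```

Running the module prints a trace for each of the three cases; the first case ends in Deny because `block-ssh` is evaluated before the implicit allow rule, which is exactly the behaviour the asker observed.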


