Azure Firewall: lack of service tag: Internet / allow access to the Internet on the specific port

Bart Olejnik 125 Reputation points
2023-11-13T10:57:37.9633333+00:00

Hi all,

I tried to use service tag "Internet" on the Azure Firewall but I see that it's not available in this product (https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags)

Case

Environment

  • 2 Vnets / 2 subnets (example 10.1.0.0/8 and 10.2.0.0/2; but assume I would like to allow all internal traffic / private IPs )
  • 1 Azure Firewall
  • UDR on each subnets which streams all traffic to Azure Firewall

I would like to achieve somethinkg like that:

  • Allow traffic to the Internet on port tcp:80 from all subnets
  • Block all other traffic to the Internet from all subnets
  • Allow all traffic between Subnets

I tried to use Service tag: Internet in the following way but I don't have such of possibility on Azure Firewall

example rules (outgouing)

source / destination /Action

100 : * / tag: Internet; TCP_80 / Allow - to allow traffic from all subnets to the Internet on port 80

110: */ tag: Internet; * / Deny - to deny any other traffic to the Internet

120: * / * / allow - to allow all traffic between subnets (Deny will be on NSG)

Default Azure Firewall Rule at the end : deny Any / Any

I will be grateful for you support in this area.

ps. If tag "Internet" is not available on Azure Firewall, maybe it could be worth to add this information in the documentation

User's image

https://learn.microsoft.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
687 questions
{count} votes

Accepted answer
  1. KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee
    2023-11-16T09:40:42.2533333+00:00

    @Bart Olejnik

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Your observation is correct. "Internet" Service Tag is currently not available to use with Azure Firewall.

    There are quite a few service tags that are not supported in Azure Firewall.

    • Just mentioning the "Internet" tag would not add a value.
    • Hence, the document Azure Firewall service tags has the section "Supported service tags"

    As a Best practice,

    • It's better to have generic rules at last. (with IP ranges 0.0.0.0/0)
    • However, the implementation you mentioned should also work without any issue.
    • For Network Rules, yes, Source IP will always be a private IP. However, I would suggest you be always define specific IPs in rules wherever possible.
      • As address space increases, you can either edit the rule to include the additional address space or add new rule.

    Applying the above to your scenario,

    Outgoing

    Priority 100:

    • Source IP: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    • Source Port : *
    • Destination: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    • Destination Port: *

    Priority 110

    • Source IP: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    • Source Port : *
    • Destination: 0.0.0.0/0
    • Destination Port: 80

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.