Best Methods for Diagnosing Azure Hosted Web App Communication Issues by Adjusting or Disabling Firewall Settings

KindCompute-6524 95 Reputation points
2024-07-21T13:16:22.1833333+00:00

Hi community,

For a web app on Azure constructed using various Azure services, the design typically blocks a lot of communication for security reasons. However, to diagnose issues, it's necessary to allow inbound and outbound communication. I am wondering which method is best to enforce the firewall to allow all communication in and out. An issue has occurred, and the hypothesis is that it may be due to the firewall.

Should we create a network rule and an application rule with wildcard (*) for the source, port, and destination, or should we disable the firewall completely? If so, could you please suggest a method to disable the firewall, as there is no disable button on the Azure portal for the firewall?

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
685 questions
Azure Web Application Firewall
Azure Firewall Manager
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
95 questions
{count} votes

2 answers

Sort by: Most helpful
  1. KapilAnanth-MSFT 47,206 Reputation points Microsoft Employee
    2024-07-22T03:43:24.0733333+00:00

    @KindCompute ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see you have an Azure Firewall acting as a Virtual Appliance.

    If you want to know if a traffic is blocked or allowed

    • You have to check the Azure Firewall logs
    • You can filter based on the source IP, source Port(if you are aware of it), destination IP/Hostname and destination port.
    • This will tell you if the packet reached the Firewall in first place, and if it did whether or not Azure Firewall allowed or blocked the traffic.

    Wrt, "Should we create a network rule and an application rule with wildcard (*) for the source, port, and destination"

    • This can be done if you are in a development environment
    • Make sure that you also consider other environments that might be using this Firewall for filtering and they may allow all traffic because of this rule.
    • Even in this case, you can filter traffic for actual issue as mentioned above.

    You may run the below query for complete Azure Firewall logs (Network + Application logs)

    AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS"
    

    Cheers,

    Kapil

    1 person found this answer helpful.

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


    Comments have been turned off. Learn more

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.