Forum Discussion
Valon_Kolica
Microsoft
Aug 29, 2023
SEP 26, 2023 | Ask-Me-Anything | Azure Firewall, Azure WAF and Azure DDoS
UPDATED, post-AMA: Here is the AMA recording in case you missed the live session.
*************************************************************
Please join us in this Ask Me Anything session with the Azure Network Security CxE PM team. During this session, the Azure Network Security SMEs (Subject Matter Experts) will answer your questions on Azure Firewall, Azure Firewall Manager, Azure Web Application Firewall and Azure DDoS. This will be a great forum for our Public Community members to learn, interact and have their feedback listened to by the Azure Network Security team.
Feel free to post your questions about Azure Network Security solution areas anytime in the comments before the event starts. The team will be answering questions during the live session, with priority given to the pre-submitted questions from the comments below. If you are new to Microsoft Tech-Community, please follow the sign-in instructions.
To register for the upcoming live AMA Sep 26, 2023, visit aka.ms/SecurityCommunity.
- Rinus Werkhoven
Copper Contributor
Valon_Kolica how does Microsoft position the WAF? As a centrally managed device by a network team? Or decentral managed by an application team? We are building an Azure Landing zone as per CAF. The network edge devices like Azure Firewall etc, are managed by a central team. We see the WAF as a centrally managed device.
- TBohunek
Copper Contributor
Is there a way to show replies under the post the reply is to?
- joshuabalesCopper Contributor
Is it possible to use the Azure WAF to create an allow list of IP ranges and block traffic from all other sources?
- gusmodena
Microsoft
joshuabales, yes you can create a custom rule on Azure Web Application Firewall using RemoteAddr (IP address) as your match variable as described here. Custom rules allow you to create your own rules that are evaluated for each request that passes through the WAF and hold a higher priority than the rest of the rules in the managed rule sets. The custom rules contain a rule name, rule priority, and an array of matching conditions. If these conditions are met, an action is taken (to allow, block, or log). If a custom rule is triggered, and an allow or block action is taken, no further custom or managed rules are evaluated. Custom rules can be enabled/disabled on demand.
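The answer above leaves one design choice open: a custom rule that allows the listed ranges short-circuits the managed rule set for those clients, while a negated block rule leaves the managed rules in place for them. The following is an added example, not code from the original post or from Microsoft: it models the evaluation order the answer describes (custom rules first, lower priority number first, Allow/Block terminates) for both rule shapes and emits the rule in the JSON shape used by the WAF policy resource. The sample ranges are constructed, and the property spelling `negationConditon` is taken from the ARM schema as an assumption.

```python
"""Azure WAF custom-rule ordering for an IP allow list.

Added example, not code from the original post or from Microsoft. It models
the evaluation order the answer describes (custom rules before managed rules,
lower priority number first, an Allow/Block match stops evaluation) and emits
the rule in the JSON shape of the WAF policy resource. Sample ranges are
constructed; the real decision is made by the WAF, this only helps pick a
rule shape.
"""
import ipaddress
import json


def ip_in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def custom_rule(name, priority, action, ranges, negate=False):
    """One MatchRule on RemoteAddr, in the WAF policy customRules[] shape."""
    return {
        "name": name,
        "priority": priority,           # lower number = evaluated earlier
        "ruleType": "MatchRule",
        "action": action,               # Allow | Block | Log
        "matchConditions": [{
            "matchVariables": [{"variableName": "RemoteAddr"}],
            "operator": "IPMatch",
            # spelling as in the ARM schema (assumption, copied from the API)
            "negationConditon": negate,
            "matchValues": list(ranges),
        }],
    }


def evaluate(custom_rules, client_ip):
    """Return (decision, managed_rules_run).

    decision is 'Allow' or 'Block' from the first terminating custom rule, or
    'managed' when no custom rule terminated and the managed rule set decides.
    Log-only matches do not stop evaluation.
    """
    for rule in sorted(custom_rules, key=lambda r: r["priority"]):
        cond = rule["matchConditions"][0]
        matched = ip_in_ranges(client_ip, cond["matchValues"])
        if cond["negationConditon"]:
            matched = not matched
        if matched and rule["action"] in ("Allow", "Block"):
            return rule["action"], False
    return "managed", True


TRUSTED = ["203.0.113.0/24", "198.51.100.7/32"]   # constructed sample ranges

# Shape A: allow the list, block everything else. Trusted clients hit the
# Allow rule and skip the managed (OWASP) rules entirely, so a bad payload
# from a trusted IP is never inspected.
ALLOW_THEN_BLOCK = [
    custom_rule("AllowTrustedIPs", 10, "Allow", TRUSTED),
    custom_rule("BlockEveryoneElse", 20, "Block", ["0.0.0.0/0"]),
]

# Shape B: a single negated Block rule. Untrusted clients are blocked before
# the managed rules run; trusted clients fall through and are still inspected.
BLOCK_UNLISTED = [
    custom_rule("BlockUnlistedIPs", 10, "Block", TRUSTED, negate=True),
]


def policy_json(custom_rules) -> str:
    """customRules[] fragment ready to paste into the WAF policy resource."""
    return json.dumps({"customRules": custom_rules}, indent=2)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.9"):
        print(ip, "A:", evaluate(ALLOW_THEN_BLOCK, ip),
              "B:", evaluate(BLOCK_UNLISTED, ip))
    print(policy_json(BLOCK_UNLISTED))
```

Shape B is the one to reach for when the allow list is meant to narrow exposure rather than to exempt trusted clients from inspection. Note that RemoteAddr is the address the WAF sees; if another proxy sits in front of Application Gateway, that will be the proxy's address rather than the end client's.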
- ParthKhemka
Copper Contributor
Will we be having RBAC based ACLs for Firewall or VPNs?
Scenario - I have 5 VNets in my environment, VNet1......VNet5, all in a hub-and-spoke architecture, with the hub having Azure VPN and possibly Azure Firewall as well.
I have 3 users, User1.......User3.
All these users are using P2S VPN to connect to Azure.
Conditions -
User1 should only be allowed to access VNet1 and VNet3.
User2 should be allowed to access VNet2, VNet3 and VNet5.
User3 should be allowed to access only VNet5.
This is one of the major requirements which currently isn't fulfilled by either Azure VPN or Azure Firewall, and I have customers switching to a different NVA provider like Barracuda just for this.
Do we have this feature anywhere in the roadmap?
Thanks!
- SaleemBseeu
Microsoft
For best insights into our roadmap and an opportunity to actively contribute your valuable feedback to our product team, we invite you to join our private community. You can access the community by visiting: https://aka.ms/PrSecCom
To effectively handle scenarios like these, I would recommend utilizing IP groups. With IP groups, you can categorize users based on their source IPs, such as administrators, sales teams, and accounting departments, and then configure your firewall rules accordingly.
- Rahulggupta25
Copper Contributor
1. How can we back up our rules in the firewall?
2. What's the best practice for north-south and east-west traffic?
3. Do we need to have an ELB in front of the firewall?
- gusmodena
Microsoft
Rahulggupta25, please find my comments below:
1. How can we back up our rules in the firewall? Answer: Take a look at the following blog post describing the steps to back up your Azure Firewall.
2. What's the best practice for north-south and east-west traffic? Answer: Could you elaborate more? You can use the same Azure Firewall deployment to protect both north-south and east-west traffic. Check the recommendations in this Well-Architected Framework document for Azure Firewall.
3. Do we need to have an ELB in front of the firewall? Answer: No, you don't need to create an ELB in front of Azure Firewall. Azure Firewall is highly available by design.
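Two replies above suggest IP Groups for per-user segmentation of P2S traffic, and the reply just above notes that one Azure Firewall deployment carries both north-south and east-west rules. The following added example (not code from the thread or from Microsoft) writes the access matrix from ParthKhemka's question as network rules keyed on IP Groups, adds one spoke-to-spoke rule to the same policy, and checks the result against the matrix. It assumes each user group connects from its own P2S address pool (the thread does not say how that is arranged), so an IP Group can stand in for a user group, and it simplifies rule processing to first match wins with default deny; all names and prefixes are constructed.

```python
"""Azure Firewall network rules keyed on IP Groups, checked against the
required access matrix.

Added example, not code from the thread or from Microsoft. Assumptions: each
user group arrives from its own P2S address pool so an IP Group can stand in
for the group; evaluation is simplified to first match wins, default deny
(the real engine has rule collection groups, collection priorities and DNAT
before network before application rules). Names and prefixes are constructed.
"""
import ipaddress

# IP Groups referenced by name from the policy (constructed ranges)
IP_GROUPS = {
    "ipg-p2s-user1": ["10.200.1.0/24"],
    "ipg-p2s-user2": ["10.200.2.0/24"],
    "ipg-p2s-user3": ["10.200.3.0/24"],
    "ipg-spoke-app": ["10.2.0.0/16"],      # VNet2, used by an east-west rule
}
VNETS = {"VNet1": "10.1.0.0/16", "VNet2": "10.2.0.0/16", "VNet3": "10.3.0.0/16",
         "VNet4": "10.4.0.0/16", "VNet5": "10.5.0.0/16"}


def network_rule(name, source_groups, dest_vnets, ports=("*",), protocols=("Any",)):
    """A rule in the shape of a firewall policy NetworkRule using sourceIpGroups."""
    return {"ruleType": "NetworkRule", "name": name,
            "sourceIpGroups": list(source_groups),
            "destinationAddresses": [VNETS[v] for v in dest_vnets],
            "destinationPorts": list(ports), "ipProtocols": list(protocols)}


# One Allow collection; anything it does not match is denied by default.
RULE_COLLECTION = {
    "name": "rc-segmentation", "priority": 100, "action": {"type": "Allow"},
    "rules": [
        network_rule("user1-to-vnet1-vnet3", ["ipg-p2s-user1"], ["VNet1", "VNet3"]),
        network_rule("user2-to-vnet2-3-5", ["ipg-p2s-user2"], ["VNet2", "VNet3", "VNet5"]),
        network_rule("user3-to-vnet5", ["ipg-p2s-user3"], ["VNet5"]),
        # east-west: the app spoke may reach VNet5 on 443 only (constructed)
        network_rule("app-spoke-to-vnet5-https", ["ipg-spoke-app"], ["VNet5"], ports=("443",)),
    ],
}


def _in_any(ip, prefixes):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def decide(collection, src_ip, dst_ip, dst_port):
    """First rule whose source IP Group, destination prefix and port match
    decides with the collection's action; no match means 'Deny'.
    Port matching handles '*' and exact ports only (simplification)."""
    for rule in collection["rules"]:
        src_prefixes = [p for g in rule["sourceIpGroups"] for p in IP_GROUPS[g]]
        ports_ok = "*" in rule["destinationPorts"] or str(dst_port) in rule["destinationPorts"]
        if ports_ok and _in_any(src_ip, src_prefixes) and _in_any(dst_ip, rule["destinationAddresses"]):
            return collection["action"]["type"]
    return "Deny"


REQUIRED = {   # the access matrix from the question
    "ipg-p2s-user1": {"VNet1", "VNet3"},
    "ipg-p2s-user2": {"VNet2", "VNet3", "VNet5"},
    "ipg-p2s-user3": {"VNet5"},
}


def violations(collection, required):
    """Probe one host from each IP Group against one host in every VNet and
    return (group, vnet, decision) wherever the policy disagrees with the matrix."""
    bad = []
    for group, allowed in required.items():
        src = str(ipaddress.ip_network(IP_GROUPS[group][0])[10])
        for vnet, prefix in VNETS.items():
            dst = str(ipaddress.ip_network(prefix)[10])
            got = decide(collection, src, dst, 22)
            want = "Allow" if vnet in allowed else "Deny"
            if got != want:
                bad.append((group, vnet, got))
    return bad


if __name__ == "__main__":
    print("violations:", violations(RULE_COLLECTION, REQUIRED))
    print("user2 -> VNet1:", decide(RULE_COLLECTION, "10.200.2.20", "10.1.0.4", 443))
```

The check is only as good as the premise that a user's traffic really arrives from the pool assigned to that user's group; if all P2S clients share one pool, an IP Group cannot tell them apart, which is the gap the original question is about.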
- brlgen
Brass Contributor
Can you make custom body inspection rules with WAF? For instance, if the request body contains some value, allow or block the connection.
- neilspellings
Copper Contributor
Will Azure Firewall support application rules on ports other than 80 and 443?
- Valon_Kolica
Microsoft
Please submit your questions/feedback here.
- TBohunek
Copper Contributor
Hi, my enterprise lacks the following capabilities in Azure:
* Firewall doesn't support ASG
* NSG doesn't support IP Groups
* neither Firewall nor NSG support targeting cloud resources (subnets, VMs) by their Resource ID
* ASG doesn't work behind Vnet peering
This makes ASG a useless segmentation construct for my enterprise.
I raised this question on the call, you expressed interest in learning more about these use-cases which I would be more than happy to demonstrate. Let me know how to proceed. 🙂
- gusmodena
Microsoft
TBohunek, please submit your feedback via https://aka.ms/azurenetsecfeedback. I would also recommend joining the Private Community, where you can make a difference in helping us shape our products together by reviewing our product roadmaps, co-design participation, feature previews and staying up to date on announcements.
- hthakur03Copper Contributor
I would like to know how Azure Firewall IDPS can be configured in the following scenario. That is, website traffic/incoming requests for the site flow from Internet -> Application Gateway (SKU 1) -> Azure Firewall Premium -> Azure App Service.
In the above scenario, how do we configure the IDPS (Firewall) certificate? Can we use the website's third-party certificate (intermediate) while configuring TLS/IDPS, or do we need to generate a firewall certificate? Also, in Application Gateway, do I need to configure Azure Firewall as the backend and also upload the firewall certificate to Azure Application Gateway?
- andrewmathu
Microsoft
Hello @hthakur03,
Thanks for your question.
To begin with, we would recommend that you use Application Gateway (SKU version 2) as Application Gateway (SKU version 1) will be retired - Deprecation Announcement - April 23, 2023 - https://learn.microsoft.com/en-us/azure/application-gateway/v1-retirement.
For the Azure Firewall Premium, the intermediate certificate is used. You can view the certificate requirements from this page - https://learn.microsoft.com/en-us/azure/firewall/premium-certificates. For production deployments, you should use an Enterprise PKI to generate the certificates that you use with Azure Firewall Premium. This is outlined in this document - https://learn.microsoft.com/en-us/azure/firewall/premium-deploy-certificates-enterprise-ca.
For the Application Gateway backend settings, you will use the root certificate of the Azure Firewall. You can check out this link for the end-to-end setup of Application Gateway with Firewall - https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/application-gateway-before-azure-firewall. You can also check out this blog on Zero Trust with Azure Network Security, which shows the steps when deploying Application Gateway with WAF, Azure Firewall and Azure DDoS - https://techcommunity.microsoft.com/t5/azure-network-security-blog/zero-trust-with-azure-network-security/ba-p/3668280
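The answer above draws a line that is easy to miss: the certificate Azure Firewall Premium needs for TLS inspection is a CA certificate whose private key you hold, not the website's own certificate, and the Application Gateway backend trusts the root of that CA. The following is an added example, not code from the thread or from Microsoft's documentation; it requires the `cryptography` package (an assumption) and uses constructed names. It builds an enterprise root, an intermediate signing CA, and a website leaf chained to a "public" CA, then checks each against the properties the inspection CA must have: BasicConstraints CA=true, the Certificate Sign key usage, and a private key in hand. Per the enterprise-PKI advice in the answer it also flags a self-signed root as something not to use directly. The password-less PFX it exports is the form uploaded to Key Vault, and the root PEM is what goes into the Application Gateway backend settings and client trust stores.

```python
"""Which certificate can Azure Firewall Premium use for TLS inspection?

Added example, not from the thread or from Microsoft's docs. Requires the
'cryptography' package (assumption). Builds a root CA, an intermediate CA and
a website leaf, then checks which of them qualifies as the firewall's signing
CA: CA=true, Certificate Sign key usage, and you hold the private key so the
firewall can mint per-site certificates. All names are constructed.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn=None, issuer_key=None, is_ca=False, path_len=None):
    """Return (private_key, certificate); self-signed when issuer_key is None."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn or subject_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=path_len), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False,
            key_encipherment=not is_ca, data_encipherment=False, key_agreement=False,
            key_cert_sign=is_ca, crl_sign=is_ca,
            encipher_only=False, decipher_only=False), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return key, cert


def inspection_ca_problems(cert, private_key=None):
    """Codes for everything that disqualifies cert as the TLS-inspection CA."""
    problems = []
    try:
        if not cert.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            problems.append("not-a-ca")          # a leaf cannot sign anything
    except x509.ExtensionNotFound:
        problems.append("not-a-ca")
    try:
        if not cert.extensions.get_extension_for_class(x509.KeyUsage).value.key_cert_sign:
            problems.append("no-keycertsign")
    except x509.ExtensionNotFound:
        problems.append("no-keycertsign")
    if private_key is None:
        problems.append("no-private-key")        # firewall cannot mint per-site certs
    if cert.issuer == cert.subject:
        problems.append("self-signed-root")      # issue an intermediate from it instead
    return problems


def export_pfx(cert, key, chain):
    """Password-less PFX, the form the firewall's Key Vault reference expects."""
    return pkcs12.serialize_key_and_certificates(
        b"azfw-tls-inspection", key, cert, chain, serialization.NoEncryption())


def trust_anchor_pem(cert):
    """Root PEM for the Application Gateway backend setting and client trust stores."""
    return cert.public_bytes(serialization.Encoding.PEM)


def demo():
    root_key, root = make_cert("Contoso Enterprise Root CA", is_ca=True)
    fw_key, fw_ca = make_cert("Contoso TLS Inspection CA", "Contoso Enterprise Root CA",
                              root_key, is_ca=True, path_len=0)
    # the website's public chain: you never hold these private keys
    pub_key, public_int = make_cert("Example Public CA G1", "Example Public Root",
                                    rsa.generate_private_key(65537, 2048), is_ca=True)
    _, site = make_cert("www.contoso.com", "Example Public CA G1", pub_key)
    pfx = export_pfx(fw_ca, fw_key, [root])
    _, loaded, extra = pkcs12.load_key_and_certificates(pfx, None)
    return {
        "firewall-ca": inspection_ca_problems(fw_ca, fw_key),
        "enterprise-root": inspection_ca_problems(root, root_key),
        "public-intermediate": inspection_ca_problems(public_int),
        "website-leaf": inspection_ca_problems(site),
        "pfx-roundtrip": loaded == fw_ca and len(extra) == 1,
        "root-pem-ok": trust_anchor_pem(root).startswith(b"-----BEGIN CERTIFICATE-----"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The "public-intermediate" case is the one the question asks about: the third-party intermediate in the website's chain has the right extensions but you do not hold its key, so it cannot serve as the inspection CA. Keep the enterprise root offline and let only the intermediate's PFX reach Key Vault.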
- Mr-ChamoCopper Contributor
It might seem obvious but I have not got a consensus (or even a strong trend) on whether it is recommended to have a Firewall in front of the WAF, since we know that this has disadvantages like the visibility and tuning of WAF policies. I would like to hear the architecture recommendation for WAF and FW in a typical hub and spoke customer scenario. If I use WAF in the Hub I could have limitations on distributing Billing per subscription. If I put the WAF with PIP on the spokes I think it goes against the practice of not allowing connectivity from the Internet to an application in an internal zone. I would like to hear clear recommendations on this.
- TBohunek
Copper Contributor
I think the answer on the call proved the point: We have to choose either Client IPs or IDPS&TI. There is demand for a solution that does both. 🙂
Looks to me that these features could be integrated into WAF/AppGW if Microsoft wanted to.