Whitelist URL for Azure VM

marcos quiroga 21 Reputation points
2022-11-02T09:42:17.613+00:00

We have a very closed environment with some Data Science resources and a DSVM with some software and no Internet; for each of our groups of users we create everything new in a new Resource Group.
What we need is to allow traffic only to specific URLs from the DSVM, to be able to connect or install things on the software inside the VM.
Taking into account that with an NSG we cannot whitelist URLs, only IPs, and there is no application hosted, which solution is recommended? And could it be applied for every Resource Group, or should it be duplicated for every existing one?
Any help would be appreciated. Thanks in advance!


Accepted answer
  1. vipullag-MSFT 26,487 Reputation points Moderator
    2022-11-29T11:21:40.777+00:00

    @marcos quiroga

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    For any filtering of URLs, the only option is Firewall.

    There is a cost-effective Firewall (Azure Firewall Basic) that is currently in preview. Please check this document: Azure Firewall Basic.

    If Firewall is the only option, could one Firewall be configured to serve multiple Resource Groups/VNets/Subnets, or should there be one per RG?
    - It's one per VNet.
    - It can serve multiple VNets, as long as these VNets are peered to the VNet where the Firewall is deployed.

    Hope this helps.
    If you need further help on this, tag me in a comment.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.


2 additional answers

  1. Joe Carlyle 661 Reputation points MVP
    2022-11-02T11:30:46.643+00:00

    If you configure your network to route all traffic via Azure Firewall, and enable DNS Proxy, you can allow only specific FQDNs as required.

    This will require route tables on all subnets, and a comprehensive set of Network rules on Azure Firewall.

    1 person found this answer helpful.
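
The layout described in the answers above (one shared firewall, DNS proxy, an FQDN allow-list, and a default route on each subnet), sketched with the Azure CLI as an added example that is not part of the original thread. It assumes classic application rules from the `azure-firewall` CLI extension and a firewall already deployed in a hub VNet that is peered to each spoke; every resource name, address range and FQDN is a constructed placeholder.

```shell
#!/usr/bin/env bash
# Added example: FQDN egress allow-list on a shared hub Azure Firewall.
# Every name, address range and FQDN below is a constructed placeholder.
# DRY_RUN=1 (default) only prints the az commands; DRY_RUN=0 executes them.
DRY_RUN="${DRY_RUN:-1}"
HUB_RG="rg-hub"      # hypothetical resource group holding the firewall
FW="fw-hub"          # hypothetical firewall name
FW_IP="10.0.1.4"     # firewall private IP (placeholder)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# DNS proxy: the firewall answers the VMs' DNS queries, so the names it
# filters on resolve the same way for the firewall and for the clients.
enable_dns_proxy() {
  run az network firewall update -g "$HUB_RG" -n "$FW" --enable-dns-proxy true
}

# usage: allow_fqdns <rule-name> <source-cidr> <fqdn>...
# HTTPS to the listed FQDNs only. The first call creates the collection;
# --priority and --action are settings of the collection, not of the rule.
allow_fqdns() {
  name="$1"; src="$2"; shift 2
  run az network firewall application-rule create -g "$HUB_RG" \
    --firewall-name "$FW" --collection-name dsvm-egress \
    --priority 200 --action Allow --name "$name" \
    --source-addresses "$src" --protocols Https=443 --target-fqdns "$@"
}

# usage: route_spoke_via_firewall <rg> <vnet> <subnet>
# Points the spoke's DNS and default route at the firewall. Repeat per subnet.
route_spoke_via_firewall() {
  rt="rt-$2-$3"
  run az network vnet update -g "$1" -n "$2" --dns-servers "$FW_IP"
  run az network route-table create -g "$1" -n "$rt"
  run az network route-table route create -g "$1" --route-table-name "$rt" \
    -n default-via-fw --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_IP"
  run az network vnet subnet update -g "$1" --vnet-name "$2" -n "$3" \
    --route-table "$rt"
}

enable_dns_proxy
allow_fqdns team-a 10.1.0.0/24 pypi.org files.pythonhosted.org
route_spoke_via_firewall rg-team-a vnet-team-a snet-dsvm
```
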

  2. marcos quiroga 21 Reputation points
    2022-11-04T08:28:57.12+00:00

    Hi @Joe Carlyle, thank you for your quick reply. Question: I do consider that Firewall is probably the robust solution for this, but also taking into account that what we need is only to whitelist URLs and we will not use most of the features of the Firewall:
    - Is there any other option/configuration (like NAT Gateway) that could suit the solution? Taking into account the price of the Firewall and that we need to replicate it in a big number of Resource Groups.
    - If Firewall is the only option, could one Firewall be configured to serve multiple Resource Groups/VNets/Subnets, or should there be one per RG?

    Thanks in advance!

