Allow outbound requests to certain FQDNs

Senthilkumaran Kulasekaran 20 Reputation points
2023-02-05T15:20:44.87+00:00

How to set up Azure Firewall so that the new Cashless VMs in Azure can only make outbound requests to certain FQDNs; the underlying IPs may be dynamic.

Need this for Azure since outbound cashless requests will leave Azure.

Tags: Azure Firewall, Windows Server 2016

Accepted answer
  1. KapilAnanth-MSFT 35,986 Reputation points Microsoft Employee
    2023-02-17T09:24:40.7233333+00:00

    @Senthilkumaran Kulasekaran

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I understand that you would like to allow requests only to certain FQDNs using Azure Firewall.

    Please note that FQDNs are not supported in NSG.

    Only Azure Firewall can support FQDNs.

    Also, I am not sure what you mean by "cashless VMs". I would appreciate it if you could elaborate on this.

    You can follow the steps mentioned here to achieve your requirement.

    Deploy and configure Azure Firewall using the Azure portal

    • Create an Azure Firewall and a Firewall Policy (depending upon your SKU)
    • Make sure the VNet in which you are deploying the firewall and the VNet where the VMs are deployed are peered to each other and can communicate with each other
    • On the subnet of the VM, attach a route table
    • In the route table, make sure you have a route so that all traffic goes to the Azure Firewall as Next Hop
    • For blocking FQDNs, you must use an Application rule with Allow action to the desired FQDNs
    • Please note that Az FW is Deny by default and you will be required to add the FQDNs for which you would like to provide access.

    I hope this helps. Please let me know if you require further information.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.
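The steps in the accepted answer, as an added Bicep example that is not part of the original thread or of any Microsoft documentation: it attaches an Allow application rule for the permitted FQDNs to an existing Firewall Policy and creates the route table that sends all VM-subnet traffic to the firewall. The policy name, firewall private IP, subnet prefix and FQDNs are assumed placeholders.

```bicep
// Added example (not from the thread): route a VM subnet through an existing
// Azure Firewall and allow outbound traffic only to the listed FQDNs.
// Names, prefixes and FQDNs below are assumed placeholders.
param location string = resourceGroup().location
param firewallPolicyName string                 // existing policy attached to the firewall
param firewallPrivateIp string                  // firewall's private IP in AzureFirewallSubnet
param vmSubnetPrefix string = '10.1.0.0/24'     // subnet hosting the cashless VMs
param allowedFqdns array = [ 'api.payments.example', '*.acquirer.example' ]

resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: firewallPolicyName
}

// Application rule collection: Allow only the listed FQDNs over HTTPS.
// Azure Firewall denies traffic that matches no rule, so no explicit deny is needed.
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-cashless-fqdns'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'cashless-endpoints'
            sourceAddresses: [ vmSubnetPrefix ]
            targetFqdns: allowedFqdns
            protocols: [ { protocolType: 'Https', port: 443 } ]
          }
        ]
      }
    ]
  }
}

// Route table for the VM subnet: every destination (0.0.0.0/0) is sent to the
// firewall as next hop, so no VM can bypass the application rules.
resource rt 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-cashless-vms'
  location: location
  properties: {
    routes: [
      { name: 'default-via-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } }
    ]
  }
}
```

Associate `rt.id` with the VM subnet's `routeTable` property on the subnet resource to complete the path. Application rules match on the HTTP Host header or TLS SNI, so they keep working when the destinations' IP addresses change.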


1 additional answer

  1. msrini-MSFT 9,261 Reputation points Microsoft Employee
    2023-02-19T04:32:13.66+00:00

    Hi, you will need to create an Azure Firewall and start configuring the Network rules first. A Network rule is what is hit first when traffic reaches the Firewall. So you will need to allow ports here and then block FQDNs in Application rules. Create Application rules where you deny all with lower priority and start allowing the FQDNs which you want to allow. Once network and application rules are configured, go ahead and create a routing table to force all traffic from the VM subnet to flow via Azure Firewall.
