Azure firewall rules with multiple IP or ranges issue

prasantc 901

I found the following information about IP separated with commas and Azure rule still accepts the rule without error.

Spaces Between IP Addresses or Ranges:

When specifying multiple IP addresses or ranges, separate them with a comma and no spaces. For example: 192.168.1.1,192.168.1.2.

Spaces Around Commas:

Ensure there are no spaces immediately before or after the commas used to separate IP addresses or ranges. Incorrect: 192.168.1.1, 192.168.1.2.

Apparently, entire rule does not work when there is a comma in between

Luke Murray 10,896 Reputation points MVP

2023-10-02T08:05:29.0566667+00:00
So, to clarify, you are having problems with the rule like this:

192.168.1.1,192.168.1.2 Its usually not the best practice to add spaces into a comma-separated entity, as some systems interpret the space as a character itself, and try to parse it.
prasantc 901 Reputation points

2023-10-02T13:57:34.77+00:00

If I do not add spaces. After it is applied AZ firewall will display with spaces in between which makes it more confusing
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-03T11:51:57.65+00:00
@prasantc

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are using multiple IPs in a network rule, as a comma separated values and in this case, the entire Rule is not validated.

Please let me know if my understanding is incorrect.

You should not add spaces, only commas to separate the IPs.

You can see the example here : Configure a network rule

When you say "rule does not work",

Can you please provide more info?

Did you create an Allow Rule or Deny Rule?

If Allow Rule,

Are you stating that the traffic is denied for both the IPs

If Deny Rule,

Are you stating that the traffic is allowed for both the IPs (via some higher priority rule)

Is it being logged in the Firewall logs?

Can you please share a screenshot of the Rule and as well the contradicting behavior?

Using ping/tcpPing/telnet.

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-04T11:38:47.5733333+00:00

@prasantc

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
prasantc 901 Reputation points

2023-10-04T17:00:47.1433333+00:00

It is allowed rule. Even if I do not add space Az firewall automatically add on space after it is applied, which makes it difficult to identify the IPs that were actually added with space
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-04T17:14:05.2+00:00
@prasantc

I see.

I would like to know what exactly is the issue you are highlighting here.

Is it that the Portal displays the IPs/IP Ranges added as a space separated entity - like a cosmetic bug?

or

The rule does not work if you give a comma separated list?

In this case, can you please share a screenshot of Rule and the Firewall log blocking the traffic?

Cheers,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-05T13:26:29.5033333+00:00

@prasantc

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
prasantc 901 Reputation points

2023-10-08T06:21:32.3066667+00:00

I copied to notepad. removed spaces and pasted back to azure fules but AZ firewall add spaces back. you should be able to replicate in current az firewall
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-11T14:35:09.7+00:00

@prasantc

Could you please provide an update on this post?

Kindly let us know if this helps or you need further assistance on this issue.

Thanks,

Kapil
KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-12T03:58:32.5833333+00:00

@prasantc

I have converted my comment and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Should there be any follow up questions or queries, please do let us know and we shall be more than happy to address them.

Thanks,

Kapil

1 answer

KapilAnanth-MSFT 41,491 Reputation points Microsoft Employee

2023-10-10T09:39:59.3266667+00:00
@prasantc

I did a lab and I was able to reproduce the behavior of Azure firewall adding implicit spaces.

I was able to add a list of IPs with both

Just comma separated

Comma separated plus space

However,

Spaces only separated list did not work.

Is this the issue you are looking at?

Are you interested in knowing what is the recommended way to do this?

In any case, the rule I created worked perfectly.

It does not matter if you use a "comma separated" or "comma separated plus space".

I created a rule that allowed 8.8.8.8 and 1.1.1.1

8.8.8.8 (dns.google)

one.one.one.one (1.1.1.1)

while accessing www.google.com

Cheers,

Kapil
Please sign in to rate this answer.

0 comments No comments
Sign in to comment

Share via

Azure firewall rules with multiple IP or ranges issue

1 answer