For firewall settings on systems receiving communications from Azure, how to restrict IP source

Nichols, Alan 0 Reputation points
2024-03-07T11:38:41.4366667+00:00

I have a cloud based server application that is being accessed by Azure based cloud applications.

I need to protect my application from misuse with a firewall, and really only want to permit access at the networking level for particular customers.

For the sending systems, Azure Firewall does SNAT when the destination address is a non-RFC IP address (i.e., it is not a private IP address). According to this page: https://learn.microsoft.com/en-us/azure/firewall/snat-private-range

Azure Firewall provides SNAT capability for all outbound traffic to public IP addresses. By default, Azure Firewall doesn't SNAT with Network rules when the destination IP address is in a private IP address range per IANA RFC 1918 or shared address space per IANA RFC 6598. Application rules are always SNATed using a transparent proxy whatever the destination IP address.

All fine and good, but it's important for us to protect the target application (which may or may not run on Azure) from misuse, so I need to firewall that connection on my cloud application.

Is the observed source IP address in my application from a particular Azure tenant going to be constant? Is there a subnet I can use?


1 answer

  1. KapilAnanth-MSFT 35,086 Reputation points Microsoft Employee
    2024-03-13T13:38:18.96+00:00

    @Nichols, Alan ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    Your observations are spot on.

    Azure Firewall provides SNAT for any resource that is deployed in a Virtual Network and requires an outbound connection.

    And the SNATed IP will be one of the IPs you have configured (so you know what the IPs are).

    Now, in your target application, you can use the Firewall solutions it has to offer to filter the SNATed IPs from the Azure Firewall.

    Is the observed source IP address in my application from a particular Azure tenant going to be constant? Is there a subnet I can use?

    • Tenant has nothing to do with this
    • It completely depends on the Application
    • If this is a VM with Static Public IP - The IP won't change
    • Or any resource in a VNET that uses Azure Firewall for SNAT - The IP(s) won't change
    • Or if this is an App Service - there is a specific list of IP addresses for your App Service that it uses to make outbound calls. See: Inbound and outbound IP addresses in Azure App Service

    In summary, if you could specify what exactly this application that is making outbound calls is, we can say whether it would have a fixed range of IPs or not.

    Cheers,

    Kapil

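As an added illustration of the answer's advice (not code from the thread or from Microsoft), here is a small source-IP allowlist that accepts only the public IPs configured on your Azure Firewall (or the outbound IP list of an App Service) and renders the same list as nftables rules for enforcement at the network level. All IP values and the port are constructed placeholders.

```python
"""Allowlist of Azure SNAT source addresses for a server reached over public IPs.
Added example, not from the original Q&A. The addresses below are constructed
placeholders; replace them with the public IPs configured on your Azure Firewall
(these are the SNAT sources the answer refers to) or the outbound IP list Azure
shows for your App Service. Note the caveat from the question: if the server is
reached over an RFC 1918 address, Azure Firewall does not SNAT with network rules,
so the source you see is the workload's private IP and you would allowlist the
VNet subnet instead."""
import ipaddress
from typing import Iterable, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample values (documentation ranges, not real Azure addresses).
AZURE_FIREWALL_SNAT_IPS = ["203.0.113.10", "203.0.113.11"]   # public IPs on the Azure Firewall
APP_SERVICE_OUTBOUND = ["198.51.100.0/28"]                   # App Service outbound IP range


def build_allowlist(entries: Iterable[str]) -> list[Network]:
    """Accept single IPs ("203.0.113.10") or CIDRs ("198.51.100.0/28").
    strict=False turns a bare host address into a /32 (or /128) network."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def is_allowed(src_ip: str, allowlist: list[Network]) -> bool:
    """True when the observed source address falls inside any allowlisted network.
    Malformed input is rejected instead of raising, so a bad value cannot
    short-circuit the check; a mismatched IP version simply never matches."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


def nftables_rules(allowlist: list[Network], port: int) -> list[str]:
    """Render the allowlist as nft(8) commands: accept the SNAT sources on the
    service port and drop every other source on that port. Assumes a table
    'inet filter' with an 'input' chain already exists (hypothetical layout)."""
    rules = []
    for family, version in (("ip", 4), ("ip6", 6)):
        nets = [str(n) for n in allowlist if n.version == version]
        if nets:  # emit a separate rule per address family
            rules.append(f"add rule inet filter input tcp dport {port} "
                         f"{family} saddr {{ {', '.join(nets)} }} accept")
    rules.append(f"add rule inet filter input tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    allow = build_allowlist(AZURE_FIREWALL_SNAT_IPS + APP_SERVICE_OUTBOUND)
    print(is_allowed("203.0.113.11", allow), is_allowed("192.0.2.5", allow))
    print("\n".join(nftables_rules(allow, 443)))
```

As the answer notes, the tenant is irrelevant: the check keys on the specific SNAT addresses the customer's Azure Firewall or App Service actually uses, so each customer supplies its own IPs and the list must be updated when they change.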