Best Methods for Diagnosing Azure Hosted Web App Communication Issues by Adjusting or Disabling Firewall Settings

KindCompute-6524 95 Reputation points
2024-07-21T13:16:22.1833333+00:00

Hi community,

For a web app on Azure constructed using various Azure services, the design typically blocks a lot of communication for security reasons. However, to diagnose issues, it's necessary to allow inbound and outbound communication. I am wondering which method is best to enforce the firewall to allow all communication in and out. An issue has occurred, and the hypothesis is that it may be due to the firewall.

Should we create a network rule and an application rule with wildcard (*) for the source, port, and destination, or should we disable the firewall completely? If so, could you please suggest a method to disable the firewall, as there is no disable button on the Azure portal for the firewall?

Tags: Azure Firewall, Azure Web Application Firewall, Azure Firewall Manager

2 answers

  1. KapilAnanth-MSFT 46,681 Reputation points Microsoft Employee
    2024-07-22T03:43:24.0733333+00:00

    @KindCompute ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    I see you have an Azure Firewall acting as a Virtual Appliance.

    If you want to know whether traffic is blocked or allowed:

    • You have to check the Azure Firewall logs.
    • You can filter based on the source IP, source port (if you are aware of it), destination IP/hostname and destination port.
    • This will tell you whether the packet reached the Firewall in the first place, and if it did, whether Azure Firewall allowed or blocked the traffic.

    Regarding "Should we create a network rule and an application rule with wildcard (*) for the source, port, and destination":

    • This can be done if you are in a development environment
    • Make sure that you also consider other environments that might be using this Firewall for filtering and they may allow all traffic because of this rule.
    • Even in this case, you can filter traffic for the actual issue as mentioned above.

    You may run the below query for complete Azure Firewall logs (Network + Application logs)

    AzureDiagnostics
    | where ResourceType == "AZUREFIREWALLS"
    

    Cheers,

    Kapil

    1 person found this answer helpful.
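The answer above says the firewall logs, filtered by source, destination and port, tell you whether a flow reached Azure Firewall and, if so, which rule allowed or denied it. The script below is an added illustration, not code from the answer or from Microsoft: it parses a handful of constructed records written in the style of the `msg_s` field of Azure Firewall network and application rule logs (the exact wording of your own log lines may differ, so the regular expression is an assumption to adjust) and gives the verdict for one flow. The last record shows why the answer's caveat matters: a wildcard "allow all" collection (named `dev-allow-all` here, a made-up name) still shows up in the log, so you can still see which rule matched.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records, written in the style of the msg_s field of the
# AzureDiagnostics network/application rule logs. The format is an assumption;
# check it against a real log line before relying on the regex below.
SAMPLE_LOG = [
    "TCP request from 10.0.1.4:52110 to 20.50.2.3:443. Action: Allow. Rule Collection: app-egress. Rule: allow-https",
    "TCP request from 10.0.1.4:52111 to 10.0.2.5:1433. Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.0.1.4:52112 to api.example.com:443. Action: Deny. No rule matched. Proceeding with default action",
    "UDP request from 10.0.1.4:53010 to 168.63.129.16:53. Action: Allow. Rule Collection: dns. Rule: allow-dns",
    "TCP request from 10.0.3.9:40001 to 10.0.2.5:1433. Action: Allow. Rule Collection: dev-allow-all. Rule: any-any",
]

# IPv4 addresses and hostnames only; IPv6 sources would need a different pattern.
LINE_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\."
    r"(?: Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"
)


@dataclass
class FlowRecord:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str
    collection: Optional[str]  # None when no rule matched (default action applied)
    rule: Optional[str]


def parse_line(line: str) -> Optional[FlowRecord]:
    """Parse one msg_s-style line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return FlowRecord(
        proto=m["proto"],
        src=m["src"],
        sport=int(m["sport"]),
        dst=m["dst"],
        dport=int(m["dport"]),
        action=m["action"],
        collection=m["collection"],
        rule=m["rule"],
    )


def parse_log(lines: List[str]) -> List[FlowRecord]:
    return [r for r in (parse_line(l) for l in lines) if r is not None]


def find_flows(records: List[FlowRecord], src: Optional[str] = None,
               dst: Optional[str] = None, dport: Optional[int] = None) -> List[FlowRecord]:
    """Filter records the way the answer describes: by source, destination and port."""
    return [
        r for r in records
        if (src is None or r.src == src)
        and (dst is None or r.dst == dst)
        and (dport is None or r.dport == dport)
    ]


def verdict(records: List[FlowRecord], src: str, dst: str, dport: int) -> str:
    """Did the flow reach the firewall, and if so what did the firewall do with it?"""
    hits = find_flows(records, src=src, dst=dst, dport=dport)
    if not hits:
        # Nothing logged: the packet never reached Azure Firewall (routing/NSG/app issue).
        return "not seen at the firewall"
    last = hits[-1]  # most recent record for that flow
    if last.collection:
        return f"{last.action} (Rule Collection: {last.collection}, Rule: {last.rule})"
    return f"{last.action} (no rule matched)"


def summarize(records: List[FlowRecord]) -> Dict[str, int]:
    """Count Allow/Deny decisions, useful as a first pass over a large export."""
    return dict(Counter(r.action for r in records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print(verdict(recs, "10.0.1.4", "10.0.2.5", 1433))   # denied, no rule matched
    print(verdict(recs, "10.0.3.9", "10.0.2.5", 1433))   # allowed by the wildcard collection
    print(verdict(recs, "10.0.1.4", "10.0.9.9", 22))     # never reached the firewall
```

Run it against an export of the `AzureDiagnostics | where ResourceType == "AZUREFIREWALLS"` query results (one `msg_s` value per line). A flow that is "not seen at the firewall" points away from the firewall rules and toward routing, NSGs or the application itself, which is the distinction the answer draws.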

  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.


