When I send traffic to the firewall, my host cannot reach any powerapps

JohnSebastian-3934 421

I have a Firewall Policy that has several Network and Application Rulesets.

The host2 I'm having problems from are 10.0.3.6 , 10.0.3.8 and 10.0.5.4 on different subnets.

I have IP Groups setup for the 10.0.3.* and the 10.0.5.* hosts.

In my Network rules, I have a rule assigned to both IP Groups that allows access to several destination service tags including: Azure Cloud, AzureCloud.WestUS2 and PowerPlatformInfra. I really don't know exactly what these tags allow access to but they seemed right.

I then have an Application Rule for the same IP Groups that allows access to the FQDN of *.apps.gov.powerapps.us.

Currently, all machines in the 10.0.3.* subnet are connected to a Route Table with a rule that sends 0.0.0.0/0 to the internal IP address of the Firewall

There is NO route table rule associated with the 10.0.5.4 host so it's traffic goes directly to the internet.

When I try to access PowerApps which is found with this URL https://apps.gov.powerapps.us/play/e/6861e5c2..... from the 10.0.3.* hosts which route through the firewall, the PowerApps are unable to load.

When I try the same URLs on my 10.0.5.4, they load with no issue.

If I query the Azure Firewall Logs in Log Analytics, I see some denies in the AZFWNetworkRule table from my 10.0.3.6 IP addresses of 142.251.211.228 and some other addresses that appear to be owned by Google but nothing to Microsoft.

If I then query the AZFWApplicaionRule for the same 10.0.3.* hosts looking for Deny, I see no records returned.

Can someone help me figure out what I need to get https requests to https://apps.gov.powerapps.us/play/e.... working through the Azure Firewall Policy?

Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-09-20T09:44:13.4433333+00:00
Hi @JohnSebastian-3934,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

As you have mentioned above, you are trying to access the "https://apps.gov.powerapps.us/play/e/6861e5c2" from 10.0.3.* host and it is unable to load and there is no rule set is associated with 10.0.5.4, so it is redirecting to your website without any issues because of 2nd route (Vnet to Internet) of the default route table.

Please re-check below steps once:

Does your host (10.0.3.6) have the DNAT rule configured? If not, please configure a DNAT rule first.

Please cross verify once again the route which is associated with the host (10.0.3.*). verify the address prefix destination (IP address/ Service tag of your power apps URL), next hope type (Virtual appliance) and next hope address (Firewall Private IP). Also verify that there are no specific deny rules within the Azure Firewall affecting accessibility to PowerApps.

Have you configured FQDN tags or Target FQDNs in Application rule of Firewall with prioritized? If it is Target FQDN, please verify once on Source (Host IP), Protocol: Port (HTTP, HTTPs) and Target FQDNs (Power Apps URL).

Please turn of the "IE Enhanced Security Configuration" and Windows Firewall.

Please let us know what kind of an error you are getting while accessing the PowerApps from the host. If possible, provide a screenshot of the error.

Kindly let us know if the above helps or you need further assistance on this issue.

Thanks,

Sai Prasanna.
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-09-23T00:58:22.52+00:00

Hi @JohnSebastian-3934,

Hope you are having a great day.

Just checking in to see if you have got a chance to see my response to your question in resolving the issue.

If you are still facing any further issues, please don't hesitate to reach out to us. We are happy to assist you.

Looking forward to your response and appreciate your time on this.

Thanks,

Sai Prasanna.
JohnSebastian-3934 421 Reputation points

2024-09-23T15:29:27.7633333+00:00

Thank you for responding.

Answer to 1: I don't understand how a DNAT rule is going to allow me to access Powerapps. DNAT rules want destination IP addresses. I don't know what the destination IP Addresses are for all of Powerapps. The documentation from Microsoft appears to list URLS but not IP ranges. https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls

Answer to 2: I have a route table named Firewall-rt. This route table has a route for 0.0.0.0/0 and sends all traffic to the internal IP address of my Azure Firewall. I also have the sub-net 10.0.3.0/24 assigned to this route table. So I have verified that any host in the 10.0.3.0/24 range are sending traffic through the firewall. When I remove sub-net 10.0.3.0/24 from that route table, all of my PowerApps work on hosts in the 10.0.3.0/24 range but when I associate the sub-net back with the route table, I receive "We could not retrieve your app" errors trying to run the PowerApps applications.

Answer to 3: The first thing I tried was configuring a Network rule because those are processed before Application Rules. I have an IP Group named WVD_IP_Group which includes 10.0.3.0/24. This IP Group is used in the Network rule. The Network rule assigns as a source type an IP Group and I have the WVD_IP_Group assigned to the rule. On the destination side of this rule, I selected Service Tags and right now I have three Service Tags selected: Azure Cloud, AzureCloud.westus2 and PowerAppsInfra. For the protocol I have UDP and TCP selected and for the Port I have * selected. I don’t know exactly what PowerAppsInfra service tag gives me access to. Should this be sufficient to access Power Apps in the GCC environment?

So far this does not work.

Assuming that no rules matched in the Network Rules section, I assume that the Policy will then go on to the Application Rules section looking for a rule that allows the traffic. I believe this is how it works but the docs are not clear.

So in my Application Rules section I have two Rule Collection Groups, one with priority 950 and the second with priority 1300. As I understand it, priority 950 will be reviewed first and then the priority 1300.

I have two rules in the Rule Collection Group with priority 950.

The first rule is used to turn off TLS Inspection to a list of Microsoft FQDNs .microsoft.com,.office.com,.azure.com,windowsupdate.com,.windows.net,.qualys.com,*.dev.azure.com

This rule is required because of an issue because of the hosting environment for many Microsoft sites is seeing TLS inspection as an attack and denying traffic. This was confirmed via a ticket with Microsoft and the recommendation was to turn off TLS inspection to many Microsoft sites. The protocol included in this rule is http:80 and https:443 and I have an IP Group that includes ALL IP Addresses in my Azure V-NET. The TLS inspection setting is turned off for this rule.

The second application rule in priority 950 is for allowing access to Powerapps. I have my WVD_IP_Group assigned to this rule. The destination type for this rule is FQDN and I used the entire list of FQDNs that are published in the Powerapps documentation found here: https://learn.microsoft.com/en-us/power-platform/admin/powerapps-us-government#power-apps-us-government-service-urls

The FQDNs included in this rule are: .play.apps.appsplatform.us,.apps.powerapps.gov.us,.make.gov.powerapps.us,.gov.flow.microsoft.us,.gcc.admin.powerplatform.microsoft.us,.microsoft.us,.powerapps.us,.azure-apihub.us,.azure.net,.azure.us,.azureedge.net,.usgovcloudapi.net,.microsoftonline.com,.microsoft.com,.windows.net,.crm9.dynamics.com,*.dynamics365portals.us

TLS Inspection is turned on and the protocol is http:80 and https:443

Even with this rule , the PowerApps do not load.

Answer to 4: Can you elaborate what the IE Enhanced Security Configuration will do if I turn it on in the hosts that are affected? Is this supposed to generate more info into the system error logs? I'm not sure what the purpose of this suggestion is.

Answer 5: I am uploading a screen shotPowerAppsLoadProblem.jpg
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-09-25T04:21:55.6833333+00:00

Hi @JohnSebastian-3934,

Sorry for the delay.

We are reaching out to the internal team to get more information related to your query and will get back to you as soon as we have an update.

Your patience is highly appreciated.

Thanks.
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-10-04T02:28:56.59+00:00

Hi @JohnSebastian-3934,

Thank you for your patience.

Your issue is being addressed here: https://learn.microsoft.com/en-us/answers/questions/2076754/when-i-send-traffic-to-the-firewall-my-host-cannot?comment=question&source=docs

Thanks,

Sai Prasanna.
JohnSebastian-3934 421 Reputation points

2024-10-04T13:38:04.03+00:00

I have resolved this issue. I had two rules within the Rule Collection Group with a priority of 950. There were two rules in that collection with a priority of 900. I suspect that one of the rules was matching instead of the one I wanted to match.

Instead, I created a whole Rule Collection Group at priority of 850 and put the rule matching all of the power apps FQDNs into that thus forcing a match with the 850 priority before a match in the 900 priority.

I have to say that the way the Azure Firewall Policy rules processing was designed is way too over complicated and confusing. Priorities within priorities within automatic and overriding parent processing with automatic DNAT, NETWORK, APPLICATION processing to figure out what is allowed or denied is a total confusing mess. And as far as I understand, there is no debugger to allow me to provide a URL to the policy and have it report back to me the exact flow of processing it takes to make a decision along with what the decision is. This is a poorly designed product.

This ticket is resolved.
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-10-07T01:16:35.8633333+00:00

Hi @JohnSebastian-3934 ,

Hope you are having a great day!

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Please 'Upvote' and 'Accept answer' so that others experiencing the same thing can easily reference this.

Your contribution is highly appreciated.

Thanks,

Sai Prasanna.

Accepted answer

Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-10-04T13:51:09.5433333+00:00

Hi@JohnSebastian-3934,

Thank you for getting back.

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer.

Issue:

When I send traffic to the firewall, my host cannot reach any PowerApps

Solution:

I have resolved this issue. I had two rules within the Rule Collection Group with a priority of 950. There were two rules in that collection with a priority of 900. I suspect that one of the rules was matching instead of the one I wanted to match.

Instead, I created a whole Rule Collection Group at priority of 850 and put the rule matching all of the power apps FQDNs into that thus forcing a match with the 850 priorities before a match in the 900 priorities.

I have to say that the way the Azure Firewall Policy rules processing was designed is way too over complicated and confusing. Priorities within priorities within automatic and overriding parent processing with automatic DNAT, NETWORK, APPLICATION processing to figure out what is allowed or denied is a total confusing mess. And as far as I understand, there is no debugger to allow me to provide a URL to the policy and have it report back to me the exact flow of processing it takes to make a decision along with what the decision is. This is a poorly designed product.

Please Don't forget to 'Upvote' and 'Accept answer' so that others experiencing the same thing can easily reference this.

Your contribution is highly appreciated.

Best Regards,

Sai Prasanna.
Please sign in to rate this answer.

1 person found this answer helpful.
Sai Prasanna Sinde (Quadrant Resource LLC) 680 Reputation points Microsoft Vendor

2024-10-08T03:29:23.2833333+00:00

Hi @JohnSebastian-3934 ,

Hope you are having a great day!

I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!

Please 'Upvote' and 'Accept answer' so that others experiencing the same thing can easily reference this.

Your contribution is highly appreciated.

Thanks,

Sai Prasanna.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

When I send traffic to the firewall, my host cannot reach any powerapps

0 additional answers

Your answer