When I send traffic to the firewall, my host cannot reach any powerapps

JohnSebastian-3934 391 Reputation points
2024-09-19T21:28:53.8533333+00:00

I have a Firewall Policy that has several Network and Application Rulesets.

The host2 I'm having problems from are 10.0.3.6 , 10.0.3.8 and 10.0.5.4 on different subnets.

I have IP Groups setup for the 10.0.3.* and the 10.0.5.* hosts.

In my Network rules, I have a rule assigned to both IP Groups that allows access to several destination service tags including: Azure Cloud, AzureCloud.WestUS2 and PowerPlatformInfra. I really don't know exactly what these tags allow access to but they seemed right.

I then have an Application Rule for the same IP Groups that allows access to the FQDN of *.apps.gov.powerapps.us.

Currently, all machines in the 10.0.3.* subnet are connected to a Route Table with a rule that sends 0.0.0.0/0 to the internal IP address of the Firewall

There is NO route table rule associated with the 10.0.5.4 host so it's traffic goes directly to the internet.

When I try to access PowerApps which is found with this URL https://apps.gov.powerapps.us/play/e/6861e5c2..... from the 10.0.3.* hosts which route through the firewall, the PowerApps are unable to load.

When I try the same URLs on my 10.0.5.4, they load with no issue.

If I query the Azure Firewall Logs in Log Analytics, I see some denies in the AZFWNetworkRule table from my 10.0.3.6 IP addresses of 142.251.211.228 and some other addresses that appear to be owned by Google but nothing to Microsoft.

If I then query the AZFWApplicaionRule for the same 10.0.3.* hosts looking for Deny, I see no records returned.

Can someone help me figure out what I need to get https requests to https://apps.gov.powerapps.us/play/e.... working through the Azure Firewall Policy?

Azure Firewall
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
666 questions
{count} votes

Accepted answer
  1. Sai Prasanna Sinde (Quadrant Resource LLC) 425 Reputation points Microsoft Vendor
    2024-10-04T13:51:09.5433333+00:00

    Hi@JohnSebastian-3934,

    Thank you for getting back.

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to accept the answer.

    Issue:

    When I send traffic to the firewall, my host cannot reach any PowerApps

    Solution:

    I have resolved this issue. I had two rules within the Rule Collection Group with a priority of 950. There were two rules in that collection with a priority of 900. I suspect that one of the rules was matching instead of the one I wanted to match.

    Instead, I created a whole Rule Collection Group at priority of 850 and put the rule matching all of the power apps FQDNs into that thus forcing a match with the 850 priorities before a match in the 900 priorities.

    I have to say that the way the Azure Firewall Policy rules processing was designed is way too over complicated and confusing. Priorities within priorities within automatic and overriding parent processing with automatic DNAT, NETWORK, APPLICATION processing to figure out what is allowed or denied is a total confusing mess. And as far as I understand, there is no debugger to allow me to provide a URL to the policy and have it report back to me the exact flow of processing it takes to make a decision along with what the decision is. This is a poorly designed product.

    Please Don't forget to 'Upvote' and 'Accept answer' so that others experiencing the same thing can easily reference this.

    Your contribution is highly appreciated.

    Best Regards,

    Sai Prasanna.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.