Controlling public URLs Domain Controllers in Azure can access

Question

Controlling public URLs Domain Controllers in Azure can access

Bojan Zivkovic 606

Hi, if company agrees to pay, my plan is to replace aging physical DCs on-prem with DCs in Azure. On-prem, we use Squid Proxy to control public URLs Domain Controllers can access (URLs for Defender for Identity, Defender for Endpoint, Rapid7 ...) - what would be the best way of doing so on DCs in Azure using some Azure solution (maybe Azure Firewall is a good candidate) or it is better to treat DCs in Azure as if they are on-prem and point them to use internal Squid Proxy thereby saving money. I guess by using Squid Proxy in Azure I would not get anything new compared to using Squid Proxy already on-prem.

Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-28T03:01:48.3733333+00:00
Hi Bojan Zivkovic,
Here are few options for your problem: -
Use Azure Firewall:

Allow traffic only to approved FQDNs (Fully Qualified Domain Names) using FQDN filtering.

Log all denied/allowed traffic.

Apply network and application rules.

Use "Azure Firewall Basic" which is cheaper than Premium/Standard.

Deploy Squid Proxy in Azure:

Same features you’re used to.

Avoid latency and VPN dependencies.

You need to manage it (patching, availability, logging).

Low cost compared to Azure Firewall.

And for "Should you turn OS firewall off?" - don't turn off OS firewall unless there's a specific reason as unlike NSGs or Azure Firewall, OS firewalls handle traffic that reaches the VM. They are your last line of defense. While using Azure firewalls adjusting Windows Firewall rules to avoid conflicts would be sufficient in this case.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Bojan Zivkovic 606 Reputation points

2025-05-28T07:10:21.07+00:00

Hm, I do not have experience with Azure Firewall but having deployed Azure VM in test env where NSG was allowing ICMP for instance, I could not ping on-premises servers from Azure VM (S2S VPN connection in place) until I turned off OS level FW on Azure VM (I could have allowed ICMP in OS level FW but not fan of having same FW rules in multiple places - NSG and OS level FW). Since Azure Firewall by default does not allow anything, having same rule for some communication defined in multiple places (Azure FW, NSG and OS FW) looks very awkward in my opinion.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-28T09:56:02.3366667+00:00

Hi Bojan Zivkovic,
It is awkward to define the same rule in multiple places — but that’s the trade-off for layered security.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Bojan Zivkovic 606 Reputation points

2025-05-28T10:08:46.2566667+00:00

Well, I really like what Azure Firewall Premium SKU can do but honestly, it is very expensive.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-28T11:59:30.8966667+00:00

Hi Bojan Zivkovic,
Choose the right Azure Firewall version to meet your needs by looking into the below links and compare the costs also
https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku
https://azure.microsoft.com/en-in/pricing/details/azure-firewall/
It is suggested to choose based on both cost and requirements and by following the above links you can try to justify the cost to you company.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-29T04:03:07.42+00:00

Hi Bojan Zivkovic,
Just checking in to see if you need any further assistance.

Feel free to reach out if you have any further queries.

If you found the information useful in my previous comment, please click "Upvote" on the post to let us know.

Thank You.

1 answer

Your answer

Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-28T03:01:48.3733333+00:00

Hi Bojan Zivkovic,
Here are few options for your problem: -
Use Azure Firewall:

Allow traffic only to approved FQDNs (Fully Qualified Domain Names) using FQDN filtering.

Log all denied/allowed traffic.

Apply network and application rules.

Use "Azure Firewall Basic" which is cheaper than Premium/Standard.

Deploy Squid Proxy in Azure:

Same features you’re used to.

Avoid latency and VPN dependencies.

You need to manage it (patching, availability, logging).

Low cost compared to Azure Firewall.

And for "Should you turn OS firewall off?" - don't turn off OS firewall unless there's a specific reason as unlike NSGs or Azure Firewall, OS firewalls handle traffic that reaches the VM. They are your last line of defense. While using Azure firewalls adjusting Windows Firewall rules to avoid conflicts would be sufficient in this case.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Bojan Zivkovic 606 Reputation points

2025-05-28T07:10:21.07+00:00

Hm, I do not have experience with Azure Firewall but having deployed Azure VM in test env where NSG was allowing ICMP for instance, I could not ping on-premises servers from Azure VM (S2S VPN connection in place) until I turned off OS level FW on Azure VM (I could have allowed ICMP in OS level FW but not fan of having same FW rules in multiple places - NSG and OS level FW). Since Azure Firewall by default does not allow anything, having same rule for some communication defined in multiple places (Azure FW, NSG and OS FW) looks very awkward in my opinion.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-28T09:56:02.3366667+00:00

Hi Bojan Zivkovic,
It is awkward to define the same rule in multiple places — but that’s the trade-off for layered security.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Bojan Zivkovic 606 Reputation points

2025-05-28T10:08:46.2566667+00:00

Well, I really like what Azure Firewall Premium SKU can do but honestly, it is very expensive.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-28T11:59:30.8966667+00:00

Hi Bojan Zivkovic,
Choose the right Azure Firewall version to meet your needs by looking into the below links and compare the costs also
https://learn.microsoft.com/en-us/azure/firewall/choose-firewall-sku
https://azure.microsoft.com/en-in/pricing/details/azure-firewall/
It is suggested to choose based on both cost and requirements and by following the above links you can try to justify the cost to you company.

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.
Vamsi Ram Annepu 915 Reputation points Microsoft External Staff Moderator

2025-05-29T04:03:07.42+00:00

Hi Bojan Zivkovic,
Just checking in to see if you need any further assistance.

Feel free to reach out if you have any further queries.

If you found the information useful in my previous comment, please click "Upvote" on the post to let us know.

Thank You.

Answer 1

Hi Bojan Zivkovic,
As you want to replace on-prem DCs with Azure-based DCs with controlling public URL access crucial for security you can either Squid Proxy in Azure or explore alternatives like Azure Firewall.

Here’s a breakdown
"Using Azure Firewall" could be a strong candidate for controlling access to public URLs. Azure Firewall allows you to create rules based on fully qualified domain names (FQDNs) and supports application-level filtering, which might be beneficial for your specific use case regarding Defender for Identity and other services. It can also simplify management by integrating with Azure Defender and Azure Monitor. It may cost more but gives you Scalability for future expansion.

If you already have a working configuration with "Squid Proxy on-prem", you might find it cost-effective to set up a Squid Proxy in Azure as well. However, as you mentioned, this approach might not offer any significant new features compared to what you already have. You would still need to maintain the infrastructure and ensure it’s secured and scalable.

You might also consider a "hybrid approach", where you use both Azure Firewall for managing access to critical services and Squid Proxy for other less sensitive traffic.

We can suggest you better if you could provide us with more information such as
What specific URLs or services do your DCs need access to?
Are there any performance considerations or constraints we should be aware of regarding the use of Squid Proxy in Azure vs. Azure Firewall?

Feel free to reach out if you have any further queries.

If you found the information useful, please click "Upvote" on the post to let us know.

Thank You.

Bojan Zivkovic 606 Reputation points

2025-05-27T09:34:45.8233333+00:00

Hi, some of these URLs/services are Defender for Identity, Defender for Endpoint, Entra Connect Health Agent, Rapid7 ... I would like these URLs whitelisted so all other URLs would be blocked. Azure Firewall looks tempting but is not cheap and I need to justify every single $ (speaking of Azure Firewall, would firewall on the OS level have any impact/should it be turned off altogether as I had to with NSG).

Share via

Controlling public URLs Domain Controllers in Azure can access

1 answer

Your answer