Controlling outbound URLs through NSG

Question

Wednesday, October 26, 2016 4:30 PM

I need to achieve a scenario where an Azure VM could make outbound connections only to specific URLs.

I see a couple of ways to do it:

1. Configuring a host-based firewall

2. Installing a n/w security device and using UDRs to route traffic through it (force tunnel is out of the question as we have a single vNet cloud-only scenario)

What I was wondering is if we can use NSGs or any other Azure-provided construct to block traffic at the n/w or subnet level. NSGs seem to support IP addresses only (and not URLs, unless something is configurable through PowerShell).

Can someone confirm if NSG can be configured with URLs too? Or suggest any other Azure construct if NSG is not the answer?

https://www.linkedin.com/in/gangwar

All replies (3)

Thursday, October 27, 2016 7:20 AM ✅Answered

Hi,

You can't configure a URL-based firewall in an NSG.

Refer to the link:

https://blogs.msdn.microsoft.com/igorpag/2016/05/14/azure-network-security-groups-nsg-best-practices-and-lessons-learned/

Thanks

If this answer helps, please mark it as an answer.


Thursday, October 27, 2016 8:21 AM ✅Answered

Hi,

Based on my knowledge, an Azure NSG cannot be configured with a URL.

You could use an Azure NSG, but you need to use nslookup.exe, which is a network administration command-line tool available for many computer operating systems for querying the Domain Name System (DNS) to obtain a domain name or IP address mapping or any other specific DNS record.

You could configure the NSG rules as in the screenshot below:

If it does not meet your demand, maybe you can use firewall software, but your firewall should have a URL/Web filtering feature. You can configure a local filter with the URLs you mentioned, but you still need to define a traditional firewall policy first and attach your URL/Web filtering configuration to the policy.

If possible, you could create a site-to-site VPN between your Azure VM and the URL servers; it may meet your demand.

If you still have questions, welcome to post back here. Thanks.

Regards,

Walter



Thursday, October 27, 2016 4:15 PM

Thanks Kasun and Walter.

This answers my question about NSG and URLs.

I think I'll go with the nslookup route combined with other necessary IPs needed for healthy functioning, as mentioned below:

https://blogs.technet.microsoft.com/keithmayer/2016/01/12/step-by-step-automate-building-outbound-network-security-groups-rules-via-azure-resource-manager-arm-and-powershell/ 

https://www.linkedin.com/in/gangwar
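
The nslookup route discussed in this thread, as an added example (not code from any poster or from the linked blog posts): resolved addresses are turned into outbound NSG rules in the ARM `securityRules` shape, followed by an explicit deny, and a later lookup is compared to find addresses that changed. The hostnames and addresses are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import json
import socket

# Constructed lookup results (documentation address ranges), as if noted from nslookup.
SAMPLE = {"updates.example.com": ["203.0.113.10", "198.51.100.7"],
          "api.example.net": ["203.0.113.10"]}

def resolve(hosts, port=443):
    """Live IPv4 lookup of each hostname; the offline sample below does not call it."""
    return {h: sorted({i[4][0] for i in socket.getaddrinfo(h, port, socket.AF_INET)})
            for h in hosts}

def make_rule(name, access, priority, protocol, dest, port, description):
    """One outbound entry in the ARM securityRules shape."""
    return {"name": name, "properties": {
        "description": description, "direction": "Outbound", "access": access,
        "priority": priority, "protocol": protocol,
        "sourceAddressPrefix": "*", "sourcePortRange": "*",
        "destinationAddressPrefix": dest, "destinationPortRange": port}}

def build_outbound_rules(resolved, port=443, first_priority=100):
    """Allow each resolved IPv4 address on one TCP port, then deny the rest."""
    hosts_by_ip = {}
    for host, ips in resolved.items():
        for ip in ips:
            addr = str(ipaddress.IPv4Address(ip))  # ValueError on a malformed answer
            hosts_by_ip.setdefault(addr, set()).add(host)
    if first_priority + len(hosts_by_ip) > 4096:  # 4096 is kept for the deny rule
        raise ValueError("too many addresses for the NSG priority range")
    rules = [make_rule("Allow-Out-" + ip.replace(".", "-"), "Allow", first_priority + n,
                       "Tcp", ip + "/32", str(port), ",".join(sorted(hosts)))
             for n, (ip, hosts) in enumerate(sorted(hosts_by_ip.items()))]
    # Explicit deny sits above the default AllowInternetOutBound rule (priority 65001).
    rules.append(make_rule("Deny-Out-Internet", "Deny", 4096, "*", "Internet", "*",
                           "block all other Internet-bound traffic"))
    return rules

def drift(previous, current):
    """(to_add, to_remove): addresses that changed between two lookups."""
    old = {ip for ips in previous.values() for ip in ips}
    new = {ip for ips in current.values() for ip in ips}
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    print(json.dumps(build_outbound_rules(SAMPLE), indent=2))
```

Because the rules match addresses rather than names, any other site served from an allowed IP is also reachable, and the rules need rebuilding whenever `drift` reports a change.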