Access Azure services over Azure Firewall Explicit Proxy (Public Preview)

The Azure Firewall Explicit proxy feature can route all Azure Arc traffic securely through your private connection (ExpressRoute or Site-to-Site VPN) to Azure. This feature allows you to use Azure Arc without exposing your on-premises environment to the public internet.

This article explains the steps to configure Azure Firewall with the Explicit Proxy feature as the forward proxy for your Arc-enabled servers or Kubernetes resources.

Important

Azure Firewall Explicit proxy is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

How the Azure Firewall Explicit proxy feature works

Azure Arc agents can use a forward proxy to connect to Azure services. The Azure Firewall Explicit proxy feature enables you to use an Azure Firewall within your virtual network (VNet) as the forward proxy for your Arc agents.

As the Azure Firewall Explicit proxy operates within your private VNet, and you have a secure connection to it via ExpressRoute or Site-to-Site VPN, all Azure Arc traffic can be routed to its intended destination within the Microsoft network, without requiring any public internet access.

Restrictions and current limitations

  • This solution uses Azure Firewall Explicit proxy as a forward proxy. The Explicit proxy feature doesn't support TLS Inspection.
  • TLS certificates can't be applied to the Azure Firewall Explicit proxy.
  • This solution can't currently be used with Arc gateway for Azure Arc-enabled servers or Arc gateway for Arc-enabled Kubernetes.
  • This solution isn't currently supported by Azure Local or Azure Arc VMs running in Azure Local.

Azure Firewall costs

Azure Firewall pricing is based on deployment hours and total data processed. Details on pricing for Azure Firewall can be found on the Azure Firewall Pricing page.

Prerequisites and network requirements

To use this solution, you must have:

  • An existing Azure VNet.
  • An existing ExpressRoute or site-to-site VPN connection from your on-premises environment to your Azure VNet.

Configure the Azure Firewall

Follow these steps to enable the Explicit proxy feature on your Azure Firewall.

Create the Azure Firewall resource

If you have an existing Azure Firewall in your VNet, you can skip this section. Otherwise, follow these steps to create a new Azure Firewall resource.

  1. From your browser, sign in to the Azure portal and navigate to the Azure Firewalls page.
  2. Select Create to create a new firewall.
  3. Enter your Subscription, Resource group, Name, and Region.
  4. For the Firewall SKU, select Standard or Premium.
  5. Complete the rest of the Basics tab as needed for your configuration.
  6. Select Review + create, then select Create to create the firewall.

For more information, see Deploy and configure Azure Firewall.

Enable the Explicit proxy (preview) feature

  1. Navigate to your Azure Firewall resource, then go to the Firewall Policy.

  2. In Settings, navigate to the Explicit Proxy (Preview) pane.

  3. Select Enable Explicit Proxy.

  4. Enter the desired values for the HTTP and HTTPS ports.

    Note

    It's common to use 8080 for the HTTP Port, and 8443 for the HTTPS port.

  5. Select Apply to save the changes. 

Create an application rule

If you want to create an allowlist for your Azure Firewall Explicit proxy, you can optionally create an application rule to allow communication to the required endpoints for your scenarios.

  1. Navigate to the applicable firewall policy. 
  2. In Settings, navigate to the Application Rules pane. 
  3. Select Add a rule collection. 
  4. Provide a Name for the rule collection.
  5. Set the rule Priority based on other rules you may have.
  6. Provide a Name for the rule.
  7. For the Source, enter "*", or any source IPs you may have.
  8. Set Protocol as http:80,https:443. 
  9. Set Destination as a comma-separated list of URLs required for your scenario. For details on required URLs, see Azure Arc network requirements.
  10. Select Add to save the rule collection and rule. 

Set your Azure Firewall as the forward proxy

Follow these steps to set your Azure Firewall as the forward proxy for your Arc resources.

Arc-enabled servers

To set your Azure Firewall as the forward proxy while onboarding new Arc servers:

  1. Generate the onboarding script.
  2. Set Connectivity Method as Proxy Server, and set the Proxy Server URL as http://<Your Azure Firewall's Private IP>:<Explicit Proxy HTTPS Port>.
  3. Onboard your servers using the script.

To set the forward proxy for existing Arc-enabled servers, run the following command using the local Azure Connected Machine agent CLI:

Azure CLI
azcmagent config set proxy.url http://<Your Azure Firewall's Private IP>:<Explicit Proxy HTTPS Port>

Arc-enabled Kubernetes

To set your Azure Firewall as the forward proxy while onboarding new Kubernetes clusters, run the connect command with the proxy-https and proxy-http parameters specified:

Azure CLI
az connectedk8s connect --name <cluster-name> --resource-group <resource-group> --proxy-https http://<Your Azure Firewall's Private IP>:<Explicit Proxy HTTPS Port> --proxy-http http://<Your Azure Firewall's Private IP>:<Explicit Proxy HTTPS Port>

To set the forward proxy for existing Arc-enabled Kubernetes clusters, run the following command:

Azure CLI
az connectedk8s update --proxy-https http://<Your Azure Firewall's Private IP>:<Explicit Proxy HTTPS Port>

Troubleshooting

To verify that traffic is successfully being proxied via your Azure Firewall Explicit Proxy, first ensure that the Explicit proxy is accessible and working as expected from your network. To do so, run the following command, which sends the request through the proxy on the Explicit proxy port you configured: curl -x http://<Your Azure Firewall's Private IP>:<Explicit Proxy HTTPS Port> https://<target FQDN>
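The curl check above, together with the application rule allowlist described earlier in this article, can be exercised offline with the following added Python example. It is not part of this article or of any Microsoft tooling. It builds the proxy URL in the form the article uses, sends the same HTTP CONNECT request that curl -x sends and returns the status code the proxy answers with, and runs a constructed in-process mock proxy whose allowlist (management.azure.com and login.microsoftonline.com are constructed stand-ins for the FQDNs you would take from the Azure Arc network requirements) answers 200 for allowed FQDNs and 403 otherwise. The mock's behaviour is an assumption for demonstration only and does not model Azure Firewall's actual responses.

```python
import socket
import threading

# Constructed allowlist standing in for the application rule destinations
# (in a real deployment these come from the Azure Arc network requirements).
ALLOWED_FQDNS = {"management.azure.com", "login.microsoftonline.com"}


def build_proxy_url(firewall_private_ip: str, port: int) -> str:
    """Assemble the proxy URL in the form the article passes to azcmagent / az connectedk8s."""
    return f"http://{firewall_private_ip}:{port}"


def check_explicit_proxy(proxy_host, proxy_port, target_fqdn, target_port=443, timeout=5.0):
    """Send an HTTP CONNECT through the proxy, as 'curl -x' does, and return the reply status code."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        request = (f"CONNECT {target_fqdn}:{target_port} HTTP/1.1\r\n"
                   f"Host: {target_fqdn}:{target_port}\r\n\r\n")
        s.sendall(request.encode("ascii"))
        reply = b""
        while b"\r\n\r\n" not in reply:          # read up to the end of the response headers
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    status_line = reply.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed proxy reply: {status_line!r}")
    return int(parts[1])


class MockExplicitProxy:
    """Constructed stand-in for the Explicit proxy (assumption, not Azure Firewall behaviour):
    answers CONNECT with 200 for allowlisted FQDNs and 403 for anything else. It never
    tunnels bytes; it exists only so check_explicit_proxy can be exercised offline."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))       # ephemeral local port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:                      # listening socket closed
                return
            with conn:
                data = b""
                while b"\r\n\r\n" not in data:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                first = data.split(b"\r\n", 1)[0].decode("ascii", "replace").split()
                fqdn = first[1].rsplit(":", 1)[0] if len(first) >= 2 else ""
                if first and first[0] == "CONNECT" and fqdn in self.allowed:
                    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
                else:
                    conn.sendall(b"HTTP/1.1 403 Forbidden\r\n\r\n")

    def close(self):
        self.sock.close()


def run_demo():
    """Run the CONNECT check against the mock: one allowlisted FQDN, one that is not."""
    proxy = MockExplicitProxy(ALLOWED_FQDNS)
    try:
        allowed = check_explicit_proxy("127.0.0.1", proxy.port, "management.azure.com")
        denied = check_explicit_proxy("127.0.0.1", proxy.port, "example.invalid")
    finally:
        proxy.close()
    return allowed, denied


if __name__ == "__main__":
    print(build_proxy_url("10.0.1.4", 8443))   # constructed private IP and port
    print(run_demo())
```

Against a real deployment, call check_explicit_proxy with the firewall's private IP and the Explicit proxy HTTPS port from a machine on the on-premises side of your ExpressRoute or VPN connection. A 200 means the proxy accepted the CONNECT for that FQDN; any other status, or a connection error, points at the application rule destinations, the proxy ports, or the route to the firewall rather than at the Arc agent itself.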

Additionally, you can view the Azure Firewall Application rule logs to verify traffic. Explicit proxy relies on Application rules, so all the logs are available in the AZFWApplicationRules table, as shown in this example:

Screenshot showing the AZFWApplicationRule information.

You can use Azure Firewall Explicit proxy in conjunction with Azure Private Link. To use these solutions together, configure your environment so that traffic to endpoints that don't support Private Link routes via the Explicit proxy, while traffic to Azure Arc endpoints that do support Private Link bypasses the Explicit proxy and goes directly to the relevant private endpoint.

Next steps