Access Azure services over Azure Firewall Explicit Proxy (Public Preview)
The Azure Firewall Explicit proxy feature can route all Azure Arc traffic securely through your private connection (ExpressRoute or Site-to-Site VPN) to Azure. This feature allows you to use Azure Arc without exposing your on-premises environment to the public internet.
This article explains the steps to configure Azure Firewall with the Explicit Proxy feature as the forward proxy for your Arc-enabled servers or Kubernetes resources.
Important
Azure Firewall Explicit proxy is currently in PREVIEW.
See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
How the Azure Firewall Explicit proxy feature works
Azure Arc agents can use a forward proxy to connect to Azure services. The Azure Firewall Explicit proxy feature enables you to use an Azure Firewall within your virtual network (VNet) as the forward proxy for your Arc agents.
As the Azure Firewall Explicit proxy operates within your private VNet, and you have a secure connection to it via ExpressRoute or Site-to-Site VPN, all Azure Arc traffic can be routed to its intended destination within the Microsoft network, without requiring any public internet access.
Restrictions and current limitations
This solution uses Azure Firewall Explicit proxy as a forward proxy. The Explicit proxy feature doesn't support TLS inspection: HTTPS requests are tunneled (HTTP CONNECT) and the TLS session stays end to end between the Arc agent and the Azure endpoint, so the firewall can filter on the target FQDN and port but can't see the request contents.
TLS certificates can't be applied to the Azure Firewall Explicit proxy listener itself. Agents therefore connect to the proxy over plain HTTP, and the proxy URL they're configured with uses the http:// scheme even for the HTTPS port.
This solution isn't currently supported by Azure Local or Azure Arc VMs running in Azure Local.
Azure Firewall costs
Azure Firewall pricing is based on deployment hours and total data processed. Details on pricing for Azure Firewall can be found on the Azure Firewall Pricing page.
Prerequisites and network requirements
To use this solution, you must have:
An existing Azure VNet.
An existing ExpressRoute or site-to-site VPN connection from your on-premises environment to your Azure VNet.
Configure the Azure Firewall
Follow these steps to enable the Explicit proxy feature on your Azure Firewall.
Create the Azure Firewall resource
If you have an existing Azure Firewall in your VNet, you can skip this section. Otherwise, create a new Azure Firewall resource in that VNet and attach a Firewall Policy to it before continuing; the Explicit proxy settings are configured on the policy.
Enable the Explicit proxy
Navigate to your Azure Firewall resource, then go to the Firewall Policy.
In Settings, navigate to the Explicit Proxy (Preview) pane.
Select Enable Explicit Proxy.
Enter the desired values for the HTTP and HTTPS ports.
Note
It's common to use 8080 for the HTTP Port, and 8443 for the HTTPS port.
Select Apply to save the changes.
Create an application rule
If you want to create an allowlist for your Azure Firewall Explicit proxy, you can optionally create an application rule that allows communication only to the endpoints required for your scenarios. Without a matching allow rule, the firewall's default deny applies to proxied requests.
Navigate to the applicable firewall policy.
In Settings, navigate to the Application Rules pane.
Select Add a rule collection.
Provide a Name for the rule collection.
Set the rule Priority based on other rules you may have.
Provide a Name for the rule.
For the Source, enter the on-premises address ranges that should be allowed to use the proxy, or "*" to allow any source.
Set Protocol as http:80,https:443.
Set Destination as a comma-separated list of URLs required for your scenario. For details on required URLs, see Azure Arc network requirements.
Select Add to save the rule collection and rule.
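The same configuration as an Azure CLI script, added here as an example that is not part of the original article. It assumes the azure-firewall CLI extension is installed, a Firewall Policy named in FIREWALL_POLICY is already attached to the firewall, the 8080/8443 ports from the note above, placeholder resource names, and a subset of the Arc-enabled servers endpoints (take the complete list from the Azure Arc network requirements). The shorthand keys passed to --explicit-proxy are assumed from the extension's documentation; confirm them with `az network firewall policy update --help` for your extension version.

```shell
#!/usr/bin/env bash
# Added example (not from the article): enable Azure Firewall Explicit proxy on a
# Firewall Policy and add an Arc allowlist rule collection with Azure CLI.
# set -f disables globbing so wildcard FQDNs like *.his.arc.azure.com survive.
set -euf

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-hub}"         # assumed
FIREWALL_POLICY="${FIREWALL_POLICY:-fwpol-hub}"     # assumed, attached to the firewall
ONPREM_CIDRS="${ONPREM_CIDRS:-10.10.0.0/16}"        # assumed on-prem ranges; "*" allows any source
HTTP_PORT="${HTTP_PORT:-8080}"
HTTPS_PORT="${HTTPS_PORT:-8443}"

# Subset of the Arc-enabled servers endpoints, one per line. Take the full list
# for your scenario from the Azure Arc network requirements.
arc_target_fqdns() {
  printf '%s\n' \
    management.azure.com \
    login.microsoftonline.com \
    login.windows.net \
    pas.windows.net \
    '*.his.arc.azure.com' \
    '*.guestconfiguration.azure.com' \
    guestnotificationservice.azure.com \
    '*.guestnotificationservice.azure.com' \
    '*.servicebus.windows.net' \
    '*.blob.core.windows.net' \
    packages.microsoft.com \
    download.microsoft.com \
    aka.ms
}

# The portal rejects bad port values; do the same before calling the API.
validate_ports() {  # validate_ports <http_port> <https_port>
  local http="$1" https="$2" p
  for p in "$http" "$https"; do
    case "$p" in
      ''|*[!0-9]*) echo "port '$p' is not numeric" >&2; return 1 ;;
    esac
    if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
      echo "port '$p' out of range" >&2; return 1
    fi
  done
  if [ "$http" -eq "$https" ]; then
    echo "HTTP and HTTPS proxy ports must differ" >&2; return 1
  fi
}

enable_explicit_proxy() {
  validate_ports "$HTTP_PORT" "$HTTPS_PORT"
  # Shorthand syntax of the azure-firewall extension (assumed; check --help).
  az network firewall policy update \
    --resource-group "$RESOURCE_GROUP" --name "$FIREWALL_POLICY" \
    --explicit-proxy enable-explicit-proxy=true \
                     http-port="$HTTP_PORT" https-port="$HTTPS_PORT"
}

add_arc_allowlist() {
  # A rule collection group, then an Allow application rule collection in it.
  az network firewall policy rule-collection-group create \
    --resource-group "$RESOURCE_GROUP" --policy-name "$FIREWALL_POLICY" \
    --name "rcg-arc" --priority 200
  # Word-splitting of $ONPREM_CIDRS and the FQDN list is intentional.
  az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RESOURCE_GROUP" --policy-name "$FIREWALL_POLICY" \
    --rule-collection-group-name "rcg-arc" \
    --name "allow-arc-endpoints" --collection-priority 100 --action Allow \
    --rule-name "arc-endpoints" --rule-type ApplicationRule \
    --protocols Http=80 Https=443 \
    --source-addresses $ONPREM_CIDRS \
    --target-fqdns $(arc_target_fqdns)
}

# Only talk to Azure when explicitly asked, so the file can be sourced safely.
if [ "${RUN_LIVE:-}" = "1" ]; then
  enable_explicit_proxy
  add_arc_allowlist
fi
```

Run it with `RUN_LIVE=1 RESOURCE_GROUP=... FIREWALL_POLICY=... ./enable-arc-proxy.sh` after `az login`. Restricting --source-addresses to your on-premises ranges rather than "*" keeps any other VNet-connected host from using the proxy as an exit to the allowlisted FQDNs.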
Set your Azure Firewall as the forward proxy
Follow these steps to set your Azure Firewall as the forward proxy for your Arc resources.
Arc-enabled servers
To set your Azure Firewall as the forward proxy while onboarding new Arc servers:
Arc-enabled Kubernetes
To set your Azure Firewall as the forward proxy while onboarding new Kubernetes clusters, run the connect command with the proxy-https and proxy-http parameters specified:
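Both onboarding paths above (Arc-enabled servers with azcmagent, Kubernetes with az connectedk8s) as one added example that is not part of the original article. The firewall private IP 10.0.1.4, the ports, the resource names and the service principal variables are placeholders. Because no certificate can be applied to the Explicit proxy listener, both proxy URLs use the http:// scheme even though one points at the HTTPS port; the script refuses an https:// proxy URL for that reason. Using the HTTPS listener for the single azcmagent proxy URL is an assumption based on all agent traffic being HTTPS.

```shell
#!/usr/bin/env bash
# Added example (not from the article): point Azure Arc agents at the Azure
# Firewall Explicit proxy over the private connection. Names are placeholders.
set -eu

PROXY_IP="${PROXY_IP:-10.0.1.4}"      # private IP of the Azure Firewall (assumed)
HTTP_PORT="${HTTP_PORT:-8080}"
HTTPS_PORT="${HTTPS_PORT:-8443}"

# The listener speaks plain HTTP (no certificate can be applied), so the scheme
# is http:// for both ports. An https:// URL would fail the TLS handshake.
proxy_url() {  # proxy_url <ip> <port>
  printf 'http://%s:%s' "$1" "$2"
}

# Guard against the common mistake of configuring https:// for the 8443 port.
assert_plain_http_proxy() {  # assert_plain_http_proxy <url>
  case "$1" in
    http://*) return 0 ;;
    *) echo "explicit proxy URL must use http://, got: $1" >&2; return 1 ;;
  esac
}

# Destinations the cluster must reach directly: loopback, the in-cluster
# service network and the node CIDR (10.0.0.0/8 is an assumed on-prem range).
k8s_proxy_skip_range() {
  printf '%s' "127.0.0.1,localhost,10.0.0.0/8,kubernetes.default.svc,.svc.cluster.local,.svc"
}

onboard_arc_server() {
  # azcmagent takes its proxy from its own config; set it before connect.
  # Use a service principal scoped to Arc onboarding; the secret comes from
  # the environment so it never lands in shell history.
  local url
  url="$(proxy_url "$PROXY_IP" "$HTTPS_PORT")"
  assert_plain_http_proxy "$url"
  azcmagent config set proxy.url "$url"
  azcmagent connect \
    --resource-group "$ARC_RESOURCE_GROUP" \
    --tenant-id "$TENANT_ID" \
    --subscription-id "$SUBSCRIPTION_ID" \
    --location "$LOCATION" \
    --service-principal-id "$SP_APP_ID" \
    --service-principal-secret "$SP_SECRET"
}

onboard_arc_k8s() {
  local https_proxy_url http_proxy_url
  https_proxy_url="$(proxy_url "$PROXY_IP" "$HTTPS_PORT")"
  http_proxy_url="$(proxy_url "$PROXY_IP" "$HTTP_PORT")"
  assert_plain_http_proxy "$https_proxy_url"
  az connectedk8s connect \
    --name "$CLUSTER_NAME" --resource-group "$ARC_RESOURCE_GROUP" \
    --proxy-https "$https_proxy_url" \
    --proxy-http "$http_proxy_url" \
    --proxy-skip-range "$(k8s_proxy_skip_range)"
}

# Only run against real resources when asked; the functions stay sourceable.
if [ "${RUN_LIVE:-}" = "1" ]; then
  onboard_arc_server
  onboard_arc_k8s
fi
```

Run with `RUN_LIVE=1` and the placeholder variables exported; `onboard_arc_server` runs on the on-premises machine with azcmagent installed, `onboard_arc_k8s` from a host with kubeconfig access to the cluster. The skip range matters: if in-cluster traffic to kubernetes.default.svc were sent to the proxy, the Arc agents' own pods would fail to reach the API server.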
Verify the proxy connection
To verify that traffic is being proxied through your Azure Firewall Explicit proxy, first confirm that the proxy is reachable and working from your network. From an on-premises machine, run the following command, giving the firewall's private IP and the Explicit proxy port you configured (curl assumes port 1080 if you omit it): curl -x http://<proxy IP>:<proxy port> https://<target FQDN>
Additionally, you can view the Azure Firewall application rule logs to verify traffic. The Explicit proxy relies on application rules, so all of its logs are available in the AZFWApplicationRules table, as shown in this example:
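The reachability check and the log lookup as one added example, not code from the original article. It assumes the firewall private IP 10.0.1.4, the 8443 HTTPS listener, a Log Analytics workspace ID that receives the firewall's diagnostic logs, and that the AZFWApplicationRules table carries an IsExplicitProxyRequest column (assumed from the documented schema; remove that line if your workspace doesn't have it). The curl check treats any HTTP status from the target, even 401 or 404, as proof that the CONNECT tunnel works; a refused or timed-out proxy is a failure.

```shell
#!/usr/bin/env bash
# Added example (not from the article): confirm the explicit proxy tunnels to an
# Azure endpoint, then list the matching application rule hits from the logs.
set -eu

PROXY_IP="${PROXY_IP:-10.0.1.4}"       # assumed firewall private IP
HTTPS_PORT="${HTTPS_PORT:-8443}"
WORKSPACE_ID="${WORKSPACE_ID:-00000000-0000-0000-0000-000000000000}"  # assumed

# Returns 0 and prints the HTTP status if curl can CONNECT through the proxy and
# get any response from the target. A refused/unreachable proxy (curl exit 7 or
# 28) or a tunnel that returns no HTTP response (status 000) is a failure;
# a missing curl binary returns 2.
check_via_proxy() {  # check_via_proxy <proxy_ip> <proxy_port> <https-url>
  local status
  command -v curl >/dev/null 2>&1 || { echo "curl not installed" >&2; return 2; }
  status="$(curl -sS -o /dev/null -w '%{http_code}' \
              --connect-timeout 5 --max-time 15 \
              -x "http://$1:$2" "$3")" || return 1
  echo "$status"
  case "$status" in
    000) return 1 ;;
    *)   return 0 ;;
  esac
}

# KQL over the firewall diagnostic logs. Explicit proxy traffic is recorded as
# application rule hits, so it lands in AZFWApplicationRules. The
# IsExplicitProxyRequest filter is an assumption about the table schema.
arc_proxy_log_query() {
  cat <<'KQL'
AZFWApplicationRules
| where TimeGenerated > ago(1h)
| where IsExplicitProxyRequest == true
| where Fqdn has_any ("management.azure.com", "his.arc.azure.com", "login.microsoftonline.com")
| summarize hits = count(), last = max(TimeGenerated)
    by SourceIp, Fqdn, DestinationPort, Action, Rule
| order by last desc
KQL
}

query_firewall_logs() {
  az monitor log-analytics query \
    --workspace "$WORKSPACE_ID" \
    --analytics-query "$(arc_proxy_log_query)" \
    --output table
}

if [ "${RUN_LIVE:-}" = "1" ]; then
  # Unauthenticated ARM returns an error status, which still proves the tunnel.
  check_via_proxy "$PROXY_IP" "$HTTPS_PORT" "https://management.azure.com/"
  query_firewall_logs
fi
```

A Deny in the Action column for an Arc FQDN means the application rule allowlist is missing that endpoint; a source IP you don't recognise means a host outside your intended ranges is using the proxy and the rule's source addresses should be tightened.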
Private Link integration
You can use Azure Firewall Explicit proxy together with Azure Private Link. To combine them, configure your environment so that traffic to endpoints that don't support Private Link is routed via the Explicit proxy, while traffic to Azure Arc endpoints that do support Private Link bypasses the Explicit proxy and goes directly to the relevant private endpoint: