Can we create a firewall rule in azure to allow connections from azure data centre ONLY?
Strictly speaking, this can't be done.
Fundamentally, Azure doesn't reside within a singe IP address range, nor does each Azure region. In fact, each region is broken into multiple address ranges which aren't necessarily concurrent. The ability to define a single firewall rule (which covers the entirety of Azure's infrastructure) would require some work in Azure to define, and maintain, a variable which holds all of these values.
It may be worth pointing out that Azure does already offer similar solutions for Internet and VirtualNetwork, which are applied in the default NSG rules. As the majority of infrastructure within Azure, but outside of your virtual network, is essentially the Internet, setting such a variable for all Azure IPs would give a user the option to, potentially unknowingly, open up their resources to any kind of malicious activity.
Depending upon what exactly it is you are attempting to achieve, Azure does offer workarounds in the form of Service Endpoints. This functionality has recently left the preview phase, and allows a user to create a security rule between certain PaaS resources and your virtual network. Currently, this functionality is restricted to Azure Storage, Azure SQL Database and Azure SQL Data Warehouse.
An extremely sloppy way of implementing firewall rules for all Azure IP ranges would be to manually enter the address ranges from the region(s) you require, which can be downloaded here. However, doing this would be highly discouraged due to security flaws previously mentioned, plus these IP ranges are not entirely static, therefore it would be easy to get caught out if Microsoft was to edit certain address ranges.
Related
Our software uses Azure.Core, Azure.Storage.Blobs and Azure.Storage.Common to interact with Azure Blob Storage Accounts held in North Europe (i.e. Ireland)
We store files in various containers in such Storage Accounts
Some of our clients have very strict policies regarding access to "the internet" and we are asked to provide some information about this, and I have to admit I'm not sure.
I can do something like ping someblobaccounthere.blob.core.windows.net and that will give me an IP address, but will it always be the same IP address? How do Azure.Storage.Blobs and associated DLLs interact with such an account?
Are the requests made through HTTPS or are these DLLs interacting through other protocols, do I need to tell them to open certain ports or will default ports such as 443 and (80 for http) work? Will this play nice with proxies?
I did have a bit of a google around but my Google Fu is failing me and I'm not finding clear answers.
Our apps are built for .NET Framework 4.8 - in case that is significant.
You can view/download the ip ranges from this link:
This file contains the IP address ranges for Public Azure as a whole, each Azure region within Public, and ranges for several Azure Services (Service Tags) such as Storage, SQL and AzureTrafficManager in Public. This file currently includes only IPv4 address ranges but a schema extension in the near future will enable us to support IPv6 address ranges as well. Service Tags are each expressed as one set of cloud-wide ranges and broken out by region within that cloud. This file is updated weekly. New ranges appearing in the file will not be used in Azure for at least one week. Please download the new json file every week and perform the necessary changes at your site to correctly identify services running in Azure.
IMHO Azure storage should be configured to use https only so the https port should be open.
I'm trying to get the company to use Azure Firewall as we start to move production workloads to Azure, however the network team have stated there are limitations when using Azure firewall. For example they have saod the Firewall reboots or drops all connections when you update a rule on it?
Is this true? Would anyone know of any limitations of using Azure Firewall. The network team prefer to use Checkpoint firewalls in Azure which are fine, but I would rather use Azure firewall, if its not going to fall down eveytime we do an update to teh rules.
That just doesn't sound like its right, as Azure Firewall is prouction ready resource.
• Please find the link below for detailed known documented limitations of Azure Firewall: -
https://learn.microsoft.com/en-us/azure/firewall/overview#known-issues
It clearly states all the issues regarding configuration of rules, NAT of UDR and other features of Azure that are used in integration with it. There, it clearly states that for configuration updates regarding the Azure Firewall, it takes three (3) to five (5) minutes on average to take effect independently, i.e., if multiple configuration updates are done to the Azure Firewall, each configuration update takes separate time to take effect and reciprocate it in its functioning. Thus, please check this, and as for updating of rules is concerned, I don’t think the existing rules defined on Azure Firewall are dysfunctional or the Azure Firewall as an appliance goes down for few periods of time when the rules are getting updated.
I'm running an azure function which gets data from an API and stores it in a blob. Everything worked fine and stopped working out of nowhere. We then got in contact with our provider and they told us they made some changes in their API. After we made the necessary changes in our code,started getting an IP denied error from their part. I then searched and found the possible outbound IP addresses for the Azure Function. They whitelisted the whole list and still
They aren't getting any requests from those IP's,
We are not able to access that data for the same reason our IP is denied.
We've been running the code in a local machine and it works completely fine, but this is just a temporary fix and we want to keep everything in the cloud.
I've been stuck with this for about 3 weeks. I've looked into different solutions and I found about Azure Logic Apps and Azure Service Fabric.
Is there something missing in my Azure Function that isn't allowing me to make requests to the API? Am I using the wrong outbound IP? Also, if I use any of the other two services, will I encounter with the same problem? I did some research on them and I think they both also use multiple outbound IP addresses, so I'm worried I'll get the same problem.
Using NAT gateway you can specify a static IP address for outbound traffic, your function app need to be attached on a subnet which is not available for consumption plan.
Here is where you should be getting the Azure IP address ranges from. Azure Functions originate from the App Service Plan ranges. Note that this is updated weekly, things change, but not too often. Your provider will need to open all the relevant ranges and keep up to date with any changes. If your solution is not mission critical with a high SLA, then having your service provider open the relevant ranges and deal with failures, updating the ranges on an ad-hoc basis should be fine.
Secondly, if you have a good relationship with the provider, ask them to check the firewall, they will be able to give you an indication of the IP's getting blocked by checking the firewall logs. This will help you find the right range.
The only guaranteed way to solve this in a mission critical solution is to run your Azure Functions from an dedicated app service plan with a dedicated IP address. This is an expensive option but will be the most robust.
Additional helpful information here on how App Services works with IPs can be found here.
The goal is to have single address (static.example.com) to access static resources from multiple storage accounts with dynamic access control (based on IP Range).
static.example.com/resource-1/... - accessible to all users and served via CDN
static.example.com/resource-2/... - accessible to all users and served via CDN
static.example.com/resource-3/... - accessible only to internal users
static.example.com/resource-4/... - accessible only to internal users
static.example.com/resource-5/... - accessible only to internal users
static.example.com/resource-6/... - accessible only to internal users
Constraints:
resources available for users from internal network must be served
under same hostname static.example.com
resources available for users
from internal network must be stored in different storage account
Highlighted area in the diagram below marks the place for Azure Service(-es) to be used.
The question is what Azure Services (and how) could be used to achieve described requirements?
Any help or advice is appreciated.
You need Azure CDN :)
Azure CDN can do Path based routing:
https://learn.microsoft.com/en-us/previous-versions/azure/mt757336(v=azure.100)?redirectedfrom=MSDN#url
Azure CDN can do IP filtering:
https://learn.microsoft.com/en-us/previous-versions/azure/mt757336(v=azure.100)?redirectedfrom=MSDN#match-conditions
You can easily achieve the desired scenario using the Azure Application Gateway (AAGW).
I have done a similar scenario, which is a little more complex than this one. That also had an Azure Traffic Manager sitting in front. You can use the URL Routing and Redirection in AAGW to achieve the outcome.
https://learn.microsoft.com/en-us/azure/application-gateway/url-route-overview
https://learn.microsoft.com/en-us/azure/application-gateway/redirect-overview
Azure classic Cloud Services come with a built-in load balancer that allows a fast VIP swap from production to staging, and vice versa. What equivalent is provided by Azure Resource Manager? I can use DNS, but then I have the TTL delay.
I want the fast swap because my back-end servers are stateful and cannot process the same data in both staging and production without overwriting each other. In my current system, out-of-date connections (e.g. because of HTTP keep-alive) are rejected and a reload is forced, forcing fresh connections.
I guess I might be able to do it using Azure Application Gateway, but it is not listed as one of its features.
You can do VIP swap in ARM with 2 Azure load balancers by disassociating the public IPs, then reassigning them. It's not a fast deployment slot swap like you can do with cloud services however, as can take a minute to disassociate both IP addresses (you could speed this up by doing it in parallel), and based on your question you've already looked at this approach, but documenting it here as an option. There are some notes on this approach here: https://msftstack.wordpress.com/2017/02/24/vip-swap-blue-green-deployment-in-azure-resource-manager/
In Azure resource manager, there are three ways, Azure Load Balancer(layer 4), Application Gateway(layer 7) and Traffic Manager(DNS level). I think you can use Load Balancer in you scenario.
The following table helps understanding the difference between Load Balancer and Application Gateway: