Azure Firewall Tips: Target FQDN Wildcard
If I want to allow this URL of Azure Cognitive Service to access the Internet rhtough Azure Firewall, how many rules can I achieve this?
duongau
Actually, based on Azure Firewall FAQ, this Q&A is specifically explained. However, to ensure everyone has the same understanding of the explanation, I specifically used the nedpoint provided by Azure AI Foundry to conduct an experiment
https://pichuang.services.ai.azure.com
Azure Firewall Policy Capabilities
In Azure Firewall, the only place where wildcards can be used in the Application Rules within Azure Firewall. Network Rules do not support using wildcards to specify URLs.
Depending on the selected Azure Firewall SKU, we offer different capabilities, as shown in the figure below:
| Azure Firewall SKU | Support Target FQDN | Support Target URL |
|---|---|---|
| Basic | 🚫 | 🚫 |
| Standard | ✅ | 🚫 |
| Premium | ✅ | ✅ |
Due to the most common use of the Target FQDN mehod, the following explanation will focus solely on this as the primary example for reference.
Failed Output
Before rewriting the firewall policy, you need to first understand how common error messages are presented. Below are examples of encoutering as SSL_ERROR_SYSCALL and Azure Friewall denying access due to the absence of matching rules.
$ curl https://pichuang.services.ai.azure.com
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.azure.com:443
$ curl http://pichuang.services.ai.azure.com
Action: Deny. Reason: No rule matched. Proceeding with default actionfailed-output
Undestand of Wildcard in Application Rules
- Asterisks work when placed on the left-most side.
- Asterisks on the left-most side mean literally anything to the left matches, meaning multiple subdomains and/or potentially unwanted domain name variations are matched.
- Traffic processed by application rules are always SNAT-ed. If you want to see the original source IP address in your logs for FQDN traffic, you can use network rules with the destination FQDN
TargetFQDN Rule Design
Let's count how many rules can allow the following URL to pas through the firewall
https://pichuang.services.ai.azure.com
| TargetFQDN Rule in Azure Firewall | Support or not? | ✅ Positive FQDN | 🚫 Negative FQDN | Note | |
|---|---|---|---|---|---|
| 1* | pichuang.services.ai.azure.com | ✅ | pichuang.services.ai.azure.com | 123.pichuang.services.ai.azure.com | Without wildcards |
| 2* | *.services.ai.azure.com | ✅ | pichuang.services.ai.azure.com blackair.services.ai.azure.com any.services.ai.azure.com |
services.ai.azure.com | |
| 3* | *services.ai.azure.com | ✅ | pichuang.services.ai.azure.com services.ai.azure.com anyopenservices.ai.azure.com any.123services.ai.azure.com |
||
| 4 | *ai.azure.com | ✅ | testai.azure.com | ||
| 5 | *azure.com | ✅ | pichuang.openai.azure.com ms.portal.azure.com blackair.dev-azure.com |
All azure.com 3rd level domain | |
| 6 | *com | ✅ | microsoft.com | aliez.tw | All com 2nd level domain |
| 7 | *m | ✅ | outlook.com stream.com 123.mm |
blog.blackair.io blog.pichuang.com.tw |
|
| 8* | * | ✅ | Wildcard matching, targeting any FQDN | ||
| 9 | *.com | 🚫 | |||
| 10 | ..azure.com | 🚫 | ..azure.com is invalid target FQDN | ||
| 11 | pichuan*.openai.azure.com | 🚫 | Asterisks work when placed on the left-most side | ||
| 12 | pichuang.openai.azure.com | 🚫 | Asterisks work when placed on the left-most side | ||
| 13 | pichuang.openai.azure.* | 🚫 | Asterisks work when placed on the left-most side | ||
| 14 | pichuang.*.azure.com | 🚫 | Asterisks work when placed on the left-most side |