
How to set up Azure SQL using Azure Firewall and Endpoint

2025-01-14 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Introduction to Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects Azure virtual network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing external firewalls to identify traffic that originates from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Introduction to service endpoints

Virtual network (VNet) service endpoints extend your virtual network's private address space and the identity of your VNet to Azure services over a direct connection. Endpoints protect critical Azure service resources by allowing access to them only from your own virtual network. Traffic from the VNet to the Azure service always remains on the Azure backbone network.

Service endpoints provide the following advantages:

Improved security for Azure service resources: VNet private address spaces can overlap, so they cannot be used to uniquely identify traffic originating from a VNet. By extending the VNet identity to the service, service endpoints let you limit access to Azure service resources to your virtual network. Once you enable a service endpoint in a virtual network, you secure the Azure service resource by adding a virtual network rule to it. This removes public Internet access to the resource and allows traffic only from your own virtual network, which improves security.

Optimal routing for Azure service traffic from a virtual network: today, any route in a virtual network that forces Internet-bound traffic to on-premises and/or virtual appliances (forced tunneling) also forces Azure service traffic to take the same route as Internet traffic. Service endpoints provide optimal routing for Azure traffic.

Endpoints always forward service traffic directly from the virtual network to the service on the Azure backbone. Keeping the traffic on the Azure backbone lets you continue to audit and monitor outbound Internet traffic from the virtual network through forced tunneling, without affecting the service traffic.

Simple setup with less management overhead: you no longer need reserved public IP addresses in the virtual network to secure Azure resources through an IP firewall. Service endpoints require no NAT or gateway devices. A service endpoint is configured with a single click on the subnet, and there is no additional overhead to maintain it.

It sounds great, but service endpoints are actually a regional feature. For example, if your VNet is in Bei Yi and the PaaS service is in Dongyi, enabling an endpoint will not work.

In that case the problem can be solved with Azure Firewall, as long as the firewall is deployed in Dongyi.

First, look at the access scenario without a usable endpoint. Because the default route points to the firewall (FW), if there is no FW network rule allowing access to Azure SQL, access is denied, even if the client has been added to the Azure SQL whitelist.

Next, add a rule to the FW allowing outbound access to Azure SQL. Note that, just as with an NSG, firewall rules can be written with a service tag, which is very convenient.

This time the error tells us that the client has not been added to the whitelist, but at least network connectivity is established.

Adding the FW's IP to the whitelist makes the connection work normally.

You can see that the source IP is the FW's IP.

Next, add the SQL service endpoint to the subnet where the firewall is located.

Then, on the Azure SQL server, add a virtual network rule allowing access from the firewall's subnet.

Try again, and you can see that the IP reaching the database is now the firewall's intranet (private) IP!
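The steps above are shown in the article as portal screenshots. The script below is an added example, not code from the original article, that expresses the same three stages as Azure CLI commands: the firewall network rule using the Sql service tag, the Azure SQL firewall rule for the firewall's IP (taken here to be the firewall's public IP, an assumption since the screenshots are not reproduced), and finally the Microsoft.Sql service endpoint on AzureFirewallSubnet plus the matching virtual network rule on the SQL server. Every resource name, CIDR and IP address is a constructed placeholder; the commands are printed rather than executed unless DRY_RUN=0 is set.

```shell
#!/usr/bin/env sh
# Added example, not from the original article. Azure CLI commands for the
# three stages described above. All resource names, CIDRs and IPs below are
# constructed placeholders; override them through environment variables.
# The 'az network firewall' commands need the azure-firewall CLI extension.
RG="${RG:-rg-demo}"
FW_NAME="${FW_NAME:-fw-demo}"
VNET="${VNET:-vnet-demo}"
FW_SUBNET="AzureFirewallSubnet"                    # name Azure requires for the firewall's subnet
APP_SUBNET_CIDR="${APP_SUBNET_CIDR:-10.1.2.0/24}"  # constructed: clients whose default route points at the firewall
SQL_SERVER="${SQL_SERVER:-sqlsrv-demo}"            # logical server name, without .database.windows.net
FW_PUBLIC_IP="${FW_PUBLIC_IP:-203.0.113.10}"       # constructed documentation address; use the firewall's real public IP
DRY_RUN="${DRY_RUN:-1}"                            # 1 = print the commands, 0 = run them

# Stage 1: firewall network rule that lets the app subnet reach Azure SQL.
# The destination is the Sql service tag, just as with an NSG rule.
# Without this rule the default route drops the traffic no matter what the
# SQL server's own allow list says.
fw_allow_sql_cmd() {
  printf '%s' "az network firewall network-rule create --resource-group $RG" \
    " --firewall-name $FW_NAME --collection-name allow-azure-sql --name sql-1433" \
    " --priority 200 --action Allow --protocols TCP" \
    " --source-addresses $APP_SUBNET_CIDR --destination-addresses Sql --destination-ports 1433"
}

# Stage 2: the SQL server now sees connections from the firewall, so its
# IP firewall must allow the firewall's public address.
sql_allow_fw_public_ip_cmd() {
  printf '%s' "az sql server firewall-rule create --resource-group $RG --server $SQL_SERVER" \
    " --name allow-fw-public-ip --start-ip-address $FW_PUBLIC_IP --end-ip-address $FW_PUBLIC_IP"
}

# Stage 3a: enable the Microsoft.Sql service endpoint on the firewall's subnet.
enable_sql_endpoint_cmd() {
  printf '%s' "az network vnet subnet update --resource-group $RG --vnet-name $VNET" \
    " --name $FW_SUBNET --service-endpoints Microsoft.Sql"
}

# Stage 3b: virtual network rule on the SQL server for the firewall's subnet.
# After this, the database sees the firewall's private IP as the source.
sql_allow_fw_subnet_cmd() {
  printf '%s' "az sql server vnet-rule create --resource-group $RG --server $SQL_SERVER" \
    " --name allow-fw-subnet --vnet-name $VNET --subnet $FW_SUBNET"
}

# Optional tightening once stage 3 works: the public-IP rule from stage 2 is
# no longer needed (assuming nothing else relies on it) and can be removed.
sql_remove_fw_public_ip_cmd() {
  printf '%s' "az sql server firewall-rule delete --resource-group $RG --server $SQL_SERVER" \
    " --name allow-fw-public-ip"
}

# The four commands in the order the article applies them, one per line.
plan() {
  fw_allow_sql_cmd;           printf '\n'
  sql_allow_fw_public_ip_cmd; printf '\n'
  enable_sql_endpoint_cmd;    printf '\n'
  sql_allow_fw_subnet_cmd;    printf '\n'
}

# Print or execute the plan depending on DRY_RUN.
run_plan() {
  plan | while IFS= read -r cmd; do
    if [ "$DRY_RUN" = "1" ]; then echo "$cmd"; else eval "$cmd"; fi
  done
}

run_plan
```

The commands assume a firewall with classic rule collections; a firewall managed through an Azure Firewall Policy uses the `az network firewall policy` command group instead. Review the printed plan, then rerun with DRY_RUN=0 once you are logged in with `az login` and the placeholders are replaced.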
