Hi We're in the implementing phase of Azure vWAN combined with Azure Firewall and Azure Firewall Policies. We've configured a network rule which allows the port 80 and 443 to the service tag "AzureCloud" which should include all IP ranges from all Azure Datacenters and Services. However, this rule does not seem to be working and we have to break down the rules in to multiple service tags to allow communication to certain Azure services. Is this a known limitation for this service tag? The tag overview can be found here: https://video2.skills-academy.com/en-us/azure/virtual-network/service-tags-overview#available-service-tags Best Regards Philipp

@Wieser Philipp , Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well. I understand that you would like to make use of the "AzureCloud" tag with Azure Firewall and you notice certain IPs/FQDNs are not covered by this tag. Can you provide an example? Of which particular service or IP is getting blocked by the Azure Firewall? A IP (along with port) would help me repo your environment. Cheers, Kapil

Azure Firewall Service Tag AzureCloud

Accepted answer

KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2024-04-12T11:08:17.4233333+00:00
@Wieser Philipp ,

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you would like to make use of the "AzureCloud" tag with Azure Firewall and you notice certain IPs/FQDNs are not covered by this tag.

Can you provide an example?

Of which particular service or IP is getting blocked by the Azure Firewall?

A IP (along with port) would help me repo your environment.

Cheers,

Kapil
Please sign in to rate this answer.

1 person found this answer helpful.
Wieser Philipp 20 Reputation points

2024-04-12T11:46:50.3166667+00:00

@KapilAnanth-MSFT

Hi Kapil

That's correct, I've created a Firewall Rule on a Azure Firewall Policy which has configured the AzureCloud as destination service tag for the ports 80 and 443.

I've connected this by using a peering for the vnet in which a test system resides to the virtual wan hub in which the Azure Firewall is assigned with the corresponding Azure Firewall Policy.

I then connect to the test system and am trying to connect to https://portal.azure.com in the browser but I'm receiving an error and the connection is discarded. The error I'm receiving in the browser is: "Action: Deny. Reason: No rule matched. Proceeding with default action."
When I configure the service tags AzureActiveDirectory, AzureResourceManager and AzureFrontDoor.Frontend in the network rule, the connection works. But according to the documentation, all these tags should be included in the "AzureCloud" service tag. I can reproduce this at any time in the browser of the test system.

Best Regards
Philipp

KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2024-04-12T12:15:10.1+00:00

@Wieser Philipp ,

Thanks for the info, so I take it that your primary concern is " https://portal.azure.com ".

I do believe this is an expected behavior.

Quite frankly, Azure portal is not exactly is an Azure Service.

It's an interface or UI to interact with Azure offers and services.

The IPs used by Azure portal would be anycast IPs (i.e., it makes use of Azure FrontDoor)

And from the docs, the tag "AzureCloud" is given a description of comprising "datacenter" public IP addresses.
And anycast IPs are not exactly datacenter public IP addresses

So, to work around this - you can use a combination of "AzureFrontDoor.Frontend" and "AzureCloud" in your rules.

You can cross verify these from your end as well from here.

For Portal,

However, every other service, would be a part of AzureCloud

I do understand we could improve the documentation on this part. I shall take that feedback internally.

Meanwhile, can you please use both the tags "AzureFrontDoor.Frontend" and "AzureCloud" for Portal and let us know how it goes? (I did a lab and I was able to get to the logins screen).

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil

Wieser Philipp 20 Reputation points

2024-04-12T12:45:35.7833333+00:00

Hi Kapil

I can confirm that it is working when using the service tags "AzureCloud" and "AzureFrontDoor.Frontend". While it could be mentioned better in the documentation, I'm glad you provided a solution to the problem very quickly.

Best Regards
Philipp

KapilAnanth-MSFT 39,446 Reputation points Microsoft Employee

2024-04-12T12:49:56.15+00:00

@Wieser Philipp ,

Glad we could be of service.

Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I have summarized our discussion and posted it as a new answer.

I would highly appreciate if you could Accept the answer and close this thread

Original posters help the community find answers faster by identifying the correct answer.

Thanks,

Kapil
Sign in to comment

Share via

Azure Firewall Service Tag AzureCloud

0 additional answers