Azure Firewall’s Explicit Proxy feature (preview)

Hello Guys,

Azure Firewall is a cloud-native network security service that protects your Azure resources and applications. It operates in a transparent proxy mode by default, which means that traffic is sent to the firewall using a user-defined route (UDR) configuration. The firewall intercepts that traffic inline and passes it to the destination.

However, there is another mode that you can use for your outbound traffic: Explicit proxy. This mode allows you to configure a proxy setting on the sending application, such as a web browser, with Azure Firewall acting as the designated proxy. This way, traffic from the sending application goes to the firewall’s private IP address and egresses directly from the firewall without the need for a UDR.

Explicit proxy is currently in public preview, and it supports the HTTP and HTTPS protocols. You can manually configure the IP address and port on the browser or application, or you can use a proxy auto-configuration (PAC) file that the firewall can host for you.

To enable Explicit proxy, you need to follow these steps:

  • Go to your Azure Firewall resource in the Azure portal and select Enable explicit proxy under Settings.
  • Specify the HTTP and HTTPS ports that you want to use for the proxy. They can’t be the same.
  • If you want to use a PAC file, select Enable proxy auto-configuration and provide the shared access signature (SAS) URL of the PAC file that you have uploaded to a storage container. You also need to specify the port where the PAC file is served from.
  • Apply the changes and wait for them to take effect.

Next, you need to create an application rule in your Azure Firewall policy to allow the traffic to pass through the firewall. You must use an application rule, not a network rule, for this purpose. You can create the rule using the Azure portal, PowerShell, CLI, or ARM templates.

Finally, you need to configure your sending application to use the proxy settings that you have specified. You can either enter the IP address and port manually, or point to the PAC file URL that the firewall provides.
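To make the PAC option concrete, here is a sample PAC file (an added example, not taken from the Azure documentation). The firewall IP, the two ports and the internal DNS suffix are constructed placeholders, and it assumes `http://` URLs go to the HTTP port and `https://` URLs to the HTTPS port. It deliberately has no `; DIRECT` fallback after the proxy entry, so internet traffic does not silently bypass the firewall when the proxy is unreachable.

```javascript
// Constructed values: use your firewall's private IP and the ports set in the portal.
var FIREWALL_IP = "10.0.1.4";
var HTTP_PORT = 8080;   // must differ from HTTPS_PORT
var HTTPS_PORT = 8443;
var INTERNAL_SUFFIXES = [".corp.example"]; // hypothetical internal DNS zone

// True for loopback and RFC 1918 IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Hosts that stay inside the network and should not be sent to the proxy.
function isInternal(host) {
  host = host.toLowerCase();
  // Plain host name such as "intranet" (no dot, and not an IPv6 literal).
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) return true;
  if (isPrivateIPv4(host)) return true;
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // Match on the leading dot so "evilcorp.example" is not treated as internal.
    if (host.length > s.length &&
        host.substring(host.length - s.length) === s) return true;
  }
  return false;
}

// Entry point called by the browser for every request.
function FindProxyForURL(url, host) {
  if (isInternal(host)) return "DIRECT";
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  // No "; DIRECT" fallback: if the firewall is unreachable the request fails
  // instead of leaving the network unfiltered.
  if (scheme === "https") return "PROXY " + FIREWALL_IP + ":" + HTTPS_PORT;
  if (scheme === "http") return "PROXY " + FIREWALL_IP + ":" + HTTP_PORT;
  // Explicit proxy handles only HTTP and HTTPS; other schemes are not
  // filtered by it and need a separate control.
  return "DIRECT";
}
```

Upload the file to your storage container and give the firewall its SAS URL, as described in the steps above.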

That’s it! You have successfully enabled and configured Explicit proxy for your Azure Firewall. This feature can enhance your security posture by providing granular control over your outbound traffic, as well as reducing your UDR configuration complexity.

To learn more about Explicit proxy, see Demystifying Explicit proxy: Enhancing Security with Azure Firewall. To learn how to deploy an Azure Firewall, see Deploy and configure Azure Firewall using Azure PowerShell.
