Writing Azure Firewall policy
Security teams can drive segmentation policies that control network traffic using Illumio labels and services. They can also use IPs and IP lists to define what can talk to applications, what data can be transferred out of an organization's network, and more. Creating policies, including Azure Firewall policies, is critical to limiting an attacker's lateral movement: use your Azure firewalls as enforcement points in your cloud environment.
Note
Illumio Segmentation for the Cloud does not support Classic Azure Firewall.
Illumio allows or denies traffic between Azure Firewalls using policies that you write. In order to write policies, you must create rules for the policy. Illumio Segmentation for the Cloud has the following types of rules for Azure Firewall policies:
Before you begin writing Azure Firewall policies
Review these topics to get an understanding of Illumio policies.
For an overview of the policy model and how it helps you protect your resources, see Policy model.
For general policy writing information such as guidelines, permitted rule writing combinations, provisioning, and caveats see Writing application policy and Writing Organization Policy.
For a list of resources against which you can write policy, see Policy enforcement and resource types.
Understanding Azure Firewalls
An Azure Firewall functions as a central enforcement point for network security within your Azure environment. It lets you define and apply network- and application-level security rules across multiple virtual networks and subscriptions, and its centralized policy management lets you manage all traffic filtering from a single point of control.
In the Azure console, firewall policies have rule collection groups that contain rule collections. When you create a policy in Illumio, it creates a rule collection group with the prefix "ICS." The rule collection group that it creates always attempts to get the highest priority available. Illumio maintains this rule collection group on its own. If you modify this rule collection group directly in the Azure console, Illumio will overrule the modification. See Tamper Protection.
Rule collections have the following default priorities; Illumio Segmentation for the Cloud places each rule in the collection that matches its type:
Override Deny Rules: 100
Allow Rules: 200
Deny Rules: 300
In Illumio Segmentation for the Cloud, an Azure Firewall is a VNet-level enforcement point. If a VNet has a firewall, it is a hub. If a VNet has a peering relationship with a hub, it is a spoke.
At time of writing, Illumio Segmentation for the Cloud supports writing Azure Firewall policy only for network rules.
Write a policy to allow traffic between spokes on the same hub
Suppose that you want to write a policy to allow HTTP traffic between a pair of spokes peered to the same hub. Let's assume they're called AzSpoke1 and AzSpoke2.
Select the Applications menu and click the application associated with one of the two Azure Firewall spokes. Let's choose AzSpoke1.
Add an Allow rule.
Select the AzSpoke2 application from the Source drop-down list.
Select the AzSpoke1 application from the Destination drop-down list.
Select HTTP as your destination service and save the rule.
Your policy is now ready to be provisioned. Before you provision it, preview the impact it will have once provisioned, to gauge how the policy will map to destinations, security group rules, enforcement points, and so forth.
To see these mappings on your Azure Firewall policy before you provision it, click Show Impact. Then choose a security control from the drop-down menu, like All security controls or Azure Firewall Policies.
Show Impact shows the priority of Azure Firewall rule collection groups, rule collections, and rules.
Provision your policy.
The rule is Enabled. Illumio Segmentation for the Cloud creates a rule collection group with the prefix "ICS." It also creates rules in the Azure console for that firewall's policy and its parent policy.
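The following is an added example, not Illumio's or Azure's own code, that ties together the rule collection group layout described under Understanding Azure Firewalls and the spoke-to-spoke HTTP allow rule written above. It models a firewall policy in the JSON shape that Azure Resource Manager uses for firewall policy rule collection groups (field names are my assumption of that shape; the group and collection names, priorities and address ranges for AzSpoke1 and AzSpoke2 are constructed). It then checks that an "ICS"-prefixed group holds the highest priority with its collections at the documented 100/200/300 slots, which is the kind of drift check a defender would run alongside Illumio's own tamper protection, and evaluates sample flows through the network rules in priority order to show why an Override Deny beats an Allow for the same traffic. Azure Firewall processes lower priority numbers first, so "highest priority available" means the smallest number.

```python
"""Added example (not Illumio's or Azure's code): model an Azure Firewall policy's
rule collection groups, check the Illumio-managed "ICS" group layout, and evaluate
flows against the network rules in priority order. Field names follow the ARM shape
for firewall policy rule collection groups as assumed here; all data is constructed."""
import copy
import ipaddress

ICS_PREFIX = "ICS"
# Documented Illumio collection priorities and the action each must carry:
# Override Deny 100, Allow 200, Deny 300.
EXPECTED_COLLECTIONS = {100: "Deny", 200: "Allow", 300: "Deny"}


def net_rule(name, src, dst, ports, protocols=("TCP",)):
    """Build one network rule (helper for the constructed sample data)."""
    return {"ruleType": "NetworkRule", "name": name, "ipProtocols": list(protocols),
            "sourceAddresses": list(src), "destinationAddresses": list(dst),
            "destinationPorts": list(ports)}


# Constructed sample: Illumio-managed group at priority 100 plus a customer group
# behind it. Assumed ranges: AzSpoke2 = 10.2.0.0/16, AzSpoke1 = 10.1.0.0/16.
POLICY = {"ruleCollectionGroups": [
    {"name": "ICS-managed", "properties": {"priority": 100, "ruleCollections": [
        {"name": "ICS-OverrideDeny", "priority": 100, "action": {"type": "Deny"},
         "rules": [net_rule("Quarantine-AzSpoke2-host", ["10.2.0.66/32"], ["*"], ["*"], ["Any"])]},
        {"name": "ICS-Allow", "priority": 200, "action": {"type": "Allow"},
         "rules": [net_rule("AzSpoke2-to-AzSpoke1-HTTP", ["10.2.0.0/16"], ["10.1.0.0/16"], ["80"])]},
        {"name": "ICS-Deny", "priority": 300, "action": {"type": "Deny"},
         "rules": [net_rule("ICS-Deny-All", ["*"], ["*"], ["*"], ["Any"])]},
    ]}},
    {"name": "CustomerDefault", "properties": {"priority": 500, "ruleCollections": []}},
]}

# Same policy after the Illumio group was demoted in the console (constructed drift case).
TAMPERED_POLICY = copy.deepcopy(POLICY)
TAMPERED_POLICY["ruleCollectionGroups"][0]["properties"]["priority"] = 600


def illumio_group_findings(policy):
    """Return drift findings; an empty list means the layout matches the documented one."""
    groups = policy["ruleCollectionGroups"]
    ics = [g for g in groups if g["name"].startswith(ICS_PREFIX)]
    if not ics:
        return ["no rule collection group with prefix %r" % ICS_PREFIX]
    findings = []
    group = ics[0]
    lowest = min(g["properties"]["priority"] for g in groups)   # lowest number = processed first
    if group["properties"]["priority"] != lowest:
        findings.append("%s is not the highest-priority group (%d vs %d)"
                        % (group["name"], group["properties"]["priority"], lowest))
    seen = {c["priority"]: c["action"]["type"] for c in group["properties"]["ruleCollections"]}
    for prio, action in EXPECTED_COLLECTIONS.items():
        if seen.get(prio) != action:
            findings.append("expected a %s collection at priority %d, found %s"
                            % (action, prio, seen.get(prio)))
    return findings


def _addr_match(patterns, ip):
    """'*' matches anything; otherwise the address must fall inside one of the CIDRs."""
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def _port_match(patterns, port):
    """Accept '*', a single port ('80') or a range ('8000-8080')."""
    for p in patterns:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def evaluate_flow(policy, src, dst, protocol, port):
    """Walk groups, collections and rules in ascending priority; the first match wins.
    Returns (action, rule_name). Unmatched traffic is denied, Azure Firewall's default."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for group in sorted(policy["ruleCollectionGroups"], key=lambda g: g["properties"]["priority"]):
        for coll in sorted(group["properties"]["ruleCollections"], key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if rule["ruleType"] != "NetworkRule":
                    continue
                if not any(p in ("Any", protocol) for p in rule["ipProtocols"]):
                    continue
                if (_addr_match(rule["sourceAddresses"], src_ip)
                        and _addr_match(rule["destinationAddresses"], dst_ip)
                        and _port_match(rule["destinationPorts"], port)):
                    return coll["action"]["type"], rule["name"]
    return "Deny", None


if __name__ == "__main__":
    print("drift findings:", illumio_group_findings(POLICY), illumio_group_findings(TAMPERED_POLICY))
    print("spoke2 -> spoke1 HTTP:", evaluate_flow(POLICY, "10.2.0.5", "10.1.0.9", "TCP", 80))
    print("quarantined host HTTP:", evaluate_flow(POLICY, "10.2.0.66", "10.1.0.9", "TCP", 80))
```

Run against a real policy, you would replace POLICY with the rule collection groups exported from the firewall policy; the checks stay the same. The quarantined-host flow is denied even though the Allow rule at priority 200 would match it, because the Override Deny collection at 100 is evaluated first, and HTTPS between the spokes falls through to the Deny collection at 300.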
Note
To troubleshoot any Illumio system messages you see regarding Azure Firewall rules, see Troubleshoot system-generated Azure Firewall messages.