Azure Firewall – App Service Environment UDR requirements

If you are looking to secure your App Service Environment and integrate with an Azure Firewall, Microsoft have guidance for integrating the Azure Firewall with your App Service Environment. I’ve provided links below:


The guidance boils down to five steps:

  1. Create a UDR that routes the ASE management IPs directly to the Internet (next hop type Internet)
  2. Add routes for the IP address dependencies Microsoft lists, also with next hop type Internet
  3. Add a default route (0.0.0.0/0) in the same UDR with next hop type Virtual appliance and the Azure Firewall's private IP as the next hop address
  4. Add any other routes for on-premises or separate VNets whose traffic you want to pass through the Azure Firewall
  5. Define the HTTP/HTTPS (FQDN) dependencies as application rules in the Azure Firewall


As you may notice, there are quite a lot of IP ranges that must be added to the UDR with next hop type Internet. This post streamlines creating the base UDR for your ASE subnet. Once the base routes exist, you still need to consider any other UDR requirements so that on-premises or inter-VNet traffic to your ASE passes through the Azure Firewall.

The documentation page lists the management addresses as plain IP addresses, without the CIDR notation a UDR requires; since every one of them is a single host address, the prefix length is /32. The same applies to the IP address dependencies. To add either set to a UDR you must supply each address in CIDR form (a.b.c.d/32) as the route's address prefix.

I wanted a script that creates the UDR routes for requirements 1 and 2 above, that is, the routes the ASE needs with next hop type Internet.

Microsoft provide an API call example in their documentation that can be used for this; the same page explains how to install armclient: https://docs.microsoft.com/en-us/azure/app-service/environment/management-addresses

This call returns the same management IPs that are documented, but already in CIDR notation, so the output can be fed straight into the UDR creation. It also returns the current addresses, so if the documentation lags behind, the query is the source to trust: always check it before building the UDR.

Now that we have the list of management IPs the ASE must reach, we can add the list of IP address dependencies that Microsoft provide at https://docs.microsoft.com/en-us/azure/app-service/environment/firewall-integration

Create the UDR with base ASE Management Plane IPs and IP dependencies

Now that we have all the IP prefixes required we can create the UDR. Simply paste the management IPs and the IP dependencies into the variables $aseManagementIps and $aseIpDepedencies. I have pre-populated the values with the information available at the time this post was written; it is recommended to fetch the latest IPs with the query above and to check the Microsoft documentation before running it.
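The script below is an added example of the kind of script this post describes (steps 1 to 3 of the list above, the /32 normalisation, and the management-address query); it is not the original post's script. It goes slightly beyond the post by pulling the management addresses with Invoke-AzRestMethod instead of armclient. Assumptions: the Az PowerShell module and an existing Connect-AzAccount session; the resource group, ASE, VNet, subnet, route table names and the firewall private IP are placeholders; the response shape of the inboundnetworkdependenciesendpoints ARM call (a value array whose items carry an endpoints list) is taken from memory of the Microsoft management-addresses doc and should be checked against it; the two entries in $aseIpDependencies are constructed RFC 5737 documentation addresses, not real Azure dependencies.

```powershell
# Added example, not the original post's script. Requires Az.Accounts and Az.Network
# and a Connect-AzAccount session. Every resource name below is an assumed placeholder.
$ResourceGroup     = 'rg-ase'        # assumed
$Location          = 'westeurope'    # assumed
$AseName           = 'my-ase'        # assumed
$VnetName          = 'vnet-ase'      # assumed
$AseSubnetName     = 'snet-ase'      # assumed
$RouteTableName    = 'rt-ase-base'   # assumed
$FirewallPrivateIp = '10.0.1.4'      # assumed: Azure Firewall private IP, next hop for 0.0.0.0/0

# A UDR route needs a CIDR prefix. Bare host addresses (as printed in the docs) become /32;
# values that already carry a prefix length are passed through unchanged.
function ConvertTo-CidrPrefix {
    param([Parameter(Mandatory)][string]$Address)
    $a = $Address.Trim()
    if ($a -match '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { return $a }
    $parsed = $null
    if (-not [System.Net.IPAddress]::TryParse($a, [ref]$parsed) -or
        $parsed.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "Not an IPv4 address or prefix: '$a'"
    }
    return "$a/32"
}

# Management addresses reported by the ASE itself, i.e. the data the post pulls with armclient.
# Assumed response shape: { value: [ { description, endpoints: [ 'a.b.c.d/32', ... ] } ] }.
function Get-AseManagementPrefix {
    param([Parameter(Mandatory)][string]$ResourceGroup, [Parameter(Mandatory)][string]$AseName)
    $sub  = (Get-AzContext).Subscription.Id
    $path = "/subscriptions/$sub/resourceGroups/$ResourceGroup/providers/Microsoft.Web" +
            "/hostingEnvironments/$AseName/inboundnetworkdependenciesendpoints?api-version=2016-09-01"
    $resp = Invoke-AzRestMethod -Path $path -Method GET
    if ($resp.StatusCode -ne 200) { throw "ARM call failed ($($resp.StatusCode)): $($resp.Content)" }
    ($resp.Content | ConvertFrom-Json).value |
        ForEach-Object { $_.endpoints } |
        ForEach-Object { ConvertTo-CidrPrefix $_ } |
        Sort-Object -Unique
}

# Build the base route table. Every management/dependency prefix gets next hop Internet, which
# bypasses the firewall, so the list must contain exactly those /32s and nothing wider. 0.0.0.0/0
# goes to the firewall; longest-prefix match means the /32 routes always win over the default.
function New-AseBaseRouteTable {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$Location,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$InternetPrefix,
        [Parameter(Mandatory)][string]$FirewallPrivateIp
    )
    $prefixes = @($InternetPrefix | ForEach-Object { ConvertTo-CidrPrefix $_ } | Sort-Object -Unique)
    # Azure allows 400 routes per route table; fail before creating anything rather than half-way.
    if ($prefixes.Count -ge 400) { throw "Too many routes ($($prefixes.Count)) for one route table" }

    $rt = New-AzRouteTable -ResourceGroupName $ResourceGroup -Location $Location -Name $Name -Force
    $i = 0
    foreach ($p in $prefixes) {
        $rt = Add-AzRouteConfig -RouteTable $rt -Name ('ase-internet-{0:D3}' -f $i) `
                -AddressPrefix $p -NextHopType Internet
        $i++
    }
    $rt = Add-AzRouteConfig -RouteTable $rt -Name 'default-to-azfw' -AddressPrefix '0.0.0.0/0' `
            -NextHopType VirtualAppliance -NextHopIpAddress $FirewallPrivateIp
    Set-AzRouteTable -RouteTable $rt
}

# --- usage ---
# Management IPs come from the ASE, not from a pasted list, so they cannot lag the docs.
$aseManagementIps = Get-AseManagementPrefix -ResourceGroup $ResourceGroup -AseName $AseName

# IP address dependencies: paste the list from the firewall-integration doc here. These two
# entries are constructed placeholders (RFC 5737 documentation addresses), not real dependencies.
$aseIpDependencies = @('203.0.113.10', '198.51.100.20/32')

$rt = New-AseBaseRouteTable -ResourceGroup $ResourceGroup -Location $Location -Name $RouteTableName `
        -InternetPrefix (@($aseManagementIps) + @($aseIpDependencies)) -FirewallPrivateIp $FirewallPrivateIp

# Associate the table with the ASE subnet by updating the subnet object in place, which keeps
# the subnet's other settings (NSG, delegation) as they are.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $AseSubnetName
$subnet.RouteTable = $rt
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Check what actually landed in the UDR.
$rt.Routes | Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Two things worth keeping in mind when you adapt this: the Internet routes are deliberate holes in the firewall path, so re-run the query and the doc check whenever you rebuild the table rather than reusing an old list, and keep the default route in the same table as the /32 routes, otherwise the ASE subnet has no path to the firewall at all.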

Next, check your UDR: you should see every base route the ASE requires. As mentioned at the start, these are only the platform routes for ASE management and basic health and operation. You still need to define the default route to your Azure Firewall in the same UDR, plus any additional routes for on-premises or inter-VNet connectivity, as required.