While working with Azure Firewall, I wanted to take advantage of its FQDN filtering capabilities in order to control traffic to Office 365. As the list of FQDNs required to allow traffic can be quite large, especially in the “Common” service area’s list of endpoints, I wrote a little PowerShell function to generate the appropriate ARM template code for the application rule. Here’s what the function looks like:

Function Get-Office365AzureFirewallApplicationRule($serviceArea, $ruleName) {
    # Get the latest endpoints information from Microsoft (Invoke-RestMethod parses the JSON response for us)
    $office365IPs = Invoke-RestMethod -Uri "https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a7"

    # Capture the FQDNs for the service area whose entries are served over TCP 80 or 443.
    # Ports are compared individually rather than with -like "*80*", which would also match e.g. 8080.
    $serviceAreaUrls = ($office365IPs | Where-Object {
            $_.serviceArea -eq $serviceArea -and
            (($_.tcpPorts -split ',') | Where-Object { $_.Trim() -in '80', '443' })
        }).urls | Sort-Object -Unique

    # Generate the Azure Firewall application rule.
    # ConvertTo-Json -InputObject @(...) keeps a single FQDN as a JSON array instead of a bare string.
    $azFwRule = '{ "name": "' + $ruleName + '", "protocols": [ { "port": "80", "protocolType": "http" }, { "port": "443", "protocolType": "https" } ], "TargetFqdns": ' + (ConvertTo-Json -InputObject @($serviceAreaUrls))
    $azFwRule += '}'

    # Output the generated rule to a json file (create the folder first if it does not exist)
    New-Item -Path ".\ARM\Networking" -ItemType Directory -Force | Out-Null
    $azFwRule | Set-Content -Path ".\ARM\Networking\$ruleName.json" -Force
}

Here are a couple of examples of calling this function, along with their outputs:

Exchange Online Rule

Get-Office365AzureFirewallApplicationRule -serviceArea Exchange -ruleName "net-azfw-rul-application-allow-http-ExchangeOnline"

Output

{
  "name": "net-azfw-rul-application-allow-http-ExchangeOnline",
  "protocols": [
    { "port": "80", "protocolType": "http" },
    { "port": "443", "protocolType": "https" }
  ],
  "TargetFqdns": [
    "*.outlook.com",
    "*.outlook.office.com",
    "*.protection.outlook.com",
    "*.store.core.windows.net",
    "asl.configure.office.com",
    "attachments.office.net",
    "domains.live.com",
    "mshrcstorageprod.blob.core.windows.net",
    "outlook.office.com",
    "outlook.office365.com",
    "r1.res.office365.com",
    "r3.res.office365.com",
    "r4.res.office365.com",
    "tds.configure.office.com"
  ]
}

SharePoint Online Rule

Get-Office365AzureFirewallApplicationRule -serviceArea SharePoint -ruleName "net-azfw-rul-application-allow-http-SharePointOnline"

Output

{
  "name": "net-azfw-rul-application-allow-http-SharePointOnline",
  "protocols": [
    { "port": "80", "protocolType": "http" },
    { "port": "443", "protocolType": "https" }
  ],
  "TargetFqdns": [
    "*.log.optimizely.com",
    "*.search.production.apac.trafficmanager.net",
    "*.search.production.emea.trafficmanager.net",
    "*.search.production.us.trafficmanager.net",
    "*.sharepoint.com",
    "*.sharepointonline.com",
    "*.svc.ms",
    "*-files.sharepoint.com",
    "*-myfiles.sharepoint.com",
    "admin.onedrive.com",
    "cdn.sharepointonline.com",
    "click.email.microsoftonline.com",
    "g.live.com",
    "officeclient.microsoft.com",
    "oneclient.sfx.ms",
    "privatecdn.sharepointonline.com",
    "prod.msocdn.com",
    "publiccdn.sharepointonline.com",
    "skydrive.wns.windows.com",
    "spoprod-a.akamaihd.net",
    "ssw.live.com",
    "static.sharepointonline.com",
    "storage.live.com",
    "watson.telemetry.microsoft.com"
  ]
}

Now that you have generated the desired rules, you can simply copy and paste them into your Azure Firewall ARM template or parameter file under the applicationRuleCollections property.

In the ARM template I’m using to deploy Azure Firewall, I’m using a technique similar to the one I described here to manage Network Security Group rules (Azure VNET Subnet Network Security Group Rules Management in ARM Template), where I can have core rules that apply to all my Azure Firewall deployments but also rules that only apply to a specific deployment. At deployment time, I simply concatenate the custom rules and the core rules together in the ARM template like this:

"applicationRuleCollections": "[concat(variables('net-azfw-rul-basic-application-rules'),parameters('net-azfw-rul-custom-application-rules'))]"

In the example above, the variable named net-azfw-rul-basic-application-rules holds the rules that will be present in all deployments, while the parameter named net-azfw-rul-custom-application-rules holds the rules that are specific to a particular deployment in an environment/region.
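To get from the generated rule files to the value that the net-azfw-rul-custom-application-rules parameter expects, here is an added PowerShell example; it is not part of the original post and not the generator above. It reads every rule file the function wrote to .\ARM\Networking, sanity-checks each one before it is allowed into the policy (a name, at least one target FQDN, only ports 80 and 443, no bare "*" or single-label wildcard such as "*.com", no unexpected characters), adds the sourceAddresses scope that the generator does not emit (Azure Firewall application rules are scoped by source), wraps the rules in a rule collection and writes a standard ARM parameter file. The collection name, priority, source address range and output file name are placeholders I chose, not values from the post.

```powershell
# Added example, not code from the original post. Placeholders: the collection name,
# priority, source address range, rule folder and output file name are assumptions.

function Test-AzFwApplicationRule {
    # Returns a list of problems found in one generated rule; an empty list means the rule is acceptable.
    param([Parameter(Mandatory)]$Rule)
    $problems = @()
    if (-not $Rule.name) { $problems += 'rule has no name' }
    $fqdns = @($Rule.TargetFqdns)
    if ($fqdns.Count -eq 0) { $problems += "$($Rule.name): no target FQDNs" }
    foreach ($f in $fqdns) {
        # A bare '*' or a wildcard covering a whole TLD allows far more than Office 365.
        if ($f -eq '*' -or $f -match '^\*\.[^.]+$') { $problems += "$($Rule.name): over-broad FQDN '$f'" }
        # FQDNs from the endpoints service are only letters, digits, dots, hyphens and '*'.
        if ($f -match '[^a-zA-Z0-9.\-*]') { $problems += "$($Rule.name): unexpected characters in '$f'" }
    }
    foreach ($p in @($Rule.protocols)) {
        if ([int]$p.port -notin 80, 443) { $problems += "$($Rule.name): unexpected port $($p.port)" }
    }
    return $problems
}

function New-AzFwApplicationRuleCollection {
    # Builds one applicationRuleCollections entry from all rule files in a folder.
    param(
        [Parameter(Mandatory)][string]$CollectionName,
        [Parameter(Mandatory)][int]$Priority,
        [Parameter(Mandatory)][string[]]$SourceAddresses,
        [Parameter(Mandatory)][string]$RuleFolder
    )
    $rules = foreach ($file in Get-ChildItem -Path $RuleFolder -Filter '*.json') {
        $rule = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json
        $problems = Test-AzFwApplicationRule -Rule $rule
        if ($problems) {
            throw ("Refusing to include {0}:`n{1}" -f $file.Name, ($problems -join "`n"))
        }
        # The generator emits no source scope; add the one this deployment should use.
        $rule | Add-Member -NotePropertyName sourceAddresses -NotePropertyValue $SourceAddresses -Force
        $rule
    }
    [ordered]@{
        name       = $CollectionName
        properties = [ordered]@{
            priority = $Priority
            action   = @{ type = 'Allow' }
            rules    = @($rules)
        }
    }
}

# Placeholder values: adjust the collection name, priority and source range to your environment.
$custom = New-AzFwApplicationRuleCollection -CollectionName 'net-azfw-rulcol-application-allow-o365' `
    -Priority 200 -SourceAddresses @('10.0.0.0/16') -RuleFolder '.\ARM\Networking'

# Standard ARM deployment parameter file; the parameter name matches the concat() expression above.
$paramFile = [ordered]@{
    '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#'
    contentVersion = '1.0.0.0'
    parameters     = @{
        'net-azfw-rul-custom-application-rules' = @{ value = @($custom) }
    }
}
# Default -Depth of 2 would truncate the nested rules, so go deeper.
$paramFile | ConvertTo-Json -Depth 10 | Set-Content -Path '.\ARM\Networking\azfw.parameters.json' -Force
```

Running this once per environment gives a parameter file whose value is what concat() appends to the core rules variable; because the check runs before anything is written, a rule file that was edited by hand to contain "*" or an odd port fails the build instead of silently widening the firewall policy.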

Once deployed, you would see something similar for your Azure Firewall deployment:

Should you have questions or comments regarding this post, feel free to leave a comment below!