
Firewall policies and Ip group #2929

Closed
chboudry opened this issue Nov 29, 2022 · 6 comments
Comments

@chboudry

To stick to Microsoft best practice, Azure Firewall classic rules should be updated to a Firewall Policy.
And source addresses should be defined in an IP group.

https://learn.microsoft.com/en-us/azure/firewall-manager/policy-overview
https://learn.microsoft.com/en-us/azure/firewall/create-ip-group
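As an added illustration of what the issue proposes (this is not code from the Azure TRE repository), the Terraform fragment below defines a Firewall Policy whose network rule takes its source from an IP Group instead of a hard-coded address list; the resource names, variables, CIDR and destination address are assumed placeholders.

```hcl
# Added example, not Azure TRE code. Assumes var.location and
# var.resource_group_name exist; all names and addresses are placeholders.

# Workspace source addresses live in one IP Group, so a rule can reference
# the group and the address list is maintained in a single place.
resource "azurerm_ip_group" "workspace_sources" {
  name                = "ipg-workspace-example"
  location            = var.location
  resource_group_name = var.resource_group_name
  # Constructed workspace address space; replace with the real one.
  cidrs = ["10.1.0.0/16"]
}

# The Firewall Policy replaces classic rules defined directly on the firewall.
resource "azurerm_firewall_policy" "core" {
  name                = "fwp-core"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# Rules are grouped into rule collection groups attached to the policy.
resource "azurerm_firewall_policy_rule_collection_group" "workspace" {
  name               = "rcg-workspace"
  firewall_policy_id = azurerm_firewall_policy.core.id
  priority           = 200

  network_rule_collection {
    name     = "allow-workspace-dns"
    priority = 100
    action   = "Allow"

    rule {
      name             = "dns-to-core-resolver"
      protocols        = ["UDP", "TCP"]
      source_ip_groups = [azurerm_ip_group.workspace_sources.id]
      # Placeholder resolver address inside the core network.
      destination_addresses = ["10.0.0.4"]
      destination_ports     = ["53"]
    }
  }
}

# The firewall itself then only needs
#   firewall_policy_id = azurerm_firewall_policy.core.id
# on its azurerm_firewall resource instead of inline rule collections.
```

The per-firewall cap on IP Groups discussed later in this thread applies to every group referenced by the policy, so a design that creates groups per workspace needs a bound on how many workspaces a single firewall can serve.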

@tamirkamara
Collaborator

tamirkamara commented Nov 29, 2022

  1. IMO the wording is not quite right as although Microsoft now recommends using the newer Firewall Policy objects, it's not like there's something wrong with the older implementation of classic rules.
  2. We have looked at IP Groups but since they are limited to 200 per firewall decided not to proceed with it.

@chboudry
Author

chboudry commented Nov 29, 2022

  1. I think we are saying the same thing; a recommendation is a best practice, right?
    I'm not saying the older implementation does not work,
    but we (FastTrack, CSA, PFE) do advise customers not to use it anymore on new setups (new Azure topology, not TRE related).
    That's why it would make sense to update.

  2. You would hit that limit? I was thinking you may have 1 or 2 IP groups per workspace max?

@tamirkamara
Collaborator

  1. I understand, but since TRE isn't new we have our own "legacy". Migrating to the newer policies is something we talked about but didn't see a clear advantage.
  2. We currently have 2 per workspace and will have more since we're adding more "address spaces" to a workspace. In the past it was considered that 100 workspaces aren't out of the question.

@marrobi
Member

marrobi commented Jan 20, 2023

@tamirkamara are you doing some work around the IP groups element at the moment?

Does it make sense to focus this issue on moving to firewall policies?

@tamirkamara
Collaborator

tamirkamara commented Jan 22, 2023

  1. I'm doing some work around IP Groups, but only when it comes to core subnets. I don't see an easy way for us to handle workspace level ones.
  2. Opened a separate issue (Use Azure Firewall Policies #3100) just for the policies which will be handled in an upcoming PR.

@tamirkamara
Collaborator

I'm closing this issue per the last comment.
