
Azure Firewall explicit proxy Migration Guide

This blog highlights the significant upcoming updates to the Azure Firewall explicit proxy and provides thorough guidance for users currently utilising PAC file configurations. It also explains the deployment options available for enabling the explicit proxy after these changes take effect, including methods via the Azure portal, PowerShell, and Azure CLI.

Designed for those using the preview version of Azure Firewall explicit proxy, this article will help you understand how to set up the new PAC file SAS URL retrieval method, which will soon become the standard.

By default, Azure Firewall functions in a transparent proxy mode. In this mode, you can configure a user-defined route (UDR) to send your traffic through the firewall. The firewall then intercepts that traffic inline and directs it to its intended destination.

However, when you implement the explicit proxy on the outbound path, you can set up proxy settings in your sending application (like a web browser) to route traffic through the Azure Firewall as the proxy. Consequently, traffic from your application goes directly to the firewall’s private IP address, allowing it to exit straight from there without needing a UDR.

At the time of writing, the Azure Firewall explicit proxy feature is still in Preview mode.

  • The PAC (Proxy Auto-Configuration) file size is capped at 256 KB.
  • Now you can support HTTP and HTTPS traffic over a single HTTP proxy port.
  • The previous dual-port configuration requirement (explicit proxy v1) has been removed.
  • You can now enable explicit proxy directly by creating a Firewall Policy in the Azure portal.
  • Once the feature reaches general availability (GA), both a PAC file SAS URL and Managed Identity (MSI) will be required, along with the proper role assignments to align with Microsoft’s security protocols.

  • Navigate to Members > Managed Identity and choose the identity you created earlier. Review your selections and click Assign in the Review + Assign blade.

  • Check that your modifications are showing under Role Assignments by searching for the managed identity. Please ensure that the Managed Identity name begins with "PacFileMSI-".

Once you have both the PAC file SAS URL and Managed Identity, you can enable the PAC file in the explicit proxy configuration by:

  • Inputting the PAC file SAS URL, and
  • Choosing the Managed Identity you set up earlier.

For secure usage of the explicit proxy, you need to ensure that:

  • You have the PAC file SAS URL, and
  • A Managed Identity with the necessary permissions to access the PAC file from your Blob Storage account.

Using PowerShell:

  1. Create a Firewall Policy with explicit proxy settings:

    $exProxy = New-AzFirewallPolicyExplicitProxy `
        -EnableExplicitProxy `
        -HttpPort 100 `
        -EnablePacFile `
        -PacFilePort 130 `
        -PacFile "https://sampleurlfortesting.blob.core.windows.net/container/proxy.pac"

  2. Update the Firewall Policy with explicit proxy configuration:

    New-AzFirewallPolicy `
        -Name "fp1" `
        -ResourceGroupName "TestRg" `
        -ExplicitProxy $exProxy `
        -UserAssignedIdentityId "/subscriptions/e7eb2257-46e4-4826-94df-153853fea38f/resourcegroups/testrg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/PacFileMSI-eproxyidentity"
Using Azure CLI:

  1. Create a Firewall Policy with explicit proxy settings:

    az network firewall policy create -g "testrg" -n "testfwpolicy" --sku Premium \
        --explicit-proxy enable-explicit-proxy=true http-port=9001 enable-pac-file=true pac-file-port=122 \
        pac-file="https://eproxypstestresources.blob.core.windows.net/explicitproxycontainer/proxy.pac" \
        --identity "Identity_ID"

  2. Update the Firewall Policy with explicit proxy configuration:

    az network firewall policy update -g "testrg" -n "testfwpolicy" \
        --explicit-proxy enable-explicit-proxy=true http-port=9001 enable-pac-file=true pac-file-port=124 \
        pac-file="https://eproxypstestresources.blob.core.windows.net/explicitproxycontainer/proxy.pac" \
        --identity "Identity_ID"
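The secure-usage prerequisites listed above (a PAC file SAS URL plus a "PacFileMSI-" managed identity) and the 256 KB PAC file cap can be checked before running either procedure. The following pre-flight script is an added example, not code from the original post or from Azure Firewall; the function names and sample values are my own, and the read-only (sp=r) check is a least-privilege recommendation rather than a requirement stated in the guide.

```powershell
# Added example: validate a PAC file SAS URL, the managed identity name and the
# PAC file size before passing them to New-AzFirewallPolicyExplicitProxy.
function Test-PacFileSasUrl {
    param([Parameter(Mandatory)][string]$SasUrl)
    $problems = [System.Collections.Generic.List[string]]::new()
    $uri = [System.Uri]$SasUrl
    if ($uri.Scheme -ne 'https') { $problems.Add('SAS URL must use https') }
    # Parse the SAS token fields: sp = permissions, se = expiry, sig = signature.
    $q = @{}
    foreach ($pair in $uri.Query.TrimStart('?') -split '&') {
        $kv = $pair -split '=', 2
        if ($kv.Count -eq 2) { $q[$kv[0]] = [System.Uri]::UnescapeDataString($kv[1]) }
    }
    if (-not $q.ContainsKey('sig')) { $problems.Add('no SAS signature (sig=) present') }
    # Least privilege (my recommendation): the firewall only needs to read the PAC file.
    if ($q['sp'] -ne 'r') { $problems.Add("SAS permissions should be read-only, got '$($q['sp'])'") }
    if ($q.ContainsKey('se')) {
        $expiry = [DateTimeOffset]::Parse($q['se'], [cultureinfo]::InvariantCulture)
        if ($expiry -le [DateTimeOffset]::UtcNow) { $problems.Add("SAS expired at $($q['se'])") }
    } else { $problems.Add('SAS has no expiry (se=)') }
    return ,$problems
}

function Test-PacFilePrerequisites {
    param(
        [Parameter(Mandatory)][string]$SasUrl,
        [Parameter(Mandatory)][string]$IdentityName,
        [string]$LocalPacFile   # optional local copy, used to check the 256 KB cap
    )
    $problems = Test-PacFileSasUrl -SasUrl $SasUrl
    if (-not $IdentityName.StartsWith('PacFileMSI-')) {
        $problems.Add("managed identity name '$IdentityName' must begin with PacFileMSI-")
    }
    if ($LocalPacFile -and (Get-Item $LocalPacFile).Length -gt 256KB) {
        $problems.Add('PAC file exceeds the 256 KB limit')
    }
    return ,$problems
}

# Constructed sample values; the sig value is a placeholder, not a real signature.
$sample = 'https://eproxypstestresources.blob.core.windows.net/explicitproxycontainer/proxy.pac' +
          '?sp=r&st=2025-01-01T00:00:00Z&se=2030-01-01T00:00:00Z&spr=https&sv=2022-11-02&sr=b&sig=PLACEHOLDER'
$issues = Test-PacFilePrerequisites -SasUrl $sample -IdentityName 'PacFileMSI-eproxyidentity'
if ($issues.Count -eq 0) { 'prerequisites OK: pass these values to the commands above' }
else { $issues | ForEach-Object { "FAIL: $_" } }
```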
