WVD and Azure Firewall Premium – Web content filtering
Azure Firewall Premium is in preview and is full of new features! Check this article to learn more.
I am very interested in understanding the web content filtering capability because, as you probably know, a Windows Virtual Desktop virtual machine can browse the web with no restrictions unless you control it in some way.
Can I use Network Security Groups to control the traffic? Yes, they are helpful, but they do not support categories such as adult content and so on.
An on-premises proxy server? Please no! We need something in the cloud…
Third-party web content filtering services that I can deploy in Azure? Yes, this is a good solution.
Another possibility is (as I wrote in this article) Microsoft Defender for Endpoint, but now we also have Azure Firewall Premium, so let’s try it!
Note: this is only my first look at this new service and I am touching only the web content filtering part, just to share how simple it is to try in a small lab environment.
First of all I created a subnet called AzureFirewallSubnet with a /26 address space inside my existing WVD virtual network (this is a requirement).
I created the firewall in the same region as the VNet and selected the Premium SKU.
Don’t forget to create a new firewall policy by clicking Add new.
I selected my WVD VNet and created a new public IP address for my firewall.
I selected Create and waited a couple of minutes.
I copied the internal (private) IP address assigned to the firewall.
I searched for Route tables in the Azure portal and I clicked on Create
Here are my choices
I clicked on Routes and Add
These are my entries; note that I added the firewall IP as the next hop address.
In Subnets I clicked Associate and selected my WVD virtual network and my VM subnet, so all the traffic coming from the pooled VMs is routed into the firewall.
Now back in Firewalls I clicked my new firewall name, then Firewall Manager, Azure Firewall Manager, Azure Firewall Policies and WE-WVD-Firewall, then Application Rules and Add a Rule Collection.
I added the application rules described in this article.
I created rules for DNS and KMS in the Network Rules according to this article.
I am now able to connect to my session host but I cannot surf the web…
So I added a very “large” application rule to make it possible to browse the whole web (not a best practice, but just to show you the last step).
Basically I allowed source "*" to destination "*" just to have everything (very) wide open, but as I said, this is a first lab experience...
Now I can browse all the websites I need, but my goal is to restrict access to Twitter, Facebook and other social media using the firewall’s web content filtering capability.
So I created another application rule collection with the Deny action and a rule targeting the Social Networking category. The priority of this collection must be higher than the one allowing all web browsing (priority 100 is higher than priority 1000, because lower numbers are processed first).
"Rule collections are processed according to the rule type in priority order, lower numbers to higher numbers from 100 to 65,000" (from the Azure Firewall documentation article).
And the result is that Twitter is no longer reachable.
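The same lab configuration as an added example in Azure CLI (this is not the post’s own code): the route table that sends the session-host subnet through the firewall, the wide-open allow collection at priority 1000, and the Social Networking deny collection at priority 100 that is evaluated first. All names, the subnet prefix and the firewall private IP are placeholders, and the azure-firewall CLI extension is assumed to be installed; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the portal steps as Azure CLI commands.
# Placeholders: rg-wvd-lab, vnet-wvd, snet-wvd-hosts, 10.0.1.0/24, 10.0.255.4, WE-WVD-Firewall.
# Assumes: az logged in, "az extension add --name azure-firewall" done, policy already exists.
# DRY_RUN=1 prints each az command instead of executing it.
set -euo pipefail

RG="${RG:-rg-wvd-lab}"
VNET="${VNET:-vnet-wvd}"
SUBNET="${SUBNET:-snet-wvd-hosts}"
SUBNET_PREFIX="${SUBNET_PREFIX:-10.0.1.0/24}"
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.0.255.4}"   # the internal IP copied from the firewall
POLICY="${POLICY:-WE-WVD-Firewall}"
RCG="${RCG:-DefaultApplicationRuleCollectionGroup}"

az_cmd() {
  # Wrapper: echo the command in dry-run mode, otherwise execute it.
  if [ "${DRY_RUN:-0}" = "1" ]; then printf 'az %s\n' "$*"; else az "$@"; fi
}

# Route table: send all session-host traffic (0.0.0.0/0) to the firewall's private IP.
route_hosts_via_firewall() {
  az_cmd network route-table create -g "$RG" -n rt-wvd
  az_cmd network route-table route create -g "$RG" --route-table-name rt-wvd \
    -n default-to-firewall --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP"
  az_cmd network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --route-table rt-wvd
}

# Lab-only allow-all application rule (the post's "*" to "*"), evaluated last at priority 1000.
add_allow_all_web() {
  az_cmd network firewall policy rule-collection-group collection add-filter-collection \
    -g "$RG" --policy-name "$POLICY" --rule-collection-group-name "$RCG" \
    --name Allow-All-Web --collection-priority 1000 --action Allow \
    --rule-type ApplicationRule --rule-name allow-all-web \
    --protocols Http=80 Https=443 --source-addresses "$SUBNET_PREFIX" --target-fqdns '*'
}

# Deny the Social Networking web category at priority 100 so it wins over the allow-all.
add_deny_social_networking() {
  az_cmd network firewall policy rule-collection-group collection add-filter-collection \
    -g "$RG" --policy-name "$POLICY" --rule-collection-group-name "$RCG" \
    --name Deny-Social --collection-priority 100 --action Deny \
    --rule-type ApplicationRule --rule-name deny-social-networking \
    --protocols Http=80 Https=443 --source-addresses "$SUBNET_PREFIX" \
    --web-categories SocialNetworking
}

# Apply only when invoked as "./script.sh apply"; sourcing the file just defines the functions.
if [ "${1:-}" = "apply" ]; then
  route_hosts_via_firewall; add_allow_all_web; add_deny_social_networking
fi
```

Without TLS inspection enabled on the policy, HTTPS traffic is categorised from the SNI host name only, which is enough for the category block shown here.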
These are the categories available:
- Alcohol + tobacco
- Child abuse images
- Child inappropriate
- Criminal activity
- Dating + personals
- Gambling
- Hacking
- Hate + intolerance
- Illegal drug
- Illegal software
- Lingerie + swimsuits
- Marijuana
- Nudity
- Pornography/sexually explicit
- School cheating
- Self-harm
- Sex education
- Tasteless
- Violence
- Weapons
- Image sharing
- Peer-to-peer
- Streaming media + downloads
- Download sites
- Entertainment
- Business
- Computers + technology
- Education
- Finance
- Forums + newsgroups
- Government
- Health + medicine
- Information security
- Job search
- News
- Non-profits + NGOs
- Personal sites
- Private IP addresses
- Professional networking
- Search engines + portals
- Translators
- File repository
- Web-based email
- Advertisements + pop-ups
- Chat
- Cults
- Games
- Instant messaging
- Shopping
- Social Networking
- Arts
- Fashion + beauty
- General
- Greeting cards
- Leisure + recreation
- Nature + conservation
- Politics
- Real estate
- Religion
- Restaurants + dining
- Sports
- Transportation
- Travel
- Uncategorized
OK, goal reached! At least for my small lab… I hope this article helps you understand a feature of this new Azure service that could be useful for Windows Virtual Desktop.
Hi Marco, is it possible to assign the policy to a specific user? For example, user A cannot access Twitter while user B can. Great post!
Marco Moioli, indeed an interesting article to go.
Love this, now the wait is on GA....
Amazing inputs, very well put together and articulated.
Nice work, Marco! Thank you for sharing this!