CoursesAzure securityNetwork security & segmentation

Azure Firewall & egress control

Central FQDN allowlists, threat intel, IDPS.

Advanced35 min · lesson 5 of 15

NSGs filter by IP, port, and ASG, but they cannot reason about domains or inspect application-layer traffic. Azure Firewall adds the centralized, FQDN-aware egress control and threat intelligence that turn a compromised workload’s outbound channel from open to blocked-and-logged.

Centralized egress with FQDN rules

Deploy Azure Firewall in a hub VNet and route spoke traffic through it, so all egress passes one enforcement and logging point. Application rules allow outbound only to approved FQDNs (a package mirror, an internal API, a partner endpoint) and deny the rest; network rules handle non-HTTP flows; threat-intelligence filtering blocks traffic to known-malicious IPs and domains. For most workloads the legitimate egress list is short, which makes an allowlist practical — and any attempt to reach an unlisted destination becomes an immediate signal.

an FQDN egress allowlist
# Application rule collection: allow only approved outbound FQDNs from the spoke.
az network firewall application-rule create -g rg -f hub-fw \
--collection-name egress-allow --name approved --priority 100 --action Allow \
--protocols Https=443 --source-addresses 10.1.0.0/16 \
--target-fqdns *.ubuntu.com *.github.com login.microsoftonline.com
# Enable threat-intel filtering to alert+deny known-bad destinations.
az network firewall update -g rg -n hub-fw --threat-intel-mode Deny

Why egress is the neglected half

Almost everyone filters inbound and leaves outbound wide open, yet exfiltration and command-and-control both leave through egress. A default-open outbound policy assumes everything inside the VNet is trustworthy — the exact assumption modern attacks break. Combine the firewall allowlist with DNS Proxy and query logging to catch tunnelling, and the IDPS features of the Premium tier for signature-based detection of exfil and C2 patterns. Default-deny egress is one of the highest-leverage and most commonly missing controls.

Hub egress enforcement
1spoke workloads
no direct internet route
2route to hub firewall
single egress path
3FQDN allowlist + threat intel
approved destinations only
4deny + log the rest
unapproved egress is loud
One central firewall inspects and logs all outbound. Unrestricted egress is free C2 and exfiltration — close it.
Open egress is a ready-made C2 channel
If a compromised workload can open arbitrary outbound connections, the attacker already has exfiltration and command-and-control with no further privilege. Route egress through Azure Firewall with an FQDN allowlist and threat-intel deny — it is worth more than most inbound controls.