Azure Firewall Rule Collection Groups: Managing Windows Updates and Time Server Sync with Microsoft’s Verified Modules

Azure Firewall is a powerful cloud-native service that provides network security across your Azure environment. Managing traffic in and out of your virtual networks requires a precise and structured approach, and Azure Firewall helps achieve this with rule collection groups and rules. In this guide, we will explore how to use the Azure Verified Modules GitHub project. For more details, see the official Microsoft documentation on Azure Firewall rule collections. to enable Windows Updates and Time Server synchronization by configuring Azure Firewall rule collection groups.

What Are Azure Firewall Rule Collection Groups?

Azure Firewall’s rules are organized into rule collection groups and rules. This structure helps you maintain and manage the settings effectively.

• Rule Collection Groups: These are containers for organizing rule collections by priority. You can think of them as a way to categorize rules that have similar purposes.
• Rule Collections: Inside a group, rule collections are the actual sets of rules that Azure Firewall enforces. Rule collections are defined based on the type of traffic they manage—network rules, application rules, or NAT rules.
• Rules: Finally, within each rule collection, you define the specific rules that manage traffic. These rules control things like which IP addresses can communicate through which ports and protocols.

When working with Azure Firewall, setting up rules for basic functionalities like Windows Updates or Time Server synchronization may seem straightforward, but it can require detailed settings that can benefit from automation and consistency. This is where Microsoft’s Azure Verified Modules come in.

Azure Verified Modules GitHub Project

Microsoft provides the Azure Verified Modules. You can also refer to the Azure Firewall documentation for a broader understanding of firewall management. GitHub project to simplify and standardize Azure infrastructure deployments. These modules are built to help you achieve common tasks in Azure using well-defined Infrastructure as Code (IaC) practices. They leverage tools like Bicep and ARM templates, providing verified configurations that are reliable, repeatable, and secure.

We will use this project to configure Azure Firewall to allow Windows Updates and NTP (Network Time Protocol) server synchronization.

Setting Up Azure Firewall Rules for Windows Updates and Time Sync

To enable Windows Updates and time server synchronization, you need to create specific rule collection groups and rules. These rules will allow Azure virtual machines to reach Microsoft’s update servers and time servers.

Note you can either clone the repo or make use of the public repo that Azure provide, below shows you how to clone the repo.

Step 1: Cloning the Verified Modules Repository

Start by cloning the Azure Verified Modules repository:

# Clone the repository
git clone https://github.com/Azure/Azure-Verified-Modules

Step 2: Understanding the Module Structure

In the repository, you will find modules for managing Azure Firewall rule collections. The folder structure helps you locate different types of rule collections (such as Network Rules, Application Rules, and NAT Rules).

For enabling Windows Updates and time synchronization, we will focus on Application Rule Collections. Application rules are ideal for this scenario as they define fully qualified domain names (FQDNs) to allow outbound HTTP/S traffic, which is the type of traffic used for both updates and NTP.

Step 3: Using the Application Rules Module

Navigate to the module related to Firewall Application Rules. The module you need allows Azure Firewall to be configured with outbound rules for reaching well-known domains, like Windows Update servers and NTP servers. For more details, you can refer to the official documentation on Azure Firewall application rules.

The basic configuration requires defining a rule collection group that contains an application rule collection for the update and time synchronization domains.

Example Bicep File

Below is an example Bicep configuration that uses Azure Firewall to create rules allowing Windows Updates and NTP. Refer to the Azure Bicep documentation for more information on using Bicep to manage Azure resources.

param firewallName string
param resourceGroupName string
param location string = resourceGroup().location
param windowsUpdateDomains array = [
  'windowsupdate.microsoft.com',
  '*.windowsupdate.microsoft.com',
  '*.update.microsoft.com',
  '*.delivery.mp.microsoft.com'
]
param ntpDomains array = [
  'time.windows.com'
]

resource firewall 'Microsoft.Network/azureFirewalls@2021-08-01' existing = {
  name: firewallName
  resourceGroup: resourceGroupName
}

resource appRuleCollection 'Microsoft.Network/azureFirewalls/ruleCollections@2021-08-01' = {
  name: '${firewallName}-app-rule-collection'
  parent: firewall
  properties: {
    priority: 200
    ruleCollectionType: 'FirewallPolicy'
    rules: [
      {
        name: 'Allow-Windows-Updates'
        ruleType: 'ApplicationRule'
        targetFqdns: windowsUpdateDomains
        protocols: [
          {
            protocolType: 'Https'
            port: 443
          }
        ]
      }
      {
        name: 'Allow-NTP-Sync'
        ruleType: 'ApplicationRule'
        targetFqdns: ntpDomains
        protocols: [
          {
            protocolType: 'Https'
            port: 443
          }
        ]
      }
    ]
  }
}

Explanation of the Bicep Configuration

• Parameters: The script defines several parameters, including the firewall name, resource group, and domains for Windows Updates and NTP.
• Firewall Resource: The firewall resource is defined as an existing resource, meaning that the script expects the Azure Firewall to already be deployed.
• Application Rule Collection: This rule collection contains two application rules—one for Windows Updates and one for NTP. Each rule targets the necessary FQDNs and specifies HTTPS (port 443) as the protocol.

Step 4: Deploying the Bicep File

To deploy this Bicep file, use the following Azure CLI command:

az deployment group create \
  --resource-group  \
  --template-file .bicep

Replace and with your specific values. This command will deploy the rule collection group to your existing Azure Firewall.

Verifying the Configuration

Once the deployment is complete, it is important to verify that the Azure Firewall is properly configured to allow the necessary traffic. You can also refer to the Azure Firewall verification steps in the official Microsoft Docs for additional troubleshooting and validation methods.

• Windows Updates: You can verify if Windows Updates are working by manually triggering an update check on a virtual machine. If configured correctly, the VM should reach Microsoft’s update servers without issues.
• NTP Synchronization: For NTP, you can verify the time sync status by running the following command on a Windows VM:w32tm /query /statusThis command should display the synchronization details if the connection to the NTP server is successful.

Best Practices for Managing Firewall Rules

When managing Azure Firewall rules, it is crucial to follow a few best practices to keep your infrastructure secure and manageable. Microsoft provides a set of best practices that you can find in their official documentation:

• Organize Rules by Function: Group rules by their function—for example, rules for Windows Updates, security services, etc. This makes it easier to manage and understand.
• Use Appropriate Priorities: Rule priorities determine the order in which they are evaluated. Ensure that more specific rules have higher priorities (lower numerical values).
• Minimize Wildcards: Avoid using wildcards (*) in domain names as much as possible. While convenient, they can open unnecessary access and compromise security.
• Test Thoroughly: Always test new rules in a controlled environment before applying them in production. This helps to avoid disruptions.

Real world example

param firewallPolicyName string
param appGatewaySubnetAddress string 
param vmSubnetAddress string
param location string

resource updateAzureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-01-01' = {
  name: firewallPolicyName
  location:location
  properties: {
    sku: {
      tier: 'Premium'
    }
    threatIntelMode: 'Deny'
    threatIntelWhitelist: {
      fqdns: []
      ipAddresses: []
    }
    dnsSettings: {
      servers: []
      enableProxy: true
    }
    sql: {
      allowSqlRedirect: false
    }
    intrusionDetection: {
      mode: 'Deny'
      configuration: {
        signatureOverrides: []
        bypassTrafficSettings: []
        privateRanges: [
          '172.16.0.0/12'
         ]
      }
    }
  }
}

resource createAzureFireWallServerActivationRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2024-01-01' = {
  parent: updateAzureFirewallPolicy
  name: 'ServerActivation'
  properties: {
    priority: 2900
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'KMS'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: [
              appGatewaySubnetAddress
            ]
            sourceIpGroups: []
            destinationAddresses: []
            destinationIpGroups: []
            destinationFqdns: [
              'kms.core.windows.net'
            ]
            destinationPorts: [
              '1688'
            ]
          }
          {
            ruleType: 'NetworkRule'
            name: 'AppGatewaytoCustomer'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: [
              appGatewaySubnetAddress
            ]
            sourceIpGroups: []
            destinationAddresses: [
              vmSubnetAddress
            ]
            destinationIpGroups: []
            destinationFqdns: []
            destinationPorts: [
              '8080'
              '443'
            ]
          }
          {
            ruleType: 'NetworkRule'
            name: 'AllowWindowsTimeServer'
            ipProtocols: [
              'UDP'
            ]
            sourceAddresses: [
              '*'
            ]
            sourceIpGroups: []
            destinationAddresses: []
            destinationIpGroups: []
            destinationFqdns: [
              'time.windows.com'
            ]
            destinationPorts: [
              '123'
            ]
          }
          {
            ruleType: 'NetworkRule'
            name: 'AllowAzureBackupAllowMonitor'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: [
              '*'
            ]
            sourceIpGroups: []
            destinationAddresses: [
              'AzureBackup'
              'AzureMonitor'
            ]
            destinationIpGroups: []
            destinationFqdns: []
            destinationPorts: [
              '*'
            ]
          }
          {
            ruleType: 'NetworkRule'
            name: 'msedge.api.cdp.microsoft.com'
            ipProtocols: [
              'TCP'
            ]
            sourceAddresses: [
              '*'
            ]
            sourceIpGroups: []
            destinationAddresses: []
            destinationIpGroups: []
            destinationFqdns: [
              'msedge.api.cdp.microsoft.com'
            ]
            destinationPorts: [
              '*'
            ]
          }
          {
            ruleType: 'NetworkRule'
            name: 'AllowLinuxTimeServer'
            ipProtocols: [
              'UDP'
            ]
            sourceAddresses: [
              '*'
            ]
            sourceIpGroups: []
            destinationAddresses: []
            destinationIpGroups: []
            destinationFqdns: [
              'ntp.ubuntu.com'
            ]
            destinationPorts: [
              '*'
            ]
          }
        ]
        name: 'ServerActivation'
        priority: 2900
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'Ubuntu Updates'
            protocols: [
              {
                protocolType: 'Http'
                port: 80
              }
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: []
            webCategories: []
            targetFqdns: [
              '*.ubuntu.com'
            ]
            targetUrls: []
            terminateTLS: false
            sourceAddresses: [
              appGatewaySubnetAddress
            ]
            destinationAddresses: []
            sourceIpGroups: []
            httpHeadersToInsert: []
          }
          {
            ruleType: 'ApplicationRule'
            name: 'Windows Updates'
            protocols: [
              {
                protocolType: 'Http'
                port: 80
              }
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: [
              'WindowsUpdate'
              'WindowsDiagnostics'
            ]
            webCategories: []
            targetFqdns: []
            targetUrls: []
            terminateTLS: false
            sourceAddresses: [
              appGatewaySubnetAddress
            ]
            destinationAddresses: []
            sourceIpGroups: []
            httpHeadersToInsert: []
          }
          {
            ruleType: 'ApplicationRule'
            name: 'Azure Monitor'
            protocols: [
              {
                protocolType: 'Http'
                port: 8080
              }
              {
                protocolType: 'Https'
                port: 443
              }
            ]
            fqdnTags: []
            webCategories: []
            targetFqdns: [
              '*.azure.com'
              '*.windows.net'
            ]
            targetUrls: []
            terminateTLS: false
            sourceAddresses: [
              appGatewaySubnetAddress
            ]
            destinationAddresses: []
            sourceIpGroups: []
            httpHeadersToInsert: []
          }
        ]
        name: 'LinuxUpdates'
        priority: 3000
      }
    ]
  }
}

resource createAzureFireWallTimeSyncRuleCollectionGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2024-01-01' = {
  parent: updateAzureFirewallPolicy
  name: 'TimeSync'
  properties: {
    priority: 2000
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'TimeSync'
            ipProtocols: [
              'Any'
            ]
            sourceAddresses: [
              appGatewaySubnetAddress
            ]
            sourceIpGroups: []
            destinationAddresses: [
              '*'
            ]
            destinationIpGroups: []
            destinationFqdns: []
            destinationPorts: [
              '123'
            ]
          }
        ]
        name: 'TimeSync'
        priority: 2000
      }
    ]
  }
  dependsOn:[
    createAzureFireWallServerActivationRuleCollectionGroup
  ]
}

Conclusion

Configuring Azure Firewall with rule collection groups and rules for enabling Windows Updates and time server synchronization is an important part of managing Windows workloads in Azure. By leveraging Microsoft’s Azure Verified Modules from GitHub, you can automate the deployment of these configurations, ensuring a consistent and reliable approach.

Using the example Bicep script above, you can quickly implement rules that allow your VMs to stay updated and correctly synchronized with Microsoft’s time servers, all while maintaining a secure and organized firewall configuration. Azure Firewall, combined with the automation provided by these verified modules, makes network management simpler and more effective.