I was frequently asked to add or remove an IP in an Azure Web Application firewall configuration, in a case where restricting access to a subnet was not an option. That is why I wanted to automate the task, and at the same time give every added IP a lifetime so that it is removed again without anyone having to remember it.
After some thought, I came up with the following plan:
Validating the request, and managing the workflow of adding and later removing the IP.
It is a C# Azure Function exposing one HTTP input binding and requiring Azure Active Directory authentication. The add-then-remove workflow is managed through a Durable Function, so the removal is scheduled at the time of the add.
The claims in the request must contain at least the ID of the allowed group for the logic to be triggered; any caller without that group claim is rejected before anything is queued. The configuration required to inject security groups into the claims will be covered in a future post.
The message sent to the queue and the record written to the audit table contain only:
- the IP of the request
- the date, in the description
- a unique ID
Keeping track of the demand without exposing any sensitive data linked to a person.
It is an audit log, with the capability of knowing whether the IP changed for a given demand (the unique ID links the add, the removal and the audit row).
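As an added example, not code from the original post (which implements this part in C# with a Durable orchestrator), here is the validation step written as a PowerShell Azure Function, the language the post uses for its firewall function. It assumes App Service Authentication (Easy Auth) in front of the function, which forwards the caller's validated claims as base64 JSON in the `x-ms-client-principal` header and sets `X-Forwarded-For`; the binding names `AddQueue` and `AuditTable`, the app setting `ALLOWED_GROUP_ID` and the message field names `Id`, `Ip`, `Description` are assumptions of this example. The lifetime and the matching Remove message are left to the orchestrator described above; this code only produces the Add message and the audit row.

```powershell
# run.ps1 of the HTTP-triggered validator. function.json (not shown) is assumed
# to bind $Request (httpTrigger behind Easy Auth), a queue output named
# 'AddQueue' and a table output named 'AuditTable'.
using namespace System.Net
param($Request, $TriggerMetadata)

# Object ID of the Azure AD group allowed to request a change; read from an
# app setting (assumed name) rather than hard-coded.
$AllowedGroupId = $env:ALLOWED_GROUP_ID

# Case-insensitive header lookup, so the casing the runtime uses does not matter.
function Get-Header {
    param($Headers, [string]$Name)
    foreach ($key in $Headers.Keys) {
        if ($key -ieq $Name) { return $Headers[$key] }
    }
    return $null
}

# Easy Auth forwards the validated token's claims to the function as
# base64 JSON: { "auth_typ": ..., "claims": [ { "typ": ..., "val": ... } ] }.
function ConvertFrom-ClientPrincipal {
    param([string]$HeaderValue)
    if ([string]::IsNullOrWhiteSpace($HeaderValue)) { return $null }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($HeaderValue))
    return ($json | ConvertFrom-Json)
}

# True only when a 'groups' claim carries the allowed group's object ID.
function Test-AllowedGroup {
    param($Principal, [string]$GroupId)
    if ([string]::IsNullOrWhiteSpace($GroupId) -or $null -eq $Principal -or -not $Principal.claims) { return $false }
    $groups = @($Principal.claims | Where-Object { $_.typ -eq 'groups' } | ForEach-Object { $_.val })
    return ($groups -contains $GroupId)
}

# Caller address from the first hop of X-Forwarded-For (the App Service front
# end appends a port). The request body is never trusted for the IP; otherwise
# any group member could allow an arbitrary address.
function Get-CallerIp {
    param([string]$ForwardedFor)
    if ([string]::IsNullOrWhiteSpace($ForwardedFor)) { return $null }
    $first = ($ForwardedFor -split ',')[0].Trim()
    if ($first -match '^\[(.+)\]:\d+$') { $first = $Matches[1] }                      # [v6]:port
    elseif ($first -match '^(\d{1,3}(?:\.\d{1,3}){3}):\d+$') { $first = $Matches[1] } # v4:port
    $parsed = $null
    if ([IPAddress]::TryParse($first, [ref]$parsed)) { return $parsed.ToString() }
    return $null
}

# The only data that leaves this function: IP, dated description, unique ID.
function New-AccessRequestMessage {
    param([string]$Ip)
    $stamp = [DateTime]::UtcNow.ToString('yyyy-MM-ddTHH:mm:ssZ')
    return [ordered]@{
        Id          = [Guid]::NewGuid().ToString()
        Ip          = $Ip
        Description = "Temporary allow requested at $stamp (automation)"
    }
}

function Send-Response {
    param([HttpStatusCode]$Status, [string]$Body)
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{ StatusCode = $Status; Body = $Body })
}

$principal = ConvertFrom-ClientPrincipal (Get-Header $Request.Headers 'x-ms-client-principal')
if (-not (Test-AllowedGroup $principal $AllowedGroupId)) {
    Send-Response Forbidden 'caller is not a member of the allowed group'
    return
}

$ip = Get-CallerIp (Get-Header $Request.Headers 'x-forwarded-for')
if (-not $ip) {
    Send-Response BadRequest 'could not determine the caller IP'
    return
}

$message = New-AccessRequestMessage -Ip $ip
Push-OutputBinding -Name AddQueue -Value ($message | ConvertTo-Json -Compress)
Push-OutputBinding -Name AuditTable -Value @{
    PartitionKey = 'access-request'
    RowKey       = $message.Id
    Ip           = $message.Ip
    Description  = $message.Description
}
Send-Response Accepted "request $($message.Id) queued for $ip"
```

Two points worth keeping when adapting this: the group check must run before anything is written to the queue or the table, and the IP is taken from the transport (`X-Forwarded-For` as set by the platform), never from a caller-supplied field, so the privilege a group member gets is "allow my own address", not "allow any address".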
A pipe to transfer requests to the function that has the rights to manage the firewall, without exposing those rights to the function facing the users.
It consists of two Azure queues (Add and Remove) serving as the link between the two Azure Functions.
Handling the requests in the Add and Remove queues by invoking simple PowerShell Core commands.
It is a PowerShell Azure Function that validates the request (exactly one IP is added) and applies it to the firewall. The priority used for the rule is a constant.
The Function's identity is an Azure Managed Service Identity, which holds a role allowing it to manage the firewall configuration of the targeted Web Application and nothing else.
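As an added example, not the post's own code: the queue-triggered PowerShell function that applies one request to the Web App. It takes "firewall" to mean the Web App's access restriction rules, managed with the Az.Websites cmdlets `Get-AzWebAppAccessRestrictionConfig`, `Add-AzWebAppAccessRestrictionRule` and `Remove-AzWebAppAccessRestrictionRule`; which commands the post actually runs is not stated, so that is an assumption, as are the app setting names, the `auto-` rule prefix and the priority value 300. It expects the message format described above (unique ID, IP, dated description), and relies on the Function's `profile.ps1` running `Connect-AzAccount -Identity` so that the cmdlets act as the managed identity.

```powershell
# run.ps1 of the queue-triggered function that applies a rule.
# Assumptions: function.json binds $QueueItem to the Add queue; the Remove
# function is the same file with $Action = 'Remove'; Az.Websites is listed in
# requirements.psd1; profile.ps1 runs Connect-AzAccount -Identity.
using namespace System.Net
param($QueueItem, $TriggerMetadata)

$Action        = 'Add'                          # 'Add' or 'Remove', one per function
$ResourceGroup = $env:TARGET_RESOURCE_GROUP     # app settings, assumed names
$WebAppName    = $env:TARGET_WEBAPP_NAME
$RulePriority  = 300                            # constant priority for automated rules
$RulePrefix    = 'auto-'                        # only rules with this prefix are ever removed

# Exactly one host address: no lists, no CIDR ranges, no hostnames, and
# nothing that cannot be a remote caller (loopback, link-local, multicast, any).
function Test-SingleIp {
    param([string]$Value)
    if ([string]::IsNullOrWhiteSpace($Value) -or $Value -match '[,;\s/]') { return $false }
    $parsed = $null
    if (-not [IPAddress]::TryParse($Value, [ref]$parsed)) { return $false }
    if ([IPAddress]::IsLoopback($parsed) -or $parsed.IsIPv6LinkLocal -or $parsed.IsIPv6Multicast) { return $false }
    if ($parsed.Equals([IPAddress]::Any) -or $parsed.Equals([IPAddress]::IPv6Any)) { return $false }
    return $true
}

# Access restrictions take a CIDR; a single host is /32 (IPv4) or /128 (IPv6).
function ConvertTo-HostCidr {
    param([string]$Ip)
    $family = [IPAddress]::Parse($Ip).AddressFamily
    if ($family -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6) { return "$Ip/128" }
    return "$Ip/32"
}

# Parse the validator's message and refuse anything that is not
# { Id: GUID, Ip: single address, Description: text }. A thrown error fails
# the invocation, so the runtime retries and finally parks the message in
# the poison queue instead of touching the firewall.
function ConvertFrom-AccessRequest {
    param($Item)
    $msg = if ($Item -is [string]) { $Item | ConvertFrom-Json } else { $Item }
    foreach ($field in 'Id', 'Ip', 'Description') {
        if ([string]::IsNullOrWhiteSpace($msg.$field)) { throw "message is missing '$field'" }
    }
    $guid = [Guid]::Empty
    if (-not [Guid]::TryParse($msg.Id, [ref]$guid)) { throw "message Id '$($msg.Id)' is not a GUID" }
    if (-not (Test-SingleIp $msg.Ip)) { throw "message Ip '$($msg.Ip)' is not a single public IP" }
    return [pscustomobject]@{ Id = $guid.ToString(); Ip = $msg.Ip; Description = [string]$msg.Description }
}

# Apply or revert one rule idempotently, keyed on the request ID, so a retried
# or duplicated queue message cannot create two rules or delete a rule that
# was not created by this automation.
function Set-TemporaryAllowRule {
    param([ValidateSet('Add', 'Remove')][string]$Action, $Request)
    $ruleName = "$RulePrefix$($Request.Id)"
    $config   = Get-AzWebAppAccessRestrictionConfig -ResourceGroupName $ResourceGroup -Name $WebAppName
    $existing = @($config.MainSiteAccessRestrictions | Where-Object { $_.RuleName -eq $ruleName })

    if ($Action -eq 'Add') {
        if ($existing.Count -gt 0) { Write-Information "rule $ruleName already present"; return }
        Add-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebAppName `
            -Name $ruleName -Priority $RulePriority -Action Allow `
            -IpAddress (ConvertTo-HostCidr $Request.Ip) -Description $Request.Description
    }
    else {
        if ($existing.Count -eq 0) { Write-Information "rule $ruleName already removed"; return }
        Remove-AzWebAppAccessRestrictionRule -ResourceGroupName $ResourceGroup -WebAppName $WebAppName -Name $ruleName
    }
}

$request = ConvertFrom-AccessRequest $QueueItem
Set-TemporaryAllowRule -Action $Action -Request $request
Write-Information "$Action rule for request $($request.Id) ($($request.Ip)) done"
```

Naming the rule after the request's unique ID is what makes the Remove side safe: the Remove function deletes by name, so it can only ever take away a rule the Add function created for that same demand, and a message replayed twice is a no-op the second time. The managed identity behind `Connect-AzAccount -Identity` should carry a role scoped to this one Web App; the validator function never holds that role, which is the point of putting the queues in between.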
Hope this helps !