Azure Firewall Role-Based Access Control

Role-based access control in Azure lets you grant fine-grained permissions on specific resources. To control who may operate Azure Firewall, you need a custom role definition that states which permissions are granted to whom.

In this article, let's look at the Azure Firewall actions you can control in your cloud environment.

Before constructing a role definition, you need to know which operations Azure Firewall supports. Run the following PowerShell to get the list of operations:

The result shows you three operations:

  • Microsoft.Network/azurefirewalls/read : allows reading Azure Firewall resource information, including rules, properties and the general information shown on the Overview blade.
  • Microsoft.Network/azurefirewalls/write : allows creating and updating an Azure Firewall, both the resource itself and its rules.
  • Microsoft.Network/azurefirewalls/delete : allows deleting Azure Firewall resources.

You may like to learn about Azure Firewall Monitoring here.

Depending on your cloud governance, the role definition may vary. Here is what I'd propose to keep permissions fine-grained for the people who operate your Azure Firewall.

The role definition gives the assigned group or person the ability to authorize Azure resources, to query the Activity Log and to control Azure Firewall. Microsoft.Support/* is an additional permission if you'd like to allow your team to create support tickets with Microsoft.

To create the custom role and assign it to an existing group (e.g. SecOps), run the following PowerShell script.
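The following script is an added example, not the post's own script. It covers both steps above: it lists the Azure Firewall operations exposed by the Microsoft.Network provider, then creates a custom role and assigns it to the SecOps group. It assumes the Az PowerShell module (Az.Resources) and an already connected session (Connect-AzAccount). The role name "Azure Firewall Operator", the subscription ID placeholder, and the actions outside Microsoft.Network/azurefirewalls/* (chosen to cover the authorization-read, Activity Log and support-ticket permissions the article describes) are my assumptions, not values from the article.

```powershell
# Added example, not the original post's script.
# Assumes: Az.Resources module, Connect-AzAccount already run, and an
# existing Azure AD group named "SecOps". Subscription ID is a placeholder.

$subscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your subscription ID
$groupName      = 'SecOps'                                  # existing group, as in the article
$roleName       = 'Azure Firewall Operator'                 # role name is an assumption
$scope          = "/subscriptions/$subscriptionId"

# Step 1: enumerate the operations the provider exposes for Azure Firewall.
# Expect the three actions discussed above: read, write and delete.
Get-AzProviderOperation 'Microsoft.Network/azurefirewalls/*' |
    Select-Object Operation, Description |
    Format-Table -AutoSize

# Step 2: describe the custom role as JSON for New-AzRoleDefinition.
# Only the three azurefirewalls actions come from the article; the rest are
# my choices for "authorize resources", "query Activity Log" and "support tickets".
$roleDefinition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = 'Operate Azure Firewall; read RBAC and Activity Log; open support tickets.'
    Actions          = @(
        'Microsoft.Network/azurefirewalls/read',
        'Microsoft.Network/azurefirewalls/write',
        'Microsoft.Network/azurefirewalls/delete',
        'Microsoft.Authorization/*/read',                     # assumption: read role assignments
        'Microsoft.Resources/subscriptions/resourceGroups/read',
        'Microsoft.Insights/eventtypes/values/read',          # assumption: read Activity Log events
        'Microsoft.Support/*'                                 # optional, per the article
    )
    NotActions       = @()
    AssignableScopes = @($scope)
}

$jsonPath = Join-Path ([System.IO.Path]::GetTempPath()) 'azfw-operator-role.json'
$roleDefinition | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath -Encoding UTF8

# Step 3: create the role only if it does not already exist (safe to re-run).
$existingRole = Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue
if (-not $existingRole) {
    New-AzRoleDefinition -InputFile $jsonPath | Out-Null
    Write-Host "Created custom role '$roleName'."
} else {
    Write-Host "Custom role '$roleName' already exists; skipping creation."
}

# Step 4: assign the role to the SecOps group at subscription scope.
$group = Get-AzADGroup -DisplayName $groupName
if (-not $group) { throw "Group '$groupName' not found." }

$existingAssignment = Get-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope -ErrorAction SilentlyContinue
if (-not $existingAssignment) {
    New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName $roleName -Scope $scope | Out-Null
    Write-Host "Assigned '$roleName' to group '$groupName' at $scope."
} else {
    Write-Host "Assignment already present; nothing to do."
}
```

If the firewalls live in a dedicated resource group, set AssignableScopes and the assignment scope to that resource group instead of the whole subscription; that keeps the write and delete actions limited to the firewalls the team actually operates, which is the point of a custom role over the built-in Network Contributor.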



© 2018 The Soldier of Fortune.