From 77711a50024974ef22ddf660323c2db58fa5b6e2 Mon Sep 17 00:00:00 2001 From: Jon Ormond Date: Tue, 22 Sep 2015 16:34:33 -0700 Subject: [PATCH] Fix concurrent Azure.Tips again --- articles/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/articles/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm.md b/articles/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm.md index bb1362cd460..cea8c34655c 100644 --- a/articles/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm.md +++ b/articles/virtual-network/virtual-networks-dmz-nsg-fw-udr-asm.md @@ -202,6 +202,7 @@ For this example, we need 7 types of rules, these rule types are described as fo >[AZURE.TIP] On the second application traffic rule, any port is allowed for easy of this example, in a real scenario the most specific port and address ranges should be used to reduce the attack surface of this rule.
+ >[AZURE.IMPORTANT] Once all of the above rules are created, it’s important to review the priority of each rule to ensure traffic will be allowed or denied as desired. For this example, the rules are in priority order. It's easy to be locked out of the firewall due to mis-ordered rules. At a minimum, ensure the management for the firewall itself is always the absolute highest priority rule. ### Rule Prerequisites @@ -304,6 +305,7 @@ There are four critical fields needed to create this rule: >[AZURE.TIP] This rule uses the service “Any” to make the sample application easier to setup and use, this will also allow ICMPv4 (ping) in a single rule. However, this is not a recommended practice. The ports and protocols (“Services”) should be narrowed to the minimum possible that allows application operation to reduce the attack surface across this boundary.
+ >[AZURE.TIP] Although this rule shows an explicit-dest reference being used, a consistent approach should be used throughout the firewall configuration. It is recommended that the named Network Object be used throughout for easier readability and supportability. The explicit-dest is used here only to show an alternative reference method and is not generally recommended (especially for complex configurations). - **Outbound to Internet Rule**: This Pass rule will allow traffic from any Source network to pass to the selected Destination networks. This rule is a default rule usually already on the Barracuda NG firewall, but is in a disabled state. Right-clicking on this rule can access the Activate Rule command. The rule shown here has been modified to add the two local subnets that were created as references in the prerequisite section of this document to the Source attribute of this rule.
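Review bot: In the first hunk (@@ -202), the context line immediately above the inserted blank line still carries the typo `for easy of this example` (should be `for ease of this example`); since this region is already being touched, correct it in the same patch rather than leaving it for another "again" fix. The blank line itself is the right fix for the stated problem: without a separator the `>[AZURE.TIP]` and the following `>[AZURE.IMPORTANT]` render as one merged blockquote, and the IMPORTANT callout's operational point (review rule priority so that mis-ordered rules cannot lock administrators out, and keep the firewall's own management rule at the absolute highest priority) deserves to stand on its own.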
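Review bot: In the second hunk (@@ -304), the context line `easier to setup and use` should read `easier to set up and use` (verb, not noun); worth fixing while this block is edited. The inserted blank line is the same callout-separation fix as in the first hunk, and it matters here because the two adjacent `>[AZURE.TIP]` blocks make different points: the first warns that the `Any` service widens the attack surface across the boundary and should be narrowed to the minimum ports and protocols the application needs, while the second recommends referencing the named Network Object consistently instead of explicit-dest; merged into one blockquote those read as a single tip.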