Using Azure Firewall or Squid as virtual appliance in Azure Route Table to overwrite Internet outbound system route of Azure VMs
By default, Azure has a system route that allows Internet outbound traffic and cannot be deleted. To ensure there is no Internet outbound traffic, most people just add a higher priority rule (lower number in the setting — don’t ask why) for address prefix 0.0.0.0/0 and DENY it in the NSG. But there is another way, and that is to use a User Defined Route (UDR), which appears as “Route tables” when searching in the Azure Portal.
Some would ask why not just add an NSG rule to send 0.0.0.0/0 to the Azure Firewall or Squid private IP with a port number. Why make it so complex? I’m not going to debate that here. That way works too, and if it is good enough for you, you can stop here.
In this tutorial, we will explore how to setup and configure both Azure Firewall and Squid as a virtual appliance in a Route Table. The following diagram is the high-level architecture of this exercise:
I will not be going through how to provision the VNET, subnets and Azure Firewall shown in the diagram because it’s quite straightforward.
How to create a Route Table
Search for “Route Tables” in Azure Portal and click “Add”
Fill in the necessary fields like subscription, resource group, region and name. For “Propagate gateway routes” setting, set this to yes if you want to propagate your on-premise routes to the network interfaces in associated virtual networks. For this exercise, set it to “No”. Click “Review + create” and “Create” to create the route table.
Once the route table is created, click on the “Subnets” blade on the left menu, click on “Associate”, select the virtual network and subnet (in this case, the Private subnet) that this route table will be associated with and click “Ok”.
When done, click “Routes” blade on the left menu and click “Add” to add a new route.
Note: we will need to enable IP forwarding on the Squid VM’s network interface.
Enter a friendly name for the “Route name” field. For the “Address prefix” field, enter “0.0.0.0/0”. For the “Next hop type” field, select “Virtual appliance” from the dropdown menu. Only the “Virtual appliance” option will let you edit the “Next hop address” field. Enter either the Azure Firewall or the Squid private IP here. Click “Ok” to add the new route.
Next up, it’s how to configure Azure Firewall and Squid to route the Internet outbound requests from the Linux VM in the Private subnet.
Azure Firewall Setup & Configuration
For Azure Firewall, it’s as simple as creating a new network rule to control the source and destination traffic. Just search and go to your Azure Firewall resource and click “Rules” blade on the left menu.
Click “Network rule collection” and click “Add network rule collection”
Enter a friendly rule name for the “Name” field, the rule priority for “Priority” (the lower the number, the higher the priority) and select “Allow” or “Deny” from the “Action” dropdown menu.
For this exercise, we are just going to add a simple IP address rule to allow our Linux VM in the Private subnet to reach any destination IP and destination port.
Enter a name for “Name”, select “Any” for “Protocol”, select “IP address” for “Source type”, enter the private IP of the Linux VM in the Private subnet for “Source”, select “IP address” for “Destination type”, enter “*” for “Destination Addresses” and lastly enter “*” for “Destination Ports”.
Enable IP Forwarding
Before installing Squid, we first need to enable IP forwarding on the network interface of the Linux VM that will run Squid. Search for and select that Linux VM and click on the “Networking” blade on the left menu.
Click on the link on the right of “Network Interface” text in bold.
Click on “IP configurations”.
Enable “IP forwarding”.
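The route-table and IP-forwarding steps above are easy to get half right: a 0.0.0.0/0 route whose next hop type is not “Virtual appliance”, a route table that is never associated with the Private subnet, or an appliance NIC with IP forwarding still off all leave the VM’s Internet traffic on the system route or silently dropped. The following is an added example (not from the original post) that audits exported JSON for those mistakes. It assumes the camelCase shapes produced by `az network route-table show` and `az network nic show` (`routes[].addressPrefix`, `nextHopType`, `nextHopIpAddress`, `enableIPForwarding`); the two sample documents and the 10.0.2.0/24 appliance subnet are constructed for the demo.

```python
"""Audit a UDR and the appliance NIC for the forced-tunnel setup.

Added example, not part of the original tutorial. Assumes JSON shaped like
`az network route-table show` / `az network nic show` output; sample data and
the appliance subnet below are constructed.
"""
import ipaddress
import json

# Constructed sample: the route table built in the tutorial, as the CLI would show it.
ROUTE_TABLE_JSON = """
{
  "name": "rt-private",
  "routes": [
    {"name": "default-to-appliance", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.2.4"}
  ],
  "subnets": [{"id": "/subscriptions/<sub>/resourceGroups/<rg>/.../subnets/Private"}]
}
"""

# Constructed sample: the Squid VM's NIC, with IP forwarding not yet enabled.
NIC_JSON = """
{
  "name": "squid-vm-nic",
  "enableIPForwarding": false,
  "ipConfigurations": [{"privateIPAddress": "10.0.2.4"}]
}
"""

# Assumed subnet that hosts the appliance (AzureFirewallSubnet or the Squid subnet).
APPLIANCE_SUBNET = ipaddress.ip_network("10.0.2.0/24")


def check_default_route(route_table: dict, appliance_subnet=APPLIANCE_SUBNET) -> list:
    """Return findings for the 0.0.0.0/0 route; an empty list means it looks right."""
    findings = []
    defaults = [r for r in route_table.get("routes", [])
                if r.get("addressPrefix") == "0.0.0.0/0"]
    if not defaults:
        return ["no 0.0.0.0/0 route: Internet-bound traffic still follows the system route"]
    for r in defaults:
        name = r.get("name")
        if r.get("nextHopType") != "VirtualAppliance":
            findings.append(f"route {name}: nextHopType is {r.get('nextHopType')}, "
                            "expected VirtualAppliance")
            continue
        hop = r.get("nextHopIpAddress")
        if not hop:
            findings.append(f"route {name}: VirtualAppliance route has no nextHopIpAddress")
        elif ipaddress.ip_address(hop) not in appliance_subnet:
            findings.append(f"route {name}: next hop {hop} is outside {appliance_subnet}")
    if not route_table.get("subnets"):
        findings.append("route table is not associated with any subnet, so it has no effect")
    return findings


def check_appliance_nic(nic: dict, expected_ip: str) -> list:
    """Return findings for the appliance NIC that the route points at."""
    findings = []
    if not nic.get("enableIPForwarding"):
        findings.append("IP forwarding is disabled: Azure drops packets not addressed to the NIC")
    ips = [c.get("privateIPAddress") for c in nic.get("ipConfigurations", [])]
    if expected_ip not in ips:
        findings.append(f"route next hop {expected_ip} is not one of the NIC addresses {ips}")
    return findings


def audit(route_table_json: str, nic_json: str) -> list:
    """Run both checks and return the combined list of findings."""
    rt = json.loads(route_table_json)
    nic = json.loads(nic_json)
    findings = check_default_route(rt)
    hop = next((r["nextHopIpAddress"] for r in rt.get("routes", [])
                if r.get("addressPrefix") == "0.0.0.0/0" and r.get("nextHopIpAddress")), None)
    if hop:
        findings += check_appliance_nic(nic, hop)
    return findings


if __name__ == "__main__":
    for finding in audit(ROUTE_TABLE_JSON, NIC_JSON):
        print("FINDING:", finding)
```

Run against the constructed samples it reports exactly one finding, the disabled IP forwarding, which is the mistake the note above warns about; feed it the real CLI output for your route table and NIC to check a live deployment.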
Squid Setup and Configuration
To install Squid, just SSH into the Linux VM in the Private subnet and enter
$ sudo apt-get update
$ sudo apt-get install squid
Once installed, Squid will be up and listening on port 3128 by default. You can run the following to get the Squid status and listening port
$ sudo service squid status
$ netstat -an | grep tcp
Next, we will need to update the Squid configuration file (squid.conf) located in the “/etc/squid” folder to set Squid up as a transparent proxy. Enter the following to edit the conf file in VIM.
$ sudo vim /etc/squid/squid.conf
Add and update the following. To edit, enter “i” in VIM.
# squid listening port
#http_port 3128 - comment this line out
# configure Squid as a transparent proxy (newer Squid versions spell this option "intercept")
http_port 8080 transparent
# whitelist domains using a file; each domain (e.g. .google.com) is a separate line in the whitelist file
acl whitelist dstdomain "/etc/squid/whitelist.txt"
# only allow the Linux VM to connect (replace with its private IP)
acl localnet src <Linux VM private IP>
# allow the Linux VM, but only to whitelisted domains; everything else is denied
# (a plain "http_access allow localnet" line would let the VM reach any domain)
http_access allow localnet whitelist
http_access deny all
Save and close VIM by hitting “ESC” key and enter “:wq” which means write and quit.
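Two details of the configuration above decide whether the whitelist actually restricts anything: a dstdomain entry with a leading dot (“.google.com”) matches the domain and all of its subdomains while an entry without one matches only that exact host, and http_access lines are evaluated top to bottom, with the first line whose ACLs all match deciding the request and an unmatched request getting the opposite of the last line’s action. The following added example (not part of the post or of Squid itself) simulates those two rules in Python so the effect of different http_access orderings can be checked before touching the VM. The ACL names, the VM IP 10.0.1.4 and the whitelist contents are constructed for the demo.

```python
"""Simulate Squid dstdomain matching and first-match http_access evaluation.

Added example, not from the original post or from Squid. Implements the two
documented Squid behaviours described above; ACL names, addresses and the
whitelist below are constructed.
"""

# Constructed stand-in for /etc/squid/whitelist.txt, one pattern per line.
WHITELIST = [".google.com", "example.org"]


def dstdomain_matches(pattern: str, host: str) -> bool:
    """Squid dstdomain semantics: '.dom' matches dom and subdomains, 'dom' only dom."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def make_acls(vm_ip: str, whitelist):
    """Build the three ACLs used in the tutorial's squid.conf as predicates."""
    return {
        "localnet": lambda req: req["src"] == vm_ip,                      # acl localnet src <ip>
        "whitelist": lambda req: any(dstdomain_matches(p, req["host"])   # acl whitelist dstdomain
                                     for p in whitelist),
        "all": lambda req: True,                                         # built-in 'all'
    }


def http_access(rules, acls, req) -> str:
    """rules: list of (action, [acl names]) in squid.conf order; returns 'allow' or 'deny'.

    The first line whose ACLs all match decides; if no line matches, Squid
    applies the opposite of the last line's action.
    """
    last_action = "deny"
    for action, names in rules:
        last_action = action
        if all(acls[n](req) for n in names):
            return action
    return "deny" if last_action == "allow" else "allow"


# Two separate allow lines: localnet alone already allows the VM everywhere.
LOOSE_RULES = [("allow", ["localnet"]), ("allow", ["whitelist"])]
# Both ACLs on one line (logical AND) plus an explicit deny: the intended policy.
STRICT_RULES = [("allow", ["localnet", "whitelist"]), ("deny", ["all"])]


def decide(rules, src: str, host: str, vm_ip: str = "10.0.1.4") -> str:
    """Evaluate one request (source IP, destination host) against a rule list."""
    return http_access(rules, make_acls(vm_ip, WHITELIST), {"src": src, "host": host})


if __name__ == "__main__":
    for label, rules in (("loose", LOOSE_RULES), ("strict", STRICT_RULES)):
        for src, host in (("10.0.1.4", "www.google.com"),
                          ("10.0.1.4", "evil.example.net"),
                          ("10.0.9.9", "www.google.com")):
            print(f"{label:6} {src:9} -> {host:18} {decide(rules, src, host)}")
```

With the loose ordering the VM reaches evil.example.net and any other address reaches whitelisted domains; only the strict ordering matches the behaviour described in the Testing section, where non-whitelisted URLs get no response.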
Squid is listening on port 8080, but our UDR route sends the request to the Squid private IP without a port, so we need to redirect requests arriving on port 80 to port 8080. We can do this by creating a NAT rule with iptables.
$ sudo apt-get install iptables
$ sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
Testing
To test, just SSH into the Linux VM in the Private subnet and do “curl http://www.google.com” and you should get a response back. Any other URL besides those whitelisted will not return any response.