Specify Firewall Exceptions by Host Name Resolution
The current mechanism of specifying firewall exceptions is problematic for those without static IP addresses. Allowing permitted IP addresses to be specified by host name resolution would allow customers to use a dynamic DNS service and eliminate the need to manually update firewall rules when a new address is assigned.
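The workaround the request hints at (a dynamic DNS name that is periodically resolved and pushed into the firewall rule) can be scripted today. The following is an added example, not part of the original feedback post or of any Azure tooling: it resolves a host name, compares the result with the prefixes already in an allow rule, and only when they differ builds the `az network nsg rule update` command that would replace them. The resource group, NSG and rule names are hypothetical, the resolver is injectable so the script can be exercised offline with constructed addresses, and a name that resolves to nothing is treated as an error rather than as "allow nothing", so a transient DNS failure does not wipe the rule.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple

# A resolver maps a host name to the IPv4 addresses it currently has.
Resolver = Callable[[str], Iterable[str]]


def resolve_ipv4(hostname: str) -> List[str]:
    """Resolve a host name to its current IPv4 addresses via the system resolver."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def plan_rule_update(
    hostname: str,
    current_prefixes: Iterable[str],
    resolver: Resolver = resolve_ipv4,
) -> Tuple[bool, List[str]]:
    """Compare what `hostname` resolves to against the prefixes already in a rule.

    Returns (changed, desired_prefixes). Each resolved address becomes a /32 so
    the rule never widens beyond the host itself. A name that resolves to no
    address raises instead of returning an empty set, because an empty set
    pushed into the rule would silently remove all access.
    """
    addresses = list(resolver(hostname))
    if not addresses:
        raise ValueError(f"{hostname} resolved to no addresses; leaving rule unchanged")
    desired = {ipaddress.ip_network(f"{addr}/32") for addr in addresses}
    current = {ipaddress.ip_network(p) for p in current_prefixes}
    changed = desired != current
    return changed, sorted(str(n) for n in desired)


def az_rule_update_command(
    resource_group: str, nsg_name: str, rule_name: str, prefixes: Iterable[str]
) -> List[str]:
    """Build the Azure CLI invocation that replaces a rule's source prefixes.

    Assumption: `az network nsg rule update --source-address-prefixes` accepts a
    space-separated list; the command is returned, not executed, so the caller
    can log or review it first.
    """
    return [
        "az", "network", "nsg", "rule", "update",
        "--resource-group", resource_group,
        "--nsg-name", nsg_name,
        "--name", rule_name,
        "--source-address-prefixes", *prefixes,
    ]


if __name__ == "__main__":
    # Constructed, offline demonstration: the "office" DDNS name has moved from
    # 203.0.113.5 to 203.0.113.10 (documentation addresses, not real hosts).
    fake_resolver = lambda name: ["203.0.113.10"]
    changed, desired = plan_rule_update(
        "office.example.net", ["203.0.113.5/32"], resolver=fake_resolver
    )
    if changed:
        cmd = az_rule_update_command("rg-example", "nsg-example", "allow-office", desired)
        print("rule out of date, would run:", " ".join(cmd))
    else:
        print("rule already matches DNS, nothing to do")
```

Run it from a scheduled task against the real resolver by dropping the `resolver=` argument. Two points matter for a defender: the allow-list is now only as trustworthy as the DNS answer, so resolve through a resolver you control and keep the rule scoped to the specific ports the host needs; and the script replaces prefixes only after a successful, non-empty resolution, so a DNS outage degrades to "stale rule" rather than "no rule".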
Thank you for the suggestion. Layer 7 functionality is out of scope for NSG at this time. Please take a look at WAF options, including Application Gateway, to see if they can meet your needs. We’re also looking at ways to expose endpoints within the vnet itself.
Abhishek Kumar commented
Is there an update on this? We currently need host-based outbound rules instead of IP-based ones.
I would like to see this so that outbound (internet) access can be restricted more easily. For example, I have VMs that only need outbound internet connectivity for storage accounts and Azure SQL databases. Instead of allowing the VM outbound access to the entire internet I would like to restrict it to just the hostname of the storage account and Azure SQL database that it uses.
This is also helpful to allow outbound access to services that are sitting behind a CDN.
Ashwin Palekar [MSFT] commented
This is good feedback, thank you, and thank you for all who have taken the time to vote for this feature. This is something I would like to support in future.