Allow creation of NSG rules based on FQDN along with Ports
NSG gives the option to configure NSG rules with IP address and ports. In the same way, we need an option to configure inbound/outbound NSG rules based on FQDN, because most of our customers want to block Internet access from their Azure IaaS VMs. If we do so, we lose the ability to configure Azure Disk Encryption, Azure Key Vault, Azure File Storage services, Azure Websites, etc., because all these Azure services require their endpoints (FQDNs) to be reachable from inside the VM.
This remains on our long-term backlog as something we want to offer.
For now we recommend trying Azure Firewall as the preferred solution to control outbound traffic to the Internet.
This is a major oversight within the NSG. Given the feature was posted 2 years ago, I am guessing it's either not easily achieved and/or simply not a priority.
Pranav Jariwala commented
Is this feature still on the roadmap?
Jeff Miles commented
This is a really crucial feature that's missing right now.
NIST recommendations are a "deny by default" posture, even for outbound traffic. We want to adhere to this and block all outbound, but need the ability to access Windows Update and other interfaces like *.argis.com.
Is it possible to add FQDNs to incoming or outgoing rules in Azure Network Security Groups?
This is a requirement for the On-Premise Data Gateway for Power BI and PowerApps, since the SQL database is hosted in Azure.
Do you have an ETA for this feature on the roadmap?
Sean McNellis commented
Cross posting this as a source of feedback for this same thing: https://feedback.azure.com/forums/34192--general-feedback/suggestions/14997987-network-security-group
Sean McNellis commented
Please, please, please: those of us using DNS services (even large-scale ones like Cloudflare) could benefit from using FQDN-based rules as sources. Additionally, it helps secure RDP and VPN services for clients that may be located at sites with dynamic DNS.
Mario Lopez [MSFT] commented
Thanks for the feedback; we have on our roadmap some features related to this problem.
System tags for Microsoft services like SQL and Storage are going to be available to users to define NSG rules in an abstract form; these tags will be maintained by us to reflect only the service endpoints you use.
I hope it helps. It's not the same, but it goes in the same direction: helping users create and manage their security rules in an abstract form.
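The service-tag approach described in the reply above, as an added Bicep example that is not part of this thread or of any Microsoft sample: outbound traffic from a VM subnet is denied by default, with explicit Allow rules for the Storage, AzureKeyVault and Sql tags so that Azure Disk Encryption, Key Vault and Azure Files keep working. The NSG name, the API version, the tag list and port 443 are assumptions made for the example.

```bicep
// Added example, not from the thread. Assumed: NSG name, API version, the
// service-tag list and port 443 are this example's choices.
var allowedServiceTags = [
  'Storage'       // Azure Storage, including Azure Files
  'AzureKeyVault' // Azure Key Vault, used by Azure Disk Encryption
  'Sql'           // Azure SQL endpoints
]

// One Allow rule per tag; Microsoft keeps each tag's address list current,
// so no IP ranges or FQDNs are hard-coded in the rule.
var allowRules = [for (tag, i) in allowedServiceTags: {
  name: 'allow-out-${toLower(tag)}-443'
  properties: {
    priority: 100 + i
    direction: 'Outbound'
    access: 'Allow'
    protocol: 'Tcp'
    sourceAddressPrefix: 'VirtualNetwork'
    sourcePortRange: '*'
    destinationAddressPrefix: tag
    destinationPortRange: '443'
  }
}]

// Explicit Deny to the Internet tag at a priority that wins over the built-in
// AllowInternetOutBound default rule (65001), giving deny-by-default outbound.
var denyInternetRule = {
  name: 'deny-out-internet'
  properties: {
    priority: 4000
    direction: 'Outbound'
    access: 'Deny'
    protocol: '*'
    sourceAddressPrefix: '*'
    sourcePortRange: '*'
    destinationAddressPrefix: 'Internet'
    destinationPortRange: '*'
  }
}

resource nsg 'Microsoft.Network/networkSecurityGroups@2023-04-01' = {
  name: 'nsg-deny-outbound-by-default'
  location: resourceGroup().location
  properties: {
    securityRules: concat(allowRules, [denyInternetRule])
  }
}
```

Service tags only cover Microsoft-operated endpoints; a third-party destination such as the *.argis.com example earlier in the thread still needs an FQDN-aware control like the Azure Firewall recommended above.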