Azure Firewall and App Connectors

More customers are deploying App Connectors in Azure, and also deploying Azure Firewall. Azure Firewall has L4 and L7 inspection capabilities, however the granular policies for bypassing SNI inspection does cause some issues.
Zscaler Client Connectors and Zscaler App Connectors establish TLS connections to the Service Edge through a DNS resolution and an appropriate SNI in the TLS Client Hello. For example the DNS resolution occurs to any.broker.prod.zpath.net, and the SNI would be customer.domain.prod.zpath.net (for example). The SNI is not publicly resolvable in DNS for understandable reasons.

An NG Firewall would inspect the SNI and may preform re-resolution for DNS, or apply allow/deny policy based on the SNI FQDN. With Zscaler Internet Access, a policy based on the SNI can be configured, and DNS Optimisation controls whether the Service Edge performs re-resolution (or not). However - These controls do not exist in Azure Firewall today. A firewall policy to allow *.zpath.net, *.zscaler.com would be appropriate following the recommendations at https://ips.zscalertwo.net/zpa.

However - to deploy the appropriate firewall rules on Azure Firewall, it’s necessary to write L4 rules (IP/PORT). You should copy the IP addresses at https://ips.zscalertwo.net/zpa and create a firewall rule to allow.

Create an outbound rule in Azure Firewall (Here priority 200)

From https://ips.zscalertwo.net/zpa download the IP addresses, and create a comma separated list - e.g. 8.25.203.0/24,8.34.34.0/24,8.35.35.0/24,52.18.93.240, etc - any /32 could be assumed.
Copy/Paste the list into destination Address field.
Source address 10.1.2.0/24 is the connector IP address range

Click create/apply rule. Your connector routes should now pass through the Azure Firewall and policy will be allowed.

4 Likes

Good post Mark.

(Attachment 4DD7A86E-E0C9-4BAC-A526-24199B015E2A is missing)

2 Likes