topic (orchestrator): [fw] add production readiness note for fw rules (#52)

ferantivero · ckittel · web-flow · commit 39d3dccdc055 · 2025-06-05T08:04:29.000-05:00
Co-authored-by: Chad Kittel &lt;chad.kittel@gmail.com&gt;
diff --git a/infra-as-code/bicep/azure-firewall.bicep b/infra-as-code/bicep/azure-firewall.bicep
@@ -111,7 +111,7 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {
               name: 'allow-dependencies'
               ipProtocols: ['Any']
               sourceAddresses: ['${virtualNetwork::jumpBoxesSubnet.properties.addressPrefix}']
-              destinationAddresses: ['*']
+              destinationAddresses: ['*'] // Production readiness change: tighten destination address to ensure egress traffic is restricted to the minimal required spaces.
               destinationPorts: ['*']
             }
           ]
@@ -120,7 +120,8 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {
     }
   }
 
-  @description('Add rules for the Azure AI agent egress and jump boxes subnets. Extend to support other subnets as needed.')
+  @descriptiou('Add rules for the Azure AI agent egress and jump boxes subnets. Extend to support other subnets as needed.')
+
   resource applicationRules 'ruleCollectionGroups' = {
     name: 'DefaultApplicationRuleCollectionGroup'
     properties: {
@@ -145,7 +146,10 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {
               ]
               fqdnTags: []
               webCategories: []
-              targetFqdns: ['*']
+              targetFqdns: [
+                 '*'
+                 // 'api.bing.microsoft.com' // Production readiness change: refine your target FQDNs to restrict egress traffic exclusively to the external services and endpoints your agent depends on. For instance this fqnd scopes access specifically to Grounding with Bing.
+              ]
               targetUrls: []
               terminateTLS: false
               sourceAddresses: ['${virtualNetwork::agentsEgressSubnet.properties.addressPrefix}']
@@ -177,7 +181,7 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {
               ]
               fqdnTags: []
               webCategories: []
-              targetFqdns: ['*']
+              targetFqdns: ['*'] // Production readiness change: specify target FQDNs to ensure only approved resources can be accessed from your jumpbox.
               targetUrls: []
               terminateTLS: false
               sourceAddresses: ['${virtualNetwork::jumpBoxesSubnet.properties.addressPrefix}']
@@ -228,7 +232,6 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {
             id: virtualNetwork::firewall.id
           }
         }
-        
       }
     ]
     firewallPolicy: {

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {`
`111`	`111`	`name: 'allow-dependencies'`
`112`	`112`	`ipProtocols: ['Any']`
`113`	`113`	`sourceAddresses: ['${virtualNetwork::jumpBoxesSubnet.properties.addressPrefix}']`
`114`		`- destinationAddresses: ['*']`
	`114`	`+ destinationAddresses: ['*'] // Production readiness change: tighten destination address to ensure egress traffic is restricted to the minimal required spaces.`
`115`	`115`	`destinationPorts: ['*']`
`116`	`116`	`}`
`117`	`117`	`]`
`@@ -120,7 +120,8 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {`
`120`	`120`	`}`
`121`	`121`	`}`
`122`	`122`
`123`		`- @description('Add rules for the Azure AI agent egress and jump boxes subnets. Extend to support other subnets as needed.')`
	`123`	`+ @descriptiou('Add rules for the Azure AI agent egress and jump boxes subnets. Extend to support other subnets as needed.')`
	`124`	`+`
`124`	`125`	`resource applicationRules 'ruleCollectionGroups' = {`
`125`	`126`	`name: 'DefaultApplicationRuleCollectionGroup'`
`126`	`127`	`properties: {`
`@@ -145,7 +146,10 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {`
`145`	`146`	`]`
`146`	`147`	`fqdnTags: []`
`147`	`148`	`webCategories: []`
`148`		`- targetFqdns: ['*']`
	`149`	`+ targetFqdns: [`
	`150`	`+ '*'`
	`151`	`+ // 'api.bing.microsoft.com' // Production readiness change: refine your target FQDNs to restrict egress traffic exclusively to the external services and endpoints your agent depends on. For instance this fqnd scopes access specifically to Grounding with Bing.`
	`152`	`+ ]`
`149`	`153`	`targetUrls: []`
`150`	`154`	`terminateTLS: false`
`151`	`155`	`sourceAddresses: ['${virtualNetwork::agentsEgressSubnet.properties.addressPrefix}']`
`@@ -177,7 +181,7 @@ resource azureFirewallPolicy 'Microsoft.Network/firewallPolicies@2024-05-01' = {`
`177`	`181`	`]`
`178`	`182`	`fqdnTags: []`
`179`	`183`	`webCategories: []`
`180`		`- targetFqdns: ['*']`
	`184`	`+ targetFqdns: ['*'] // Production readiness change: specify target FQDNs to ensure only approved resources can be accessed from your jumpbox.`
`181`	`185`	`targetUrls: []`
`182`	`186`	`terminateTLS: false`
`183`	`187`	`sourceAddresses: ['${virtualNetwork::jumpBoxesSubnet.properties.addressPrefix}']`
`@@ -228,7 +232,6 @@ resource azureFirewall 'Microsoft.Network/azureFirewalls@2024-05-01' = {`
`228`	`232`	`id: virtualNetwork::firewall.id`
`229`	`233`	`}`
`230`	`234`	`}`
`231`		`-`
`232`	`235`	`}`
`233`	`236`	`]`
`234`	`237`	`firewallPolicy: {`