by diroussel 1653 days ago
I was on a team that tried to implement this at a bank, using azure. The idea was not at the app level but at machine (vm) level.

Machines in the legacy data center didn’t have internet access, and so they didn’t want cloud machines to have it either.

But once we locked down the network so many things broke. Not just user level stuff like doing code builds in maven, but also machine level stuff like enabling drive encryption.

Preventing out-of-band exfiltration of data and downloading of exploit materials is very important to a defence in depth approach, and none of the clouds seem to embrace it.

The problem was that all azure services were provided on public IP ranges, so given that VM services needed to communicate with azure agent endpoints we couldn’t block on the IP, so had to implement via HTTP proxies.

Using explicit HTTP proxies was a config nightmare as not everything honoured the HTTPS_PROXY env var (e.g. Java). And using an implicit proxy was a nightmare of MITM, custom certs, updating a myriad of trust roots, and then the proxy would use a ‘captive portal’ and cause broken redirects.


Exactly! There has got to be a billion dollar company in this if the UX for administering it was done right so it wasn’t a pain.

Little Snitch, as an example of UX in this area, is perfect, as you can run it for a while first to see what is connecting to what, then start locking down everything else.

Google offers a way to access Google services from your VM 1918 IPs so you don't need to use NAT. I wonder if Azure would consider doing the same.

If you do the blocking in Azure via a Network Security Group, it's simple. You can allow outbound traffic to Azure services and deny anything else.

Until an Azure service is misused for exfil.

Not all services support it yet, but private endpoints are a great solution to this issue in azure.
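The "watch what connects first, then lock everything else down" workflow from the Little Snitch comment, and the "allow outbound to Azure services, deny anything else" NSG policy, as an added example that is not part of the thread. It evaluates constructed connection records against a deny-by-default egress allowlist in audit mode, so the flows that would break on enforcement (a build tool going direct instead of via the proxy, a platform service reaching an unlisted endpoint) show up before the rule is turned on. The allowlist prefixes, process names and flow records are all constructed placeholders, not real Azure ranges.

```python
"""Audit-mode egress policy check (added example, not from the thread).

Evaluates constructed connection records against an allowlist of destination
prefixes and reports what a deny-by-default outbound rule would have blocked.
"""
import ipaddress
from collections import Counter

# Placeholder allowlist standing in for published cloud service ranges
# (constructed values, not real Azure prefixes or ports).
ALLOWED_EGRESS = [
    ("cloud-agent", ipaddress.ip_network("198.51.100.0/24"), {443}),
    ("internal-proxy", ipaddress.ip_network("10.0.0.0/8"), {3128, 8080}),
]

# Constructed flow records: (process, destination ip, destination port)
SAMPLE_FLOWS = [
    ("waagent", "198.51.100.7", 443),          # platform agent, allowed
    ("java", "203.0.113.10", 443),             # maven going direct, bypassing the proxy
    ("java", "10.20.0.5", 3128),               # same tool via the proxy, allowed
    ("disk-encryption-svc", "203.0.113.99", 443),  # machine-level service, unlisted endpoint
    ("curl", "192.0.2.1", 80),
]

def match_rule(dst_ip, dst_port, rules=ALLOWED_EGRESS):
    """Return the name of the first allow rule covering this flow, or None."""
    addr = ipaddress.ip_address(dst_ip)
    for name, net, ports in rules:
        if addr in net and dst_port in ports:
            return name
    return None

def audit_flows(flows, rules=ALLOWED_EGRESS):
    """Classify flows; deny-by-default blocks every flow no allow rule matches."""
    allowed, denied = [], []
    for proc, ip, port in flows:
        rule = match_rule(ip, port, rules)
        (allowed if rule else denied).append((proc, ip, port, rule))
    return allowed, denied

def breakage_report(denied):
    """Count would-be-blocked flows per process: what 'breaks' once enforced."""
    return Counter(proc for proc, _, _, _ in denied)

if __name__ == "__main__":
    ok, blocked = audit_flows(SAMPLE_FLOWS)
    for proc, ip, port, _ in blocked:
        print(f"WOULD DENY {proc} -> {ip}:{port}")
    print(dict(breakage_report(blocked)))
```

Feeding real NSG flow logs (or proxy access logs) through `audit_flows` in place of `SAMPLE_FLOWS` gives the per-process list of destinations that still need an allow rule or a proxy setting before the deny rule is enabled.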