Microsoft Azure pros share their thoughts on Firewall IP Groups, working with Container Registry and Helm charts, and the role of Bring Your Own Key and monitoring tools.

Leveraging Azure Firewall IP Groups

Microsoft MVP Joe Carlyle, writing on We Do Azure, shared his thoughts on Azure Firewall IP Groups. For the moment, these are still in preview. IP Groups can contain one or more IP addresses and IP address ranges, and are used for Network, Application, and DNAT rules in Azure Firewall. Currently, they are limited to 5000 individual IP addresses per firewall instance, for 50 IP Groups or fewer. He wrote:

What this means is that while your rules should already be scoped accurately, you may need to use a couple of extra IP groups if you’re working with large address ranges. A simple example is a /16 will simply not work in an IP Group, /20 is basically your limit per IP Group. If you've worked with Azure Firewall, I'm sure you've already thought of several places these rules can really help. For me, it was within Network Rule Collections. 

An added limitation is that the Azure portal won't let users add an IP Group as a destination. Users who have Firewall in production must exercise tremendous caution because they can easily overwrite collections. Carlyle demonstrated some code as a workaround.
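A pre-flight sizing check for planned IP Groups against the preview limits quoted above, as an added example that is not Carlyle's code or Microsoft's. The group names and entries are constructed, and counting overlapping entries once is an assumption about how the service tallies addresses.

```python
import ipaddress

# Limits as stated in this article for the preview; change them if the service does.
MAX_ADDRESSES = 5000
MAX_GROUPS = 50

def parse_entry(entry):
    """Turn a single IP, a CIDR block, or a 'start-end' range into networks."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]

def group_size(entries):
    """Distinct addresses in one group (assumption: overlaps are counted once)."""
    nets = [net for entry in entries for net in parse_entry(entry)]
    return sum(net.num_addresses for net in ipaddress.collapse_addresses(nets))

def check_groups(groups):
    """Return (sizes, total, problems) for a mapping of group name -> entries."""
    sizes = {name: group_size(entries) for name, entries in groups.items()}
    total = sum(sizes.values())
    problems = []
    if len(groups) > MAX_GROUPS:
        problems.append(f"{len(groups)} groups defined, limit is {MAX_GROUPS}")
    for name, size in sizes.items():
        if size > MAX_ADDRESSES:
            problems.append(f"{name}: {size} addresses, limit is {MAX_ADDRESSES}")
    return sizes, total, problems

# Constructed sample plan: one /16, one /20, and a mixed group with overlaps.
SAMPLE_GROUPS = {
    "ipg-hub": ["10.0.0.0/16"],
    "ipg-spoke": ["10.1.0.0/20"],
    "ipg-mgmt": ["10.2.0.0/24", "10.2.0.10", "10.2.0.250-10.2.1.5"],
}

if __name__ == "__main__":
    sizes, total, problems = check_groups(SAMPLE_GROUPS)
    for name, size in sizes.items():
        print(f"{name}: {size} addresses")
    print(f"combined: {total} addresses")
    for problem in problems:
        print("PROBLEM:", problem)
```

The combined total is returned separately so it can be compared with the per-firewall figure the article quotes, while the per-group check reflects the /16 versus /20 remark.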

Container Registry and Helm charts