topic Re: Azure Datacenter Object - VM, Subnet and VMSS only? in Cloud Firewall

Azure Datacenter Object - VM, Subnet and VMSS only?

Sam2 — Mon, 09 Sep 2024 18:24:28 GMT

Are there any plans to support importing application services?

Reviewing: CloudGuard Controller for Microsoft Azure (checkpoint.com)

States that we can import VNETS, subnets, Virtual Machines, or VMSS. My org uses a ton of app services and i was hoping to use this datacenter import in place of updateable objects that include less specific ranges for azure services in a region.

Thanks

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Jeff_Engel — Mon, 09 Sep 2024 18:59:21 GMT

Hi @Sam2 ,

Can you please provide a specific example? It may be possible to improve Updatable Objects to get to the level of specificity you require. In the meantime, have you taken a look at External Network Feeds? That might fit the bill here.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/Network_Feed.htm

Best Regards!

Jeff

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Sam2 — Mon, 09 Sep 2024 19:01:54 GMT

I am looking to import addresses listed in the networking section under a web app/app service in azure, i cannot share screenshots as they would be specific to my organization.

I can take a look at external network feeds.

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Nir_Shamir — Tue, 10 Sep 2024 05:27:54 GMT

As you mentioned , we can import dynamic objects from your Azure account like VMs, Subnets, vNets, tags etc.

you need to follow the admin guide in order to create a DC center object of your azure subscription and this will allow you to pull these objects and use them in the rules as source or destination.

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Dan_Morris — Tue, 10 Sep 2024 13:26:58 GMT

Hi @Sam

To import IPs from Azure web apps or app services, you can use the CloudGuard controller with tags applied to the app services. This will allow you to effectively populate the IP addresses.

Please note that we do not currently support importing app services alone natively, which is why the Tag functionality is necessary.

Best Regards,

Dan Morris

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Sam2 — Fri, 04 Oct 2024 15:27:39 GMT

Hi Dan,

I tagged the resources but the new tags are not showing in dashboard when i check the datacenter object, is there another step i need to take to get the tags to appear? I can see the subscription and the VMs in the resource group i am working on. Just missing the tags on the webapps.

Thanks

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Sam2 — Tue, 22 Jul 2025 15:56:06 GMT

Reviving this thread as its come up again for me.

I have a datacenter object with azure, it is connected using a service principal and working. I can open it up and see all my subscriptions, I can see virtual networks and all the supported azure resource

As a test i created a new tag called "SamTag" i applied one version of this tag to a VM and another version of this tag to an App service. Refreshing my DC object for azure and looking in tags I can only see the tag that was applied to the VM, Is this expected behavior?

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

Amir_Senn — Wed, 23 Jul 2025 13:04:04 GMT

Not supported on App service AFAIK.

You can see supported resources here: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_CloudGuard_Controller_AdminGuide/Content/Topics-CGRDG/Supported-Data-Centers-Azure.htm?tocpath=Supported%20Data%20Centers%7CCloudGuard%20Controller%20for%20Microsoft%20Azure%7C_____0#CloudGuard_Controller_for_Microsoft_Azure

Re: Azure Datacenter Object - VM, Subnet and VMSS only?

noyerez — Tue, 29 Jul 2025 10:47:20 GMT

Hi @Sam2 ,

For the app services that you want to use in the security policy as data center object, would you like to inspect the traffic only for the public ip ?