In this post, we’ll explore the benefits of using Azure Firewall as an explicit proxy for your outbound traffic and how to set it up for seamless application connectivity.
Azure Firewall – Explicit Proxy
Azure Firewall operates primarily in a transparent proxy mode by default, enabling seamless interception and management of outbound network traffic. In this configuration, traffic is directed to the firewall via a user-defined route (UDR), allowing the firewall to monitor, inspect, and permit or deny network traffic packets in real time as they flow to their intended destinations. Azure Firewall ensures the zero-trust principle by never trust, always verify the network traffic paths.
When you enable the Explicit proxy on the outbound traffic path, it helps to further refine how applications interact with the Azure Firewall. This configuration allows customers to configure specific proxy settings within the sending application — for instance, a web browser — effectively designating the Azure Firewall as the proxy.
Consequently, any traffic generated by the configured application is directed to the firewall’s private IP address, allowing it to egress directly from the firewall itself without relying on a UDR. The Explicit proxy mode, specifically designed to support HTTP and HTTPS traffic, allows users to set proxy settings in their browsers or applications.
Users can manually enter the firewall’s private IP address in the application settings, or use a Proxy Auto-Config (PAC) file for automated configuration. Once uploaded to Azure Firewall, this PAC file can be hosted directly by the firewall to efficiently handle proxy requests. As a result, it streamlines user request management while ensuring that all outbound traffic is routed through the firewall for enhanced security and control.
As Microsoft has announced, starting March 31, 2026, Azure will remove default, implicit outbound internet access for new virtual networks (VNets) to enhance security, adopting a “secure by default” posture. VMs in new VNets will require an explicit outbound connectivity method, such as a NAT Gateway, Load Balancer, or Firewall, to access public internet endpoints.
Steps to enable
The steps below show how to enable an explicit proxy in Azure Firewall. Please note that this feature is currently in preview.
- Log in to the Azure portal with appropriate credentials.
- Select the Azure Firewall resource, click Policy, and look for Explicit proxy in the left-hand menu.
- Select the “Enable explicit proxy” and define the ports required for HTTP and HTTP(s).
- Optionally, you can enable the proxy auto configuration (PAC). The .pac file should be uploaded to the Azure storage account, and a SAS URL with read access should be created.
- Provide the SAS URL and PAC file port.
To test the configuration after enabling Explicit proxy, create application rules to allow or deny web requests from clients using Azure Firewall as a proxy. The Azure Firewall network rules won’t work for the application or workloads on the explicit proxy feature.
Conclusion
This feature will help customers to adopt the proxy configuration with Azure firewalls. The Explicit proxy feature in Azure Firewall enhances network security by enabling granular traffic control, content filtering, and secure outbound access. It offers centralised management and advanced logging, helping organisations safeguard their networks against evolving cyber threats.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.
