From e62045aaf0678eff76f881d91a70014fd2bd4dec Mon Sep 17 00:00:00 2001
From: Fernando Antivero
Date: Wed, 13 May 2026 13:28:44 -0300
Subject: [PATCH] tighten firewall application rules

Replace overly permissive allow-all rule (targetFqdns: '*', sourceAddresses: '*') with a scoped rule allowing only Windows Update FQDNs from the spoke network prefix.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .../azure-network-azuredeploy.bicep | 18 ++++--------------
 .../azure-network-azuredeploy.json | 18 ++++--------------
 2 files changed, 8 insertions(+), 28 deletions(-)

diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
index 27e2448f..cb4a9d03 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.bicep
@@ -533,22 +533,12 @@ resource azureFirewallResource 'Microsoft.Network/azureFirewalls@2024-05-01' = {
 }
 rules: [
 {
- name: 'all-internet'
- protocols: [
- {
- protocolType: 'Http'
- port: 80
- }
- {
- protocolType: 'Https'
- port: 443
- }
- ]
- targetFqdns: [
- '*'
+ name: 'windows-update'
+ fqdnTags: [
+ 'WindowsUpdate'
 ]
 sourceAddresses: [
- '*'
+ spokeNetwork.addressPrefix
 ]
 }
 ]
diff --git a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
index 8cb3aed7..e19726a5 100644
--- a/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
+++ b/solutions/secure-hybrid-network/nestedtemplates/azure-network-azuredeploy.json
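Review bot: The rewritten rule drops the `protocols` entries together with the wildcard, and I am not certain that an application rule carrying `fqdnTags` without `protocols` is accepted by `Microsoft.Network/azureFirewalls@2024-05-01`; a what-if or test deployment of this file and of the matching hunk in azure-network-azuredeploy.json would settle it before merge. Scoping `sourceAddresses` to `spokeNetwork.addressPrefix` also means HTTP/HTTPS from the hub or on-premises ranges no longer matches any application rule and falls to the firewall's implicit deny — presumably intended for this solution, but the rule deserves a comment stating that, e.g. `// Only the spoke may reach Windows Update; other outbound HTTP/HTTPS is denied by default. Add explicit per-workload rules rather than reintroducing '*'.` (the JSON template cannot carry the comment, so keep it here). If diagnostic settings are not configured elsewhere in the template, enabling the AzureFirewallApplicationRule log category would make the denies produced by this tightening visible during the first rollout.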
@@ -628,22 +628,12 @@
 },
 "rules": [
 {
- "name": "all-internet",
- "protocols": [
- {
- "protocolType": "Http",
- "port": 80
- },
- {
- "protocolType": "Https",
- "port": 443
- }
- ],
- "targetFqdns": [
- "*"
+ "name": "windows-update",
+ "fqdnTags": [
+ "WindowsUpdate"
 ],
 "sourceAddresses": [
- "*"
+ "[parameters('spokeNetwork').addressPrefix]"
 ]
 }
 ]