Add Firewall Rules By Using a Startup Task
Updated: August 21, 2014
Custom firewall settings can be configured by using a startup task.
In Windows Azure, there are effectively two firewalls. The first firewall controls connections between the virtual machine and the outside world. This is controlled by the Endpoints element in the ServiceDefinition.csdef file. For more information on Endpoints in the ServiceDefinition.csdef file, see Enable Communication for Role Instances in Azure.
The second firewall controls connections between the virtual machine and the processes within that virtual machine. This is controlled by the netsh advfirewall firewall command line tool, and is the focus of this article.
Windows Azure creates firewall rules for the processes started within your roles. For example, when you start a service or program, Windows Azure automatically creates the necessary firewall rules to allow that service to communicate with the Internet. However, if you create a service that is started by a process outside your role (for example, a COM+ service, or a program that starts by using the Windows Scheduler), you will need to manually create a firewall rule to allow access to that service. These firewall rules can be created by using a startup task.
A startup task that creates a firewall rule must have an executionContext of elevated.
<Task commandLine="AddFirewallRules.cmd" executionContext="elevated" taskType="simple" />
To add the firewall rule, use the appropriate netsh advfirewall firewall commands in your startup batch file. In this example, the startup task adds an inbound rule that allows TCP port 80 traffic only when the connection is authenticated and encrypted (security=authdynenc); unauthenticated connections to port 80 remain blocked.
REM Add a firewall rule in a startup task.
REM Add an inbound rule requiring security and encryption for TCP port 80 traffic.
netsh advfirewall firewall add rule name="Require Encryption for Inbound TCP/80" protocol=TCP dir=in localport=80 security=authdynenc action=allow >> "%TEMP%\StartupLog.txt" 2>&1
REM If an error occurred, return the errorlevel.
EXIT /B %errorlevel%
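The following is an added, fuller version of the AddFirewallRules.cmd batch file referenced by the Task element above; it is an example written for this page, not code from the original article. It assumes the same rule name, log path and netsh command as the snippet above, and adds the checks a practitioner would want in a task that runs on every reboot or reimage of the role instance: an existence check so the rule is not duplicated, logging of each step, and a non-zero exit code when netsh fails.

```batch
@echo off
REM Added example (not from the original article): an idempotent startup task that
REM adds the inbound TCP/80 rule described above and reports failure to the role.
REM Assumption: ServiceDefinition.csdef references this file as
REM   <Task commandLine="AddFirewallRules.cmd" executionContext="elevated" taskType="simple" />
REM so that netsh advfirewall runs with the elevated rights it needs.

SET RULENAME=Require Encryption for Inbound TCP/80
SET LOGFILE=%TEMP%\StartupLog.txt

ECHO [%DATE% %TIME%] AddFirewallRules.cmd starting >> "%LOGFILE%" 2>&1

REM Startup tasks run again whenever the instance restarts, so look for the rule
REM first. "show rule" exits with a non-zero errorlevel when no rule matches.
netsh advfirewall firewall show rule name="%RULENAME%" >> "%LOGFILE%" 2>&1
IF %ERRORLEVEL% EQU 0 (
    ECHO Rule "%RULENAME%" already exists; nothing to do. >> "%LOGFILE%" 2>&1
    EXIT /B 0
)

REM Allow inbound TCP/80 only for peers that authenticate, with the traffic
REM encrypted (security=authdynenc). Plain, unauthenticated connections to
REM port 80 are still blocked by the firewall.
netsh advfirewall firewall add rule name="%RULENAME%" protocol=TCP dir=in localport=80 security=authdynenc action=allow >> "%LOGFILE%" 2>&1
IF %ERRORLEVEL% NEQ 0 (
    ECHO netsh add rule failed with errorlevel %ERRORLEVEL% >> "%LOGFILE%" 2>&1
    EXIT /B %ERRORLEVEL%
)

ECHO Rule "%RULENAME%" added successfully. >> "%LOGFILE%" 2>&1
EXIT /B 0
```

Because the Task element uses taskType="simple", the role does not start until this script exits, so returning the netsh errorlevel on failure surfaces the problem at deployment time instead of leaving the instance running without the intended rule. The log in %TEMP%\StartupLog.txt records both the check and the add, which is what you will want when diagnosing why a rule is or is not present on a recycled instance.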