You should be able to cover 365 via the publicly available IP ranges:
https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

For Amazon S3:
https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/

That should give you a good starting point.

On Mon, Aug 16, 2021 at 7:36 PM Andres Miedzowicz <andres.miedzow...@gsn.com.au> wrote:
> Hello,
>
> I need to create a firewall rule for outgoing traffic from my network to
> the internet for services hosted in public clouds where the destination URL
> has multiple dynamic IPs (i.e. an AWS S3 bucket, Outlook 365 in Azure, etc.),
> which makes a rule based on a destination FQDN troubling because each DNS
> query will provide a different IP every time. My possible solutions are:
>
> 1. Use a firewall rule using a Web URL filter, or application/content
> filtering (depending on the vendor) where I need to perform deep packet
> inspection to get the full destination URL or detect the application (i.e.
> email delivery to O365). When this method is used with most of the vendors,
> the process involves a MITM approach where the SSL Certificate presented to
> the client is one generated by the firewall with the root CA certificate
> issued by the firewall as well.
>
> 2. Set the destination IP of the rule to the full list of possible ranges
> for the public cloud, which could mean millions of IPs.
>
> Any thoughts on security concerns with each of the approaches? Is it worth
> the potential decrease in security by using a non-trusted Root CA
> internally (even though we can install the certificate in the
> application/browser to force it to trust it) vs. allowing access to
> destination IPs that are not necessary for this service but ensures
> uninterrupted encryption end-to-end?
>
> Thank you all,
>
> Andres
> _______________________________________________
> AusNOG mailing list
> AusNOG@lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
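The reply points at the published range lists as the alternative to TLS interception. Below is an added example of turning those lists into destination rules; it is not code from this thread, from AWS or from Microsoft. It assumes the two pages lead to the machine-readable feeds at https://ip-ranges.amazonaws.com/ip-ranges.json and https://endpoints.office.com/endpoints/worldwide?clientrequestid=<guid>; the two JSON documents embedded here are constructed samples in the shape of those feeds, using RFC 5737 / RFC 3849 documentation addresses, so the script runs offline. It scopes the AWS list to one service and region (which is what keeps option 2 well under "millions of IPs"), merges adjacent prefixes, renders iptables/ip6tables lines, and separates out the Microsoft 365 endpoints that carry URLs but no IP ranges, because those cannot be expressed as destination-IP rules at all.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS ip-ranges.json (documentation ranges, not real data).
AWS_SAMPLE = json.dumps({
    "syncToken": "1629100000",
    "createDate": "2021-08-16-09-00-00",
    "prefixes": [
        {"ip_prefix": "192.0.2.0/25", "region": "ap-southeast-2", "service": "S3",
         "network_border_group": "ap-southeast-2"},
        {"ip_prefix": "192.0.2.128/25", "region": "ap-southeast-2", "service": "S3",
         "network_border_group": "ap-southeast-2"},
        {"ip_prefix": "192.0.2.0/24", "region": "ap-southeast-2", "service": "AMAZON",
         "network_border_group": "ap-southeast-2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "S3",
         "network_border_group": "us-east-1"},
        {"ip_prefix": "203.0.113.0/24", "region": "ap-southeast-2", "service": "EC2",
         "network_border_group": "ap-southeast-2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8:100::/48", "region": "ap-southeast-2", "service": "S3",
         "network_border_group": "ap-southeast-2"},
    ],
})

# Constructed sample in the shape of the Microsoft 365 endpoints feed (not real data).
# Entry 3 deliberately has no "ips" key: the live feed contains such URL-only entries.
M365_SAMPLE = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["203.0.113.0/26", "203.0.113.64/26", "2001:db8:200::/48"],
     "tcpPorts": "80,443", "expressRoute": True, "category": "Optimize", "required": True},
    {"id": 2, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["*.mail.protection.outlook.com"], "ips": ["203.0.113.128/25"],
     "tcpPorts": "25,443", "expressRoute": True, "category": "Allow", "required": True},
    {"id": 3, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["*.office365.com"], "tcpPorts": "80,443",
     "expressRoute": False, "category": "Default", "required": True},
    {"id": 4, "serviceArea": "SharePoint", "serviceAreaDisplayName": "SharePoint Online",
     "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/24"], "tcpPorts": "80,443",
     "expressRoute": True, "category": "Optimize", "required": True},
])


def aws_prefixes(doc, service="S3", regions=None):
    """Collapsed IPv4 and IPv6 networks for one AWS service, optionally limited
    to a set of regions. Adjacent prefixes are merged to keep the rule count down."""
    data = json.loads(doc)
    nets = []
    for key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in data.get(key, []):
            if entry["service"] != service:
                continue
            if regions and entry["region"] not in regions:
                continue
            nets.append(ipaddress.ip_network(entry[field]))
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def m365_endpoints(doc, service_areas=("Exchange",), required_only=True):
    """Split the M365 feed into (network, ports) pairs that can become IP rules and
    the URL-only entries that cannot and still need FQDN/URL filtering."""
    ip_rules, url_only = [], []
    for ep in json.loads(doc):
        if ep["serviceArea"] not in service_areas:
            continue
        if required_only and not ep.get("required", False):
            continue
        ports = tuple(int(p) for p in ep.get("tcpPorts", "").split(",") if p)
        if "ips" in ep:
            for net in ep["ips"]:
                ip_rules.append((ipaddress.ip_network(net), ports))
        else:
            url_only.append((ep["id"], tuple(ep.get("urls", [])), ports))
    return ip_rules, url_only


def iptables_rules(ip_rules):
    """Render (network, ports) pairs as iptables / ip6tables OUTPUT accept rules."""
    lines = []
    for net, ports in ip_rules:
        tool = "ip6tables" if net.version == 6 else "iptables"
        for port in ports:
            lines.append(f"{tool} -A OUTPUT -p tcp -d {net} --dport {port} -j ACCEPT")
    return lines


def prefix_diff(old, new):
    """(added, removed) between two generated prefix lists; the feeds change, so run
    this on every refresh and push only the delta."""
    old_s, new_s = set(old), set(new)
    return sorted(new_s - old_s, key=str), sorted(old_s - new_s, key=str)


if __name__ == "__main__":
    s3 = aws_prefixes(AWS_SAMPLE, "S3", regions={"ap-southeast-2"})
    exchange_ips, exchange_urls = m365_endpoints(M365_SAMPLE)
    for line in iptables_rules([(n, (443,)) for n in s3] + exchange_ips):
        print(line)
    for eid, urls, ports in exchange_urls:
        print(f"# M365 endpoint {eid}: no IP ranges published, URL filter needed for {urls} on {ports}")
```

Feed both documents from a scheduled fetch rather than a one-off download: the `syncToken` / `createDate` fields on the AWS side exist precisely because the list moves, and `prefix_diff` gives you the change set to apply. The `url_only` list is the honest answer to the question in the thread: for those endpoints an IP allow-list cannot replace URL or SNI-based filtering, although matching on the SNI of the ClientHello does not require terminating TLS.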