<div dir="ltr">You should be able to cover 365 via the publicly available IP ranges <div><a href="https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide">https://docs.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide</a><br></div><div><br></div><div>For amazon S3</div><div><a href="https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/">https://aws.amazon.com/premiumsupport/knowledge-center/s3-find-ip-address-ranges/</a><br></div><div><br></div><div>That should give you a good starting point.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Aug 16, 2021 at 7:36 PM Andres Miedzowicz <<a href="mailto:Andres.Miedzowicz@gsn.com.au">Andres.Miedzowicz@gsn.com.au</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-AU" style="overflow-wrap: break-word;">
<div class="gmail-m_2099994540778828977WordSection1">
<p class="MsoNormal">Hello,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">I need to create a firewall rule for outgoing traffic from my network to the internet for services hosted in public clouds where the destination URL has multiple dynamic IPs (ie: an AWS S3 bucket, Outlook 365 in Azure, etc) which makes
a rule based on a destination FQDN troubling because each DNS query will provide a different IP every time. My possible solutions are:<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<ol style="margin-top:0cm" start="1" type="1">
<li class="gmail-m_2099994540778828977MsoListParagraph" style="margin-left:0cm">Use a firewall rule using a Web URL filter, or application/content filtering (depending on the vendor) where I need to perform deep packet inspection to get the full destination URL
or detect the application (ie: email delivery to O365). When this method is used with most of the vendors, the process involves a MITM approach where the SSL Certificate presented to the client is one generated by the firewall with the root CA certificate
issued by the firewall as well.<u></u><u></u></li></ol>
<p class="gmail-m_2099994540778828977MsoListParagraph"><u></u> <u></u></p>
<ol style="margin-top:0cm" start="2" type="1">
<li class="gmail-m_2099994540778828977MsoListParagraph" style="margin-left:0cm">Set the destination IP of the rule the full list of possible ranges for the public cloud which could mean millions of IPs.<u></u><u></u></li></ol>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Any thoughts on security concerns with each of the approaches? Is it worth the potential decrease in security by using a non-trusted Root CA internally (even though we can install the certificate in the application/browser to force it to
trust it) vs. allowing access to destination IPs that are not necessary for this service but ensures uninterrupted encryption end-to-end?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thank you all,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Andres<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
AusNOG mailing list<br>
<a href="mailto:AusNOG@lists.ausnog.net" target="_blank">AusNOG@lists.ausnog.net</a><br>
<a href="http://lists.ausnog.net/mailman/listinfo/ausnog" rel="noreferrer" target="_blank">http://lists.ausnog.net/mailman/listinfo/ausnog</a><br>
</blockquote></div>