diff --git a/images/capi/ansible/windows/node_windows.yml b/images/capi/ansible/windows/node_windows.yml
index b44bab6212..0017b6121d 100644
--- a/images/capi/ansible/windows/node_windows.yml
+++ b/images/capi/ansible/windows/node_windows.yml
@@ -69,6 +69,8 @@
     - include_role:
         name: cloudbase-init
       when: install_cloudbase_init
+    - include_role:
+        name: providers
     - include_role:
         name: runtimes
     - include_role:
diff --git a/images/capi/ansible/windows/roles/providers/tasks/azure.yml b/images/capi/ansible/windows/roles/providers/tasks/azure.yml
new file mode 100644
index 0000000000..efdfbe3e61
--- /dev/null
+++ b/images/capi/ansible/windows/roles/providers/tasks/azure.yml
@@ -0,0 +1,18 @@
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+- name: Block traffic to 168.63.129.16 port 80 for cve-2021-27075
+  win_shell: |
+    New-NetFirewallRule -DisplayName 'Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075' -Direction Outbound -RemoteAddress '168.63.129.16' -RemotePort '80' -Protocol TCP -Action Block
+  become: yes
+  become_method: runas
+  become_user: SYSTEM
diff --git a/images/capi/ansible/windows/roles/providers/tasks/main.yml b/images/capi/ansible/windows/roles/providers/tasks/main.yml
new file mode 100644
index 0000000000..f9a7a61981
--- /dev/null
+++ b/images/capi/ansible/windows/roles/providers/tasks/main.yml
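Review bot: The `New-NetFirewallRule` call in the win_shell task is not idempotent: no `-Name` is passed, so Windows assigns a fresh GUID name on every run and a second run of the role adds a duplicate rule with the same DisplayName instead of reporting no change. The `win_firewall_rule` module expresses the same block rule declaratively with `state: present`, keys it by display name (which the goss check also queries), and drops the shell invocation; `become: yes` should also be written `become: true` per yamllint's truthy rule. As written the rule blocks every local principal including SYSTEM; if the Azure guest agent or cloudbase-init still needs to reach 168.63.129.16:80 during provisioning, the rule may need scoping, which is worth confirming against the CVE-2021-27075 guidance before the image ships.
```yaml
- name: Block traffic to 168.63.129.16 port 80 for cve-2021-27075
  win_firewall_rule:
    name: Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075
    direction: out
    remoteip: 168.63.129.16
    remoteport: "80"
    protocol: tcp
    action: block
    enabled: true
    state: present
  become: true
  become_method: runas
  become_user: SYSTEM
```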
@@ -0,0 +1,14 @@
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+- include_tasks: azure.yml
+  when: packer_builder_type.startswith('azure')
diff --git a/images/capi/packer/goss/goss-command.yaml b/images/capi/packer/goss/goss-command.yaml
index 1645368a0a..7eb2dcd2a0 100644
--- a/images/capi/packer/goss/goss-command.yaml
+++ b/images/capi/packer/goss/goss-command.yaml
@@ -138,4 +138,14 @@ command:
       - "{{.Vars.docker_ee_version}}"
     timeout: 30000
 {{end}}
-{{end}} #end windows
\ No newline at end of file
+
+{{if eq .Vars.PROVIDER "azure"}}
+  Verify firewall rule to block 168.63.129.16:80 for cve-2021-27075:
+    exit-status: 0
+    exec: powershell -command "(Get-NetFirewallRule -ErrorAction Stop -DisplayName 'Block-Outbound-168.63.129.16-port-80-for-cve-2021-27075').Enabled"
+    stdout:
+      - True
+    stderr: []
+    timeout: 30000
+{{end}}
+{{end}} #end windows
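Review bot: `when: packer_builder_type.startswith('azure')` in the new main.yml fails with an undefined-variable error rather than skipping when the playbook is run outside Packer, and node_windows.yml includes this role unconditionally. A defined-guard keeps the skip behaviour in that case: `when: packer_builder_type is defined and packer_builder_type.startswith('azure')`.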
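Review bot: `- True` under `stdout:` in the new goss check is an unquoted YAML boolean; goss stdout entries are strings and the neighbouring entry in this file quotes its value (`- "{{.Vars.docker_ee_version}}"`), so write `- "True"` rather than relying on the loader turning the bool back into its text. The check also only proves the rule exists and is enabled, not that it still blocks: a second check reading `Action` from the same `Get-NetFirewallRule` call and expecting `Block` would catch a rule that was later edited to allow.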