Azure Firewall

Introduction

Azure Firewall is a network security service in Azure. It was introduced in 2018 as a managed service to protect your Azure Virtual Network resources.

Azure Firewall offers the following features as described by Microsoft:

  • Built-in high availability: No additional load balancers are required
  • Unrestricted cloud scalability: Azure Firewall can scale up as much as you need
  • Application FQDN filtering rules: You can limit outbound web traffic
  • Network traffic filtering rules: You can allow or deny network traffic by source and destination IP address, port, and protocol
  • FQDN tags: You can easily use tags to allow or deny traffic
  • Outbound SNAT support: Outbound IP addresses are translated to the Azure Firewall public IP
  • Inbound DNAT support: Inbound traffic to the firewall public IP address is translated to internal IP addresses
  • Azure Monitor logging: All events are integrated with Azure Monitor

In this article, we will explore the following steps:

    1. Create a Resource Group
    2. Create a vNet
    3. Create 3 subnets
    4. Create 2 Virtual Machines
    5. Deploy the Firewall
    6. Configure a default route
    7. Create an application rule
    8. Test the Firewall

Here is an overview of the architecture: a single Virtual Network containing three subnets, the AzureFirewallSubnet for the firewall, a server subnet (10.1.2.0/24) hosting SRV01, and a Jump subnet (10.1.3.0/24) hosting JUMP01. Traffic leaving the server subnet is routed through the firewall.

Create a Resource Group

Let’s start by creating a new Resource Group, which will contain all the resources for this guide. Open the Azure portal, click Resource Groups and enter the following information:

      • Subscription: Select your Azure subscription
      • Resource group name: Type a friendly name
      • Region: Select the location where the resources will be located


Validate by clicking Create.

Create a Virtual Network

We need to create a single Virtual Network that will contain three subnets. Search for “Virtual Networks”.

Enter the following information:

      • Name: Type a friendly name for this Virtual Network
      • Address space: Enter the address space you want
      • Subscription: Select your Azure subscription
      • Resource Group: Select the RG that you previously created
      • Location: Select the location where the resource will be located
      • Subnet: This step is very important: the firewall subnet must use the fixed name “AzureFirewallSubnet”

Create a Virtual Network

Once the Virtual Network is created, you must create the second subnet:


This subnet will contain a server. In this article, the address range is 10.1.2.0/24.


Repeat this step to create the subnet for the Jump server (10.1.3.0/24).

Finally, you will have three subnets: AzureFirewallSubnet, the server subnet (10.1.2.0/24) and the Jump subnet (10.1.3.0/24).

Create the Virtual Machines

At this point, we have created a Resource Group and a Virtual Network with three subnets. Now we just need to create two Virtual Machines. The first one is the Jump server, which will be used to connect to the second Virtual Machine. The Jump machine is called “JUMP01” and the server is called “SRV01”.

Create a new Virtual Machine using the Azure wizard, and do not forget to add this Virtual Machine to the Resource Group previously created.

In the Networking area, select the Jump subnet and create a new Public IP Address in order to reach the jump server from the Internet. Only the RDP protocol needs to be allowed as an inbound port.

Repeat this step to deploy the SRV01 Virtual Machine.


This Virtual Machine must be placed in the “SRV-VNet” subnet, and you do not need to open any public inbound ports.

Deploy Azure Firewall

At this step, we need to deploy the Azure Firewall. Go to the Azure Portal and search for “Firewalls”.

Click “Add” to deploy your first Azure Firewall.

Enter the following information:

      • Subscription: Select your Azure subscription
      • Resource Group: Select the Resource Group previously created
      • Name: Enter a friendly name for your Firewall
      • Virtual Network: Select the Virtual Network previously created
      • Public IP Address: Do not forget to create a new Public IP Address for the Firewall


Once the Firewall is created, note the private IP address in the overview section, because you will need it later.


Create The Route Tables

Go to the Azure Portal and search for “Route tables”.

Create a new route table called “Go-To-FW”. This route table will contain the default route that the server subnet will use to send its traffic to the firewall.

Once the route table is created, you must associate the server subnet with this route table. Go to the “Subnets” section and click “Associate”.

Select the Virtual Network and the Subnet:


The server subnet should now be listed among the subnets associated with the route table.

Now, we must add a default route pointing to the Virtual Appliance. Go to the “Routes” section and click “Add”.

Enter the following information:

      • Route name: A friendly name for the default route
      • Address prefix: To indicate the default route, you must enter 0.0.0.0/0
      • Next hop type: Select “Virtual Appliance”
      • Next hop address: Enter the private IP Address that you copied previously


The route table now contains a single default route (0.0.0.0/0) whose next hop is the private IP address of the Azure Firewall.
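The Virtual Network, firewall and route-table steps above, scripted with Azure PowerShell (Az module) as an added example; this is not code from the original article. The resource names, the region, the Jump subnet name and the AzureFirewallSubnet prefix (10.1.1.0/26) are assumptions; the server and Jump subnet ranges are the ones used in the article.

```powershell
# Assumed names and region; adjust to your environment.
$rg       = "RG-AzFw"
$location = "westeurope"
$vnetName = "VNet-AzFw"

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The firewall subnet MUST be named exactly "AzureFirewallSubnet" (its prefix here is an assumption).
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.1.1.0/26"
$srvSubnet  = New-AzVirtualNetworkSubnetConfig -Name "SRV-VNet"  -AddressPrefix "10.1.2.0/24"
$jumpSubnet = New-AzVirtualNetworkSubnetConfig -Name "JUMP-VNet" -AddressPrefix "10.1.3.0/24"

$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.1.0.0/16" -Subnet $fwSubnet, $srvSubnet, $jumpSubnet

# Azure Firewall requires a static, Standard SKU public IP.
$fwPip = New-AzPublicIpAddress -Name "PIP-AzFw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$fw = New-AzFirewall -Name "AzFw01" -ResourceGroupName $rg -Location $location `
    -VirtualNetworkName $vnetName -PublicIpName $fwPip.Name

# This is the private IP shown on the firewall overview blade: the next hop for the default route.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# Default route 0.0.0.0/0 -> Virtual Appliance (the firewall), associated with the server subnet only.
$defaultRoute = New-AzRouteConfig -Name "Default-To-FW" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "Go-To-FW" -ResourceGroupName $rg -Location $location -Route $defaultRoute

# Re-read the VNet (the firewall deployment changed it) before binding the route table to SRV-VNet.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "SRV-VNet" `
    -AddressPrefix "10.1.2.0/24" -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

"Firewall private IP: $fwPrivateIp (SRV-VNet now sends 0.0.0.0/0 through it)"
```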

Create Application Rule Collection

The Firewall is deployed, so we can add an application rule in order to filter the outbound web traffic. Go to the “Rules” section and click “Add application rule collection”.

Enter a friendly name for this rule, then set a priority and select the action (Allow or Deny). Next, you must indicate the source addresses, the protocol and the target FQDN.

In my case, I want to allow web traffic to my personal blog from the SRV01 Virtual Machine.


To resolve the FQDN, the machine must be able to contact DNS servers. In this article, I created a network rule to allow the DNS requests from the server subnet to the OpenDNS Servers.


Now, you must make sure that your machine uses these DNS addresses to resolve FQDNs. Go to the network interface and add custom DNS servers.

Do not forget to reboot the machine for the change to take effect.
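The application rule collection, the DNS network rule and the custom DNS servers described above, as an added Azure PowerShell example (not code from the original article). The resource group, firewall and NIC names, the blog FQDN placeholder and the OpenDNS resolver addresses are assumptions; the server subnet range is the one used in the article.

```powershell
# Assumed names; adjust to your environment.
$rg     = "RG-AzFw"
$fwName = "AzFw01"
$srvNet = "10.1.2.0/24"                          # server subnet from the article
$blog   = "blog.example.com"                     # placeholder for the blog FQDN to allow
$dns    = "208.67.222.222", "208.67.220.220"     # OpenDNS resolvers (assumed; the article does not list them)

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg

# Application rule: allow HTTP/HTTPS from the server subnet to the blog only.
# Anything not matched by an allow rule is denied by the firewall's default behaviour.
$appRule = New-AzFirewallApplicationRule -Name "Allow-Blog" -SourceAddress $srvNet `
    -TargetFqdn $blog -Protocol "Http:80", "Https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "Web-Outbound" -Priority 200 `
    -Rule $appRule -ActionType Allow

# Network rule: without a path to a resolver the FQDN rule can never match.
# Limit it to UDP/53 towards the chosen resolvers rather than opening DNS to any destination.
$dnsRule = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress $srvNet `
    -DestinationAddress $dns -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "DNS-Outbound" -Priority 100 `
    -Rule $dnsRule -ActionType Allow

$fw.AddApplicationRuleCollection($appColl)
$fw.AddNetworkRuleCollection($netColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Point SRV01's NIC at the same resolvers so its lookups actually traverse the DNS rule.
# The VM must be restarted afterwards for the new DNS settings to take effect.
$nic = Get-AzNetworkInterface -Name "SRV01-nic" -ResourceGroupName $rg
$nic.DnsSettings.DnsServers.Clear()
foreach ($ip in $dns) { $nic.DnsSettings.DnsServers.Add($ip) }
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
```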

Test the Firewall

Now, it’s time to test our Firewall rules! First, we need to connect to the Jump Server through its Public IP Address.

Then, I can start a new MSTSC window to connect to the SRV01 machine using the private IP Address.


The last step is to check the application rule previously created in the Azure Firewall. I just need to open a web browser and type the website URL.

In my case, I can confirm that my blog is responding, but if I try to browse Google, an error message appears. I would need to create an application rule to allow www.google.com.


Conclusion

Thanks to Azure Firewall, you can very easily and quickly protect your Azure Resources. You can also automate tasks using Azure PowerShell.

Azure Firewall allows you to create Application Rules and Network Rules to control the inbound and outbound network traffic.

Thanks for reading!

Nicolas Prigent
Nicolas Prigent works as an IT Production Manager, based in Paris, with a primary focus on Microsoft technologies. Nicolas is a three-time Microsoft MVP in Cloud and Datacenter Management with 10 years of experience in administering Windows products. He also received the "PowerShell Heroes 2016" Award.