Table of Contents

 
Securing a network perimeter is one of the most important aspects for any organization, here in this blog we are going to demonstrate Azure Firewall deployment and basic configuration.
 

Before we start let’s have a little brief about Azure Firewall and Its consideration.

  • Azure Firewall is stateful firewall as a Service with high availability integrated and unrestricted cloud scalability that protects Azure virtual network resources.
  • You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model.
  • Azure Firewall supports inbound and outbound filtering. Inbound protection is for non-HTTP/S protocols. For example, RDP, SSH, and FTP protocols.
  • Azure Firewall needs a dedicated subnet “AzureFirewallSubnet”
  • Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs.
  • Azure Firewall supports rules and rule collections.
    • A rule collection is a set of rules that share the same order and priority.
    • Rule collections are executed in order of their priority.
    • Network rule collections are higher priority than application rule collections, and all rules are terminating.
  • Azure Firewall cost:
    • Fixed fee: $1.25/firewall/hour,
    • Data Processing fee: $0.016 per GB processed by the firewall (ingress or egress)
    • A fixed hourly fee will be charged per a firewall deployment regardless of scale. In addition, data processing fee is billed per deployment for any date processed by your firewall.

In this post, you will learn step by step how to:

  • Set up a network environment (Vnets and SNets).
  • Deploy Azure Firewall
  • Create a default route to route traffic through Azure firewall.
  • Configure an application rule to allow access to www.3tallah.com
  • Configure a network rule to allow access to Google DNS servers
  • Create virtual machines for Test purpose.
  • Create Azure Bastion to connect to Workload Servers
  • Test the firewall

Set up the network

NOTE: Firewall and its Vnet should be in the same resource group.
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration

Deploy Azure Firewall

Step by Step Azure Firewall Deployment and Configuration
 

Create a default route

Configure the outbound default route to go through the firewall for Servers Workload subnet.
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Let’s Associate Azure firewall with Servers Workload (Snet-HUB-MGMT) subnet
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Under Azure firewall Subnet Settings, Associate Servers Workload (Snet-HUB-MGMT) subnet.
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Now its time to add a route for routing all traffic from Servers Workload subnet to Azure Firewall Appliance Private IP.
 
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
 
· Azure Firewall is actually a managed service, but virtual appliance works in this situation.
· For Next hop address, type the private IP address for the firewall that you noted previously.
 
 
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration

Configure an application rule

Application rules are used to block and allow a website access to a subnet.
This is the application rule that allows outbound access to *.3tallah.com.
1. Open the Azure Firewall and select the rules.
 
 
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
  • For Source, type 172.17.128.192/27. (Internal Workload Servers IP Range)
  • For Protocol:port, type http, https.
  • For Target FQDNS, type www.3tallah.com
 
Step by Step Azure Firewall Deployment and Configuration
 

Configure a network rule

Network Rules are applied first then the application rules and it is containing source addresses, protocols, destination ports, and destination addresses.
Creating a network rule to allow outbound access to Google DNS Server on port 53.
Step by Step Azure Firewall Deployment and Configuration
  • For Protocol, select UDP
  • For Destination address, type 8.8.8.8,8.8.4.4
  • For Destination Ports, type 53.
 
Step by Step Azure Firewall Deployment and Configuration

Create virtual machines

Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration

Change DNS addresses for the Workload Server NIC.

 
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
 

Create Azure Bastion to connect to Workload Servers

Step by Step Azure Firewall Deployment and Configuration
Step by Step Azure Firewall Deployment and Configuration
 

Test the firewall

· Connect to Workload Server using Azure Bastion.
· Browse to https://www.google.com, You should be blocked by the
· Open Internet Explorer and browse to https://3tallah.com, You should see my website home page.
 
Step by Step Azure Firewall Deployment and Configuration
 
· As shown in the below Blog.3tallah.com is accessible but images are not loaded and this is because we created a rule to allow *.3tallah.com Only, and those images source is blogspot.com.
Step by Step Azure Firewall Deployment and Configuration
 
Let’s Edit “FW-AppColl-3tallah.com” application rule collection and Allow blogspot.com then check the result.
Step by Step Azure Firewall Deployment and Configuration
As a result of allow both websites in the Azure Firewall, our website is accessible normally as shown below.
 
Step by Step Azure Firewall Deployment and Configuration

References:

Share:

administrator

Microsoft MVP & MCT | Azure Service Delivery Lead with over 12 years of experience in Microsoft solutions and Professional services, Leading the Azure team to help our customers to build successful Azure practices, Blogger, Speaker, and Community leader. Focus on Azure, Cloud Security, Modern Workspace, AVD, Infrastructure as Code, Endpoint Management, Office 365, EMS.