Before we start, here is a brief overview of Azure Firewall and the points to consider when deploying it.
- Azure Firewall is a stateful firewall as a service with built-in high availability and unrestricted cloud scalability that protects Azure virtual network resources.
- You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model.
- Azure Firewall supports inbound and outbound filtering. Inbound protection covers non-HTTP/S protocols, for example RDP, SSH and FTP.
- Azure Firewall needs a dedicated subnet named “AzureFirewallSubnet”.
- Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs.
- Azure Firewall supports rules and rule collections.
- A rule collection is a set of rules that share the same order and priority.
- Rule collections are executed in order of their priority.
- Network rule collections are higher priority than application rule collections, and all rules are terminating.
- Azure Firewall cost:
  - Fixed fee: $1.25/firewall/hour
  - Data processing fee: $0.016 per GB processed by the firewall (ingress or egress)
  - The fixed hourly fee is charged per firewall deployment regardless of scale. In addition, the data processing fee is billed per deployment for any data processed by your firewall.
In this post, you will learn step by step how to:
- Set up a network environment (VNets and subnets).
- Deploy Azure Firewall
- Create a default route to send traffic through Azure Firewall.
- Configure an application rule to allow access to www.3tallah.com
- Configure a network rule to allow access to Google DNS servers
- Create virtual machines for test purposes.
- Create Azure Bastion to connect to Workload Servers
- Test the firewall
Set up the network
Deploy Azure Firewall
Create a default route
Configure an application rule
- For Source, type 172.17.128.192/27. (Internal Workload Servers IP Range)
- For Protocol:port, type http, https.
- For Target FQDNs, type www.3tallah.com
Configure a network rule
- For Protocol, select UDP
- For Destination address, type 184.108.40.206,220.127.116.11
- For Destination Ports, type 53.
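The default route, application rule and network rule described in the steps above can also be created with the Az PowerShell module. The script below is an added example, not part of the original post: it assumes the VNet, the workload subnet and the firewall already exist under the hypothetical names Test-FW-RG, Test-FW-VN, Workload-SN and Test-FW01, and it uses the source range, FQDN, destination addresses and port exactly as they are listed in the post.

```powershell
# Added example (not from the original post). Assumed names below are placeholders;
# the firewall and VNet are expected to exist already (see "Deploy Azure Firewall").
$rg         = "Test-FW-RG"    # assumed resource group
$vnetName   = "Test-FW-VN"    # assumed VNet containing AzureFirewallSubnet and Workload-SN
$subnetName = "Workload-SN"   # assumed workload subnet (172.17.128.192/27 in the post)
$fwName     = "Test-FW01"     # assumed firewall name
$location   = "eastus"        # assumed region

$fw   = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# 1. Default route: 0.0.0.0/0 from the workload subnet goes to the firewall's private IP
#    (next hop type VirtualAppliance). Disabling BGP propagation keeps a learned route
#    from bypassing the firewall. The table is then bound to the workload subnet.
$fwPrivateIp  = $fw.IpConfigurations[0].PrivateIPAddress
$defaultRoute = New-AzRouteConfig -Name "fw-dg" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$routeTable   = New-AzRouteTable -Name "Firewall-rt-table" -ResourceGroupName $rg `
    -Location $location -Route $defaultRoute -DisableBgpRoutePropagation

$workloadSubnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $workloadSubnet.AddressPrefix -RouteTable $routeTable | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 2. Application rule: the workload range may reach www.3tallah.com over http and https only.
$appRule = New-AzFirewallApplicationRule -Name "Allow-3tallah" `
    -SourceAddress "172.17.128.192/27" -Protocol "http","https" -TargetFqdn "www.3tallah.com"
$appRuleCollection = New-AzFirewallApplicationRuleCollection -Name "App-Coll01" `
    -Priority 200 -ActionType Allow -Rule $appRule

# 3. Network rule: UDP/53 from the workload range to the DNS servers listed in the post.
$netRule = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP `
    -SourceAddress "172.17.128.192/27" `
    -DestinationAddress "184.108.40.206","220.127.116.11" -DestinationPort 53
$netRuleCollection = New-AzFirewallNetworkRuleCollection -Name "Net-Coll01" `
    -Priority 200 -ActionType Allow -Rule $netRule

# Network rule collections are always evaluated before application rule collections,
# whatever the priority numbers; within one type, the lower number is processed first,
# and the first matching rule terminates evaluation. Traffic matching neither is denied.
$fw.ApplicationRuleCollections.Add($appRuleCollection)
$fw.NetworkRuleCollections.Add($netRuleCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Run the script from a session that has already done Connect-AzAccount against the target subscription. Because the script mutates the firewall object locally and pushes the whole object back with Set-AzFirewall, run Get-AzFirewall again afterwards and confirm both collections appear before starting the tests described in the post.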