Introduction

Azure Firewall is a new network security feature in Azure. This new feature has been introduced in 2018 as a managed service in order to protect your Azure Virtual Network resources.

Azure Firewall offers the following features as described by Microsoft:

Built-in high availability : No additional load balancers are required

: No additional load balancers are required Unrestricted cloud scalability : Azure Firewall can scale up as much as you need

: Azure Firewall can scale up as much as you need Application FQDN filtering rules : You can limit outbound web traffic

: You can limit outbound web traffic Network traffic filtering rules : You can allow or deny network filtering rules by source and destination IP address, port, and protocol

: You can allow or deny network filtering rules by source and destination IP address, port, and protocol FQDN tags : You can easily use tags to allow or deny traffic

: You can easily use tags to allow or deny traffic Outbound SNAT support : Outbound IP addresses are translated to the Azure Firewall public IP

: Outbound IP addresses are translated to the Azure Firewall public IP Inbound DNAT support : Inbound traffic to the firewall public IP address is translated to internal IP addresses.

: Inbound traffic to the firewall public IP address is translated to internal IP addresses. Azure Monitor logging: All events are integrated with Azure Monitor

In this article, we will explore the following steps:

Create a Resource Group Create a vNet Create 3 subnets Create 2 Virtual Machines Deploy the Firewall Configure a default route Create an application rule Test the Firewall

Here is an overview of the architecture:

Create a Resource Group

Let’s start this article by creating a new Resource Group. This Resource Group contains all the resources for this guide. Open the Azure portal and click Resource Groups.

Subscription : Select your Azure subscription

: Select your Azure subscription Resource group name : Type a friendly name

: Type a friendly name Region: Select the location where the resources will be located

Validate by clicking Create.

Create a Virtual Network

We need to create a single Virtual Network that will contain three subnets. Search for “Virtual Networks”

Enter the following information:

Name : Type a friendly name for this Virtual Network

: Type a friendly name for this Virtual Network Address space : Enter the address space you want

: Enter the address space you want Subscription : Select your Azure subscription

: Select your Azure subscription Resource Group : Select the RG that you previously created

: Select the RG that you previously created Location : Select the location where the resource will be located

: Select the location where the resource will be located Subnet: This step is very important because you must use a fixed name called “AzureFirewallSubnet”. (Be careful on my screenshot, the name is wrong)

Once the Virtual Network is created, you must create the second subnet:

This subnet will contain a server. In this article, the address range is 10.1.2.0/24.

Repeat this step to create the subnet for the Jump server (10.1.3.0/24).

So finally, you will get the following subnets as shown below:

Create Virtual Machine

At this step, we created a Resource Group and a Virtual Network including three subnets. Now, we just need to create two Virtual Machines. The first one is the Jump server that will be used to connect to the second Virtual Machine. The Jump machine is called “JUMP01” and the server is called “SRV01”.

Create a new Virtual Machine using the Azure wizard and do not forget to add this Virtual Machine in the Resource Group previously created.

In the Networking area, select the Jump subnet and create a new Public IP Address in order to access to the jump server from the Internet. You just need to allow the RDP Protocol.

Repeat this step to deploy the SRV01 Virtual Machine.

This Virtual Machine must be located in the “SRV-VNet” subnet and you do not need to open any public inbound ports.

Deploy Azure Firewall

At this step, we need to deploy the Azure Firewall. So, go to the Azure Portal and search for “Firewalls”

Click “Add” to deploy your first Azure Firewall

Enter the following information:

Select your Azure subscription

Select the Resource Group previously created

Enter a friendly name for your Firewall

Select the Virtual Network previously created

And do not forget to create a Public IP Address

Once the Firewall is created, note the private IP address in the overview section, because you will need it later.

Create The Route Tables

Go to the Azure Portal and search for “Route tables”

Create a new route table called “Go-To-FW”. This route table will contain the default route that your server will choose to route the traffic.

Once the route table is created, you must associate the server subnet to this route table. Go to the “Subnets” section and click “Associate”

Select the Virtual Network and the Subnet:

You should see the following output:

Now, we must add a default route to the Virtual Appliance. Go to the “Routes” section and click “Add”

Enter the following information:

Route name : it is a friendly name for the default route

: it is a friendly name for the default route Address prefix : To indicate the default route, you must enter 0.0.0.0/0

: To indicate the default route, you must enter 0.0.0.0/0 Next hop type : Select “Virtual Appliance”

: Select “Virtual Appliance” Next hop address: Enter the private IP Address that you copied previously

You should see something like that:

Create Application Rule Collection

The Firewall is deployed, so we can add an application rule in order to filter the outbound web traffic. Go to the “Rules” section, and click “Add application rule collection“:

Enter a friendly name for this rule, then set a priority and select the action (Allow or Deny). Next, you must indicate the source addresses, the protocol and the target FQDN.

In my case, I want to allow web traffic to my personal blog from the SRV01 Virtual Machine.

To resolve the FQDN, the machine must be able to contact DNS servers. In this article, I created a network rule to allow the DNS requests from the server subnet to the OpenDNS Servers.

Now, you must be sure that your machine will use this DNS addresses to resolve FQDNS. Go to the network interface, and add custom DNS servers.

Do not forget to reboot the machine in order to take effects.

Test the Firewall

Now, it’s time to test our Firewall rules! First, we need to connect to the Jump Server from the Public IP Address.

Then, I can start a new MSTSC window to connect to the SRV01 machine using the private IP Address.

The last step is to check the application rule previously created in the Azure Firewall. I just need to open a web browser and type the website URL.

In my case, I can confirm that my blog is responding but if try to browse Google, an error message appears. I should create an application rule to allow www.google.com.

VSAN from StarWind eliminates any need for physical shared storage just by mirroring internal flash and storage resources between hypervisor servers. Furthermore, the solution can be run on the off-the-shelf hardware. Such design allows VSAN from StarWind to not only achieve high performance and efficient hardware utilization but also reduce operational and capital expenses. Learn more about ➡ VSAN from StarWind

Conclusion

Thanks to Azure Firewall, you can very easily and quickly protect your Azure Resources. You can also automate tasks using Azure PowerShell.

Azure Firewall allows you to create Application Rules and Network Rules to control the inbound and outbound network traffic.

Thanks for reading!

Related materials:

Views All Time Views All Time 15 Views Today Views Today 24

Appreciate how useful this article was to you?

5 out of 5, based on 1 review 5 out of 5, based on 1 review

Loading... Loading...