Tutorial: Deploy & configure Azure Firewall and policy using the Azure portal (2024)


Controlling outbound network access is an important part of an overall network security plan. For example, you may want to limit access to web sites. Or, you may want to limit the outbound IP addresses and ports that can be accessed.

One way you can control outbound network access from an Azure subnet is with Azure Firewall and Firewall Policy. With Azure Firewall and Firewall Policy, you can configure:

  • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Network rules that define source address, protocol, destination port, and destination address.

Network traffic is subjected to the configured firewall rules when you route your network traffic to the firewall as the subnet default gateway.

For this tutorial, you create a simplified single VNet with two subnets for easy deployment.

  • AzureFirewallSubnet - the firewall is in this subnet.
  • Workload-SN - the workload server is in this subnet. This subnet's network traffic goes through the firewall.

For production deployments, a hub and spoke model is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.

In this tutorial, you learn how to:

  • Set up a test network environment
  • Deploy a firewall and firewall policy
  • Create a default route
  • Configure an application rule to allow access to www.google.com
  • Configure a network rule to allow access to external DNS servers
  • Configure a NAT rule to allow a remote desktop to the test server
  • Test the firewall

If you prefer, you can complete this procedure using Azure PowerShell.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Set up the network

First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and a test server.

Create a resource group

The resource group contains all the resources for the tutorial.

  1. Sign in to the Azure portal.

  2. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page, then select Create. Enter or select the following values:

    Setting          Value
    Subscription     Select your Azure subscription.
    Resource group   Enter Test-FW-RG.
    Region           Select a region. All other resources that you create must be in the same region.
  3. Select Review + create.

  4. Select Create.

Create a VNet

This VNet will have two subnets.

Note

The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see Azure Firewall FAQ.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Select Networking.

  3. Search for Virtual network and select Create.

  4. Enter or select the following values:

    Setting          Value
    Subscription     Select your Azure subscription.
    Resource group   Select Test-FW-RG.
    Name             Enter Test-FW-VN.
    Region           Select the same location that you used previously.
  5. Select Next.

  6. On the Security tab, select Next.

  7. For IPv4 Address space, accept the default 10.0.0.0/16.

  8. Under Subnets, select default.

  9. On the Edit subnet page, for Subnet purpose, select Azure Firewall.

    The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.

  10. For Starting address, type 10.0.1.0.

  11. Select Save.

Next, create a subnet for the workload server.

  1. Select Add subnet.
  2. For Subnet name, type Workload-SN.
  3. For Starting address, type 10.0.2.0/24.
  4. Select Add.
  5. Select Review + create.
  6. Select Create.

Create a virtual machine

Now create the workload virtual machine, and place it in the Workload-SN subnet.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Select Windows Server 2019 Datacenter.

  3. Enter or select these values for the virtual machine:

    Setting                Value
    Subscription           Select your Azure subscription.
    Resource group         Select Test-FW-RG.
    Virtual machine name   Enter Srv-Work.
    Region                 Select the same location that you used previously.
    Username               Enter a username.
    Password               Enter a password.
  4. Under Inbound port rules, Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Next: Monitoring.

  11. Select Disable to disable boot diagnostics. Accept the other defaults and select Review + create.

  12. Review the settings on the summary page, and then select Create.

  13. After the deployment completes, select the Srv-Work resource and note the private IP address for later use.

Deploy the firewall and policy

Deploy the firewall into the VNet.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Type firewall in the search box and press Enter.

  3. Select Firewall and then select Create.

  4. On the Create a Firewall page, use the following table to configure the firewall:

    Setting                    Value
    Subscription               Select your Azure subscription.
    Resource group             Select Test-FW-RG.
    Name                       Enter Test-FW01.
    Region                     Select the same location that you used previously.
    Firewall management        Select Use a Firewall Policy to manage this firewall.
    Firewall policy            Select Add new, and enter fw-test-pol. Select the same region that you used previously.
    Choose a virtual network   Select Use existing, and then select Test-FW-VN.
    Public IP address          Select Add new, and enter fw-pip for the Name.
  5. Accept the other default values, then select Next: Tags.

  6. Select Next: Review + create.

  7. Review the summary, and then select Create to create the firewall.

    This will take a few minutes to deploy.

  8. After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.

  9. Note the firewall private and public IP addresses. You'll use these addresses later.

Create a default route

For the Workload-SN subnet, configure the outbound default route to go through the firewall.

  1. On the Azure portal menu, select All services or search for and select All services from any page.

  2. Under Networking, select Route tables.

  3. Select Create, then enter or select the following values:

    Setting          Value
    Subscription     Select your Azure subscription.
    Resource group   Select Test-FW-RG.
    Region           Select the same location that you used previously.
    Name             Enter Firewall-route.
  4. Select Review + create.

  5. Select Create.

After deployment completes, select Go to resource.

  1. On the Firewall-route page, under Settings, select Subnets and then select Associate.

  2. For Virtual network select Test-FW-VN.

  3. For Subnet, select Workload-SN.

  4. Select OK.

  5. Select Routes and then select Add.

  6. For Route name, enter fw-dg.

  7. For Destination type, select IP Addresses.

  8. For Destination IP addresses/CIDR ranges, enter 0.0.0.0/0.

  9. For Next hop type, select Virtual appliance.

    Azure Firewall is a managed service rather than a virtual appliance, but Virtual appliance is the next hop type to use for it.

  10. For Next hop address, enter the private IP address for the firewall that you noted previously.

  11. Select Add.
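The same default route in Azure PowerShell (Az module), as an added example that is not part of the original tutorial. It assumes you are signed in, that the resource names match those created above, and it ends with a check that the route actually took effect on the Srv-Work network interface.

```powershell
# Added example (not from the original tutorial). Assumes Connect-AzAccount has
# been run and the tutorial's resource names are in use.
$rg       = "Test-FW-RG"
$location = (Get-AzResourceGroup -Name $rg).Location

# The firewall's private IP is the next hop for all outbound traffic.
$fw       = Get-AzFirewall -Name "Test-FW01" -ResourceGroupName $rg
$fwPrivIp = $fw.IpConfigurations[0].PrivateIPAddress

# Route table with a single default route (0.0.0.0/0) pointing at the firewall.
$routeTable = New-AzRouteTable -Name "Firewall-route" -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name "fw-dg" -RouteTable $routeTable `
    -AddressPrefix "0.0.0.0/0" `
    -NextHopType "VirtualAppliance" `
    -NextHopIpAddress $fwPrivIp | Set-AzRouteTable | Out-Null

# Associate the route table with Workload-SN only. AzureFirewallSubnet keeps its
# system routes; forcing the firewall subnet through the firewall would loop.
$vnet = Get-AzVirtualNetwork -Name "Test-FW-VN" -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Workload-SN" `
    -AddressPrefix "10.0.2.0/24" -RouteTable $routeTable | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the effective routes on the Srv-Work NIC must show 0.0.0.0/0 with the
# firewall's private IP as next hop. If this prints nothing, traffic is not
# being forced through the firewall and the rules below will never be hit.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg |
       Where-Object { $_.VirtualMachine.Id -like "*/virtualMachines/Srv-Work" }
Get-AzEffectiveRouteTable -NetworkInterfaceName $nic.Name -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" -and $_.NextHopType -eq "VirtualAppliance" } |
    Select-Object AddressPrefix, NextHopType, NextHopIpAddress
```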

Configure an application rule

This is the application rule that allows outbound access to www.google.com.

  1. Open the Test-FW-RG resource group, and select the fw-test-pol firewall policy.
  2. Under Settings, select Application rules.
  3. Select Add a rule collection.
  4. For Name, enter App-Coll01.
  5. For Priority, enter 200.
  6. For Rule collection action, select Allow.
  7. Under Rules, for Name, enter Allow-Google.
  8. For Source type, select IP address.
  9. For Source, enter 10.0.2.0/24.
  10. For Protocol:port, enter http, https.
  11. For Destination Type, select FQDN.
  12. For Destination, enter www.google.com.
  13. Select Add.

Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see Infrastructure FQDNs.

Configure a network rule

This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).

  1. Select Network rules.
  2. Select Add a rule collection.
  3. For Name, enter Net-Coll01.
  4. For Priority, enter 200.
  5. For Rule collection action, select Allow.
  6. For Rule collection group, select DefaultNetworkRuleCollectionGroup.
  7. Under Rules, for Name, enter Allow-DNS.
  8. For Source type, select IP Address.
  9. For Source, enter 10.0.2.0/24.
  10. For Protocol, select UDP.
  11. For Destination Ports, enter 53.
  12. For Destination type, select IP address.
  13. For Destination, enter 209.244.0.3,209.244.0.4.
    These are public DNS servers operated by CenturyLink.
  14. Select Add.

Configure a DNAT rule

This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.

  1. Select DNAT rules.
  2. Select Add a rule collection.
  3. For Name, enter RDP.
  4. For Priority, enter 200.
  5. For Rule collection group, select DefaultDnatRuleCollectionGroup.
  6. Under Rules, for Name, enter rdp-nat.
  7. For Source type, select IP address.
  8. For Source, enter *.
  9. For Protocol, select TCP.
  10. For Destination Ports, enter 3389.
  11. For Destination, enter the firewall public IP address.
  12. For Translated type, select IP Address.
  13. For Translated address, enter the Srv-Work private IP address.
  14. For Translated port, enter 3389.
  15. Select Add.
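The three rule sections above (application, network and DNAT) expressed in Azure PowerShell against the fw-test-pol policy, as an added example that is not part of the original tutorial. The rule collection group names and priorities are this example's choice, since the Default*RuleCollectionGroup groups used in the portal steps are not assumed to exist; everything else uses the values from the tutorial.

```powershell
# Added example (not from the original tutorial). Assumes Connect-AzAccount has
# been run and the tutorial's resource names are in use.
$rg     = "Test-FW-RG"
$policy = Get-AzFirewallPolicy -Name "fw-test-pol" -ResourceGroupName $rg

# Application rule: hosts in Workload-SN may reach www.google.com only, over HTTP and HTTPS.
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-Google" -SourceAddress "10.0.2.0/24" `
    -TargetFqdn "www.google.com" -Protocol "http:80", "https:443"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "App-Coll01" -Priority 200 `
    -Rule $appRule -ActionType Allow

# Network rule: UDP/53 from Workload-SN to the two CenturyLink resolvers and nothing else.
$netRule = New-AzFirewallPolicyNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress "10.0.2.0/24" `
    -DestinationAddress "209.244.0.3", "209.244.0.4" -DestinationPort "53"
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "Net-Coll01" -Priority 200 `
    -Rule $netRule -ActionType Allow

# DNAT rule: TCP/3389 to the firewall public IP is translated to Srv-Work's private IP.
$fwPubIp   = (Get-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $rg).IpAddress
$srvNic    = Get-AzNetworkInterface -ResourceGroupName $rg |
             Where-Object { $_.VirtualMachine.Id -like "*/virtualMachines/Srv-Work" }
$srvPrivIp = $srvNic.IpConfigurations[0].PrivateIpAddress
$natRule = New-AzFirewallPolicyNatRule -Name "rdp-nat" -Protocol TCP -SourceAddress "*" `
    -DestinationAddress $fwPubIp -DestinationPort "3389" `
    -TranslatedAddress $srvPrivIp -TranslatedPort "3389"
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "RDP" -Priority 200 -Rule $natRule -ActionType Dnat

# Each collection goes into its own rule collection group. Group names and
# priorities are this example's choice; priorities must be unique within the policy.
foreach ($g in @(@{ Name = "Dnat-RCG"; Priority = 100; Coll = $natColl },
                 @{ Name = "Net-RCG";  Priority = 200; Coll = $netColl },
                 @{ Name = "App-RCG";  Priority = 300; Coll = $appColl })) {
    New-AzFirewallPolicyRuleCollectionGroup -Name $g.Name -Priority $g.Priority `
        -RuleCollection $g.Coll -FirewallPolicyObject $policy | Out-Null
}

# Check: read back what was committed to the policy, group by group.
foreach ($name in "Dnat-RCG", "Net-RCG", "App-RCG") {
    $rcg = Get-AzFirewallPolicyRuleCollectionGroup -Name $name -AzureFirewallPolicy $policy
    "$name : $($rcg.Properties.RuleCollection.Name -join ', ')"
}
```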

Change the primary and secondary DNS address for the Srv-Work network interface

For testing purposes in this tutorial, configure the server's primary and secondary DNS addresses. This isn't a general Azure Firewall requirement.

  1. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the Test-FW-RG resource group.
  2. Select the network interface for the Srv-Work virtual machine.
  3. Under Settings, select DNS servers.
  4. Under DNS servers, select Custom.
  5. Enter 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box.
  6. Select Save.
  7. Restart the Srv-Work virtual machine.

Test the firewall

Now, test the firewall to confirm that it works as expected.

  1. Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.

  2. Open Microsoft Edge and browse to https://www.google.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the Google home page.

  4. Browse to https://www.microsoft.com.

    You should be blocked by the firewall.

So now you've verified that the firewall rules are working:

  • You can browse to the one allowed FQDN, but not to any others.
  • You can resolve DNS names using the configured external DNS server.
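A scripted version of these checks, as an added example that is not part of the original tutorial: run it in a PowerShell window inside the Srv-Work RDP session. Each check maps to one rule collection, including a negative test for each (an FQDN outside Allow-Google and a resolver outside Allow-DNS; 8.8.8.8 is used only as an example of a resolver the network rule does not cover).

```powershell
# Added example (not from the original tutorial). Runs inside Srv-Work after
# the DNAT rule has let the RDP session through.
$resolver = "209.244.0.3"     # allowed by Allow-DNS
$blocked  = "8.8.8.8"         # any resolver not in Allow-DNS; example value

# Network rule, positive: UDP/53 to the allowed resolver must succeed.
$a = Resolve-DnsName -Name "www.google.com" -Server $resolver -Type A -ErrorAction Stop
"DNS via $resolver -> $(($a | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress)"

# Network rule, negative: a resolver outside the rule must time out or fail.
try {
    Resolve-DnsName -Name "www.google.com" -Server $blocked -Type A -ErrorAction Stop | Out-Null
    "DNS via $blocked -> answered (NOT blocked: check Net-Coll01)"
} catch {
    "DNS via $blocked -> blocked as expected"
}

# Application rule, positive: the allowed FQDN returns HTTP 200.
$ok = Invoke-WebRequest -Uri "https://www.google.com" -UseBasicParsing -TimeoutSec 30
"www.google.com -> HTTP $($ok.StatusCode) (allowed)"

# Application rule, negative: an FQDN outside the rule must be blocked. Without
# TLS inspection the firewall matches on SNI and drops the HTTPS connection, so
# a thrown error is the expected outcome here.
try {
    $r = Invoke-WebRequest -Uri "https://www.microsoft.com" -UseBasicParsing -TimeoutSec 30
    "www.microsoft.com -> HTTP $($r.StatusCode) (NOT blocked: check App-Coll01)"
} catch {
    "www.microsoft.com -> blocked as expected: $($_.Exception.Message)"
}
```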

Clean up resources

You can keep your firewall resources for the next tutorial, or if no longer needed, delete the Test-FW-RG resource group to delete all firewall-related resources.

Next steps

Deploy and configure Azure Firewall Premium
