How to deploy and configure Azure firewall

Selvi Perumal
7 min read, May 17, 2023


In this blog, we are going to see how to create firewall rules that restrict the network traffic a VM hosted in Azure can send to websites on the public internet, by routing that traffic through an Azure firewall.

🎯What is an Azure firewall?

Azure Firewall is a managed, cloud-based network security service that protects your Azure virtual network resources.

📌Steps involved in setting up Azure Firewall:

  • Create a resource group.
  • Create vnets and subnets.
  • Create VMs.
  • Deploy a firewall and a firewall policy.
  • Create a default route.
  • Configure an application rule.
  • Configure a network rule.
  • Configure the DNAT rule.
  • Change the primary and secondary DNS addresses for the server’s network interface.
  • Test the firewall.

✅Task 1: Create a Resource Group

  1. Log in to your Azure portal account.
  2. On the Azure portal home page, select Resource Groups.
  3. Select Create.
  4. On the Basics tab, in the Resource Group, enter "Test-FW-RG".
  5. For Region, select your preferred region from the list, e.g., East US.
  6. The resource group is then created.

✅Task 2: Create a single virtual network with two subnets

  1. On the Azure portal home page, in the search box, type virtual network and select Virtual Network when it appears.
  2. Select Create.
  3. Select the "Test-FW-RG" resource group you created previously. In the Name box, enter Test-FW-VN.
  4. Select Next: IP Addresses. Enter the IPv4 address space "10.0.0.0/16" if it is not already there by default.
  5. Under Subnet Name, select the word default.
  6. In the Edit subnet dialog box, change the name to AzureFirewallSubnet.
  7. Change the Subnet address range to 10.0.1.0/26.
  8. Select Save.
  9. Select Add subnet to create another subnet, which will host the workload server that you will create shortly.
  10. In the Edit subnet dialog box, change the name to Workload-SN.
  11. Change the subnet address range to 10.0.2.0/24.
  12. Select Add.
  13. Select Review + Create.
  14. Select Create.

✅Task 3: Create the workload virtual machine and place it in the workload-SN subnet

  1. On the Azure portal, open the PowerShell session within the Cloud Shell pane.
  2. Cloud Shell → Toolbar → Upload/Download. Upload firewall.json and firewall.parameters.json as customized files. (Refer to the documentation to create those files.)

  3. Deploy the ARM template to create the VM with the following commands:

     $RGName = "Test-FW-RG"
     New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile firewall.json -TemplateParameterFile firewall.parameters.json

  4. Go to Azure portal → Select Virtual machine → Click Overview → Networking → Note down the private IP address of the created VM.

✅Task 4: Deploy the firewall into the virtual network with a firewall policy configured.

  1. On the Azure portal → Select Create resources → Create Firewall.
  2. On the Basics tab, create a firewall using the information in the table below.
Subscription       : Select your subscription
Resource group : Test-FW-RG
Firewall name : Test-FW01
Region : Your region
Firewall SKU : Standard
Firewall management: Use a Firewall Policy to manage this firewall
Firewall policy : Select Add new
Name : fw-test-pol
Region : your region

  3. Select Review + create.
  4. Go to the firewall → Note down the private IP of the firewall.
  5. Under Settings → Select Public IP configuration → Note down the public IP address.
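Tasks 1, 2 and 4 can also be scripted from the same Cloud Shell PowerShell session the post uses for Task 3. The block below is an added example written for this page, not the author's code; it uses the names from the post, skips Task 3 (the VM comes from the post's ARM template), and assumes the public IP name Test-FW01-pip and the region eastus.

```powershell
# Added example (not from the original post): Az PowerShell equivalent of Tasks 1, 2 and 4.
# Run in Azure Cloud Shell (PowerShell) with the Az module. Names follow the post;
# the public IP name and the region are assumptions of this example.

$RGName   = "Test-FW-RG"
$Location = "eastus"   # the post uses East US as its example; change to your region

# Task 1: resource group
New-AzResourceGroup -Name $RGName -Location $Location

# Task 2: one VNet with two subnets. The firewall subnet must be named exactly
# AzureFirewallSubnet and be at least a /26, which the post's values already satisfy.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.1.0/26"
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workload-SN" -AddressPrefix "10.0.2.0/24"
$vnet = New-AzVirtualNetwork -Name "Test-FW-VN" -ResourceGroupName $RGName -Location $Location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet, $wlSubnet

# Task 4: firewall policy first, then the public IP, then the firewall that uses both.
$policy = New-AzFirewallPolicy -Name "fw-test-pol" -ResourceGroupName $RGName -Location $Location

# Azure Firewall needs a Standard-SKU, statically allocated public address. Name is assumed.
$fwPip = New-AzPublicIpAddress -Name "Test-FW01-pip" -ResourceGroupName $RGName -Location $Location `
    -AllocationMethod Static -Sku Standard

$fw = New-AzFirewall -Name "Test-FW01" -ResourceGroupName $RGName -Location $Location `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip -FirewallPolicyId $policy.Id

# The two values the post asks you to "note down", captured in variables instead.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$fwPublicIp  = $fwPip.IpAddress
Write-Output "Firewall private IP: $fwPrivateIp   public IP: $fwPublicIp"
```

Keeping the private and public IPs in variables matters for the later tasks: the default route needs the private IP and the DNAT rule needs the public IP, and typing either by hand is where lab setups most often go wrong.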

✅Task 5: Create a Default Route

  1. On the Azure portal → Create Route table → Fill in the Basics tab with the information below.
Subscription        :  Select your subscription
Resource group : Test-FW-RG
Region : Your region
Name : Firewall-route
Propagate GW routes : Yes

2. After deployment completes, select Go to resource.

3. On the Firewall-route page, under Settings, select Subnets and then select Associate.

4. On Virtual network, select Test-FW-VN and then select the subnet that hosts the workload VM.

5. Under Settings, select Routes and then select Add.

6. On Route name, enter fw-dg.

   On Address prefix destination, enter 0.0.0.0/0.

   On Next hop type, select Virtual appliance.

   On Next hop address, type the private IP address for the firewall that you noted previously (e.g., 10.0.1.4).

   Select Add.
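The same default route, as an added example in Az PowerShell (not from the original post). It assumes Test-FW01 and Test-FW-VN already exist with the post's names and reads the firewall's private IP from the firewall object rather than relying on a value copied from the portal.

```powershell
# Added example (not from the original post): Task 5 in Az PowerShell.
# Assumes the firewall and VNet from the earlier tasks exist under the post's names.

$RGName   = "Test-FW-RG"
$Location = "eastus"   # your region

# Read the firewall's private IP instead of typing it (the post shows 10.0.1.4 as an example value).
$fw          = Get-AzFirewall -Name "Test-FW01" -ResourceGroupName $RGName
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# Route table. BGP route propagation is left enabled, matching "Propagate GW routes: Yes".
$rt = New-AzRouteTable -Name "Firewall-route" -ResourceGroupName $RGName -Location $Location

# Default route: anything not destined for the VNet itself goes to the firewall as a virtual appliance.
Add-AzRouteConfig -Name "fw-dg" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp -RouteTable $rt | Set-AzRouteTable

# Associate the table with the workload subnet only. Do not associate it with
# AzureFirewallSubnet: the firewall's own outbound traffic must not be routed back to itself.
$vnet = Get-AzVirtualNetwork -Name "Test-FW-VN" -ResourceGroupName $RGName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Workload-SN" `
    -AddressPrefix "10.0.2.0/24" -RouteTable $rt | Set-AzVirtualNetwork

# Quick check: the effective route on the subnet should now show 0.0.0.0/0 -> VirtualAppliance.
(Get-AzRouteTable -Name "Firewall-route" -ResourceGroupName $RGName).Routes |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress
```

Until this route is in place the VM's traffic leaves through Azure's default internet path and never touches the firewall, so every rule you configure in Tasks 6 to 8 would appear to "work" only because nothing is being filtered.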

✅Task 6: Configure an Application rule

In this task, you will add an application rule that allows outbound access to www.google.com.

  1. On the Azure portal home page, select All resources.
  2. In the list of resources, select your firewall policy, fw-test-pol.
  3. Under Settings, select Application Rules.
  4. Select Add a rule collection.
  5. On the Add a rule collection page, create a new application rule using the information in the table below.

Name : App-Coll01
Rule collection type : Application
Priority : 200
Rule collection action: Allow
Rule collection group : DefaultApplicationRuleCollectionGroup
Rules Section
Name : Allow-Google
Source type : IP Address
Source : 10.0.2.0/24
Protocol : http,https
Destination type : FQDN
Destination : www.google.com

✅Task 7: Configure a Network rule

In this task, you will add a network rule that allows outbound access to two IP addresses at port 53 (DNS).

  1. On the fw-test-pol page, under Settings, select Network Rules.
  2. Select Add a rule collection.

3. On the Add a rule collection page, create a new network rule using the information below.

Name                     :   Net-Coll01
Rule collection type : Network
Priority : 200
Rule collection action : Allow
Rule collection group : DefaultNetworkRuleCollectionGroup
Rules Section
Name : Allow-DNS
Source type : IP Address
Source : 10.0.2.0/24
Protocol : UDP
Destination Ports : 53
Destination Type : IP Address
Destination : 209.244.0.3, 209.244.0.4 (public DNS servers operated by CenturyLink)

✅Task 8: Configure a DNAT rule

In this task, you will add a DNAT rule that lets you open a Remote Desktop connection to the VM through the firewall.

  1. On the fw-test-pol page, under Settings, select DNAT Rules.
  2. Select Add a rule collection.
  3. On the Add a rule collection page, create a new DNAT rule using the information in the table below.
Name                             :  rdp
Rule collection type : DNAT
Priority : 200
Rule collection group : DefaultDnatRuleCollectionGroup
Rules Section
Name : rdp-nat
Source type : IP Address
Source : *
Protocol : TCP
Destination Ports : 3389
Destination Type : IP Address
Destination : firewall public IP address
Translated address : private IP address of VM
Translated port : 3389
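Tasks 6, 7 and 8 together, as an added Az PowerShell example (not the author's code). It assumes fw-test-pol and Test-FW01 exist with the post's names; the rule collection group names Lab-Dnat-RCG, Lab-Network-RCG and Lab-Application-RCG are this example's own (the portal puts the rules in its Default*RuleCollectionGroup groups instead), and the VM private IP is a placeholder you replace with the address noted in Task 3.

```powershell
# Added example (not from the original post): Tasks 6, 7 and 8 in Az PowerShell.
# Assumes fw-test-pol and Test-FW01 already exist. Group names are assumptions of this
# example; the VM private IP below is a placeholder for the value noted in Task 3.

$RGName = "Test-FW-RG"
$policy = Get-AzFirewallPolicy -Name "fw-test-pol" -ResourceGroupName $RGName

# Firewall public IP, resolved from the firewall's own IP configuration rather than typed in.
$fw         = Get-AzFirewall -Name "Test-FW01" -ResourceGroupName $RGName
$pipId      = $fw.IpConfigurations[0].PublicIpAddress.Id
$fwPublicIp = (Get-AzPublicIpAddress -ResourceGroupName $RGName | Where-Object { $_.Id -eq $pipId }).IpAddress

$vmPrivateIp = "10.0.2.4"   # PLACEHOLDER: replace with the VM private IP noted in Task 3

# Task 6: application rule. The portal's "http,https" corresponds to explicit protocol:port pairs here.
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-Google" -SourceAddress "10.0.2.0/24" `
    -Protocol "http:80", "https:443" -TargetFqdn "www.google.com"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "App-Coll01" -Priority 200 `
    -Rule $appRule -ActionType Allow

# Task 7: network rule allowing DNS (UDP/53) to the two CenturyLink resolvers.
$netRule = New-AzFirewallPolicyNetworkRule -Name "Allow-DNS" -SourceAddress "10.0.2.0/24" `
    -Protocol UDP -DestinationAddress "209.244.0.3", "209.244.0.4" -DestinationPort 53
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "Net-Coll01" -Priority 200 `
    -Rule $netRule -ActionType Allow

# Task 8: DNAT rule publishing RDP on the firewall's public IP. Source "*" is what the
# post uses for the lab; outside a lab, narrow it to the address range you connect from.
$natRule = New-AzFirewallPolicyNatRule -Name "rdp-nat" -SourceAddress "*" -Protocol TCP `
    -DestinationAddress $fwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $vmPrivateIp -TranslatedPort 3389
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "rdp" -Priority 200 -Rule $natRule -ActionType Dnat

# One rule collection group per collection, in the order the firewall evaluates them:
# DNAT first, then network rules, then application rules. Names/priorities are assumptions.
New-AzFirewallPolicyRuleCollectionGroup -Name "Lab-Dnat-RCG" -Priority 100 `
    -RuleCollection $natColl -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name "Lab-Network-RCG" -Priority 200 `
    -RuleCollection $netColl -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name "Lab-Application-RCG" -Priority 300 `
    -RuleCollection $appColl -FirewallPolicyObject $policy
```

Two things worth noticing in the script that the portal hides. First, the network rule is evaluated before the application rule, which is why DNS has to be allowed at layer 4 for the FQDN-based application rule to be usable at all. Second, the DNAT rule with a source of * exposes TCP/3389 on the firewall's public IP to the whole internet; that is acceptable for a short-lived lab but is the first thing to tighten anywhere else.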

✅Task 9: Change the primary and secondary DNS address for the server’s network interface

For testing purposes in this task, you will configure the VM server primary and secondary DNS addresses. However, this is not a general Azure Firewall requirement.

  1. On the Azure portal home page, select Resource groups.
  2. In the list of resource groups, select your resource group, Test-FW-RG.
  3. In the list of resources in this resource group, select the network interface for the VM.
  4. Under Settings, select DNS servers.
  5. Under DNS servers, select Custom.
  6. Type 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box.
  7. Select Save.
  8. Restart the VM.
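The DNS change on the network interface, as an added Az PowerShell example (not from the original post). The NIC and VM names are assumptions: the post's VM comes from an ARM template, so look up the actual names with Get-AzNetworkInterface and Get-AzVM.

```powershell
# Added example (not from the original post): Task 9 in Az PowerShell.
# NIC and VM names are assumptions of this example; replace them with yours.

$RGName  = "Test-FW-RG"
$nicName = "Srv-Work-NIC"   # REPLACE with your VM's network interface name
$vmName  = "Srv-Work"       # REPLACE with your VM name

# Switch the NIC from Azure-provided DNS to the two custom servers used in the post.
$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $RGName
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add("209.244.0.3")
$nic.DnsSettings.DnsServers.Add("209.244.0.4")
$nic | Set-AzNetworkInterface

# The guest OS only picks up the new resolver list after a restart, which is why the post ends with one.
Restart-AzVM -ResourceGroupName $RGName -Name $vmName

# Verify what was actually saved on the NIC.
(Get-AzNetworkInterface -Name $nicName -ResourceGroupName $RGName).DnsSettings.DnsServers
```

The reason this step matters for the test in Task 10 is that the VM's DNS queries now go to exactly the two addresses the network rule in Task 7 allows; with Azure-provided DNS (168.63.129.16) the lookup would take a different path and the application rule for www.google.com could not be exercised through the firewall in the same way.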

✅Task 10: Test the Firewall

In this final task, you will test the firewall to verify that the rules are configured correctly and working as expected. This configuration lets you open a Remote Desktop connection to the virtual machine through the firewall, via the firewall’s public IP address.

  1. Open Remote Desktop Connection on your PC.
  2. On the Computer box, enter the firewall’s public IP address (e.g., 20.90.136.51) followed by :3389 (e.g., 20.90.136.51:3389).
  3. Enter the username.
  4. Select Connect.
  5. On the Enter your credentials dialog box, log into the VM server.
  6. Select OK.
  7. Select Yes on the certificate message.
  8. Open Internet Explorer and browse to https://www.google.com.
  9. On the Security Alert dialog box, select OK.
  10. Select Close on the Internet Explorer security alerts that may pop-up.
  11. You should see the Google home page.

✅Task 11: Clean up resources

  1. On the Azure portal, open the PowerShell session within the Cloud Shell pane.
  2. Delete all resource groups you created throughout the labs of this module by running the following command:

     Remove-AzResourceGroup -Name 'Test-FW-RG' -Force -AsJob

Thanks for reading the article; I hope this helps!

👉 Follow me, Selvi Perumal, and the Cloudnloud Tech Community on LinkedIn for more insightful knowledge & resources.

Selvi Perumal

Cloud DevOps enthusiast, talks about Azure, K8s and Google Cloud.