What is Azure Firewall ?
Azure FIrewall is a sertice to secure your network on Azure. The ressources has now been protected by one firewall. This service permit high availability and unlimited scalability on the cloud platform. With this functionnality, you centralize application and network connectivity policies. Azure Firewall use static public address. The configuration of Azure Firewall will require the following operations :
- Create virtual network
- Deploy Azure Firewall
- Create a default route
- Add Application Rules
Create virtual network
On the Azure poral, click on Create a ressource and then click on Networking
Enter the name of the Virtual Network and the Address Space. Select the desired Ressource Group and the Location.
The subnet must be named AzureFirewallSubnet otherwise you will not be able to create the firewall. Configure the subnetwork and click on Create.
You can create other subnetwork for your infrastructure server (database, application,…).
Deploy Azure Firewall
You can now deploy Azure firewall. On the Azure platform, click on Create a resource. On the field, enter Firewall?
Click on Create for lauch creation of the Firewall.
Select the desired Ressource group and enter the name of your Firewall. Select the Azure region.
Select Use existing option on Virtual network configuration. Select the virtual network created previously and create New Public Ip address. Click on Review + Create for lauch creation.
After creating the firewall, access the firewall configuration. In Overview tab retrieve the Private IP address assigned to the firewall.
Create a default route
It is now necessary to configure the default outgoing route for the Virtual Network of the firewall. This allows you to configure the default route to pass through the firewall. On the Azure portal, clik on All Services and enter route on the field. Click on Route tables on the central panel.p style=”text-align: center;”>
On the central panel, click on Create route table.p style=”text-align: center;”>
Enter the name that you want and select the desired Ressource Group. Select the same location that you previously used. Click on Create for lauch creation.p style=”text-align: center;”>
The route has been created. Click on the route previously created.
Select the desired rules and click on Subnets. On the central panel, click on Associate.
Select the Virtual network and Subnet previously created. Click on OK for validate the modification.
Click on the Routes menu and click on Add.
Enter the name that you want on the Name field and 0.0.0.0/0 on the Address Prefix field. Select Virtual Appliance on the menu Next hop type, Enter the Private IP Address of the Azure Firewall. Click on OK for validate the choice.
After setting up the Azure firewall, it is impossible for me to connect in RDP to my various servers. It is necessary to set up a jump server. First of all, it is necessary to create a dedicated Subnet for this server.
You can now create the Virtual Machine. I allow only RDP since my Public Ip address on the NSG
Add Application Rules
On the server, I cant access to the Internet. I need configure Application Rules for allow web site.
On Azure portal, access to Firewall configuration. and click on Rules.
It’s possible to create three types of rules.
- Nat Rules : For publishing services on Internet (RDP, SSH or non-HTTP/S)
- Network Rules : Permit to allow any non-HTTP/S traffic to flow through the firewall (Example : web server on subnet 1 and Database server on subnet 2).
- Application rules : Permit to allow HTTP/HTTPS traffic.
Select Application rule collection and click on Add application rule collection
On the Target FQDNs, enter the Name and the priority (100 minimum) of the rules. Enter Allow-Google on Name Field and the source IP Address (I enter 10.1.1.0/24 for apply the rules at all server connected to my subnet). Enter http, https on the protocol:port field. Enter the target FQDNs allowed. Click on Add for create rules.
The rules has now been present on Azure portal.
Google is now been allowed. If I try to go on Microsoft.com, access is denied.