Deploy Azure Firewall

Azure Firewall

What is Azure Firewall?

Azure Firewall is a service that secures your network resources on Azure. Your resources are then protected by a single firewall. The service offers high availability and unlimited scalability on the cloud platform. With this functionality, you centralize application and network connectivity policies. Azure Firewall uses a static public IP address. Configuring Azure Firewall requires the following operations:

  • Create virtual network
  • Deploy Azure Firewall
  • Create a default route
  • Add Application Rules

Create virtual network

On the Azure portal, click on Create a resource and then click on Networking.

Create Virtual Network on Azure

Enter the name of the Virtual Network and the Address Space. Select the desired Resource Group and the Location.

Configure Virtual Network on Azure

The subnet must be named AzureFirewallSubnet, otherwise you will not be able to create the firewall. Configure the subnet and click on Create.

Configure Subnet on Virtual Network Azure

You can create other subnets for your infrastructure servers (database, application, ...).

Add Subnet on Virtual Network

Deploy Azure Firewall

You can now deploy Azure Firewall. On the Azure portal, click on Create a resource. In the search field, enter Firewall.

Create resource on Azure

Click on Create to launch creation of the Firewall.

Create Azure Firewall on Azure

Select the desired Resource group and enter the name of your Firewall. Select the Azure region.

Configure properties of Azure Firewall.

Select the Use existing option under Virtual network configuration. Select the virtual network created previously and create a new Public IP address. Click on Review + Create to launch creation.

Creation of Azure Firewall

After creating the firewall, open the firewall configuration. In the Overview tab, retrieve the Private IP address assigned to the firewall.

Retrieve Private IP address of the firewall

Create a default route

It is now necessary to configure the default outgoing route for the subnets of the Virtual Network, so that their default route passes through the firewall. On the Azure portal, click on All Services and enter route in the search field. Click on Route tables on the central panel.

Create route tables on Azure

On the central panel, click on Create route table.

Create route table on Azure portal

Enter the name that you want and select the desired Resource Group. Select the same location that you used previously. Click on Create to launch creation.

Create route table on Azure

The route table has been created. Click on the route table previously created.

Route table present on Azure Portal

Select the desired route table and click on Subnets. On the central panel, click on Associate.

Associate Subnet to the route table

Select the Virtual network and Subnet previously created. Click on OK to validate the modification.

Select desired virtual network
Select the desired subnet

Click on the Routes menu and click on Add.

Add new default route

Enter the name that you want in the Name field and 0.0.0.0/0 in the Address Prefix field. Select Virtual Appliance in the Next hop type menu and enter the Private IP Address of the Azure Firewall. Click on OK to validate the choice.

Add new route on the firewall

After setting up the Azure Firewall, it is impossible for me to connect via RDP to my various servers. It is necessary to set up a jump server. First of all, it is necessary to create a dedicated Subnet for this server.

Add new subnet for the jump server in Azure

You can now create the Virtual Machine. I allow only RDP from my Public IP address on the NSG.

Properties of Azure Virtual Machine
Configure NSG for secure Azure virtual machine

Add Application Rules

On the server, I can't access the Internet. I need to configure Application Rules to allow web sites.

Access denied when the Azure server tries to access the Internet

On the Azure portal, open the Firewall configuration and click on Rules.

Create Rules on Azure Firewall

It is possible to create three types of rules.

  • NAT Rules: for publishing services on the Internet (RDP, SSH or other non-HTTP/S)
  • Network Rules: allow any non-HTTP/S traffic to flow through the firewall (example: web server on subnet 1 and database server on subnet 2).
  • Application Rules: allow HTTP/HTTPS traffic.

Select Application rule collection and click on Add application rule collection.

Add application rule collection on Azure Firewall

Under Target FQDNs, enter the Name and the priority (100 minimum) of the rule collection. Enter Allow-Google in the Name field and the source IP address (I enter 10.1.1.0/24 to apply the rule to all servers connected to my subnet). Enter http, https in the Protocol:Port field. Enter the allowed target FQDNs. Click on Add to create the rule.

Add new rules on Azure Firewall

The rule is now present on the Azure portal.

Rules present on Azure Firewall

Google is now allowed. If I try to go to Microsoft.com, access is denied.

Access to the google website
Access to Microsoft.com
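The same four steps, scripted with the Az PowerShell module, as an added example that is not part of the original post. The resource group, region, resource names, the 10.1.0.0/16 address space, the /26 firewall subnet and the target FQDN www.google.com are assumptions; the source range 10.1.1.0/24 and the rule name Allow-Google come from the post.

```powershell
# Added example (not from the original post): the four portal steps as Az PowerShell.
# Assumed: resource group, region, resource names, address space and target FQDN.
# Requires the Az module and an authenticated session (Connect-AzAccount).
$rg       = 'rg-azfw-demo'          # assumed resource group name
$location = 'westeurope'            # assumed region
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# 1. Virtual network: the firewall subnet MUST be named AzureFirewallSubnet (at least a /26),
#    plus a workload subnet for the servers the firewall will protect.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.1.0.0/26'
$workSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Workload-SN' -AddressPrefix '10.1.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-fw-demo' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $fwSubnet, $workSubnet

# 2. Firewall with a static Standard-SKU public IP (Azure Firewall requires a static address).
$pip = New-AzPublicIpAddress -Name 'pip-azfw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$azfw = New-AzFirewall -Name 'azfw-demo' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip
# The private IP shown in the Overview tab; it becomes the next hop of the default route.
$fwPrivateIp = $azfw.IpConfigurations[0].PrivateIPAddress

# 3. Default route 0.0.0.0/0 -> Virtual Appliance -> firewall private IP, associated only
#    with the workload subnet (never with AzureFirewallSubnet itself).
$rt = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg -Location $location
Add-AzRouteConfig -Name 'default-via-fw' -RouteTable $rt -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload-SN' `
    -AddressPrefix '10.1.1.0/24' -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 4. Application rule: allow only HTTP/HTTPS to the listed FQDN from the workload subnet.
#    Anything not matched by a rule is denied by default, which is why Microsoft.com is blocked.
$rule = New-AzFirewallApplicationRule -Name 'Allow-Google' -SourceAddress '10.1.1.0/24' `
    -Protocol 'http', 'https' -TargetFqdn 'www.google.com'   # assumed target FQDN
$coll = New-AzFirewallApplicationRuleCollection -Name 'App-Coll01' -Priority 100 `
    -ActionType Allow -Rule $rule
$azfw.ApplicationRuleCollections.Add($coll)
Set-AzFirewall -AzureFirewall $azfw | Out-Null
```

Run it in a PowerShell session with the Az module installed; the jump-server subnet from the post is deliberately left without this route table so that RDP from your public IP keeps working.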
