Azure Firewall - Demo


In the last post we discussed what Azure Firewall is and the features it provides; today we are going to perform the demo: deploy and configure Azure Firewall.

Azure Firewall controls outbound network access, which is an important part of an overall network security plan. It does this with two kinds of rules: -

·        Application Rules – define the FQDNs that can be reached from a subnet (HTTP/HTTPS by host name).
·        Network Rules – define source address, protocol, destination port and destination address (any TCP/UDP traffic, including non-web protocols such as DNS).


Now, to deploy and configure Azure Firewall for the demo, let's create the required lab:

·        Create a resource group
·        Create a virtual network
·        Create 3 subnets – one for Azure Firewall, one for the jump server and one for workloads
·        Create a VM in the jump subnet and one in the workload subnet
·        Create the firewall
·        Configure network and application rules
·        Create a route table and a default route to the firewall
·        Associate the route table with the workload subnet
·        Perform the testing


Let's start by creating the VNet in East US 2, as shown in the configuration snippet below -


In the above snippet you can see I have created one VNet and three subnets in the East US 2 location under Arun.RG.
An important thing to notice: Azure Firewall needs its own dedicated subnet, just like a gateway or other NVAs, and that subnet must be named exactly AzureFirewallSubnet (it also needs to be at least a /26, so leave room for it in your address plan).


Now we need to spin up two VMs: one as the jump server and the other as a workload VM, which we will use to test the firewall rules.

Jump server - Windows Server, with a public IP and an NSG that allows RDP.

Workload server - Windows Server, with no public IP and no RDP rule opened in its NSG (it is reached only from the jump server over the VNet).

I am assuming you already know how to create a VM and a VNet, so I am skipping those initial steps; all you need to make sure of is that both servers use the settings and subnets given above. We will, however, go through all the settings for creating the Azure Firewall.

As you can see, I have two VMs in the running state -




Now navigate to Create a resource, search for Firewall and click Create, as shown below -





Once you hit Create, the window below appears, asking for the following information:-


·        Resource Group
·        Name of the Azure Firewall
·        Region
·        Virtual Network
·        Subnet
·        Public IP






An important thing to keep in mind: the subnet name must be "AzureFirewallSubnet", and the public IP created for the firewall is a static, Standard SKU address. Once everything is configured as required, with the right region and VNet selected, it will look like this after creation.





Copy the firewall's private IP, as you will need it when creating the route in the route table.

Now navigate to Route tables, click Add, and fill in the basic information shown in the snippet.




Once the route table is created, click Routes under Settings and add a route. Give the route a name and set -

Address prefix = 0.0.0.0/0, i.e. all traffic (the internet)
Next hop type = Virtual appliance
Next hop address = the private IP of your Azure Firewall





Now the route is created, and we need to associate the route table with a subnet. Here we associate it with the prod-subnet, where all the workloads are, so whenever they try to reach the internet they are redirected to the firewall. Do not associate this table with AzureFirewallSubnet itself; the firewall needs its own direct path out, and only the subnets you want to inspect should carry the default route to it.






Now let's go back to the firewall and set up the network and application rules. To configure rules, navigate to the Azure Firewall; under Settings you will find Rules, and on the right-hand side you have Network rule collection and Application rule collection.


Let's click on Application rule collection, click Add and configure it as shown below -
Name: Allow-Google
Priority: 200
Action: Allow
Rule type: Target FQDNs
Source address: 10.0.2.0/24
Protocol:port: Http:80, Https:443
Target FQDNs: www.google.com





Now click on Network rule collection, click Add and configure it as shown below -

Name: Allow-DNS
Priority: 200
Action: Allow
Rule type: IP address
Protocol: UDP
Source address: 10.0.2.0/24
Destination address: 209.244.0.3, 209.244.0.4
Destination port: 53

Note that this rule only comes into play if the workload VM (or the VNet) is configured to use 209.244.0.3 and 209.244.0.4 as its DNS servers; with the default Azure-provided DNS (168.63.129.16) name resolution never passes through the firewall.





Now that both rules are configured, we are good to test. Log in to the jump server, RDP from there to the workload server, and try to browse google.com and microsoft.com. The snippet below confirms the test.






google.com works, as it is allowed, but microsoft.com does not, as it is not allowed; the error page from the firewall says as much.
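The whole lab above, built with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The workload subnet 10.0.2.0/24 and the two rules match the post; the VNet range, the other subnet prefixes, and the VNet, firewall, public IP and route table names are assumptions, and the jump/workload VMs are created as in the post and omitted here.

```powershell
# Added example (not from the original post): the demo lab via Az PowerShell.
# Assumed names/ranges: demo-vnet 10.0.0.0/16, AzureFirewallSubnet 10.0.1.0/26,
# jump-subnet 10.0.0.0/24, prod-subnet 10.0.2.0/24, firewall demo-fw, PIP fw-pip.
$rg       = 'Arun.RG'
$location = 'eastus2'

New-AzResourceGroup -Name $rg -Location $location

# Three subnets. The firewall subnet MUST be named AzureFirewallSubnet and be at least /26.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.1.0/26'
$jumpSubnet = New-AzVirtualNetworkSubnetConfig -Name 'jump-subnet'         -AddressPrefix '10.0.0.0/24'
$prodSubnet = New-AzVirtualNetworkSubnetConfig -Name 'prod-subnet'         -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'demo-vnet' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet, $jumpSubnet, $prodSubnet

# (Jump and workload VMs are created exactly as described in the post; omitted here.)

# Azure Firewall requires a static, Standard-SKU public IP.
$fwPip = New-AzPublicIpAddress -Name 'fw-pip' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$azfw = New-AzFirewall -Name 'demo-fw' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip
$fwPrivateIp = $azfw.IpConfigurations[0].PrivateIPAddress   # next hop for the default route

# Route table: 0.0.0.0/0 -> firewall, associated ONLY with the workload subnet
# (never with AzureFirewallSubnet, which must keep its own path to the internet).
$rt = New-AzRouteTable -Name 'fw-rt' -ResourceGroupName $rg -Location $location `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -Name 'default-to-fw' -RouteTable $rt -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'prod-subnet' `
    -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Set-AzVirtualNetwork

# Application rule collection: only www.google.com over HTTP/HTTPS from the workload subnet.
$appRule = New-AzFirewallApplicationRule -Name 'Allow-Google' -SourceAddress '10.0.2.0/24' `
    -Protocol http, https -TargetFqdn 'www.google.com'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'Allow-Google' -Priority 200 `
    -ActionType Allow -Rule $appRule

# Network rule collection: UDP/53 to the two resolvers used in the post. This only matters if
# the workload VM's DNS servers are set to these addresses rather than Azure-provided DNS.
$netRule = New-AzFirewallNetworkRule -Name 'Allow-DNS' -Protocol UDP -SourceAddress '10.0.2.0/24' `
    -DestinationAddress '209.244.0.3', '209.244.0.4' -DestinationPort '53'
$netColl = New-AzFirewallNetworkRuleCollection -Name 'Allow-DNS' -Priority 200 `
    -ActionType Allow -Rule $netRule

$azfw.ApplicationRuleCollections = $appColl
$azfw.NetworkRuleCollections     = $netColl
Set-AzFirewall -AzureFirewall $azfw

# --- Run this part ON the workload VM (via the jump server) to repeat the browser test ---
foreach ($url in 'https://www.google.com', 'https://www.microsoft.com') {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "$url -> allowed (HTTP $($resp.StatusCode))"
    } catch {
        # Traffic not matching an application rule is denied by the firewall.
        "$url -> blocked: $($_.Exception.Message)"
    }
}
```

Expect the google.com request to return HTTP 200 and the microsoft.com request to fail: the firewall has no rule matching that FQDN, so its default action is deny. Add a second application rule (or widen the target FQDN list) and re-run the loop to see the difference.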


 Reference link -




Understand Azure Firewall - Managed cloud-based Security Service


Azure provides a lot of built-in security features; however, organizations tend to deploy third-party virtual appliances as well, to get more control over traffic and to secure the environment.


Recently Azure also introduced Azure Firewall, which provides a lot of security features to help you secure your network. Azure Firewall is deployed and works in combination with NSGs, and provides features like –


·        Threat intelligence-based filtering, fully integrated with Azure Monitor for logging and analytics.
·        A stateful firewall as a service that provides outbound control over traffic based on port, protocol and/or by manually whitelisting the fully qualified domain name, or FQDN.
·        Built-in high availability with unrestricted cloud scalability.
·        Source and destination Network Address Translation (SNAT and DNAT) support.
·        Pricing based on each Azure Firewall instance deployed plus bandwidth consumed.
·        Ability to centrally create, enforce and log application and network connectivity policies.



So, what is Azure Firewall?

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.



(Borrowed from MS Docs)



You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.
Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.


A few important concepts to understand about what Azure Firewall provides –

Outbound SNAT support (Source Network Address Translation) -

All outbound traffic from the virtual network is translated to the Azure Firewall public IP. The destination therefore sees only the firewall's address and not the actual source inside the virtual network. Azure Firewall does not SNAT when the destination is a private IP address range.


** If your organization uses a public IP address range for its private networks, Azure Firewall will instead SNAT that traffic to one of the firewall's private IP addresses in AzureFirewallSubnet **



Inbound DNAT support (Destination Network Address Translation) -

Inbound network traffic to your Azure Firewall public IP address is translated (DNAT) and filtered to the private IP addresses on your virtual networks. This is what lets you publish a service, or reach a VM, behind the firewall's single public IP without giving the VM a public IP of its own.
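A DNAT rule that shows the translation described above, as an added example that is not part of the original post: inbound RDP to the firewall's public IP is translated to a workload VM's private IP. The firewall name demo-fw, public IP name fw-pip, resource group Arun.RG, the workload VM address 10.0.2.4 and the admin source address 203.0.113.10 are all assumptions.

```powershell
# Added example (not from the original post): publish RDP to a workload VM through
# Azure Firewall with a DNAT rule. Names and addresses below are assumptions.
$rg    = 'Arun.RG'
$azfw  = Get-AzFirewall        -Name 'demo-fw' -ResourceGroupName $rg
$fwPip = Get-AzPublicIpAddress -Name 'fw-pip'  -ResourceGroupName $rg

# Inbound TCP/3389 hitting the firewall's public IP is rewritten to 10.0.2.4:3389.
# Restrict -SourceAddress to your admin range; '*' would expose RDP to the whole internet.
$natRule = New-AzFirewallNatRule -Name 'RDP-to-workload' -Protocol TCP `
    -SourceAddress '203.0.113.10/32' -DestinationAddress $fwPip.IpAddress `
    -DestinationPort '3389' -TranslatedAddress '10.0.2.4' -TranslatedPort '3389'
$natColl = New-AzFirewallNatRuleCollection -Name 'Nat-Coll01' -Priority 200 -Rule $natRule

$azfw.AddNatRuleCollection($natColl)
Set-AzFirewall -AzureFirewall $azfw
```

Because the rule matches on the firewall's own public IP, the workload VM needs no public IP at all, and the firewall logs every inbound connection attempt alongside the outbound rules. Pair a DNAT rule with a default route on the workload subnet pointing back at the firewall so return traffic takes the same path.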


Azure Firewall has the following known issues

In the next post we will deploy and configure Azure Firewall.
