Secure Azure Network with Azure Firewall

This blog explains how to secure a virtual network in Azure with Azure Firewall protection.

Azure Firewall is a cloud-native, intelligent network firewall service that provides threat protection for cloud workloads running in Azure. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability, and it inspects both east-west (between subnets) and north-south (to and from the internet) traffic.

In this demonstration we will create a single virtual network with two subnets:

  • Virtual Network Name: Infrabeast_testvNet
    • Address space: 10.0.0.0/16
  • Subnet 1: AzureFirewallSubnet
    • Subnet range: 10.0.0.128/26 (Azure Firewall requires a subnet with exactly this name and a prefix no smaller than /26)
  • Subnet 2: dataSubnet01
    • Subnet range: 10.0.0.0/25
We will cover the following configurations in this lab setup:
  • Set up the network using Terraform.
  • Deploy a virtual machine in the data subnet.
  • Deploy Azure Firewall and a firewall policy.
  • Create a default route.
  • Configure an application rule to allow access to www.google.com.
  • Configure a network rule to allow access to external DNS servers.
  • Configure a NAT rule to allow Remote Desktop to the test server.
  • Test the firewall policy.
Step 1: Set up the network using Terraform

We use Terraform to deploy the Azure resources required for this lab. The code can be found here: Code

The code creates the following resources in Azure:
  • Resource group
  • Virtual network and subnets
  • Public IP for the firewall
  • IP group for dataSubnet01 (used as the source in the firewall rules)
  • Firewall policy with an application rule (allow www.google.com) and a network rule (allow DNS to external resolvers)
  • Azure Firewall instance
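As an added example (this is not the lab's own Terraform, which is linked above), the following azurerm configuration declares the resources in that list with the network names used in this lab. The Terraform resource labels, the firewall, policy and public IP names, the rule collection names, and the two external DNS resolver addresses are assumptions chosen for illustration.

```hcl
# Added example, not the lab's own code. Assumed: resource labels, firewall/policy/IP
# names, and the two DNS resolver addresses (placeholders; substitute your own).
provider "azurerm" { features {} }

resource "azurerm_resource_group" "rg" {
  name     = "infra-test-rg01"
  location = "eastus"
}

resource "azurerm_virtual_network" "vnet" {
  name                = "Infrabeast_testvNet"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  address_space       = ["10.0.0.0/16"]
}

# The firewall subnet must be named exactly AzureFirewallSubnet and be at least a /26.
resource "azurerm_subnet" "fw" {
  name                 = "AzureFirewallSubnet"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.0.128/26"]
}

resource "azurerm_subnet" "data" {
  name                 = "dataSubnet01"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.0.0.0/25"]
}

# Azure Firewall requires a Standard-SKU static public IP.
resource "azurerm_public_ip" "fw" {
  name                = "fw-pip"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

# IP group for the data subnet; rules reference the group instead of raw CIDRs.
resource "azurerm_ip_group" "data" {
  name                = "ipg-dataSubnet01"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  cidrs               = azurerm_subnet.data.address_prefixes
}

resource "azurerm_firewall_policy" "policy" {
  name                = "fw-policy"
  resource_group_name = azurerm_resource_group.rg.name
  location            = azurerm_resource_group.rg.location
}

resource "azurerm_firewall_policy_rule_collection_group" "rcg" {
  name               = "DefaultRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.policy.id
  priority           = 500
  # Application rule: only www.google.com is reachable over HTTPS from the data subnet.
  application_rule_collection {
    name     = "App-Coll01"
    priority = 200
    action   = "Allow"
    rule {
      name              = "Allow-Google"
      source_ip_groups  = [azurerm_ip_group.data.id]
      destination_fqdns = ["www.google.com"]
      protocols {
        type = "Https"
        port = 443
      }
    }
  }
  # Network rule: DNS to external resolvers, needed before any FQDN rule can match.
  network_rule_collection {
    name     = "Net-Coll01"
    priority = 200
    action   = "Allow"
    rule {
      name                  = "Allow-DNS"
      protocols             = ["UDP"]
      source_ip_groups      = [azurerm_ip_group.data.id]
      destination_addresses = ["209.244.0.3", "209.244.0.4"] # assumed resolvers
      destination_ports     = ["53"]
    }
  }
}

resource "azurerm_firewall" "fw" {
  name                = "Infrabeast-fw"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  sku_name            = "AZFW_VNet"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.policy.id
  ip_configuration {
    name                 = "fw-ipconfig"
    subnet_id            = azurerm_subnet.fw.id
    public_ip_address_id = azurerm_public_ip.fw.id
  }
}
```

Run terraform init and terraform apply against a subscription you are signed in to with the Azure CLI. The network rule is listed after the application rule only for readability; Azure Firewall evaluates network rules before application rules regardless of order, and the DNS allow is what lets the FQDN in the application rule resolve.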
Step 2: Create a default route to forward all traffic from the data subnet to the firewall's private IP

Without this user-defined route, traffic from dataSubnet01 follows Azure's system routes and never passes through the firewall.

  1. From the Azure portal, search for Route tables.
  2. Select Create, then enter or select the following values:
    1. Subscription: select your Azure subscription.
    2. Resource group: select the resource group created in Step 1 (infra-test-rg01).
    3. Region: select the same region you used previously.
    4. Name: DefaultRoute
  3. Select Review + create.
  4. Select Create.
  5. Wait for the deployment to complete, then:
    1. Select Go to resource.
    2. On the DefaultRoute page, select Subnets and then select Associate.
    3. Select Virtual network > Infrabeast_testvNet, then Subnet > dataSubnet01.
    4. Select OK.
    5. Select Routes and then select Add.
      1. For Route name, enter fw-dg.
      2. For Address prefix, enter 0.0.0.0/0.
      3. For Next hop type, select Virtual appliance.
      4. For Next hop address, enter the private IP address of the firewall (shown as Private IP on the firewall's Overview page).
      5. Select OK.

From this point every packet leaving dataSubnet01 for a destination outside the virtual network is handed to the firewall, and anything not matched by an allow rule in the policy is dropped.
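The same route table and subnet association, as an added Terraform example rather than the portal steps (this is not code from the original post). It assumes the resource group, data subnet and firewall are declared elsewhere in the configuration with the Terraform labels azurerm_resource_group.rg, azurerm_subnet.data and azurerm_firewall.fw; those labels are assumptions.

```hcl
# Added example, not the lab's own code. Assumes azurerm_resource_group.rg,
# azurerm_subnet.data and azurerm_firewall.fw exist in the same configuration.
resource "azurerm_route_table" "default" {
  name                = "DefaultRoute"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name

  # 0.0.0.0/0 via the firewall's private IP. The VNet's own /16 system route is more
  # specific, so intra-VNet traffic still flows directly; everything else hits the firewall.
  route {
    name                   = "fw-dg"
    address_prefix         = "0.0.0.0/0"
    next_hop_type          = "VirtualAppliance"
    next_hop_in_ip_address = azurerm_firewall.fw.ip_configuration[0].private_ip_address
  }
}

# A route table does nothing until it is associated with a subnet.
resource "azurerm_subnet_route_table_association" "data" {
  subnet_id      = azurerm_subnet.data.id
  route_table_id = azurerm_route_table.default.id
}
```

Reading the next hop from the firewall resource, instead of typing the address, keeps the route correct if the firewall is ever redeployed and receives a different private IP.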

Step 3: Deploy a virtual machine in the data subnet

Once the infrastructure has been configured, create a VM in the data subnet to test the firewall policies. A Windows Server VM is created with the configuration below. It deliberately has no public IP: the only way to reach it from outside is through the firewall's DNAT rule configured in Step 4.

Resource group        infra-test-rg01
Virtual machine name  Data-SRV-01
Region                eastus
Username              *******
Password              *******
Network               Infrabeast_testvNet
Subnet                dataSubnet01
Public IP             None

Step 4: Configure a NAT rule to allow Remote Desktop to the test server

This DNAT rule lets you open a Remote Desktop session to the virtual machine through the firewall: the firewall accepts TCP 3389 on its public IP and translates it to the VM's private address.

  1. Open the firewall policy created in Step 1 and select DNAT rules.
  2. Select Add a rule collection.
  3. For Name, enter RDP Redirect.
  4. For Priority, enter 200.
  5. For Rule collection group, select DefaultDnatRuleCollectionGroup.
  6. Under Rules, for Name, enter DataVM.
  7. For Source type, select IP address.
  8. For Source, enter *.
  9. For Protocol, select TCP.
  10. For Destination Ports, enter 3389.
  11. For Destination Type, select IP Address.
  12. For Destination, enter the firewall public IP address.
  13. For Translated address, enter the private IP address of Data-SRV-01.
  14. For Translated port, enter 3389.
  15. Select Add.

A source of * publishes RDP on the firewall's public IP to the whole internet. For anything beyond a short-lived lab, restrict Source to the public IP or CIDR you administer from.
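The same DNAT rule as an added Terraform example (not code from the original post), with the source scoped to an admin address instead of *. It assumes the firewall policy and its public IP are declared as azurerm_firewall_policy.policy and azurerm_public_ip.fw, and takes the VM's private IP and the permitted admin source as variables; the labels, the variable names and the placeholder address are assumptions.

```hcl
# Added example, not the lab's own code. Assumes azurerm_firewall_policy.policy and
# azurerm_public_ip.fw exist in the same configuration.
variable "data_vm_private_ip" {
  type        = string
  description = "Private IP of Data-SRV-01 in dataSubnet01 (from the VM's Networking blade)"
}

variable "admin_source_cidr" {
  type        = string
  description = "Only this source may reach RDP through the firewall"
  default     = "203.0.113.10/32" # placeholder (TEST-NET-3); replace with your own egress IP
}

resource "azurerm_firewall_policy_rule_collection_group" "dnat" {
  name               = "DefaultDnatRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.policy.id
  priority           = 100 # the portal's default DNAT group uses this fixed priority

  nat_rule_collection {
    name     = "RDP-Redirect"
    priority = 200
    action   = "Dnat"

    rule {
      name      = "DataVM"
      protocols = ["TCP"]
      # The portal walkthrough uses "*" here, which exposes RDP on the firewall's
      # public IP to the whole internet; scope it to the admin source instead.
      source_addresses    = [var.admin_source_cidr]
      destination_address = azurerm_public_ip.fw.ip_address
      destination_ports   = ["3389"]
      translated_address  = var.data_vm_private_ip
      translated_port     = 3389
    }
  }
}
```

If the policy already contains a DefaultDnatRuleCollectionGroup (for example because a rule was added through the portal first), import it into Terraform or use a different group name rather than creating a duplicate.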



Step 5: Test the firewall policy

Now we can test the firewall to confirm it behaves as expected.

  1. Open a Remote Desktop connection to the firewall's public IP address; the DNAT rule should land you on Data-SRV-01 in dataSubnet01.
  2. Open Internet Explorer and browse to https://www.google.com. The Google page should be displayed, because the network rule allows the DNS lookup and the application rule allows the FQDN.
  3. Browse to https://www.youtube.com. The firewall blocks this request, since no application rule allows that FQDN.