
Deploy Azure Firewall


In this post we will look at how to create and deploy Azure Firewall, create two Azure virtual machines, and route one of them through the firewall. The two servers are a jump host and a workload server. All resources for the firewall and the VMs are created in a single Resource Group.

To get started

Log on to the Azure Portal https://portal.azure.com >> Resource Groups and click on + Add to create a new Resource Group for the Firewall.

On the Basics tab, select the Subscription and provide a Resource Group name. Finally, select the region for your Firewall Resource Group.

Click on Review + create at the bottom of the page to create the new Resource Group.


After validation, you can click on Create at the bottom of the page.


Your new Resource Group will be listed under Resource Groups.

The next step is to create a VNet before we can deploy the Firewall.

Click on the newly created Resource Group and then click on + Add.


From the Marketplace click on Networking on the left-hand side and then select Virtual network.

Click on Create to deploy the new Virtual Network.

Provide the needed details for the Virtual Network.

  • For the Address space type: 10.0.0.0/16
  • Set the Location to that of your Resource Group
  • Subnet name must be: AzureFirewallSubnet (this exact name is required by Azure Firewall, and the subnet must be at least a /26)
  • Address range type: 10.0.0.0/24
  • The rest of the settings can be kept as default.

Note that every subnet you add later has to fall inside the VNet address space. The jump host and workload subnets used further down (10.1.1.0/24 and 10.1.2.0/24) are outside 10.0.0.0/16, so either add 10.1.0.0/16 as a second address space on the VNet's Address space page, or use 10.0.1.0/24 and 10.0.2.0/24 for those subnets instead and adjust the firewall rules accordingly.

Click on Create at the bottom to deploy the new VNet


From your newly created Resource Group you will notice that the new VNet is listed.

Next, let's create two additional subnets: one for the Jump Host server and one for the Workload server.

Click on the newly created VNET and click on Subnets

Click on + Subnet

Provide the new subnet Name and Range for the Jump Host Subnet, e.g. 10.1.1.0/24.

Click on OK at the bottom to create the new Subnet.

Follow the same process to create a Subnet for the Workload Servers (10.1.2.0/24, which is the range referenced in the firewall rules later in this post).

All new subnets will be listed under subnets.
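The same network build, as an added example in Az PowerShell instead of the portal (this is not code from the original post). It assumes you have already run Connect-AzAccount; the VNet name LAZYPRODFW-VNET, the subnet names and the region are assumptions. It adds 10.1.0.0/16 as a second address space so the 10.1.x.0/24 subnets used later in the post actually fit inside the VNet.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run.
$rgName   = 'RSG-MSFT-SA-N-FW'
$location = 'westeurope'          # assumption: use the region you picked for the RG

New-AzResourceGroup -Name $rgName -Location $location

# The firewall subnet MUST be named AzureFirewallSubnet and be at least a /26.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.0.0/24'
$jumpSubnet = New-AzVirtualNetworkSubnetConfig -Name 'JumpHostSubnet'      -AddressPrefix '10.1.1.0/24'
$workSubnet = New-AzVirtualNetworkSubnetConfig -Name 'WorkloadSubnet'      -AddressPrefix '10.1.2.0/24'

# Two address spaces: 10.0.0.0/16 for the firewall, 10.1.0.0/16 for the jump/workload subnets.
$vnet = New-AzVirtualNetwork -Name 'LAZYPRODFW-VNET' -ResourceGroupName $rgName -Location $location `
    -AddressPrefix '10.0.0.0/16', '10.1.0.0/16' `
    -Subnet $fwSubnet, $jumpSubnet, $workSubnet

# Sanity check: all three subnets exist with the expected prefixes.
$vnet.Subnets | Select-Object Name, AddressPrefix
```

If you prefer to stay inside a single 10.0.0.0/16 address space, change the two subnet prefixes to 10.0.1.0/24 and 10.0.2.0/24 and drop the second -AddressPrefix value; remember to use the new workload range in the firewall rules later.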

The next step is to deploy a new Jump Host server in the Firewall VNet, placed in the Jump Host Subnet.

To create the new VM, click on + Create a resource

Select Compute >> Virtual Machine

In the Basics section select the same Subscription as the Firewall VNet and the Firewall Resource Group created above. Provide a name for the VM and select the Image and Size.


Click Next to continue, keep the Disks tab as default and click Next to go to Networking.

On the Networking page, select the Jump Host Subnet and keep the Public IP as default.

Under Public inbound ports select Allow selected ports and select RDP (3389). Be aware that this exposes RDP on the jump host's public IP to the whole internet; before leaving it like that, edit the inbound rule on the VM's network security group so that the source is restricted to your own public IP address (or use Azure Bastion or just-in-time VM access instead of an open RDP port).

Click on Next: Management.

Set Boot diagnostics to Off and then click on Review + create.

Next step would be to create an additional VM with the same configuration and select the Subnet as Workload Subnet.


Select the Workload Subnet, remove the Public IP and set the Public inbound ports to None for this VM. The workload server is reachable only by its private IP, via the jump host.

The new resources will be listed under the Resource Group created in step one.

Now that we have a Workload Subnet and a Jump Host Subnet, each with a VM running in it, let's go ahead and create the new Firewall.
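The two VMs built the same way from Az PowerShell, as an added example that is not part of the original post. It assumes the VNet and subnet names from the earlier steps, and the VM names LAZYJUMP01 and LAZYWORKHORSE01 used later in the post; the admin source IP (a TEST-NET-3 placeholder), the image and the VM size are assumptions. The jump host gets a public IP but its NSG only admits RDP from the admin address; the workload VM gets no public IP and no inbound rule at all.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run and
# the VNet/subnets from the previous step exist.
$rgName   = 'RSG-MSFT-SA-N-FW'
$location = 'westeurope'
$adminIp  = '203.0.113.10/32'   # assumption: replace with your own public IP
$cred     = Get-Credential -Message 'Local administrator for both VMs'
$vnet     = Get-AzVirtualNetwork -Name 'LAZYPRODFW-VNET' -ResourceGroupName $rgName

# Jump host NSG: RDP only from the admin address; everything else inbound stays denied.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $adminIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389
$jumpNsg = New-AzNetworkSecurityGroup -Name 'LAZYJUMP01-NSG' -ResourceGroupName $rgName `
    -Location $location -SecurityRules $rdpRule

# Jump host NIC: public IP + NSG, in the jump host subnet.
$jumpPip = New-AzPublicIpAddress -Name 'LAZYJUMP01-PIP' -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Static -Sku Standard
$jumpNic = New-AzNetworkInterface -Name 'LAZYJUMP01-NIC' -ResourceGroupName $rgName -Location $location `
    -SubnetId ($vnet.Subnets | Where-Object Name -eq 'JumpHostSubnet').Id `
    -PublicIpAddressId $jumpPip.Id -NetworkSecurityGroupId $jumpNsg.Id

# Workload NIC: private address only, nothing exposed.
$workNic = New-AzNetworkInterface -Name 'LAZYWORKHORSE01-NIC' -ResourceGroupName $rgName -Location $location `
    -SubnetId ($vnet.Subnets | Where-Object Name -eq 'WorkloadSubnet').Id

foreach ($vm in @(@{ Name = 'LAZYJUMP01'; Nic = $jumpNic }, @{ Name = 'LAZYWORKHORSE01'; Nic = $workNic })) {
    $cfg = New-AzVMConfig -VMName $vm.Name -VMSize 'Standard_B2s' |
        Set-AzVMOperatingSystem -Windows -ComputerName $vm.Name -Credential $cred |
        Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
            -Skus '2019-Datacenter' -Version 'latest' |
        Add-AzVMNetworkInterface -Id $vm.Nic.Id |
        Set-AzVMBootDiagnostic -Disable        # matches "Boot diagnostics: Off" in the portal steps
    New-AzVM -ResourceGroupName $rgName -Location $location -VM $cfg
}
```

A Standard SKU public IP is closed by default, so the only path to the jump host is the single NSG rule above; tighten $adminIp further or swap it for Azure Bastion if you do not want a public RDP endpoint at all.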

Deploy Firewall

To deploy the Firewall, click on + Create a resource

In the Search box type Firewall and press Enter

On the firewall page, click Create

On the Basics section of the Firewall set the following.

  • Subscription: Your Subscription Name
  • Resource Group: the Firewall Resource Group created earlier, RSG-MSFT-SA-N-FW
  • Name for the Firewall: LAZYPRODFW
  • Region: the same region as the Resource Group

Choose to use an existing virtual network and select the Firewall VNet created above; the AzureFirewallSubnet is picked up automatically.

Click on Create new for the Public IP address (Azure Firewall requires a Standard SKU, static public IP).

Once the Public IP has been created, click on Review + create.

After validation, click on Create.


The next step is to create the default route.

For the Workload Subnet, we will configure the subnet to route all outbound traffic through the Firewall by associating a route table with it.

To route the Workload Subnet through the Firewall, click on All services.

Then click on Networking >> Route Table.

On the Route Tables page, click on + Add.

Create a name for the Route Table: LAZYPRODFW-ROUTE

Subscription: Your Subscription name

Resource Group: Select your Firewall Resource Group RSG-MSFT-SA-N-FW

Keep your region the same as the resource group region then click Create.


Next, select the subnet that will be associated with the route table.

Click on the newly created route table >> Subnets and then + Associate.

Select your Firewall VNet and then select the Workload Subnet. Associate the route table only with the subnets that should be forced through the firewall; do not associate it with AzureFirewallSubnet itself.

Click Ok to associate.

Next Select Routes

Then click on + Add

Add the Route Name: LAZYPROD-FW-DG

Address Prefix: 0.0.0.0/0

Next hop type: Virtual Appliance

Next hop address: the private IP of the Firewall (shown on the firewall's Overview page)

Azure Firewall is a managed service rather than an NVA, but for routing purposes it is addressed as a virtual appliance using its private IP.

Click on Ok to create the route.
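The Deploy Firewall and default-route steps above, as one added Az PowerShell example that is not part of the original post. It assumes the VNet LAZYPRODFW-VNET with subnet WorkloadSubnet from the earlier examples and the NIC name LAZYWORKHORSE01-NIC; the public IP name is an assumption. The firewall's private IP is read back from the deployment and used directly as the next hop, and the effective routes on the workload NIC are listed at the end so you can confirm the 0.0.0.0/0 route is in place.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run.
$rgName   = 'RSG-MSFT-SA-N-FW'
$location = 'westeurope'
$vnet     = Get-AzVirtualNetwork -Name 'LAZYPRODFW-VNET' -ResourceGroupName $rgName

# Azure Firewall needs a Standard SKU, static public IP.
$fwPip = New-AzPublicIpAddress -Name 'LAZYPRODFW-PIP' -ResourceGroupName $rgName `
    -Location $location -AllocationMethod Static -Sku Standard

# Deploy into AzureFirewallSubnet (found by name inside $vnet).
$fw = New-AzFirewall -Name 'LAZYPRODFW' -ResourceGroupName $rgName -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip

# The firewall's private IP is the next hop for the workload subnet's default route.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
"Firewall private IP: $fwPrivateIp"

$defaultRoute = New-AzRouteConfig -Name 'LAZYPROD-FW-DG' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp

# DisableBgpRoutePropagation keeps learned routes (e.g. from a VPN/ExpressRoute gateway)
# from bypassing the firewall on this subnet.
$rt = New-AzRouteTable -Name 'LAZYPRODFW-ROUTE' -ResourceGroupName $rgName -Location $location `
    -Route $defaultRoute -DisableBgpRoutePropagation

# Associate with the workload subnet only, never with AzureFirewallSubnet.
$workSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'WorkloadSubnet' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'WorkloadSubnet' `
    -AddressPrefix $workSubnet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# Verify on the workload NIC (VM must be running): expect 0.0.0.0/0 -> VirtualAppliance $fwPrivateIp
Get-AzEffectiveRouteTable -NetworkInterfaceName 'LAZYWORKHORSE01-NIC' -ResourceGroupName $rgName |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table AddressPrefix, NextHopType, NextHopIpAddress
```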

Create Application Rule

In the next step we will create an application rule on the Azure Firewall that allows outbound HTTP and HTTPS traffic from the Workload Subnet to www.thatlazyadmin.com only. (You can add www.google.com as a second target FQDN in the same rule if you want to allow it as well; anything not listed is denied, which is what the test at the end relies on.)

From the newly created Resource Group, click on the newly created firewall.

In the firewall section, click on Rules.

In the Rules section click on Application rule collection, then Add application rule collection.

Provide a Name for the new rule collection: AppRule-01

Priority: 200

Action: Allow

Under Target FQDNs add the following rule:

Name: ALLOWTHATLAZYADMIN

Protocol: http, https

Source: the IP range of the Workload Subnet, 10.1.2.0/24

Target FQDN: www.thatlazyadmin.com

For HTTP the firewall matches the Host header; for HTTPS it matches the SNI in the TLS handshake without decrypting the session.

Click on Add to add the rule.

Your new rule will be visible the in the Firewall portal.

In the last section we will create a Network Rule on the firewall to allow outbound access to two DNS server IP addresses on UDP port 53. This is needed because the Workload Subnet's default route now goes through the firewall, so DNS queries to an external resolver are dropped unless a rule allows them, and the application rule above cannot match an FQDN the server is unable to resolve.

Create Network Rule

To create a new Network Rule, Click on Rules on the Firewall.

On the Network rule collection tab, click on +Add network rule collection

Provide a Name: Net-Coll01

Priority: 200

Action: Allow

To complete the rule, provide the rule Name, the protocol and port, and the destination IPs. For this post we will use the following destination DNS server IPs:

  • 209.244.0.3
  • 209.244.0.4

Name: ALLOWDNS

Protocol: UDP

Source: the IP range of the Workload Subnet, 10.1.2.0/24

Destination Addresses: 209.244.0.3, 209.244.0.4

Destination Port: 53

Then click on Add to create the new rule.
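Both rule collections (the application rule for www.thatlazyadmin.com and the DNS network rule) added to the firewall from Az PowerShell, as one added example that is not part of the original post. It assumes the firewall LAZYPRODFW from the earlier steps and the workload range 10.1.2.0/24 used in the post.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run.
$rgName        = 'RSG-MSFT-SA-N-FW'
$workloadRange = '10.1.2.0/24'
$dnsServers    = '209.244.0.3', '209.244.0.4'

$fw = Get-AzFirewall -Name 'LAZYPRODFW' -ResourceGroupName $rgName

# Application rule: HTTP/HTTPS from the workload subnet to a single FQDN.
# Matching is on the Host header (HTTP) or TLS SNI (HTTPS); no decryption takes place.
$appRule = New-AzFirewallApplicationRule -Name 'ALLOWTHATLAZYADMIN' `
    -SourceAddress $workloadRange `
    -Protocol 'http:80', 'https:443' `
    -TargetFqdn 'www.thatlazyadmin.com'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'AppRule-01' -Priority 200 `
    -ActionType Allow -Rule $appRule

# Network rule: UDP/53 from the workload subnet to the two resolvers the VM will be configured with.
# Network rules are evaluated before application rules, so DNS is allowed regardless of FQDN rules.
$dnsRule = New-AzFirewallNetworkRule -Name 'ALLOWDNS' -Protocol UDP `
    -SourceAddress $workloadRange `
    -DestinationAddress $dnsServers `
    -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'Net-Coll01' -Priority 200 `
    -ActionType Allow -Rule $dnsRule

# Attach both collections and push the updated configuration to the firewall.
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Read back what is now configured.
(Get-AzFirewall -Name 'LAZYPRODFW' -ResourceGroupName $rgName).ApplicationRuleCollections |
    ForEach-Object { $_.Rules } | Select-Object Name, SourceAddresses, TargetFqdns
```

Because there is no application rule for any other FQDN, a request to www.microsoft.com from the workload server is denied by the implicit deny at the end of the rule set, which is exactly what the test at the end of the post shows.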

On the Workload server created in the steps above, change the Primary and Secondary DNS servers of the VM's network interface to point to:

  • 209.244.0.3
  • 209.244.0.4

How to Change the Primary and Secondary DNS address on VM network interface

From the Azure portal, open the Resource Group housing the Workload VM: RSG-MSFT-SA-N-FW

From the Resource Group select the network interface of the workload server: LAZYWORKHORSE01

Under the Settings section of the network interface, click on DNS servers.

Click on Custom and add the DNS server IPs that you allowed in the network rule.

Once you click Save, restart the Workload server for the new DNS servers to take effect.
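The same NIC DNS change from Az PowerShell, as an added example that is not part of the original post. It assumes the NIC name LAZYWORKHORSE01-NIC and the VM name LAZYWORKHORSE01 from the earlier examples.

```powershell
# Added example (not from the original post). Assumes Connect-AzAccount has been run.
$rgName  = 'RSG-MSFT-SA-N-FW'
$nicName = 'LAZYWORKHORSE01-NIC'   # assumption: NIC name used in the earlier example
$vmName  = 'LAZYWORKHORSE01'

$nic = Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName

# Replace the Azure-provided DNS with the two resolvers allowed by the ALLOWDNS network rule.
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add('209.244.0.3')
$nic.DnsSettings.DnsServers.Add('209.244.0.4')
$nic | Set-AzNetworkInterface | Out-Null

# Confirm the change took, then restart the VM so the guest picks up the new servers.
(Get-AzNetworkInterface -Name $nicName -ResourceGroupName $rgName).DnsSettings.DnsServers
Restart-AzVM -Name $vmName -ResourceGroupName $rgName
```

Keep the two lists in sync: a resolver added here but not in the network rule will simply time out behind the firewall.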

Test the newly created Firewall and its rules:

  1. RDP to the Jump server created earlier: LAZYJUMP01
  2. From the Jump server, RDP to the Workload server via its private IP: 10.1.2.4

Open Internet Explorer on the Workload server and browse to www.thatlazyadmin.com.

As you can see, we can open the website www.thatlazyadmin.com.

Let's go ahead and try to open www.microsoft.com.

The website www.microsoft.com is blocked, and the browser shows the Azure Firewall deny message instead of the page, because no application rule allows that FQDN.
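A scripted version of the same test, as an added example that is not part of the original post; run it in a PowerShell window on the workload server (inside the RDP session from the jump host). It checks name resolution through the allowed resolver first, then fetches the allowed and the denied FQDN and reports what the firewall did with each. The resolver and the two FQDNs are taken from the post; the function name is an assumption.

```powershell
# Added example (not from the original post). Run on the workload VM.
$resolver = '209.244.0.3'
$allowed  = 'www.thatlazyadmin.com'
$denied   = 'www.microsoft.com'

# 1. DNS must work through the ALLOWDNS network rule before any FQDN rule can match.
Resolve-DnsName -Name $allowed -Server $resolver -Type A | Select-Object Name, IPAddress

# 2. Fetch a URL and classify the outcome. Azure Firewall answers a denied plain-HTTP request
#    with its own deny page (a non-success status), and resets a denied HTTPS handshake,
#    so both show up as an exception here.
function Test-FirewallFqdn {
    param([Parameter(Mandatory)][string]$Fqdn, [string]$Scheme = 'http')
    try {
        $r = Invoke-WebRequest -Uri "${Scheme}://$Fqdn/" -UseBasicParsing -TimeoutSec 15
        '{0} ({1}): ALLOWED, HTTP {2}' -f $Fqdn, $Scheme, $r.StatusCode
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        $detail = if ($status) { "HTTP $status" } else { $_.Exception.Message }
        '{0} ({1}): DENIED, {2}' -f $Fqdn, $Scheme, $detail
    }
}

Test-FirewallFqdn -Fqdn $allowed
Test-FirewallFqdn -Fqdn $allowed -Scheme https
Test-FirewallFqdn -Fqdn $denied
Test-FirewallFqdn -Fqdn $denied  -Scheme https
```

If the very first step (Resolve-DnsName) fails, the network rule or the NIC DNS setting is wrong; if resolution works but the allowed FQDN is denied, check that the source range in AppRule-01 matches the workload subnet.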

And that is how you can quickly create a new Azure Firewall and route your non-internet-facing servers through it, with outbound access limited to the FQDNs and DNS servers you explicitly allow.

Published in Azure, Azure Firewall
