Deploy Azure Firewall
In this post we will look at how to create and deploy Azure Firewall as well as creating two Azure virtual machines and connect one through the Azure Firewall. These servers will be categorized as a Jump host and workload server. All resources for the Azure firewall and VMs are created in a single Resource Group in this post.
To get started
Logon to Azure Portal https://portal.azure.com >> Resource Groups and click on + Add to create a new Resource Group for the Firewall.
On the Basics tab, select the Subscription and provide a Resource Group name. Then lastly select the region for your Firewall Resource Group.
Click on Review + create at the bottom of the page to create the new Resource Group.
After validation, you can click on Create at the bottom of the page.
Your new Resource Group will be listed under Resource Groups.
The next step would be to create a new V-Net before we can deploy the Firewall.
Click on the newly created Resource Group and then click on + Add
From the Marketplace click on Networking on the left-hand side
and then select Virtual network
Click on Create to deploy the new Virtual Network.
Provide the needed details for the Virtual Network.
- For the Address space type: 10.0.0.0/16
- Set the Location to that of your Resource Group
- Subnet name should be: AzureFirewallSubnet (this is a requirement for the Firewall)
- Address range type: 10.0.0.0/24
- The rest of the settings can be kept as default.
Click on Create at the bottom to deploy the new VNet
From your newly create Resource Group you will notice that the newly created VNET will be listed.
Next let’s create an additional Subnet where we will deploy a Jump Host servers and for the Workload servers to connect to the environment.
Click on the newly created VNET and click on Subnets
Click on + Subnet
Provide the new subnet Name and Range for the JUMP Host Subnet i.e 10.1.1.0/24
Click on Ok at the bottom to create the new Subnet.
Follow the same process to creates a Subnet for the Workload Servers.
All new subnets will be listed under subnets.
Next step will be to deploy a new Jump host sever in the Firewall VNET and select the Jump Host Subnet.
To create the new VM, click on + Create a resource
Select Compute >> Virtual Machine
From the Basics section select the same Subscription as the Firewall VNET and select the Firewall Resource group created on top. Provide a name for the VM and select the Image and Size.
Click Next to continue, keep Disk as default and click next to networking.
From the Networking page, Select the Jump Host Subnet and keep the Public Ip as default.
From the Public inbound ports select Allow selected ports and select RDP (3389)
Click on Next: Management
Click on Boot diagnostics Off and then click on Review + create
Next step would be to create an additional VM with the same configuration and select the Subnet as Workload Subnet.
Select Workload Subnet and remove the Public IP and set the Public inbound ports to None for this VM.
The new Resources will be listed under the new Resource group which was created in step one.
Now that we have a Production Subnet and Jump host Subnet with both having Vm’s running in them , let’s go ahead and create the new Firewall.
To deploy the Firewall, click on + Create a resource
In the Search box type Firewall and press Enter
On the firewall page, click Create
On the Basic config section of the Firewall set the following.
- Set the Subscription: Your Subscription Name
- Select the Firewall Resource Group created: RSG-MSFT-SA-N-FW
- Provide a Name for the Firewall: LAZYPRODFW
- Select your Region
Choose to use an existing virtual network
Click on Create new for Public IP address
Once Public IP creation is done, click on Review + create
Then after validation click on Create
Azure Firewall Deploy 😊
Now next step would be to create the default route.
For the Workload Subnet lets go ahead and configure the Subnet to route through the Firewall.
To route the Workload Subnet through the Firewall, Click on All services
Then click on Networking >> Route Table
On the Route Tables page, click on +Add
Create a name for the Route: LAZYPRODFW-ROUTE
Subscription: Your Subscription name
Resource Group: Select your Firewall Resource Group RSG-MSFT-SA-N-FW
Keep your region the same as the resource group region then click Create.
Next you will have to select the Subnet that will be associated with the Firewall-Route.
Click on newly created Firewall route >> Subnets and then + Associate
Select your Firewall VNET and then select the Workload Subnet.
Click Ok to associate.
Next Select Routes
Then click on + Add
Add the Route Name: LAZYPROD-FW-DG
The Add the Address Prefix as: 0.0.0.0/0
Select the next hop type as: Virtual Appliance
On the Next hop address: Type the Private IP of the Firewall
Azure Firewall is actually a managed service, but virtual appliance works in this situation.
Click on Ok to create the route.
Create Application Rule
From the newly created Resource Group, click on the newly created firewall.
In the firewall section, click on Rules
In the Rules section click on Application Rule Collection Then Add application rule collection
Provide a Name for the new Rule: AppRule-01
Under the Target FQDNs add the following:
Protocol Type: http and https
Source: Add the IP range of the Workload Subnet 10.1.2.0/24
Target FQDN: www.thatlazyadmin.com
Click on Add to add the rule.
Your new rule will be visible the in the Firewall portal.
The last section, we will look at creating a Network Rule on the firewall to allow outbound access to two IP addresses on port 53 (DNS)
Create Network Rule
To create a new Network Rule, Click on Rules on the Firewall.
On the Network rule collection tab, click on +Add network rule collection
Provide a Name: Net-Coll01
Priority type: 200
Action select: Allow
To complete the rule, we will have to provide the Name for the rule and the ports as well as the destination IPs. For this post we will use destination DNS server IPs:
Source: Add the IP range of the Workload Subnet 10.1.2.0/24
Destination Port: 53
Then click on Add to create the new rule.
On the Workload server created in the above steps, lets change the Primary and Secondary DNS of the server to point to:
How to Change the Primary and Secondary DNS address on VM network interface
From the Azure portal, Open the Resource Group housing the Workload VM: RSG-MSFT-SA-N-FW
From the Resource Group select the network interface of the workload server: LAZYWORKHORSE01
Under the settings section of the network interface, click on DNS Servers
Click on custom and add the DNS server Ips which you added in the network firewall rule.
Once you click save, you will have to restart the Workload server for the new Ips to take effect.
Test the newly created Firewall and its rules:
- RDP to the Jump server created: LAZYJUMP01
- From the Jump server connect to the Workload server via private Ip: 10.1.2.4
Open Internet explorer on the Workload server then open www.thatlazyadmin.com
As you can see we can open the website: www.thatlazyadmin.com
Let’s go ahead and try and open www.microsoft.com
The website www.mirosoft.com is blocked and you receive the following message.
And that is how you can quickly create a new Azure firewall and connect your non internet facing servers to the Azure Firewall.