Before we understand the implementation of the Azure firewall service, we need to have some idea about traditional Firewalls that are used in corporate data center setup. Enterprise organizations use Firewalls to protect their private resources from malicious attacks from the internet with the help of a set of defined firewall rules.
This article will walk you through the steps to configure the Azure Firewall service and set up different firewall rules.
1. Introduction to Azure Firewall
Azure Firewall is a managed service of Azure that has built-in high availability and is stateful, so it understands what packet of traffic/data to allow and what to not. It also has built-in threat intelligence, allowing us to deny traffic from/to malicious IP addresses and domains. We can also deploy an Azure firewall across two or more AZ to ensure high availability. We can also filter traffic based on fully-qualified domain names.
2. Setup of Azure Firewall Service
First, we will set up a Windows VM of any size of our choice without a public IP.
Then we need to create a subnet in the same Vnet with the name “AzureFirewallSubnet“. This is the subnet that will host the Azure firewall service
Now we need to search for Firewall in the Azure Portal. We need to fill in the necessary details as mentioned in the below image
We need to mention the location same as that of the virtual network where we created our “AzureFirewallSubnet.”
In tier, we select the Standard tier.
We create several rules as part of the Firewall; the Firewall policy is used to manage these rules.
So we create a firewall policy as shown below in the image in the same region
Now we select the option existing Virtual-network and select the Vnet displayed in the dropdown
If we don’t have an AzureFirewallSubnet already in place in the virtual network it will show an error in this step.
Create a new public ip address, and finally create
After creation, the Firewall will get its own private Ip address to communicate with resources inside the Virtual network and a public Ip address to communicate to the internet.
3. NAT rules Configuration
This section will look at the setup to add a Firewall rule, allowing us to log into our VM without public Ip through the azure firewall resource.
So, for this, we must navigate to the firewall policy and select DNAT rules
These are Network address translation rules which will allow us to connect to VM.
Please enter the values as given in the below image.
We need to provide details such as source = Ip address, Source is our IP address from where we are connecting ( Laptop in my case ) , Protocol = TCP, destination port can be anything
In destination we need to provide public ip of our Firewall. In translated address Private Ip address of our VM and translated port as 3389 (RDP). After done click on ADD.
Now as we can see below we can RDP to VM by using firewalls public IP and port
4. Restricting Traffic from Firewall
Usually, any traffic from a VM is allowed to the internet. To restrict traffic to outside internet we need to have next-hop as Firewall which we will set up below.
For this, to work we will need to route any traffic originating from a VM to Firewall using a Route Table.
We create a Route table in the same region as our virtual network
Now in the route table settings, select subnets and associate the subnet and Vnet on which we have our demo VM located
Next, we go on routes, and we add details as given in the below image – which says any traffic destined for the internet needs to route to the Azure Firewall on its private IP address
Now once we have the route in place and when we try to access URLs from the VM the URLS will be blocked. So here basically all the URLs are being blocked and if we want to have any specific URLs whitelisted then we can have Application Rules set up
So, we have seen the setup of the Firewall and its different rules and functionalities of it. Still, one of the important points to note when we deploy the Azure Firewall in a virtual network is that we need to deploy the Firewall in the same region as that of the virtual network. It needs to be in the same resource group as the virtual network.
6. Real-time Use Cases of Azure Firewall
One scenario where users use Azure Firewall is when they want to gain access to web applications hosted on Azure from the internet or outside the world.
Many SaaS-based software providers have their solutions hosted on the cloud using Azure Firewall to restrict and monitor traffic between partners and the SaaS platform.
7. About CloudThat
CloudThatis the authorized AWS Well-Architected Partner, helping other businesses build secure, high-performing, resilient, and efficient infrastructures for their application and workloads.
CloudThat is also the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.
Drop a query if you have any questions regarding Microsoft Azure Firewall, Microsoft Azure Services, or consulting opportunities, and I will get back to you quickly. To get started, go through ourExpert Advisorypage and Managed Services Package that isCloudThat’s offerings.
Does Azure Firewall support monitoring and logging?
Yes, Azure Firewall integrates with Azure Monitor to View and analyze firewall logs. We can also send the logs to log analytics and use various tools such as Power BI and Excel to analyze
How is Azure Firewall different from existing services such as NVAs in Azure Marketplace or traditional firewalls?
Azure Firewall is a managed service with built-in high availability and scalability. It is also pre-integrated with certain third-party security providers to provide additional security to our virtual networks.