Azure Firewall Configuration
This document guides you through the essential configuration steps for Azure Firewall, a cloud-native network security service that protects your Azure Virtual Network resources. Properly configuring Azure Firewall is crucial for enforcing network policies, controlling inbound and outbound traffic, and detecting malicious activity.
Prerequisites
Before you begin, ensure you have the following:
- An Azure subscription.
- A virtual network (VNet) deployed in Azure.
- A dedicated subnet for Azure Firewall, named AzureFirewallSubnet. This subnet must use exactly that name and cannot have any other resources deployed in it.
- Appropriate permissions to create and manage network resources in Azure.
Creating an Azure Firewall Instance
You can create an Azure Firewall instance using the Azure portal, Azure CLI, or Azure PowerShell.
Using the Azure Portal
- Navigate to the Azure portal.
- Search for Firewall and select it.
- Click Create.
- On the Basics tab:
  - Select your subscription and resource group.
  - Enter a name for your firewall (e.g., myAzureFirewall).
  - Choose a region that is the same as your virtual network.
  - Select the Availability zone (if applicable).
  - For Edition, choose Standard or Premium.
- On the IP Configurations tab:
  - Click Add IP configuration.
  - Enter a name for the IP configuration (e.g., FirewallIPConfig).
  - Select the Virtual network where your AzureFirewallSubnet resides.
  - Select the AzureFirewallSubnet.
  - For Public IP address, select an existing one or click Create new to create a new static public IP address.
- On the Tags tab, you can add tags if needed.
- Click Review + create, then click Create.
Using Azure CLI
# The firewall commands live in the azure-firewall extension: az extension add --name azure-firewall
# FirewallPublicIp must already exist as a static, Standard-SKU public IP in the same region.
az network firewall create \
  --name myAzureFirewall \
  --resource-group myResourceGroup \
  --location eastus \
  --vnet-name myVNet \
  --conf-name FirewallIPConfig \
  --public-ip FirewallPublicIp \
  --sku AZFW_VNet \
  --tier Standard
Configuring Network Rules
Network rules allow you to permit or deny traffic based on IP addresses, ports, and protocols. These rules are evaluated before application rules.
Rule Collection Types
- Network Rule Collection: For L3/L4 traffic (IP addresses, ports, protocols).
- Application Rule Collection: For FQDNs (Fully Qualified Domain Names) and HTTP/HTTPS traffic.
- NAT Rule Collection: For Network Address Translation, typically for inbound connections.
Creating a Network Rule Collection
- Navigate to your Azure Firewall instance in the Azure portal.
- Under Settings, select Rules.
- Click on the Network rule collections tab.
- Click Add network rule collection.
- Provide a Name for the collection (e.g., AllowInternalWeb).
- Set the Priority (lower numbers are processed first).
- Select the Rule collection type: Network.
- Under Rules, click Add rule:
  - Name: e.g., AllowHTTP_80
  - Source type: e.g., IP Address
  - Source: e.g., 10.0.1.0/24
  - Protocol: e.g., TCP
  - Destination type: e.g., IP Address
  - Destination: e.g., 10.0.2.5
  - Destination port: e.g., 80
  - Action: Allow
- Click Add to save the rule and then Add again to save the collection.
Configuring Application Rules
Application rules enable granular control over HTTP and HTTPS traffic based on Fully Qualified Domain Names (FQDNs) or FQDN tags.
- In your Azure Firewall instance, go to Rules > Application rule collections.
- Click Add application rule collection.
- Provide a Name (e.g., AllowMicrosoftUpdate).
- Set the Priority.
- Set the Rule collection type: Application.
- Under Rules, click Add rule:
  - Name: e.g., AllowWindowsUpdate
  - Source type: IP Address
  - Source: e.g., 10.0.1.0/24
  - Protocol: e.g., http,https
  - Destination type: e.g., FQDN
  - Target FQDNs: e.g., *.windowsupdate.microsoft.com
  - Web categories: (Optional)
  - Action: Allow
- Click Add to save the rule and then Add again to save the collection.
Configuring NAT Rules
NAT rules are used to translate private IP addresses and ports to public ones, allowing external access to internal resources.
- In your Azure Firewall instance, go to Rules > NAT rule collections.
- Click Add NAT rule collection.
- Provide a Name (e.g., AllowRDPInbound).
- Set the Priority.
- Set the Rule collection type: NAT.
- Under Rules, click Add rule:
  - Name: e.g., RDP_Public_IP
  - Protocol: TCP
  - Source type: IP Address
  - Source: * (or specific source IPs if known)
  - Destination type: IP Address
  - Destination: Your firewall's public IP address.
  - Destination port: The public port for RDP (e.g., 3389).
  - Translated address: The private IP address of the internal server (e.g., 10.0.2.10).
  - Translated port: The private port for RDP (e.g., 3389).
  - Action: Dnat
- Click Add to save the rule and then Add again to save the collection.
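As an added example that is not part of the original guide, the following script creates the three rule collections from the network, application and NAT sections above with Azure CLI instead of the portal. It assumes the azure-firewall extension is installed, that the firewall uses classic rules rather than a Firewall Policy, and reuses the guide's sample names and addresses; the admin source range for the RDP rule is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the guide: creates the three classic rule collections above
# with Azure CLI (azure-firewall extension); assumes classic rules, not a Firewall Policy.
# Set AZ=echo for a dry run that prints the commands instead of calling Azure.
RG="myResourceGroup"
FW="myAzureFirewall"
PIP_NAME="FirewallPublicIp"
APP_SUBNET="10.0.1.0/24"
WEB_SERVER="10.0.2.5"
RDP_SERVER="10.0.2.10"
ADMIN_SOURCE="203.0.113.0/24"  # constructed sample; the guide shows "*", restrict it when the range is known
az_cmd() { "${AZ:-az}" "$@"; }

# Network rule collection AllowInternalWeb: TCP/80 from the app subnet to the web server.
create_network_rules() {
  az_cmd network firewall network-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name AllowInternalWeb --priority 200 --action Allow \
    --name AllowHTTP_80 --protocols TCP \
    --source-addresses "$APP_SUBNET" \
    --dest-addr "$WEB_SERVER" --destination-ports 80
}

# Application rule collection AllowMicrosoftUpdate: HTTP/HTTPS to the Windows Update FQDNs.
create_application_rules() {
  az_cmd network firewall application-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name AllowMicrosoftUpdate --priority 300 --action Allow \
    --name AllowWindowsUpdate --protocols Http=80 Https=443 \
    --source-addresses "$APP_SUBNET" \
    --target-fqdns "*.windowsupdate.microsoft.com"
}

# NAT rule collection AllowRDPInbound: DNAT the firewall public IP, port 3389, to the RDP server.
create_nat_rules() {
  public_ip="$(az_cmd network public-ip show --resource-group "$RG" \
    --name "$PIP_NAME" --query ipAddress --output tsv)"
  az_cmd network firewall nat-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name AllowRDPInbound --priority 100 --action Dnat \
    --name RDP_Public_IP --protocols TCP \
    --source-addresses "$ADMIN_SOURCE" \
    --dest-addr "$public_ip" --destination-ports 3389 \
    --translated-address "$RDP_SERVER" --translated-port 3389
}

configure_rules() { create_network_rules && create_application_rules && create_nat_rules; }
if [ "${1:-}" = "apply" ]; then configure_rules; fi
```

Run it as `AZ=echo sh rules.sh apply` first to review the exact commands, then without `AZ=echo` to apply them.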
Next Steps
Once your Azure Firewall is configured, consider setting up threat intelligence, monitoring firewall logs, and integrating with Azure Security Center for comprehensive security posture management.