Azure Firewall Deployment

Comprehensive guide for deploying and managing Azure Firewall

Introduction to Azure Firewall Deployment

Deploying Azure Firewall is a critical step in securing your Azure network. This guide walks you through the process, from planning to configuration, ensuring your network is protected against threats.

Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Prerequisites

Before you begin, ensure you have the following:

  • An Azure subscription.
  • Permissions to create network resources, such as Virtual Networks, subnets, and Azure Firewall.
  • A defined Virtual Network (VNet) where the firewall will be deployed.
  • A dedicated subnet named AzureFirewallSubnet with a /26 or larger address prefix.
  • (Optional) Other VNets that will route traffic through the Azure Firewall.

Deployment Methods

Azure Firewall can be deployed using various methods, each offering different levels of automation and flexibility.

Azure Portal Deployment

The Azure portal provides a user-friendly graphical interface for deploying Azure Firewall.

  1. Navigate to the Azure portal.
  2. Search for "Firewall" and select "Firewalls" from the results.
  3. Click "Create firewall".
  4. Fill in the required fields: Subscription, Resource Group, Name, Region, Firewall type (Standard/Premium), SKU, Management IP configuration, and VNet.
  5. Configure the AzureFirewallSubnet.
  6. Review and create the firewall.

[Figure: Azure Firewall deployment wizard in the Azure portal.]

Azure CLI Deployment

Use the Azure CLI for scripted and automated deployments.


az group create --name MyResourceGroup --location eastus
az network vnet create \
  --resource-group MyResourceGroup \
  --name MyVnet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name AzureFirewallSubnet \
  --subnet-prefix 10.0.1.0/26
az network firewall create \
  --resource-group MyResourceGroup \
  --name MyFirewall \
  --location eastus \
  --vnet-name MyVnet \
  --public-ip-name MyFirewallPublicIp \
  --threat-intel-mode Alert
                    

Azure PowerShell Deployment

Deploy Azure Firewall programmatically using Azure PowerShell.


$RG = New-AzResourceGroup -Name "MyResourceGroup" -Location "EastUS"
$VNet = Get-AzVirtualNetwork -Name "MyVnet" -ResourceGroupName "MyResourceGroup"
$Subnet = Get-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -VirtualNetwork $VNet
$fwip = New-AzPublicIpAddress -Name "MyFirewallPublicIp" -ResourceGroupName "MyResourceGroup" -Location "EastUS" -AllocationMethod Static -Sku Standard
$fwconfig = New-AzFirewallConfig -Name "MyFirewall" -Location "EastUS" -Sku TierStandard
$fw = New-AzFirewall -Name "MyFirewall" -ResourceGroupName "MyResourceGroup" -Location "EastUS" -VirtualNetworkName "MyVnet" -PublicIpName "MyFirewallPublicIp" -FirewallConfig $fwconfig
                    

ARM Templates

For complex and repeatable deployments, consider using Azure Resource Manager (ARM) templates.

An example ARM template snippet that attaches the firewall to an existing VNet (which must already contain AzureFirewallSubnet) and an existing public IP, both referenced by name through resourceId():


{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "firewallName": {
            "type": "string",
            "defaultValue": "myAzureFirewall"
        },
        "location": {
            "type": "string",
            "defaultValue": "[resourceGroup().location]"
        },
        "vnetName": {
            "type": "string",
            "defaultValue": "myVNet"
        },
        "publicIpName": {
            "type": "string",
            "defaultValue": "myFirewallPublicIp"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Network/firewalls",
            "apiVersion": "2021-05-01",
            "name": "[parameters('firewallName')]",
            "location": "[parameters('location')]",
            "properties": {
                "sku": {
                    "name": "AZFW_Standard",
                    "tier": "Standard"
                },
                "ipConfigurations": [
                    {
                        "name": "Default",
                        "properties": {
                            "subnet": {
                                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), 'AzureFirewallSubnet')]"
                            },
                            "publicIpAddress": {
                                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]"
                            }
                        }
                    }
                ]
            }
        }
    ]
}
                    

Network Planning for Azure Firewall

Effective network planning is crucial for a successful Azure Firewall deployment. Consider the following:

  • IP Addressing: Ensure adequate IP address space for the AzureFirewallSubnet and any associated VNets.
  • Routing: Define user-defined routes (UDRs) to direct traffic from other subnets to the Azure Firewall. This typically involves creating a route table and associating it with the relevant subnets.
  • Hub-Spoke Topology: Azure Firewall is commonly deployed in a hub VNet and used to protect spoke VNets. Plan your VNet peering and routing accordingly.

Important: The AzureFirewallSubnet must have a minimum prefix size of /26. Do not deploy any other resources in this subnet.
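The route-table step in the Routing bullet above, worked through in Azure CLI as an added example (this is not the page's own code). It reads the firewall's private IP from its IP configuration, creates a route table whose default route points at that IP as a virtual appliance, and associates the table with a spoke workload subnet. The resource names follow the CLI section; the spoke subnet Workload-SN, the route-table name Firewall-rt, the DRY_RUN switch and the placeholder address printed in dry runs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: send a spoke subnet's traffic through Azure Firewall with a user-defined route.
# Resource names follow the CLI section of this guide; Workload-SN is an assumed spoke subnet.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu
AZFW_RG="${AZFW_RG:-MyResourceGroup}"
AZFW_VNET="${AZFW_VNET:-MyVnet}"
AZFW_NAME="${AZFW_NAME:-MyFirewall}"
ROUTE_TABLE="${ROUTE_TABLE:-Firewall-rt}"

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The firewall's private IP (allocated from AzureFirewallSubnet) is the UDR next hop.
firewall_private_ip() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "10.0.1.4"   # constructed placeholder for dry runs; the real value comes from the lookup below
    return 0
  fi
  az network firewall ip-config list -g "$AZFW_RG" -f "$AZFW_NAME" \
    --query "[0].privateIpAddress" -o tsv
}

# Create the route table and send all traffic (0.0.0.0/0) to the firewall as a virtual appliance.
create_firewall_route_table() {
  next_hop="$1"
  run az network route-table create -g "$AZFW_RG" -n "$ROUTE_TABLE"
  run az network route-table route create -g "$AZFW_RG" --route-table-name "$ROUTE_TABLE" \
    -n Default-to-Firewall --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$next_hop"
}

# Associate the route table with a workload subnet so its egress is inspected.
# AzureFirewallSubnet itself must never carry this route: it would loop traffic back into the firewall.
attach_route_table() {
  subnet="$1"
  if [ "$subnet" = "AzureFirewallSubnet" ]; then
    echo "refusing to attach a default route to AzureFirewallSubnet" >&2
    return 1
  fi
  run az network vnet subnet update -g "$AZFW_RG" --vnet-name "$AZFW_VNET" -n "$subnet" \
    --route-table "$ROUTE_TABLE"
}

deploy_udr() {
  ip="$(firewall_private_ip)"
  create_firewall_route_table "$ip"
  attach_route_table "${1:-Workload-SN}"
}

# Usage: DRY_RUN=1 sh udr.sh apply Workload-SN   (prints the commands)
#        sh udr.sh apply Workload-SN             (executes them)
case "${1:-}" in
  apply) deploy_udr "${2:-Workload-SN}" ;;
esac
```

Run it once in dry-run mode and read the three printed commands before applying: the only value that should differ between environments is the next-hop address, and it must be the firewall's private IP, not its public one.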

Configuring Firewall Rules

Once deployed, Azure Firewall needs rules to govern network traffic. There are three types of rules:

  • Network Rules: Control traffic flow to and from network endpoints based on IP addresses, ports, and protocols.
  • Application Rules: Filter traffic based on FQDNs (Fully Qualified Domain Names) for HTTP/S.
  • Network Security Groups (NSGs): While Azure Firewall provides network security, you can still use NSGs on other subnets for additional layer-3/layer-4 filtering.

You can manage these rules through the Azure portal, CLI, PowerShell, or ARM templates.

Tip: Start with basic rules and gradually refine them based on your security requirements and observed traffic patterns. Use Azure Firewall's threat intelligence to block known malicious IP addresses.
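A first network and application rule set in Azure CLI, added here as an example (not the page's or Microsoft's code). The spoke range 10.0.2.0/24, the rule and collection names, the DNS server list and the sample FQDNs are constructed values; the DRY_RUN switch is likewise an assumption for the example. Azure Firewall evaluates network rule collections before application rule collections, in ascending priority order, and drops anything no rule allows, so the two collections below are enough for a workload that only needs DNS and a short list of web destinations. The script also refuses a target FQDN of `*`, which would silently turn an allow-list into allow-all.

```shell
#!/bin/sh
# Added example: a minimal classic rule set for Azure Firewall (not Firewall Policy).
# Resource names follow the CLI section; the spoke range, DNS servers and FQDNs are constructed.
# Set DRY_RUN=1 to print the az commands instead of executing them.
set -eu
AZFW_RG="${AZFW_RG:-MyResourceGroup}"
AZFW_NAME="${AZFW_NAME:-MyFirewall}"
SPOKE="${SPOKE:-10.0.2.0/24}"
DNS_SERVERS="${DNS_SERVERS:-168.63.129.16}"   # Azure-provided DNS; space-separate several servers

# Execute a command, or print it verbatim when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Network rule: the spoke may reach the listed DNS servers on UDP/53 and nothing else at layer 4.
# Lower priority numbers are evaluated first; network collections run before application collections.
allow_dns() {
  run az network firewall network-rule create -g "$AZFW_RG" --firewall-name "$AZFW_NAME" \
    --collection-name Net-Coll01 --priority 200 --action Allow \
    -n Allow-DNS --protocols UDP --source-addresses "$SPOKE" \
    --destination-addresses $DNS_SERVERS --destination-ports 53
}

# Application rule: HTTP/HTTPS only to an explicit FQDN allow-list (wildcard subdomains are fine,
# a bare "*" is not: it matches every destination and defeats the point of the list).
allow_web() {
  for f in "$@"; do
    if [ "$f" = "*" ]; then
      echo "refusing target FQDN '*': it allows every destination" >&2
      return 1
    fi
  done
  run az network firewall application-rule create -g "$AZFW_RG" --firewall-name "$AZFW_NAME" \
    --collection-name App-Coll01 --priority 200 --action Allow \
    -n Allow-Web --protocols Http=80 Https=443 \
    --source-addresses "$SPOKE" --target-fqdns "$@"
}

# Show what is now configured; anything not matched by these collections is denied by default.
list_rules() {
  run az network firewall network-rule collection list -g "$AZFW_RG" --firewall-name "$AZFW_NAME" -o table
  run az network firewall application-rule collection list -g "$AZFW_RG" --firewall-name "$AZFW_NAME" -o table
}

# Usage: DRY_RUN=1 sh rules.sh apply   (prints the commands)   sh rules.sh apply   (executes them)
case "${1:-}" in
  apply)
    allow_dns
    allow_web www.example.com '*.example.org'   # constructed sample allow-list
    list_rules
    ;;
esac
```

Because the firewall denies by default, start with exactly the destinations the workload is known to need and widen from the firewall logs (the Tip above), rather than opening broad ranges and narrowing later.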

Advanced Configurations

Explore advanced features to enhance your security posture:

  • Azure Firewall Premium: Offers advanced features like TLS inspection, web filtering, and Intrusion Detection and Prevention System (IDPS).
  • Private IP Address Firewall: Deploy Azure Firewall with a private IP address to protect traffic within your private network.
  • Auto-scaling: Azure Firewall automatically scales to handle fluctuating network traffic.
  • High Availability: Azure Firewall is a managed service with built-in high availability across availability zones.

Troubleshooting Deployment Issues

Common issues and how to resolve them:

  • Subnet Name Incorrect: Ensure the subnet is named exactly AzureFirewallSubnet.
  • IP Address Conflicts: Verify that IP address ranges do not overlap between VNets or subnets.
  • Routing Issues: Double-check your user-defined routes (UDRs) to ensure traffic is correctly routed through the firewall.
  • Firewall Not Reachable: Confirm the firewall's public IP address is correctly configured and accessible. Check associated NSGs if applicable.
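A pre-flight script, added here as an example (not the page's code), that checks the prerequisites and the first two troubleshooting items above before anything is deployed: the subnet is named exactly AzureFirewallSubnet, its prefix is /26 or larger, and no two address spaces in the plan overlap. The checks are plain POSIX sh arithmetic so they run without Azure access; the optional `live` mode pulls the subnet prefix with `az network vnet subnet show`. The address plan used by `demo` mode is constructed, and one spoke in it deliberately overlaps the hub.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the AzureFirewallSubnet name and size and for
# overlapping address space. Pure POSIX sh; only preflight_live needs the az CLI.
set -eu

# Dotted-quad IPv4 address to a 32-bit integer (subshell body keeps the IFS change local).
ip_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# First and last address of a CIDR block, printed as "start end".
cidr_range() {
  ip=${1%/*}; len=${1#*/}
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  start=$(( $(ip_to_int "$ip") & mask ))
  echo "$start $(( start | (~mask & 4294967295) ))"
}

# Succeeds (exit 0) when the two CIDR blocks share at least one address.
cidr_overlap() {
  set -- $(cidr_range "$1") $(cidr_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# The firewall subnet must be named exactly AzureFirewallSubnet and be /26 or larger
# (a smaller prefix length means a larger block, so /24 passes and /27 fails).
check_firewall_subnet() {   # args: subnet-name cidr
  [ "$1" = "AzureFirewallSubnet" ] || { echo "FAIL: subnet is named '$1', expected AzureFirewallSubnet" >&2; return 1; }
  len=${2#*/}
  [ "$len" -le 26 ] || { echo "FAIL: $2 is smaller than /26" >&2; return 1; }
  echo "OK: $1 $2"
}

# Every address space must be disjoint from every other; each pair is compared once.
check_no_overlap() {   # args: one name=cidr per argument
  rc=0
  while [ $# -gt 1 ]; do
    x=$1; shift
    for y in "$@"; do
      if cidr_overlap "${x#*=}" "${y#*=}"; then
        echo "FAIL: ${x%%=*} (${x#*=}) overlaps ${y%%=*} (${y#*=})" >&2
        rc=1
      fi
    done
  done
  return $rc
}

# Live variant: read the deployed prefix from Azure and validate it.
preflight_live() {   # args: resource-group vnet-name
  cidr="$(az network vnet subnet show -g "$1" --vnet-name "$2" -n AzureFirewallSubnet \
    --query addressPrefix -o tsv)"
  check_firewall_subnet AzureFirewallSubnet "$cidr"
}

# Usage: sh preflight.sh demo            (constructed sample plan)
#        sh preflight.sh live MyResourceGroup MyVnet
case "${1:-}" in
  live) preflight_live "${2:-MyResourceGroup}" "${3:-MyVnet}" ;;
  demo)
    # Constructed plan: hub with the firewall subnet, two spokes, spoke2 overlapping the hub on purpose.
    check_firewall_subnet AzureFirewallSubnet 10.0.1.0/26
    check_no_overlap hub=10.0.0.0/16 spoke1=10.1.0.0/16 spoke2=10.0.128.0/17 \
      || echo "fix the address plan before deploying"
    ;;
esac
```

The overlap check is the one most often skipped: VNet peering refuses overlapping address spaces, and a UDR pointing at a firewall in an overlapping range never takes the path you expect, so catching it before deployment saves a rebuild.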

Utilize Azure Monitor and Firewall logs for detailed insights into network traffic and potential problems.