Implement Azure Firewall in Virtual Networks

This tutorial guides you through the process of deploying and configuring Azure Firewall to secure your virtual network traffic. Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Prerequisites: Before you begin, ensure you have an Azure subscription. If you don't have one, create a free account.

What You'll Learn

Step 1: Create a Virtual Network and Firewall Subnet

1

First, you need a virtual network (VNet) to deploy the firewall into. It's best practice to place Azure Firewall in its own dedicated subnet, named AzureFirewallSubnet.

To create the VNet and subnet:

  1. Sign in to the Azure portal.
  2. Search for and select "Virtual networks".
  3. Click "+ Create".
  4. Configure the basic settings: Subscription, Resource group, Name, and Region.
  5. Under "IP addresses", define an address space for your VNet (e.g., 10.1.0.0/16).
  6. Click "Next: Security >" and then "Next: IP addresses >".
  7. Under "Subnets", click "+ Add subnet".
  8. For "Subnet name", enter AzureFirewallSubnet.
  9. For "Address range", specify a range for this subnet (e.g., 10.1.1.0/24). This subnet is mandatory for Azure Firewall.
  10. Click "Add".
  11. Complete the VNet creation.

Step 2: Deploy Azure Firewall

2

Now, deploy the Azure Firewall instance into the VNet you just created.

To deploy the firewall:

  1. In the Azure portal, search for and select "Azure Firewall".
  2. Click "+ Create".
  3. Select your Subscription and Resource group.
  4. For "Name", enter a name for your firewall (e.g., fw-centralus).
  5. For "Region", select the same region as your VNet.
  6. For "Firewall policy", you can choose to create a new policy or use an existing one. For this tutorial, let's create a new one. Click "Create new".
  7. Give your firewall policy a name (e.g., fw-policy-main) and click "OK".
  8. For "SKU", choose "Standard" or "Premium" (Standard is sufficient for this tutorial).
  9. For "Virtual network", select the VNet you created earlier. The AzureFirewallSubnet will be automatically selected.
  10. For "Public IP address", select "Create new" and provide a name for the public IP (e.g., fw-publicip).
  11. Click "Review + create", then "Create".

Deployment can take several minutes.

Step 3: Configure Network Rules

3

Network rules allow you to filter traffic to and from resources within your VNet based on IP address, port, and protocol.

To add a network rule collection:

  1. Navigate to your deployed Azure Firewall resource in the Azure portal.
  2. Under "Settings", click "Network rules".
  3. Click "+ Add network rule collection".
  4. Rule collection name: Enter a name (e.g., Allow-HTTPS).
  5. Priority: Enter a priority number (lower numbers are processed first, e.g., 200).
  6. Rule type: Select "Network".
  7. Rules: Click "+ Add a rule".
    • Name: Allow-Web-Servers
    • Source type: "IP Address"
    • Source: Specify the IP address range of your internal network (e.g., 10.1.0.0/16).
    • Protocol: "TCP"
    • Destination type: "IP Address"
    • Destination: Enter the IP address of the web server you want to allow access to (e.g., 10.1.2.4).
    • Destination port: 443
    • Click "Add".
  8. Click "Add" to save the rule collection.

Step 4: Configure Application Rules

4

Application rules allow you to filter traffic based on Fully Qualified Domain Names (FQDNs).

To add an application rule collection:

  1. Navigate to your Azure Firewall resource and click "Application rules".
  2. Click "+ Add application rule collection".
  3. Rule collection name: Enter a name (e.g., Allow-External-Sites).
  4. Priority: Enter a priority number (e.g., 300).
  5. Rule type: Select "Application".
  6. Rules: Click "+ Add a rule".
    • Name: Allow-Azure-Docs
    • Source type: "IP Address"
    • Source: Specify your internal network range (e.g., 10.1.0.0/16).
    • Protocol: http,https
    • Target FQDNs: Enter www.azure.com
    • Click "Add".
  7. Click "Add" to save the rule collection.

Step 5: Configure Default Route Table

5

To route traffic from your subnets through the firewall, you need to update the route table associated with your VNet's subnets (excluding the AzureFirewallSubnet itself).

To create and associate a route table:

  1. In the Azure portal, search for and select "Route tables".
  2. Click "+ Create".
  3. Configure Subscription, Resource group, and Region.
  4. For "Name", enter a name (e.g., rt-firewall-traffic).
  5. Leave "Propagate gateway routes" as "Yes".
  6. Click "Review + create", then "Create".
  7. Once created, navigate to the route table.
  8. Under "Settings", click "Routes" and then "+ Add".
  9. Route name: DefaultRoute
  10. Address prefix: 0.0.0.0/0
  11. Next hop type: "Virtual appliance"
  12. Next hop address: Enter the private IP address of your Azure Firewall. You can find this on the firewall's overview page.
  13. Click "Add".
  14. Now, navigate back to your Virtual Network. Under "Settings", click "Subnets".
  15. Click on each subnet (except AzureFirewallSubnet) and select the route table you just created (rt-firewall-traffic) from the "Route table" dropdown.
  16. Click "Save".

Step 6: Test Firewall Rules

6

Deploy a virtual machine in a subnet other than AzureFirewallSubnet and test connectivity.

To test:

  1. Deploy a VM into one of your subnets.
  2. Connect to the VM (e.g., via RDP or SSH).
  3. From the VM, try to access an external website like www.azure.com using a web browser. This should be allowed by your application rule.
  4. Try to access a resource on the internet on port 80 (HTTP). This should be allowed by your network rule if configured for HTTP.
  5. Attempt to access a forbidden website or service to verify that your deny rules (if configured) or default deny policy is working.

Conclusion

You have successfully deployed Azure Firewall, configured network and application rules, and set up routing to direct traffic through the firewall. This provides a robust layer of security for your Azure virtual networks.

Further Learning: Explore Azure Firewall Manager for centralized policy management across multiple VNets and workspaces.