How to Configure Firewall for Azure Virtual WAN
This guide provides step-by-step instructions on integrating and configuring Azure Firewall with your Azure Virtual WAN hub to secure your branch and VNet traffic.
Prerequisites
- An existing Azure Virtual WAN hub deployed.
- An Azure Firewall deployed in your Virtual WAN hub (Step 1 below covers this if it is not yet in place).
- Network Security Groups (NSGs) configured for your connected VNets (optional, but recommended).
- Sufficient permissions to manage Azure Virtual WAN and Azure Firewall resources.
Step 1: Deploy Azure Firewall in the Virtual WAN Hub
If you haven't already deployed Azure Firewall into your Virtual WAN hub, follow these steps:
- Navigate to your Virtual WAN resource in the Azure portal.
- Under "Connectivity," select "Hubs."
- Click on your hub, then select "Azure Firewall."
- Click "Create Firewall" and follow the wizard to deploy a new Azure Firewall instance within the hub. Choose the appropriate SKU (Standard or Premium) and configure networking settings.
Step 2: Configure Firewall Policy and Rules
Once Azure Firewall is deployed, you need to define its policies and rules to control traffic flow. You can manage these through Firewall Manager or directly on the Azure Firewall resource.
Using Azure Firewall Manager (Recommended)
- Navigate to "Azure Firewall Manager" in the Azure portal.
- Under "Security management," select "Firewall policies."
- Click "Create firewall policy."
- Associate the policy with your Virtual WAN hub.
- Define "Network rules" to allow or deny traffic based on IP addresses, ports, and protocols.
- Define "Application rules" to allow or deny traffic to specific FQDNs (Fully Qualified Domain Names).
- Define "NAT rules" to translate destination IP addresses and ports for incoming connections.
Directly on Azure Firewall Resource
Alternatively, you can configure rules directly on the Azure Firewall resource associated with the hub:
- Navigate to your deployed Azure Firewall resource in the Azure portal.
- Select "Firewall policy" or navigate to "Rules" directly.
- Configure Network, Application, and NAT rules as described above.
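Whichever path you take, it pays to review a rule set before it is applied to the hub. The following Python script is an added example, not part of this guide or of Azure's own tooling: it builds a rule collection group in the shape of a Microsoft.Network/firewallPolicies/ruleCollectionGroups resource (network, application and NAT rules, as in Step 2) and lints it for the mistakes that most often undermine inspection. Every name, address and FQDN is a constructed sample value, and two rules are deliberately over-broad so the linter has something to report.

```python
"""Lint a Firewall Policy rule collection group before applying it to the hub.

Added example, not part of the original guide. The dictionary follows the
layout of a Microsoft.Network/firewallPolicies/ruleCollectionGroups resource;
every name, address and FQDN below is a constructed sample value.
"""
import json

WILDCARD = "*"

# Constructed sample group covering the three rule kinds the guide names:
# network rules, application rules and DNAT rules.
RULE_COLLECTION_GROUP = {
    "name": "HubRuleCollectionGroup",
    "properties": {
        "priority": 200,
        "ruleCollections": [
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "spoke-network-allow",
                "priority": 100,
                "action": {"type": "Allow"},
                "rules": [
                    {"ruleType": "NetworkRule", "name": "spokes-to-dns",
                     "ipProtocols": ["UDP", "TCP"],
                     "sourceAddresses": ["10.1.0.0/16", "10.2.0.0/16"],
                     "destinationAddresses": ["10.0.0.4"],
                     "destinationPorts": ["53"]},
                    # Over-broad: allows everything, defeating inspection.
                    {"ruleType": "NetworkRule", "name": "temporary-any",
                     "ipProtocols": ["Any"], "sourceAddresses": [WILDCARD],
                     "destinationAddresses": [WILDCARD],
                     "destinationPorts": [WILDCARD]},
                ],
            },
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "spoke-web-allow",
                "priority": 100,  # clashes with the collection above
                "action": {"type": "Allow"},
                "rules": [
                    {"ruleType": "ApplicationRule", "name": "windows-update",
                     "protocols": [{"protocolType": "Https", "port": 443}],
                     "sourceAddresses": ["10.1.0.0/16"],
                     "targetFqdns": ["*.update.microsoft.com"]},
                ],
            },
            {
                "ruleCollectionType": "FirewallPolicyNatRuleCollection",
                "name": "inbound-dnat",
                "priority": 110,
                "action": {"type": "DNAT"},
                "rules": [
                    # Over-broad: publishes RDP on the firewall public IP
                    # (203.0.113.10 is a documentation address) to any source.
                    {"ruleType": "NatRule", "name": "rdp-jump",
                     "ipProtocols": ["TCP"], "sourceAddresses": [WILDCARD],
                     "destinationAddresses": ["203.0.113.10"],
                     "destinationPorts": ["3389"],
                     "translatedAddress": "10.1.0.10",
                     "translatedPort": "3389"},
                ],
            },
        ],
    },
}


def lint_rule_collection_group(group):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    seen_priorities = {}
    for coll in group["properties"]["ruleCollections"]:
        prio = coll["priority"]
        if prio in seen_priorities:
            findings.append(f"priority {prio} used by both {seen_priorities[prio]} "
                            f"and {coll['name']}; ordering is ambiguous")
        seen_priorities.setdefault(prio, coll["name"])
        action = coll["action"]["type"]
        for rule in coll["rules"]:
            path = f"{coll['name']}/{rule['name']}"
            src_any = WILDCARD in rule.get("sourceAddresses", [])
            kind = rule["ruleType"]
            if kind == "NetworkRule" and action == "Allow":
                if (src_any and WILDCARD in rule.get("destinationAddresses", [])
                        and WILDCARD in rule.get("destinationPorts", [])):
                    findings.append(f"{path}: allows any source to any "
                                    "destination on any port")
            elif kind == "ApplicationRule" and action == "Allow":
                if WILDCARD in rule.get("targetFqdns", []):
                    findings.append(f"{path}: allows every FQDN")
            elif kind == "NatRule" and src_any:
                findings.append(f"{path}: DNAT to {rule['translatedAddress']}:"
                                f"{rule['translatedPort']} accepts any source")
    return findings


if __name__ == "__main__":
    for finding in lint_rule_collection_group(RULE_COLLECTION_GROUP):
        print("FINDING:", finding)
    # The same dictionary serialises straight into an ARM template resource.
    print(json.dumps(RULE_COLLECTION_GROUP)[:60], "...")
```

Run it as-is and it reports three findings: the any/any/any network rule, the two collections sharing priority 100, and the DNAT rule that accepts any source. Extend the checks to match your own standards (for example, requiring every DNAT rule to list named source ranges) before wiring the script into the pipeline that deploys the policy.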
Step 3: Configure Route Tables for Hub Routing
To enforce traffic inspection through Azure Firewall, you need to configure the route tables within your Virtual WAN hub.
- Navigate back to your Virtual WAN hub in the Azure portal.
- Under "Connectivity," select "Route tables."
- Select the default route table or create a new one.
- For each connection (e.g., VNet connection, VPN/ExpressRoute connection), associate it with the route table that has Azure Firewall as the next hop for relevant traffic.
- Add routes to direct traffic from your spokes (VNets) and on-premises sites to the Azure Firewall private IP address.
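The easiest way to lose inspection is a route that is more specific than the one pointing at the firewall, because longest-prefix match sends that traffic elsewhere. The script below is an added example, not from this guide or from Azure: it models hub route tables with the fields of Virtual WAN static routes (destinations, nextHopType, nextHop), associates connections with tables as in Step 3, and checks a few representative destinations per connection. The resource IDs, prefixes and connection names are constructed placeholders, and routes the hub learns dynamically are not modelled.

```python
"""Check that every hub connection's route table sends traffic via the firewall.

Added example, not part of the original guide. Route entries mirror the
fields of Virtual WAN hub route-table static routes (destinations,
nextHopType, nextHop); resource IDs and prefixes are constructed samples,
and routes the hub learns dynamically are not modelled.
"""
import ipaddress

# Placeholder resource IDs (constructed; subscription and names are fake).
FIREWALL_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups"
               "/rg-hub/providers/Microsoft.Network/azureFirewalls/AzureFirewall_hub")
SPOKE2_CONNECTION_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000"
                        "/resourceGroups/rg-hub/providers/Microsoft.Network"
                        "/virtualHubs/hub/hubVirtualNetworkConnections/spoke2")

ROUTE_TABLES = {
    "defaultRouteTable": [
        {"name": "internet-via-fw", "destinations": ["0.0.0.0/0"],
         "nextHopType": "ResourceId", "nextHop": FIREWALL_ID},
        {"name": "private-via-fw",
         "destinations": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
         "nextHopType": "ResourceId", "nextHop": FIREWALL_ID},
    ],
    # A hand-tuned table: the more specific route sends spoke2 traffic
    # straight to the VNet connection, bypassing inspection.
    "rt-branches": [
        {"name": "internet-via-fw", "destinations": ["0.0.0.0/0"],
         "nextHopType": "ResourceId", "nextHop": FIREWALL_ID},
        {"name": "spoke2-direct", "destinations": ["10.2.0.0/16"],
         "nextHopType": "ResourceId", "nextHop": SPOKE2_CONNECTION_ID},
    ],
}

# Connection name -> associated route table (constructed).
CONNECTIONS = {
    "spoke1-vnet": "defaultRouteTable",
    "spoke2-vnet": "defaultRouteTable",
    "branch-vpn": "rt-branches",
}

# Representative destinations a connection might send traffic to.
PROBES = {"internet": "8.8.8.8", "spoke2": "10.2.0.5", "on-prem": "192.168.10.5"}


def match_route(routes, destination):
    """Longest-prefix match; returns the winning route or None."""
    addr = ipaddress.ip_address(destination)
    best, best_len = None, -1
    for route in routes:
        for prefix in route["destinations"]:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = route, net.prefixlen
    return best


def audit_connections(route_tables, connections, probes, firewall_id):
    """Map each connection to the probe names whose traffic would skip the firewall."""
    report = {}
    for conn, table_name in connections.items():
        routes = route_tables.get(table_name, [])
        gaps = []
        for label, dest in probes.items():
            route = match_route(routes, dest)
            if route is None or route["nextHop"] != firewall_id:
                gaps.append(label)
        report[conn] = gaps
    return report


if __name__ == "__main__":
    report = audit_connections(ROUTE_TABLES, CONNECTIONS, PROBES, FIREWALL_ID)
    for conn, gaps in report.items():
        print(conn, "OK" if not gaps else f"bypasses firewall for: {', '.join(gaps)}")
```

With the sample data both spoke connections pass, while the branch connection is reported for the spoke2 destination. Feed it the real route tables and connection associations from your hub to get the same answer for your environment.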
Step 4: Validate Firewall Configuration
After configuring rules and routes, it's crucial to validate that traffic is being inspected as expected.
- Use network diagnostic tools to test connectivity between your connected resources.
- Monitor Azure Firewall logs and network logs to observe traffic patterns and any blocked connections.
- Test access to external resources from your connected VNets/sites to verify firewall policies are effective.
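Reading the firewall's network-rule logs is the quickest way to confirm the policy behaves as intended. The script below is an added example, not part of this guide or of Azure's tooling: it takes an export of network-rule records, one JSON object per line, and produces three things a reviewer wants after a change: denies per source, sources that were denied on several distinct ports (worth a look, whether misconfiguration or probing), and allowed connections to administrative ports together with the rule that permitted them. The records are constructed, and the column names (SourceIp, DestinationPort, Action, Rule) are assumed to follow the structured AZFWNetworkRule table; adjust them if your export differs.

```python
"""Triage Azure Firewall network-rule log records after a policy change.

Added example, not part of the original guide. The records are constructed
and use the column names of the structured AZFWNetworkRule log table
(SourceIp, DestinationPort, Action, Rule, ...); treat those names as an
assumption and adjust them if your export differs.
"""
import json
from collections import Counter, defaultdict

# Constructed sample export: one JSON record per line. 198.51.100.20 is a
# documentation address standing in for an external destination.
SAMPLE_LOG = """\
{"TimeGenerated":"2024-05-01T10:00:01Z","Protocol":"TCP","SourceIp":"10.1.0.4","DestinationIp":"10.2.0.5","DestinationPort":22,"Action":"Deny","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:02Z","Protocol":"TCP","SourceIp":"10.1.0.4","DestinationIp":"10.2.0.5","DestinationPort":3389,"Action":"Deny","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:03Z","Protocol":"TCP","SourceIp":"10.1.0.4","DestinationIp":"10.2.0.5","DestinationPort":445,"Action":"Deny","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:04Z","Protocol":"TCP","SourceIp":"10.1.0.4","DestinationIp":"10.2.0.5","DestinationPort":5985,"Action":"Deny","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:05Z","Protocol":"UDP","SourceIp":"10.1.0.7","DestinationIp":"10.0.0.4","DestinationPort":53,"Action":"Allow","Rule":"spokes-to-dns"}
{"TimeGenerated":"2024-05-01T10:00:06Z","Protocol":"TCP","SourceIp":"10.1.0.9","DestinationIp":"10.2.0.8","DestinationPort":3389,"Action":"Allow","Rule":"temporary-any"}
{"TimeGenerated":"2024-05-01T10:00:07Z","Protocol":"TCP","SourceIp":"10.3.0.2","DestinationIp":"198.51.100.20","DestinationPort":80,"Action":"Deny","Rule":""}
"""

# Ports whose allowed traffic deserves a second look (SSH, RDP, WinRM).
ADMIN_PORTS = {22, 3389, 5985, 5986}
# Distinct denied destination ports from one source before it is reported.
SCAN_THRESHOLD = 3


def parse_records(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Summarise denies, multi-port deny sources and allowed admin-port traffic."""
    denied_by_source = Counter()
    denied_ports = defaultdict(set)
    allowed_admin = []
    for rec in records:
        port = int(rec["DestinationPort"])
        if rec["Action"] == "Deny":
            denied_by_source[rec["SourceIp"]] += 1
            denied_ports[rec["SourceIp"]].add(port)
        elif rec["Action"] == "Allow" and port in ADMIN_PORTS:
            allowed_admin.append(
                (rec["SourceIp"], rec["DestinationIp"], port, rec["Rule"]))
    suspects = sorted(ip for ip, ports in denied_ports.items()
                      if len(ports) >= SCAN_THRESHOLD)
    return {
        "denied_by_source": dict(denied_by_source),
        "scan_suspects": suspects,
        "allowed_admin_ports": allowed_admin,
    }


if __name__ == "__main__":
    result = triage(parse_records(SAMPLE_LOG))
    for ip, count in sorted(result["denied_by_source"].items()):
        print(f"{ip}: {count} denied")
    print("multi-port deny sources:", result["scan_suspects"])
    for src, dst, port, rule in result["allowed_admin_ports"]:
        print(f"allowed admin port {port} {src} -> {dst} by rule '{rule}'")
```

On the sample data the script reports 10.1.0.4 (four denies across four ports) as a multi-port deny source and shows that RDP from 10.1.0.9 was admitted by a rule named temporary-any, which is exactly the kind of leftover rule that should be tightened before the hub goes into production.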
Key Considerations
- Firewall SKU: Choose between Standard and Premium SKUs based on your performance and feature requirements. Premium offers advanced features like TLS inspection and threat intelligence.
- Centralized Management: Azure Firewall Manager provides a centralized console for managing firewall policies across multiple hubs and environments, simplifying governance.
- Logging and Monitoring: Enable diagnostic settings for Azure Firewall to collect logs and metrics. Integrate with Azure Monitor or Sentinel for advanced security analytics and threat detection.
- SNAT and DNAT: Understand Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT) rules to manage outbound and inbound traffic respectively.
Conclusion
By following these steps, you can effectively integrate Azure Firewall with your Azure Virtual WAN to establish a robust security posture, centralize network traffic inspection, and protect your cloud and hybrid network resources.