Configure Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. This tutorial walks you through the steps to create, configure, and manage an Azure Firewall instance.
Prerequisites
- An active Azure subscription.
- A Virtual Network (VNet) that contains a subnet named exactly AzureFirewallSubnet, sized /26 or larger, plus a separate subnet for the workloads the firewall will protect.
- Azure CLI with the azure-firewall extension (the az network firewall commands below come from that extension); every step in this tutorial is done with the CLI.
Step 1 – Create a Resource Group
First, create a resource group to contain the firewall and related resources.
az group create --name MyFirewallRG --location eastus
Step 2 – Deploy the Azure Firewall
Use the Azure portal or the CLI to provision the firewall. For a firewall deployed into your own VNet the SKU is AZFW_VNet; AZFW_Hub is only for a firewall attached to a Virtual WAN secured hub and does not take the ip-config configured in Step 3.
az network firewall create \
--resource-group MyFirewallRG \
--name MyAzureFirewall \
--location eastus \
--sku AZFW_VNet
Step 3 – Configure Firewall IP Configurations
Attach a public IP to the firewall. The public IP must already exist and be Standard SKU with static allocation, and MyVNet must already contain a subnet named exactly AzureFirewallSubnet (at least /26). The command places the firewall's ip-config in that subnet automatically and assigns it a private IP address, which Step 6 needs as the route's next hop.
az network firewall ip-config create \
--resource-group MyFirewallRG \
--firewall-name MyAzureFirewall \
--name FWIPConfig \
--public-ip-address MyFWPublicIP \
--vnet-name MyVNet
Step 4 – Create Network Rules
Network rules filter traffic by source and destination IP address, port, and protocol, and are evaluated before application rules. The CLI creates a collection and its first rule in a single az network firewall network-rule create call (there is no network-rule collection create; the collection subcommands only show, list and delete). The rule below allows outbound TCP 80/443 from any source to any destination. That is convenient for a first connectivity test, but it also means the application rules in Step 5 never see HTTP/S traffic; in practice scope --source-addresses to the protected subnet's range and narrow or remove this rule once FQDN filtering is in place.
az network firewall network-rule create \
--resource-group MyFirewallRG \
--firewall-name MyAzureFirewall \
--collection-name NetRuleCollection \
--priority 100 \
--action Allow \
--name AllowWeb \
--protocols TCP \
--source-addresses '*' \
--dest-addr '*' \
--destination-ports 80 443
Step 5 – Create Application Rules
Application rules control outbound HTTP/S by destination FQDN rather than by IP address, either as explicit target FQDNs (--target-fqdns) or as Microsoft-maintained FQDN tags (--fqdn-tags). As with network rules, the rule and its collection are created together with az network firewall application-rule create, and a source must be given. Note that AzureCloud is a service tag, valid as a destination in network rules, not an FQDN tag; the example below uses the WindowsUpdate FQDN tag instead.
az network firewall application-rule create \
--resource-group MyFirewallRG \
--firewall-name MyAzureFirewall \
--collection-name AppRuleCollection \
--priority 200 \
--action Allow \
--name AllowWindowsUpdate \
--protocols Http=80 Https=443 \
--source-addresses '*' \
--fqdn-tags WindowsUpdate
Step 6 – Associate the Firewall with Subnets
Force traffic through the firewall by associating a route table (User Defined Route, UDR) with each protected subnet. The default route's next hop type is VirtualAppliance, not AzureFirewall, and its next hop address is the private IP the firewall received in Step 3, which can be read back with az network firewall ip-config list.
az network route-table create \
--resource-group MyFirewallRG \
--name MyUDR \
--location eastus
FW_PRIVATE_IP=$(az network firewall ip-config list \
--resource-group MyFirewallRG \
--firewall-name MyAzureFirewall \
--query "[?name=='FWIPConfig'].privateIPAddress" \
--output tsv)
az network route-table route create \
--resource-group MyFirewallRG \
--route-table-name MyUDR \
--name RouteToFW \
--address-prefix 0.0.0.0/0 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address $FW_PRIVATE_IP
az network vnet subnet update \
--resource-group MyFirewallRG \
--vnet-name MyVNet \
--name MySubnet \
--route-table MyUDR
Step 7 – Verify the Deployment
Test connectivity from a VM in the protected subnet (MySubnet). With the rules above, curl should print an HTTP status line such as HTTP/1.1 200 or HTTP/2 200. A request that no application rule allows is answered by the firewall with HTTP 470 rather than silently dropped, which is a quick way to confirm traffic is really passing through the firewall and not bypassing the UDR.
curl -I https://www.microsoft.com
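The whole procedure as a single script, added here as an example rather than code from the page or from Microsoft. The resource names follow the tutorial; the address ranges (10.0.0.0/16, 10.0.0.0/26, 10.0.1.0/24), the placeholder private IP 10.0.0.4 used in dry-run mode, and the DRY_RUN switch are assumptions. It departs from Step 4 on purpose: the network rule only allows DNS from the workload subnet to Azure DNS, so HTTP/S is decided by the FQDN-aware application rules, and it checks the AzureFirewallSubnet size before touching Azure.

```shell
#!/bin/sh
# Added example (not from the page): end-to-end Azure Firewall deployment.
# Names and address ranges below are assumptions; override them via env vars.
set -eu

RG="${RG:-MyFirewallRG}"
LOCATION="${LOCATION:-eastus}"
VNET="${VNET:-MyVNet}"
VNET_PREFIX="${VNET_PREFIX:-10.0.0.0/16}"            # assumed VNet range
FW_SUBNET_PREFIX="${FW_SUBNET_PREFIX:-10.0.0.0/26}"  # AzureFirewallSubnet, /26 minimum
WORKLOAD_SUBNET="${WORKLOAD_SUBNET:-MySubnet}"
WORKLOAD_PREFIX="${WORKLOAD_PREFIX:-10.0.1.0/24}"    # assumed workload range
FW_NAME="${FW_NAME:-MyAzureFirewall}"
PIP_NAME="${PIP_NAME:-MyFWPublicIP}"
UDR_NAME="${UDR_NAME:-MyUDR}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# AzureFirewallSubnet must be /26 or larger, i.e. a prefix length of 26 or less.
check_fw_subnet_prefix() {
    case "$1" in */*) ;; *) return 1 ;; esac
    _len="${1##*/}"
    case "$_len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_len" -le 26 ]
}

# Print (dry run) or execute a command.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Private IP of the firewall's ip-config; it becomes the UDR next hop.
fw_private_ip() {
    if [ "$DRY_RUN" = 1 ]; then
        echo 10.0.0.4   # placeholder; Azure assigns the real address
    else
        az network firewall ip-config list -g "$RG" -f "$FW_NAME" \
            --query "[?name=='FWIPConfig'].privateIPAddress" -o tsv
    fi
}

deploy() {
    check_fw_subnet_prefix "$FW_SUBNET_PREFIX" || {
        echo "AzureFirewallSubnet must be /26 or larger: $FW_SUBNET_PREFIX" >&2
        return 1
    }
    run az extension add --upgrade --name azure-firewall
    run az group create -n "$RG" -l "$LOCATION"
    # VNet with the mandatory AzureFirewallSubnet plus a workload subnet.
    run az network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" \
        --address-prefixes "$VNET_PREFIX" \
        --subnet-name AzureFirewallSubnet --subnet-prefixes "$FW_SUBNET_PREFIX"
    run az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
        -n "$WORKLOAD_SUBNET" --address-prefixes "$WORKLOAD_PREFIX"
    # Azure Firewall requires a Standard-SKU public IP with static allocation.
    run az network public-ip create -g "$RG" -n "$PIP_NAME" -l "$LOCATION" \
        --sku Standard --allocation-method Static
    run az network firewall create -g "$RG" -n "$FW_NAME" -l "$LOCATION" \
        --sku AZFW_VNet --tier Standard
    run az network firewall ip-config create -g "$RG" -f "$FW_NAME" \
        -n FWIPConfig --public-ip-address "$PIP_NAME" --vnet-name "$VNET"
    # Network rule: only DNS to Azure DNS, scoped to the workload subnet, so
    # that HTTP/S is decided by the FQDN-aware application rules below.
    run az network firewall network-rule create -g "$RG" -f "$FW_NAME" \
        --collection-name NetRuleCollection --priority 100 --action Allow \
        -n AllowAzureDns --protocols UDP --source-addresses "$WORKLOAD_PREFIX" \
        --dest-addr 168.63.129.16 --destination-ports 53
    # Application rules: the FQDN that Step 7 tests, plus the WindowsUpdate tag.
    run az network firewall application-rule create -g "$RG" -f "$FW_NAME" \
        --collection-name AppRuleCollection --priority 200 --action Allow \
        -n AllowMicrosoftCom --protocols Http=80 Https=443 \
        --source-addresses "$WORKLOAD_PREFIX" --target-fqdns www.microsoft.com
    run az network firewall application-rule create -g "$RG" -f "$FW_NAME" \
        --collection-name AppRuleCollection -n AllowWindowsUpdate \
        --protocols Http=80 Https=443 \
        --source-addresses "$WORKLOAD_PREFIX" --fqdn-tags WindowsUpdate
    # Default route through the firewall: next hop is a virtual appliance at
    # the firewall's private IP; there is no dedicated "AzureFirewall" hop type.
    fw_ip="$(fw_private_ip)"
    run az network route-table create -g "$RG" -n "$UDR_NAME" -l "$LOCATION"
    run az network route-table route create -g "$RG" --route-table-name "$UDR_NAME" \
        -n RouteToFW --address-prefix 0.0.0.0/0 \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip"
    run az network vnet subnet update -g "$RG" --vnet-name "$VNET" \
        -n "$WORKLOAD_SUBNET" --route-table "$UDR_NAME"
}

# Dry run by default; DRY_RUN=0 executes the commands against your subscription.
deploy
```

Run it once as-is to review the generated commands, then with DRY_RUN=0 to deploy. Because the network rule no longer allows 80/443 outright, a curl to a host outside www.microsoft.com or the WindowsUpdate tag returns the firewall's HTTP 470 deny response, which is the behaviour you want to see before widening the rules.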
For a deeper dive into logging, diagnostics, and scaling, see the Advanced Azure Firewall guide.