Deploy Azure Firewall using the Azure portal

This tutorial guides you through the process of deploying Azure Firewall using the Azure portal. Azure Firewall is a cloud-native network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Prerequisites

Before you begin, ensure you have the following:

  • An Azure subscription. If you don't have one, create a free account before you begin.
  • A virtual network (VNet) with at least one subnet. For this tutorial, we'll assume you have a VNet named `VNet-FW-Test` with a subnet named `AzureFirewallSubnet`. The subnet name MUST be exactly `AzureFirewallSubnet`.
  • Non-conflicting IP address ranges planned for your virtual network and the Azure Firewall subnet.

Steps to Deploy Azure Firewall

1. Create the Azure Firewall Resource

Follow these steps to create the firewall resource in the Azure portal:

  1. Sign in to the Azure portal.
  2. In the search bar, type Firewall and select Firewalls.
  3. Click Create.
  4. On the Basics tab, configure the following settings:
    • Subscription: Select your Azure subscription.
    • Resource group: Select an existing resource group or create a new one.
    • Name: Enter a name for your firewall (e.g., `FW-Test`).
    • Region: Select the same region as your virtual network.
    • Availability zones: Choose an availability zone option if needed for high availability.
    • Firewall policy: Select Create new and provide a name for your policy (e.g., `FW-Policy-Test`).
    • Default rules collection group: This will be created automatically with the policy.
  5. Click Next: IP Addresses.

2. Configure IP Addresses

On the IP Addresses tab, configure the following:

  1. Public IP address:
    • Select Create new.
    • Enter a name for the public IP address (e.g., `PublicIP-FW-Test`).
    • Choose a SKU (Standard is recommended).
    • Click OK.
  2. Click Next: Advanced Settings.

3. Configure Advanced Settings (Optional)

On the Advanced Settings tab, you can configure features like Threat Intelligence, but for this basic deployment, you can leave the defaults.

  1. Click Next: Tags.

4. Add Tags (Optional)

Add any necessary tags for resource management.

  1. Click Next: Review + create.

5. Review and Create

Review all the settings you've configured. Once validation passes, click Create.

Deployment Time: The deployment of Azure Firewall can take several minutes to complete. You can monitor the progress in the notifications area.

6. Associate Firewall with the Virtual Network

After the firewall is deployed, you need to associate it with your virtual network:

  1. Navigate to your deployed Azure Firewall resource.
  2. In the firewall menu, under Settings, select Overview.
  3. Click the link to your virtual network (e.g., `VNet-FW-Test`).
  4. In the virtual network menu, under Settings, select Subnets.
  5. Click the AzureFirewallSubnet.
  6. Under Firewall, select your deployed Azure Firewall (e.g., `FW-Test`).
  7. Click Save.

7. Configure Route Tables

To direct traffic through the Azure Firewall, you need to configure route tables.

  1. In the Azure portal, search for and select Route tables.
  2. Click Create.
  3. Configure the route table:
    • Subscription
    • Resource group
    • Region
    • Name (e.g., `RT-FW-Traffic`)
  4. Click Review + create, then Create.
  5. Once created, navigate to your new route table.
  6. Under Settings, select Routes.
  7. Click Add.
  8. Configure the route:
    • Route name (e.g., `ToFW`)
    • Address prefix: Set to `0.0.0.0/0` to route all traffic.
    • Next hop type: Select Virtual appliance.
    • Next hop address: Enter the private IP address of your Azure Firewall. You can find this on the Overview page of your Azure Firewall.
  9. Click Add.
  10. Associate this route table with the subnets whose traffic must pass through the firewall: navigate back to your virtual network, select the relevant subnets (excluding `AzureFirewallSubnet`), and associate the `RT-FW-Traffic` route table with each one.

Verifying the Deployment

After completing these steps, your Azure Firewall should be deployed and the associated subnets should route their traffic through it. Test connectivity and your security rules to confirm that it is functioning as expected.
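An offline check of the layout this tutorial builds, added here as an example and not part of the original tutorial or of any Azure tooling. It checks the subnet name, address-range conflicts, and the step 7 default route. The plan dict layout, the address ranges, and the `Workload-SN` subnet name are assumptions made for the example.

```python
import ipaddress

FW_SUBNET = "AzureFirewallSubnet"  # exact name the tutorial requires
DEFAULT = "0.0.0.0/0"
# Constructed sample using the tutorial's names. The dict layout and every
# address range are assumptions for this example, not Azure API output.
PLAN = {
    "vnet_space": "10.0.0.0/16", "firewall_private_ip": "10.0.1.4",
    "subnets": [
        {"name": "AzureFirewallSubnet", "prefix": "10.0.1.0/26", "route_table": None},
        {"name": "Workload-SN", "prefix": "10.0.2.0/24", "route_table": "RT-FW-Traffic"},
    ],
    "route_tables": {
        "RT-FW-Traffic": [{"name": "ToFW", "prefix": DEFAULT,
                           "next_hop_type": "Virtual appliance",
                           "next_hop_ip": "10.0.1.4"}],
    },
}

def check_plan(plan):
    """Return findings; an empty list means the plan matches the tutorial."""
    space = ipaddress.ip_network(plan["vnet_space"])
    fw_ip = ipaddress.ip_address(plan["firewall_private_ip"])
    nets = {s["name"]: ipaddress.ip_network(s["prefix"]) for s in plan["subnets"]}
    if FW_SUBNET not in nets:  # the name is fixed and compared exactly
        return [f"no subnet named exactly {FW_SUBNET}"]
    findings = []
    if fw_ip not in nets[FW_SUBNET]:
        findings.append(f"firewall IP {fw_ip} is outside {FW_SUBNET}")
    names = list(nets)
    for i, name in enumerate(names):  # address-range conflicts
        if not nets[name].subnet_of(space):
            findings.append(f"{name} is outside the VNet address space")
        findings += [f"{name} overlaps {o}" for o in names[i + 1:]
                     if nets[name].overlaps(nets[o])]
    for s in plan["subnets"]:  # step 7: default route via the firewall
        routes = plan["route_tables"].get(s["route_table"], [])
        via_fw = any(r["prefix"] == DEFAULT
                     and r["next_hop_type"] == "Virtual appliance"
                     and ipaddress.ip_address(r["next_hop_ip"]) == fw_ip
                     for r in routes)
        if s["name"] == FW_SUBNET and via_fw:
            findings.append(f"{FW_SUBNET} must not use the firewall route")
        elif s["name"] != FW_SUBNET and not via_fw:
            findings.append(f"{s['name']} has no default route to the firewall")
    return findings

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan matches the tutorial")
```

A subnet reported as having no default route to the firewall still uses Azure's system routes, so its outbound traffic bypasses the firewall rules entirely.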

Next Steps: Explore Azure Firewall policies for granular rule management, network address translation (NAT) rules, and threat intelligence-based filtering.