Azure Firewall Deployment: A Comprehensive Tutorial

Learn how to deploy and configure Azure Firewall for robust network security in your cloud environment.

Azure Firewall is a managed, cloud-native network security service that protects your virtual network resources. It's a highly available and scalable stateful firewall as a service. This tutorial will guide you through the essential steps to deploy Azure Firewall.

Prerequisites

Before you begin, ensure you have the following:

Step 1: Create a Virtual Network

If you don't already have a VNet, you'll need to create one. For this tutorial, we'll assume a VNet named MyVNet with an address space of 10.1.0.0/16.

Using Azure Portal

  1. Navigate to the Azure portal.
  2. Search for "Virtual networks" and select "Create".
  3. Fill in the required details:
    • Subscription: Select your subscription.
    • Resource group: Create a new one (e.g., RG-Firewall-Demo) or select an existing one.
    • Name: Enter MyVNet.
    • Region: Choose a region.
    • IP addresses: Set the address space to 10.1.0.0/16.
  4. Click "Review + create" and then "Create".

Step 2: Create the AzureFirewallSubnet

Azure Firewall requires a dedicated subnet named exactly AzureFirewallSubnet. The subnet must be at least a /26 (64 addresses), because the firewall allocates addresses from it for the instances it scales out to.

Using Azure Portal

  1. Go to your newly created Virtual Network (MyVNet).
  2. Under "Settings", select "Subnets".
  3. Click "+ Subnet".
  4. Name: Enter AzureFirewallSubnet.
  5. Address range: Specify a CIDR block like 10.1.255.0/26. Ensure it doesn't overlap with other subnets.
  6. Leave other settings as default and click "Save".

(Placeholder for a diagram illustrating the VNet and AzureFirewallSubnet configuration.)
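The portal only tells you after the fact if the range you typed is too small or collides with another subnet. The bash script below is an added example, not part of the original tutorial, that checks a proposed AzureFirewallSubnet range against the VNet space and the existing subnets before you create it, and also derives the firewall's private IP (needed later for the route table) from the range. It uses the tutorial's values (VNet 10.1.0.0/16, firewall subnet 10.1.255.0/26); the workload subnet 10.1.0.0/24 is an assumption taken from the rule examples. IPv4 only, pure shell arithmetic, no Azure session required.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: pre-flight checks for the
# AzureFirewallSubnet address range. Pure bash arithmetic, IPv4 only.

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# 32-bit integer -> dotted-quad IPv4 address.
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Lowest address of a CIDR block, as an integer.
cidr_first() {
  local ip=${1%/*} len=${1#*/}
  local mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
  echo $(( $(ip_to_int "$ip") & mask ))
}

# Highest address of a CIDR block, as an integer.
cidr_last() {
  local len=${1#*/}
  echo $(( $(cidr_first "$1") + (1 << (32 - len)) - 1 ))
}

# Azure reserves the first four addresses of every subnet (network address,
# default gateway, two for Azure DNS) plus the broadcast address, so the
# firewall's private IP, the next hop for your UDRs, is normally network + 4:
# 10.1.255.4 for 10.1.255.0/26.
first_usable_ip() {
  int_to_ip $(( $(cidr_first "$1") + 4 ))
}

# True (exit 0) when the two CIDR blocks share at least one address.
cidrs_overlap() {
  [ "$(cidr_first "$1")" -le "$(cidr_last "$2")" ] &&
  [ "$(cidr_first "$2")" -le "$(cidr_last "$1")" ]
}

# validate_firewall_subnet VNET_CIDR SUBNET_CIDR [EXISTING_SUBNET_CIDR ...]
# Prints the first problem found and returns 1; prints the expected next-hop
# address and returns 0 when the range is usable.
validate_firewall_subnet() {
  local vnet=$1 subnet=$2 len=${2#*/} other
  shift 2
  if [ "$len" -gt 26 ]; then
    echo "prefix /$len is smaller than the /26 minimum Azure Firewall requires"
    return 1
  fi
  if [ "$(ip_to_int "${subnet%/*}")" -ne "$(cidr_first "$subnet")" ]; then
    echo "$subnet is not on a /$len boundary"
    return 1
  fi
  if [ "$(cidr_first "$subnet")" -lt "$(cidr_first "$vnet")" ] ||
     [ "$(cidr_last "$subnet")" -gt "$(cidr_last "$vnet")" ]; then
    echo "$subnet is not inside the VNet address space $vnet"
    return 1
  fi
  for other in "$@"; do
    if cidrs_overlap "$subnet" "$other"; then
      echo "$subnet overlaps existing subnet $other"
      return 1
    fi
  done
  echo "ok: firewall private IP / UDR next hop will be $(first_usable_ip "$subnet")"
}

# Tutorial values: VNet 10.1.0.0/16, workload subnet 10.1.0.0/24 (assumed),
# proposed AzureFirewallSubnet 10.1.255.0/26.
validate_firewall_subnet 10.1.0.0/16 10.1.255.0/26 10.1.0.0/24
```

Run it with your own ranges before clicking "Save" in the portal; a /27, a range outside the VNet, an unaligned start address, or an overlap with an existing subnet each produce a one-line reason and a non-zero exit, and the "ok" line gives you the address to enter as the route table's next hop in Step 5.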

Step 3: Deploy Azure Firewall

Now, you can deploy the Azure Firewall resource itself.

Using Azure Portal

  1. In the Azure portal, search for "Firewalls" and select "Create".
  2. Fill in the required details:
    • Subscription: Select your subscription.
    • Resource group: Select RG-Firewall-Demo.
    • Name: Enter MyAzureFirewall.
    • Region: Choose the same region as your VNet.
    • Availability zone: Select an availability zone (optional, but recommended for high availability).
    • Tier: Select Standard or Premium. For this tutorial, we'll use Standard.
    • Virtual network: Select MyVNet.
    • Public IP address: Click "Create new" and name it MyFirewallPublicIP.
  3. Click "Review + create" and then "Create". The deployment can take some time.

# Example Azure CLI commands for deploying Azure Firewall (the firewall commands
# come from the azure-firewall extension: az extension add --name azure-firewall).
# The firewall needs a Standard-SKU, statically allocated public IP.
az network public-ip create --name MyFirewallPublicIP --resource-group RG-Firewall-Demo \
  --location eastus --sku Standard --allocation-method Static

# --sku AZFW_VNet selects the VNet-deployed firewall; --tier is Standard or Premium.
az network firewall create \
  --name MyAzureFirewall \
  --resource-group RG-Firewall-Demo \
  --location eastus \
  --sku AZFW_VNet \
  --tier Standard

# Place the firewall in MyVNet's AzureFirewallSubnet and bind the public IP.
az network firewall ip-config create \
  --firewall-name MyAzureFirewall \
  --name FW-config \
  --public-ip-address MyFirewallPublicIP \
  --resource-group RG-Firewall-Demo \
  --vnet-name MyVNet

Step 4: Configure Network Security Rules

After deployment, you'll want to configure firewall rules to control traffic flow.

Network Rules

Network rules let you allow or deny traffic by source and destination IP address (or service tag), port, and protocol at layers 3 and 4.

Adding a Network Rule (Allow HTTP/HTTPS)

  1. Navigate to your deployed Azure Firewall resource (MyAzureFirewall).
  2. Under "Settings", select "Rules".
  3. Click the "Network rule collections" tab, then click "+ Add network rule collection".
  4. Fill in the details:
    • Name: Enter AllowWebTraffic.
    • Priority: Enter a number (e.g., 200). Lower numbers have higher priority.
    • Rule type: Select Network rule.
    • Rules: Click "+ Add a rule".
      • Name: Enter AllowHTTPS.
      • Protocol: Select TCP.
      • Source type: Select IP Address.
      • Source addresses: Enter the source IP range (e.g., 10.1.0.0/24 for your workload subnet).
      • Destination type: Select Service Tag.
      • Destination: Select Internet.
      • Destination ports: Enter 443.
    • Click "Add".
  5. Click "Add" to save the rule collection.

(Placeholder for a screenshot of the Azure Firewall rules interface.)

Application Rules

Application rules allow you to filter traffic based on fully qualified domain names (FQDNs).

Adding an Application Rule (Allow specific websites)

  1. In the Azure Firewall resource, go to "Rules" and click the "Application rule collections" tab.
  2. Click "+ Add application rule collection".
  3. Fill in the details:
    • Name: Enter AllowSpecificSites.
    • Priority: Enter 300.
    • Rule type: Select Application rule.
    • Rules: Click "+ Add a rule".
      • Name: Enter AllowMicrosoftDocs.
      • Source type: Select IP Address.
      • Source addresses: Enter your source IP range (e.g., 10.1.0.0/24).
      • Target FQDNs: Enter *.microsoft.com.
      • Web categories: (Optional)
      • URL keywords: (Optional)
    • Click "Add".
  4. Click "Add" to save the rule collection.

Step 5: Configure Route Tables

To direct traffic through the Azure Firewall, you need to configure user-defined routes (UDRs) in your VNet.

Creating a Route Table

  1. Search for "Route tables" in the Azure portal and click "Create".
  2. Fill in the details:
    • Subscription: Select your subscription.
    • Resource group: Select RG-Firewall-Demo.
    • Region: Choose the same region as your VNet.
    • Name: Enter RT-Firewall-Traffic.
  3. Click "Review + create" and then "Create".

Adding a Route to Direct Traffic to Firewall

  1. Navigate to the route table you just created (RT-Firewall-Traffic).
  2. Under "Settings", select "Routes", then click "+ Add".
  3. Fill in the details:
    • Route name: Enter ToAzureFirewall.
    • Address prefix: Enter 0.0.0.0/0 to route all internet-bound traffic.
    • Next hop type: Select Virtual appliance.
    • Next hop address: Enter the private IP address of your Azure Firewall. You can find this on the firewall's overview page. Because Azure reserves the first four addresses of every subnet, it is typically the fifth address of the AzureFirewallSubnet, for example 10.1.255.4 for 10.1.255.0/26.
  4. Click "Add".

Associating Route Table with Subnet

  1. Navigate back to your Virtual Network (MyVNet).
  2. Under "Settings", select "Subnets".
  3. Click on your workload subnet (e.g., WorkloadSubnet, assuming you have one).
  4. Under "Route table", select RT-Firewall-Traffic.
  5. Click "Save".

Important: Ensure that your workload subnet's Network Security Group (NSG) allows traffic to and from the AzureFirewallSubnet. Do not attach an NSG to the AzureFirewallSubnet itself; Azure Firewall manages its own security.
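Steps 4 and 5 are shown in the portal only. As an added example, not part of the original tutorial, the script below performs the same configuration with the Azure CLI: the AllowWebTraffic network rule collection, the AllowSpecificSites application rule collection, and the RT-Firewall-Traffic route table with its 0.0.0.0/0 route attached to the workload subnet. Resource names come from the tutorial; the region (eastus), the workload subnet name (WorkloadSubnet), its range (10.1.0.0/24) and the JSON property name used to read the firewall's private IP are assumptions that you should check against your environment. By default the script only prints the commands it would run; set APPLY=1 to execute them against a logged-in az session with the azure-firewall extension installed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original tutorial: Step 4 rule collections and
# Step 5 routing as Azure CLI calls. Region, workload subnet name/range and the
# private-IP query field are assumptions; resource names are the tutorial's.
set -u

RG=${RG:-RG-Firewall-Demo}
FW=${FW:-MyAzureFirewall}
VNET=${VNET:-MyVNet}
LOCATION=${LOCATION:-eastus}                    # assumed region
WORKLOAD_SUBNET=${WORKLOAD_SUBNET:-WorkloadSubnet}   # assumed subnet name
WORKLOAD_CIDR=${WORKLOAD_CIDR:-10.1.0.0/24}      # assumed workload range

# Print the command instead of running it unless APPLY=1, so the plan can be
# reviewed (and tested) without an Azure session.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Network rule: TCP 443 from the workload subnet to the Internet service tag.
# --priority and --action are only needed when the collection is created.
allow_https_rule() {
  run az network firewall network-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name AllowWebTraffic --priority 200 --action Allow \
    --name AllowHTTPS --protocols TCP \
    --source-addresses "$WORKLOAD_CIDR" \
    --destination-addresses Internet --destination-ports 443
}

# Application rule: HTTPS to *.microsoft.com from the workload subnet.
allow_microsoft_docs_rule() {
  run az network firewall application-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name AllowSpecificSites --priority 300 --action Allow \
    --name AllowMicrosoftDocs --protocols Https=443 \
    --source-addresses "$WORKLOAD_CIDR" \
    --target-fqdns '*.microsoft.com'
}

# The firewall's private IP is the UDR next hop. The property name follows the
# CLI's camelCase output; check with --output json if your version differs.
firewall_private_ip() {
  az network firewall ip-config list --resource-group "$RG" --firewall-name "$FW" \
    --query "[0].privateIpAddress" --output tsv
}

# Route table with a default route to the firewall, attached to the workload
# subnet. $1 is the firewall's private IP address.
route_workload_via_firewall() {
  local next_hop=$1
  run az network route-table create --resource-group "$RG" --location "$LOCATION" \
    --name RT-Firewall-Traffic
  run az network route-table route create --resource-group "$RG" \
    --route-table-name RT-Firewall-Traffic --name ToAzureFirewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$next_hop"
  run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$WORKLOAD_SUBNET" --route-table RT-Firewall-Traffic
}

# Only query Azure when applying; in dry-run mode show a placeholder next hop.
if [ "${APPLY:-0}" = "1" ]; then
  next_hop=$(firewall_private_ip)
else
  next_hop="<firewall-private-ip>"
fi
allow_https_rule
allow_microsoft_docs_rule
route_workload_via_firewall "$next_hop"
```

Review the printed plan first: the route attaches to the named workload subnet only, so any other subnet that should egress through the firewall needs the same route table association, and the 0.0.0.0/0 route sends everything without a more specific route (including traffic to other VNets) through the firewall, which is usually what you want for inspection but must be matched by rules that allow that traffic.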

Conclusion

You have successfully deployed and configured Azure Firewall, set up basic network and application rules, and routed traffic through the firewall. This provides a fundamental layer of security for your Azure resources.