TABLE OF CONTENTS
1. Introduction to Azure Firewall
2. Configuration of Azure Firewall Service
3. Configuration of NAT Rules
4. Firewall Traffic Restrictions
5. Conclusion
6. Azure Firewall: Real-time Use Cases
7. CloudThat
8. FAQs

Enterprise organizations use firewalls to protect their private resources against malicious attacks from the Internet. This is done with the help of a set of firewall rules.
This article will show you how to configure Azure Firewall and create different firewall rules.
1. Introduction to Azure Firewall
Azure Firewall is a managed, stateful firewall service from Azure with built-in high availability. Because it is stateful, it tracks connections and decides which packets of traffic to allow and which to deny. It also includes threat intelligence-based filtering, which can block traffic to or from known malicious domains and IP addresses. For higher availability, we can deploy an Azure Firewall across multiple Availability Zones. Traffic can also be filtered based on fully qualified domain names (FQDNs).
2. Configuration of Azure Firewall Service
First, we create a Windows VM of any size we choose, without a public IP.
Then we create a subnet named “AzureFirewallSubnet” in the same VNet. This subnet will host the Azure Firewall service.
Now we search the Azure Portal for Firewall and enter the required details as shown in the image below.
The location must be the same as that of the virtual network in which we created our “AzureFirewallSubnet”.
For the tier, we select Standard.
As part of the Firewall, we create many rules; the Firewall Policy is used to manage these.
So, we create a firewall policy like the one shown below in the same area.
Select the option “Existing Virtual network” and choose the VNet from the dropdown.
An error is displayed if the virtual network does not contain an AzureFirewallSubnet.
Create a new public IP address, then click Create.
After creation, the Firewall is assigned a private IP address for communication with resources inside the virtual network and a public IP address for communication with the internet.
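The same deployment can be scripted with the Azure CLI. The script below is an added example and is not code from the original article; it assumes the Azure CLI with the azure-firewall extension and a logged-in session, and every resource name, region and address range in it is an assumption rather than a value from the article. It also includes an offline pre-flight check for the two requirements the portal enforces on the firewall subnet: the exact name AzureFirewallSubnet and a prefix of /26 or larger.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): deploys the Azure Firewall
# described in section 2 with the Azure CLI. Assumes `az login` has been run
# and the azure-firewall extension is installed. Resource names, the region
# and the address ranges below are assumptions, not values from the article.
set -e

RG="azfw-demo-rg"                # assumed resource group name
LOC="eastus"                     # assumed region; VNet and Firewall must share it
VNET="azfw-demo-vnet"
WORKLOAD_SUBNET="workload-subnet"
FW_SUBNET="AzureFirewallSubnet"  # this exact name is required by Azure Firewall
FW_SUBNET_PREFIX="10.0.2.0/26"   # Azure requires at least a /26 for this subnet
VM="demo-vm"
POLICY="azfw-demo-policy"
PIP="azfw-demo-pip"
FW="azfw-demo"

# Pre-flight check that runs offline: the firewall subnet must be named
# AzureFirewallSubnet and be a /26 or larger, otherwise creation fails.
check_firewall_subnet() {
    name="$1"
    prefix="$2"
    bits="${prefix##*/}"
    [ "$name" = "AzureFirewallSubnet" ] || return 1
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;   # no "/length" suffix, or not numeric
    esac
    [ "$bits" -le 26 ]
}

deploy_firewall() {
    check_firewall_subnet "$FW_SUBNET" "$FW_SUBNET_PREFIX"

    az group create --name "$RG" --location "$LOC" --output none

    # VNet with a workload subnet for the VM and the dedicated firewall subnet
    az network vnet create --resource-group "$RG" --name "$VNET" \
        --address-prefix 10.0.0.0/16 \
        --subnet-name "$WORKLOAD_SUBNET" --subnet-prefix 10.0.1.0/24 --output none
    az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name "$FW_SUBNET" --address-prefixes "$FW_SUBNET_PREFIX" --output none

    # Windows VM with no public IP: --public-ip-address "" suppresses it.
    # Credentials come from the environment so they never sit in the script.
    az vm create --resource-group "$RG" --name "$VM" \
        --image Win2022Datacenter --size Standard_B2s \
        --vnet-name "$VNET" --subnet "$WORKLOAD_SUBNET" \
        --public-ip-address "" \
        --admin-username "${VM_ADMIN_USER:?}" --admin-password "${VM_ADMIN_PASSWORD:?}" \
        --output none

    # Firewall policy (Standard tier) that will hold the DNAT/network/application rules
    az network firewall policy create --resource-group "$RG" --name "$POLICY" \
        --sku Standard --output none

    # Standard, static public IP for the firewall's internet-facing side
    az network public-ip create --resource-group "$RG" --name "$PIP" \
        --sku Standard --allocation-method Static --output none

    az network firewall create --resource-group "$RG" --name "$FW" \
        --sku AZFW_VNet --tier Standard --firewall-policy "$POLICY" --output none
    # The IP configuration places the firewall in AzureFirewallSubnet and gives
    # it its private (VNet-side) and public (internet-side) addresses.
    az network firewall ip-config create --resource-group "$RG" --firewall-name "$FW" \
        --name fw-config --public-ip-address "$PIP" --vnet-name "$VNET" --output none

    echo "Firewall private IP: $(az network firewall ip-config list \
        --resource-group "$RG" --firewall-name "$FW" \
        --query '[0].privateIpAddress' --output tsv)"
}

# Run as: VM_ADMIN_USER=... VM_ADMIN_PASSWORD=... ./deploy-azfw.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy_firewall
fi
```

The private IP printed at the end is the one the route table in section 4 will point at; the public IP of the firewall becomes the destination of the DNAT rule in section 3.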
3. Configuration of NAT rules
This section shows how to add a Firewall rule for your VM. It lets you log in to the VM through the Firewall's public IP, so the VM itself does not need a public IP.
To do this, we navigate to the firewall policy and select DNAT rules.
These are Destination Network Address Translation rules that allow us to connect to the VM.
Please enter the values shown in the image below.
We need to give details such as: source type = IP address; source = our own IP address (in my case, my laptop); protocol = TCP; the destination port can be any port of our choosing.
For the destination, we provide the public IP address of our Firewall. The translated address is the private IP address of our VM, and the translated port is 3389 (RDP). When done, click Add.
As you can see, RDP to the VM now works using the Firewall's public IP and the chosen destination port.
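The same DNAT rule created with the Azure CLI, as an added example that is not part of the original article. It assumes the firewall policy from section 2 already exists, the azure-firewall extension and a logged-in session; the addresses are constructed documentation values and the collection and group names are assumptions. It also carries an offline check that the rule is scoped to one source address or range rather than to any source, which is the property that keeps a DNAT rule from exposing RDP to the whole internet.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): creates the DNAT rule from
# section 3 in a firewall policy with the Azure CLI (azure-firewall extension,
# logged-in session assumed). All names and addresses are assumptions.
set -e

RG="azfw-demo-rg"
POLICY="azfw-demo-policy"
RCG="dnat-rcg"               # assumed rule collection group name
COLLECTION="rdp-dnat"        # assumed NAT rule collection name

MY_IP="203.0.113.10"         # constructed: the administrator's own public IP (source)
FW_PUBLIC_IP="198.51.100.20" # constructed: the Firewall's public IP (destination)
DEST_PORT="50000"            # any free port on the firewall's public IP
VM_PRIVATE_IP="10.0.1.4"     # constructed: the VM's private IP (translated address)
VM_PORT="3389"               # RDP on the VM (translated port)

# Offline sanity check for a DNAT rule: the source must be a specific address
# or range rather than "any", the protocol TCP and the translated port RDP, so
# the rule exposes one service to one known client, not to the whole internet.
check_dnat_rule() {
    source="$1"; proto="$2"; translated_port="$3"
    case "$source" in
        ''|'*'|0.0.0.0/0|0.0.0.0) return 1 ;;
    esac
    [ "$proto" = "TCP" ] || return 1
    [ "$translated_port" = "3389" ]
}

create_dnat_rule() {
    check_dnat_rule "$MY_IP" TCP "$VM_PORT"

    # A rule collection group holds rule collections; its priority is unique per policy
    az network firewall policy rule-collection-group create \
        --resource-group "$RG" --policy-name "$POLICY" --name "$RCG" --priority 100 --output none

    # The DNAT rule: inbound MY_IP -> FW_PUBLIC_IP:DEST_PORT is rewritten to VM_PRIVATE_IP:3389
    az network firewall policy rule-collection-group collection add-nat-collection \
        --resource-group "$RG" --policy-name "$POLICY" --rcg-name "$RCG" \
        --name "$COLLECTION" --collection-priority 100 --action DNAT \
        --rule-name allow-rdp-from-admin --ip-protocols TCP \
        --source-addresses "$MY_IP" \
        --destination-addresses "$FW_PUBLIC_IP" --destination-ports "$DEST_PORT" \
        --translated-address "$VM_PRIVATE_IP" --translated-port "$VM_PORT" --output none

    echo "RDP target: ${FW_PUBLIC_IP}:${DEST_PORT} -> ${VM_PRIVATE_IP}:${VM_PORT} (from ${MY_IP} only)"
}

# Run as: ./dnat-rule.sh create
if [ "${1:-}" = "create" ]; then
    create_dnat_rule
fi
```

After the rule is in place, the Remote Desktop client is pointed at the Firewall's public IP and the chosen destination port (here 198.51.100.20:50000); the Firewall rewrites the connection to the VM's private address on port 3389. Because the rule's source is a single address, the same connection attempt from any other address is dropped at the Firewall.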
4. Firewall Traffic Restrictions
By default, traffic from a VM to the internet is allowed. To restrict internet-bound traffic from VMs, it has to pass through the Firewall. We set this up below.
To do this, we route traffic from the VM to the Firewall via a Route Table.
We create a Route Table in the same region as our virtual network.
Under Subnets in the route table settings, associate the subnet of the VNet in which our demo VM is located.
Next, we look at Routes and add an entry like the one below. It states that traffic to the internet must be routed to the Azure Firewall via its private IP address.
Once the route is set up, we can access URLs from the VM through the Firewall.
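The route table step done with the Azure CLI, as an added example that is not code from the original article. It assumes the VNet, firewall and policy from the earlier sections, the azure-firewall extension and a logged-in session; the names, the firewall's private IP and the allowed FQDN are assumptions. It goes one step beyond the article: because Azure Firewall denies any traffic that no rule explicitly allows, the script also adds an application rule that permits a single FQDN over HTTP and HTTPS, which is the form the "restriction" actually takes once the default route points at the firewall.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): forces the VM subnet's
# internet traffic through the Firewall with a route table (section 4) and,
# going one step beyond the article, adds an application rule that allows one
# FQDN, because Azure Firewall denies traffic that no rule allows. Assumes the
# Azure CLI with the azure-firewall extension and a logged-in session; names,
# addresses and the allowed FQDN are assumptions.
set -e

RG="azfw-demo-rg"
LOC="eastus"                        # assumed region; must match the VNet
VNET="azfw-demo-vnet"
WORKLOAD_SUBNET="workload-subnet"
WORKLOAD_PREFIX="10.0.1.0/24"
RT="workload-to-firewall-rt"        # assumed route table name
POLICY="azfw-demo-policy"
RCG="app-rcg"                       # assumed rule collection group name
FW_PRIVATE_IP="10.0.2.4"            # constructed: the Firewall's private IP
ALLOWED_FQDN="www.microsoft.com"    # assumed allow-listed destination

# Offline check of a route entry: only a default route (0.0.0.0/0) whose next
# hop is a virtual appliance at the firewall's private IP sends every
# internet-bound packet through the firewall.
check_default_route() {
    prefix="$1"; hop_type="$2"; hop_ip="$3"; fw_ip="$4"
    [ "$prefix" = "0.0.0.0/0" ] || return 1
    [ "$hop_type" = "VirtualAppliance" ] || return 1
    [ "$hop_ip" = "$fw_ip" ]
}

route_through_firewall() {
    check_default_route 0.0.0.0/0 VirtualAppliance "$FW_PRIVATE_IP" "$FW_PRIVATE_IP"

    az network route-table create --resource-group "$RG" --name "$RT" \
        --location "$LOC" --output none
    az network route-table route create --resource-group "$RG" --route-table-name "$RT" \
        --name default-to-firewall --address-prefix 0.0.0.0/0 \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP" --output none
    # Associate the route table with the subnet that holds the demo VM
    az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
        --name "$WORKLOAD_SUBNET" --route-table "$RT" --output none

    # Allow only the listed FQDN over HTTP/HTTPS from the workload subnet;
    # any other web destination that now reaches the firewall is dropped.
    az network firewall policy rule-collection-group create \
        --resource-group "$RG" --policy-name "$POLICY" --name "$RCG" --priority 200 --output none
    az network firewall policy rule-collection-group collection add-filter-collection \
        --resource-group "$RG" --policy-name "$POLICY" --rcg-name "$RCG" \
        --name allow-web --collection-priority 200 --action Allow \
        --rule-type ApplicationRule --rule-name "allow-$ALLOWED_FQDN" \
        --source-addresses "$WORKLOAD_PREFIX" --target-fqdns "$ALLOWED_FQDN" \
        --protocols Http=80 Https=443 --output none

    echo "Subnet $WORKLOAD_SUBNET routes 0.0.0.0/0 via $FW_PRIVATE_IP; only $ALLOWED_FQDN is allowed"
}

# Run as: ./route-through-firewall.sh apply
if [ "${1:-}" = "apply" ]; then
    route_through_firewall
fi
```

A quick way to confirm the restriction from the VM is to open the allowed FQDN in a browser and then any other site: the first loads, the second is blocked by the Firewall, and both decisions show up in the Firewall's application rule log once diagnostics are enabled on it.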