
ANDREW ARIGU AYUBA

HOW TO CREATE AND CONFIGURE AZURE FIREWALL

Azure Firewall is a cloud-native, managed network security service provided by Microsoft Azure. It helps protect your Azure Virtual Network resources by controlling both inbound and outbound network traffic based on configured rules.

Key Features of Azure Firewall

Stateful Traffic Inspection
Tracks the state of each connection, so return traffic for sessions that were allowed is recognized while unsolicited or out-of-state packets are dropped.
Built-in High Availability and Scalability
Azure Firewall is highly available out of the box and can scale automatically based on traffic load.
Centralized Policy Management
You can manage network and application rules across multiple subscriptions and virtual networks.
Threat Intelligence-Based Filtering
Integrates with Microsoft threat intelligence to allow or deny traffic from known malicious IPs or domains.
Application FQDN Filtering Rules
You can create rules based on fully qualified domain names (FQDNs), not just IP addresses.
Network Traffic Logging and Analytics
Integration with Azure Monitor, Log Analytics, and Event Hubs for logging and diagnostics.
DNS Proxy and Filtering
Azure Firewall can act as a DNS proxy and filter DNS queries.
Support for Hybrid Connections
Works with on-premises environments using VPN or ExpressRoute.

Scenario

Your organization requires centralized network security for the application virtual network. As application usage increases, more granular application-level filtering and advanced threat protection will be needed. The application is also expected to need continuous updates from Azure DevOps pipelines.

You identify these requirements.

  1. Azure Firewall is required for additional security in the app-vnet.
  2. A firewall policy should be configured to help manage access to the application.
  3. A firewall policy application rule is required. This rule will allow the application access to Azure DevOps so the application code can be updated.
  4. A firewall policy network rule is required. This rule will allow DNS resolution.

Skilling tasks

Create an Azure Firewall.
Create and configure a firewall policy.
Create an application rule collection.
Create a network rule collection.

Architecture diagram


STEPS ON CREATING AZURE FIREWALL

STEP 1: Create Azure Firewall subnet in our existing virtual network.

In the search box at the top of the portal, enter Virtual networks and select Virtual networks in the search results.


Select app-vnet


STEP 2: Select Subnets and click + Subnet.

Enter these settings:
Subnet purpose: Azure Firewall
Name: AzureFirewallSubnet
Starting address: 10.1.63.0
Click Add after entering these settings.


STEP 3: Search for and select Firewall


Select + Create and enter these settings:

Name: app-vnet-firewall
Resource group: your resource group
Firewall SKU: Standard
Firewall management: Use a Firewall Policy to manage this firewall
Firewall policy: Add new
Policy name: policyastra
Region: East US
Policy tier: Standard
Choose a virtual network: Use existing
Virtual network: app-vnet
Public IP address: Add new, named ipastra
Click Review + create when configured, then click Create and wait for the deployment to complete.


STEP 4: Search for and select Firewall Policies


Select policyastra


Under Rules, select Application rules and then Add a rule collection.


Configure the application rule collection and its rule, then select Add:
Name: app-vnet-fw-rule-collection
Rule collection type: Application
Priority: 200
Rule collection action: Allow
Rule collection group: DefaultApplicationRuleCollectionGroup
Rule name: AllowAzurePipelines
Source type: IP address
Source: 10.1.0.0/23
Protocol: https
Destination type: FQDN
Destination: dev.azure.com, azure.microsoft.com


NOTE:

The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.

Add a Network Rule

In the Settings blade, select Network rules and then Add a rule collection.


Configure the network rule collection and its rule, then select Add:

Name: app-vnet-fw-nrc-dns
Rule collection type: Network
Priority: 200
Rule collection action: Allow
Rule collection group: DefaultNetworkRuleCollectionGroup
Rule name: AllowDns
Source: 10.1.0.0/23
Protocol: UDP
Destination ports: 53
Destination addresses: 1.1.1.1, 1.0.0.1
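The same deployment expressed as a Bicep template, added here as an example; it is not part of the original post and not Microsoft's own sample code. It assumes deployment into the resource group that already holds app-vnet, a /26 prefix for AzureFirewallSubnet (the post gives only the starting address 10.1.63.0, and /26 is the smallest subnet Azure Firewall accepts), the Standard SKU chosen in STEP 3, and the priorities the portal assigns to its default rule collection groups (network 200, application 300). Names, addresses, ports and FQDNs are taken from the steps above.

```bicep
// Added example (not from the post): Azure Firewall, policy and the two rule
// collections from STEPS 1-4 as infrastructure-as-code.
param location string = 'eastus'
param appSourcePrefix string = '10.1.0.0/23' // the application subnet range from the post

// STEP 1-2: the firewall needs a dedicated subnet literally named AzureFirewallSubnet.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = { name: 'app-vnet' }
resource firewallSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'AzureFirewallSubnet'
  properties: { addressPrefix: '10.1.63.0/26' } // assumption: /26 starting at the post's 10.1.63.0
}

// STEP 3: Standard-SKU public IP, a policy-managed firewall and the policy itself.
resource publicIp 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'ipastra'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'policyastra'
  location: location
  // threatIntelMode Alert logs traffic matching Microsoft's threat-intelligence feed
  properties: { sku: { tier: 'Standard' }, threatIntelMode: 'Alert' }
}
resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'app-vnet-firewall'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: policy.id }
    ipConfigurations: [
      {
        name: 'ipastra'
        properties: { subnet: { id: firewallSubnet.id }, publicIPAddress: { id: publicIp.id } }
      }
    ]
  }
}

// STEP 4 (application rule): HTTPS from the app subnet to the two FQDNs only.
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300 // portal default for this group (assumption)
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-vnet-fw-rule-collection'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'AllowAzurePipelines'
            sourceAddresses: [ appSourcePrefix ]
            protocols: [ { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'dev.azure.com', 'azure.microsoft.com' ]
          }
        ]
      }
    ]
  }
}

// STEP 4 (network rule): UDP/53 from the app subnet to the two listed resolvers.
resource netRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultNetworkRuleCollectionGroup'
  dependsOn: [ appRules ] // rule collection groups of one policy must be written one at a time
  properties: {
    priority: 200 // portal default for this group (assumption)
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-vnet-fw-nrc-dns'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'AllowDns'
            ipProtocols: [ 'UDP' ]
            sourceAddresses: [ appSourcePrefix ]
            destinationAddresses: [ '1.1.1.1', '1.0.0.1' ]
            destinationPorts: [ '53' ]
          }
        ]
      }
    ]
  }
}
```

Deploy it with `az deployment group create --resource-group <your-resource-group> --template-file firewall.bicep`. The `dependsOn` between the two rule collection groups is deliberate: concurrent writes to the same firewall policy are rejected, so the groups are created sequentially. The two collections may both use priority 200 because each lives in its own group, and Azure Firewall evaluates network rules before application rules in any case, so the DNS rule is matched before the FQDN rule is consulted.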


Verify the firewall and firewall policy status

Search for and select Firewalls. View app-vnet-firewall and ensure the Provisioning state is Succeeded.


In the portal, search for and select Firewall policies. View policyastra and ensure the Provisioning state is Succeeded.


This exercise builds on previous work by adding an Azure Firewall to control outbound traffic in your virtual network. A centralized firewall is now in place, enabling secure, policy-driven control of traffic in Azure.
