Start preparing for your Next Exam | Use coupon – TOGETHER | Avail 30% discount

Deploy and configure Azure Firewall using Azure Portal

  1. Home
  3. Deploy and configure Azure Firewall using Azure Portal

Go back to Tutorial

In this tutorial, we will learn about setting up a test network environment, deploy and configure azure firewall. And, we will also understand about configure an application rule to allow access to www.google.com and a network rule to allow access to external DNS servers including testing the firewall.

However, controlling outbound network access is an important part of an overall network security plan. One way you can control outbound network access from an Azure subnet is with Azure Firewall. With Azure Firewall, you can configure:

  • Firstly, application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Secondly, network rules that define source address, protocol, destination port, and destination address.

Next, for production deployments, a hub and spoke model is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.

  • AzureFirewallSubnet – the firewall is in this subnet.
  • Workload-SN – the workload server is in this subnet. This subnet’s network traffic goes through the firewall.
Deploy and configure Azure Firewall using Azure Portal
Image Source: Microsoft

Create a resource group

  • Firstly, sign in to the Azure portal at https://portal.azure.com.
  • Then, on the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Add.
  • Thirdly, for Resource group name, enter Test-FW-RG.
  • And, for Subscription, select your subscription.
  • Next, for Resource group location, select a location. All other resources that you create must be in the same location.
  • Lastly, select Create.
Deploy and configure Azure Firewall AZ-104 practice tests

Create a VNet

  • Firstly, on the Azure portal menu or from the Home page, select Create a resource.
  • Secondly, select Networking > Virtual network.
  • Then, for Subscription, select your subscription. and, for Resource group, select Test-FW-RG.
  • Next, for Name, type Test-FW-VN. And, for Region, select the same location that you used previously.
  • After that, select Next: IP addresses.
  • Then, for IPv4 Address space, type 10.0.0.0/16.
  • Under Subnet, select default.
  • For Subnet name type AzureFirewallSubnet. Here, the firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.
  • For Address range, type 10.0.1.0/26.
  • Then, select Save.

Next, create a subnet for the workload server.

  • First Select Add subnet.
  • Then, for Subnet name, type Workload-SN.
  • And, for Subnet address range, type 10.0.2.0/24.
  • Then, select Add.
  • Select Review + create.
  • Lastly, select Create.

Create a virtual machine

  • Firstly, on the Azure portal menu or from the Home page, select Create a resource.
  • Secondly, select Compute and then select Virtual machine. And, Windows Server 2016 Datacenter in the Featured list.
  • Then, enter values for the virtual machine.
  • After that, under Inbound port rules, Public inbound ports, select None. And, accept the other defaults and select Next: Disks.
  • Then, accept the disk defaults and select Next: Networking.
  • Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.
  • Then, for Public IP, select None. And, accept the other defaults and select Next: Management.
  • Select Off to disable boot diagnostics. Accept the other defaults and select Review + create.
  • Lastly, review the settings on the summary page, and then select Create.

Deploy the firewall

  • On the Azure portal menu or from the Home page, select Create a resource.
  • Type firewall in the search box and press Enter.
  • Select Firewall and then select Create.
  • On the Create a Firewall page, use the following table to configure the firewall:
deploy firewall
Image Source: Microsoft
  • Then, select Review + create. And, Review the summary, and then select Create to create the firewall.
  • After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.

Configure an application rule

  • Firstly, Open the Test-FW-RG, and select the Test-FW01 firewall.
  • On the Test-FW01 page, under Settings, select Rules.
  • Then, Select the Application rule collection tab. And there, Select Add application rule collection.
  • Next, For Name, type App-Coll01. And, For Priority, type 200.
  • For Action, select Allow.
  • Under Rules, Target FQDNs, for Name, type Allow-Google.
  • Then, For Source type, select IP address. And, For Source, type 10.0.2.0/24.
  • For Protocol:port, type http, https.
  • For Target FQDNS, type www.google.com
  • Lastly, Select Add.

Configure a network rule

  • Select the Network rule collection tab.
  • Select Add network rule collection.
  • For Name, type Net-Coll01.
  • For Priority, type 200.
  • For Action, select Allow.
  • Under Rules, IP addresses, for Name, type Allow-DNS.
  • For Protocol, select UDP.
  • For Source type, select IP address.
  • For Source, type 10.0.2.0/24.
  • For Destination type select IP address.
  • For Destination address, type 209.244.0.3,209.244.0.4
  • These are public DNS servers operated by CenturyLink.
  • For Destination Ports, type 53.
  • Select Add.

Test the firewall

  • Firstly, connect a remote desktop to firewall public IP address and sign in to the Srv-Work virtual machine.
  • Then, open Internet Explorer and browse to https://www.google.com.
  • Thirdly, select OK > Close on the Internet Explorer security alerts. There, you should see the Google home page.
  • Lastly, nrowse to https://www.microsoft.com. Here, you should be blocked by the firewall.
Deploy and configure Azure Firewall AZ-104 online course

Reference: Microsoft Documentation

Go back to Tutorial

Menu