Deploy and configure Azure Firewall


This tutorial guides you through deploying and configuring Azure Firewall. Controlling outbound network access is a critical part of a comprehensive network security strategy. You might, for example, want to restrict access to certain websites, or to limit which outbound IP addresses and ports can be reached.

Set up the network

To begin, create a resource group to hold the resources required for the firewall deployment. Then create a VNet, subnets, and a test server.

Creating a resource group

All of the tutorial’s resources are housed in the resource group.

  1. Sign in to the Azure portal.
  2. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Add.
  3. For Resource group name, enter Test-FW-RG.
  4. For Subscription, select your subscription.
  5. For Resource group location, select a location. All other resources that you create must be in the same location.
  6. Select Create.

Deploy the firewall

Deploy the firewall into the VNet.

  1. On the Azure portal menu or from the Home page, select Create a resource.
  2. Type firewall in the search box and press Enter.
  3. Select Firewall and then select Create.
  4. On the Create a Firewall page, use the following table to configure the firewall:
     Setting                    Value
     Subscription               <your subscription>
     Resource group             Test-FW-RG
     Name                       Test-FW01
     Location                   Select the same location that you used previously
     Choose a virtual network   Use existing: Test-FW-VN
     Public IP address          Add new; Name: fw-pip
  5. Select Review + create.
  6. Review the summary, and then select Create to create the firewall. This will take a few minutes to deploy.
  7. After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.
  8. Note the firewall private and public IP addresses. You’ll use these addresses later.

Creating a default route

Configure the outbound default route for the Workload-SN subnet to go via the firewall.

  1. On the Azure portal menu, select All services or search for and select All services from any page.
  2. Under Networking, select Route tables.
  3. Select Add.
  4. For Name, type Firewall-route.
  5. For Subscription, select your subscription.
  6. For Resource group, select Test-FW-RG.
  7. For Location, select the same location that you used previously.
  8. Select Create.
  9. Select Refresh, and then select the Firewall-route route table.
  10. Select Subnets and then select Associate.
  11. Select Virtual network > Test-FW-VN.
  12. For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route, otherwise your firewall won’t work correctly.
  13. Select OK.
  14. Select Routes and then select Add.
  15. For Route name, type fw-dg.
  16. For Address prefix, type 0.0.0.0/0.
  17. For Next hop type, select Virtual appliance. Azure Firewall is actually a managed service, but virtual appliance works in this situation.
  18. For Next hop address, type the private IP address for the firewall that you noted previously.
  19. Select OK.
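The warning in step 12 matters because of how Azure selects a route: the most specific prefix wins, and on a tie a user-defined route beats a system route, so the 0.0.0.0/0 route fw-dg overrides the system Internet route but not the VNet route. The following script is an added example (not Azure or Microsoft code) that models that selection for the Workload-SN subnet; the VNet address space, the AzureFirewallSubnet prefix and the firewall private IP are constructed placeholders, since the page only gives the Workload-SN prefix 10.0.2.0/24.

```python
"""Route selection for the Workload-SN subnet after the Firewall-route table is
associated with it. Added example, not Azure code. Azure picks the most specific
matching prefix and, on a tie, a user-defined route beats a system route."""
import ipaddress

VNET_SPACE = "10.0.0.0/16"   # assumed address space of Test-FW-VN (not given on the page)
FW_PRIVATE_IP = "10.0.1.4"   # placeholder for the firewall private IP noted in step 8
FW_SUBNET = "10.0.1.0/26"    # assumed AzureFirewallSubnet prefix
WORKLOAD_SN = "10.0.2.0/24"  # Workload-SN, as given on the page

# (prefix, next hop type, next hop address, origin)
# The first two are system routes every subnet gets; the third is the fw-dg route.
ROUTES = [
    (VNET_SPACE, "VirtualNetwork", None, "system"),
    ("0.0.0.0/0", "Internet", None, "system"),
    ("0.0.0.0/0", "VirtualAppliance", FW_PRIVATE_IP, "user"),
]


def next_hop(dst: str, routes=ROUTES):
    """Return (next hop type, next hop address) chosen for a destination address."""
    ip = ipaddress.ip_address(dst)
    matching = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    # longest prefix wins; among equal prefixes the user-defined route wins
    best = max(matching, key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, r[3] == "user"))
    return best[1], best[2]


def association_is_safe(subnet_prefix: str) -> bool:
    """The route table must only be associated with Workload-SN. Attached to the subnet
    that holds the firewall itself, the firewall's own egress to the Internet would be
    routed back to the firewall address and never leave the VNet."""
    subnet = ipaddress.ip_network(subnet_prefix)
    hop_type, hop_addr = next_hop("198.51.100.1")  # any Internet destination
    return not (hop_type == "VirtualAppliance" and ipaddress.ip_address(hop_addr) in subnet)


if __name__ == "__main__":
    print("Workload-SN -> 8.8.8.8:", next_hop("8.8.8.8"))       # sent to the firewall
    print("Workload-SN -> 10.0.3.5:", next_hop("10.0.3.5"))     # stays inside the VNet
    print("associate with Workload-SN:", association_is_safe(WORKLOAD_SN))
    print("associate with AzureFirewallSubnet:", association_is_safe(FW_SUBNET))
```

Traffic from Workload-SN to any Internet address is handed to the firewall, while traffic to other subnets in the VNet still follows the system VirtualNetwork route; the check at the end shows why the table must not be associated with the firewall's own subnet.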

Configuring an application rule

This application rule allows outbound access from the 10.0.2.0/24 subnet to www.google.com.

  1. Open the Test-FW-RG, and select the Test-FW01 firewall.
  2. On the Test-FW01 page, under Settings, select Rules.
  3. Select the Application rule collection tab.
  4. Select Add application rule collection.
  5. For Name, type App-Coll01.
  6. For Priority, type 200.
  7. For Action, select Allow.
  8. Under Rules > Target FQDNs, for Name, type Allow-Google.
  9. For Source type, select IP address.
  10. For Source, type 10.0.2.0/24.
  11. For Protocol:port, type http, https.
  12. For Target FQDNs, type www.google.com.
  13. Select Add.

Configure a network rule

This network rule allows outbound DNS (UDP port 53) to two external IP addresses.

  1. Select the Network rule collection tab.
  2. Select Add network rule collection.
  3. For Name, type Net-Coll01.
  4. For Priority, type 200.
  5. For Action, select Allow.
  6. Under Rules > IP addresses, for Name, type Allow-DNS.
  7. For Protocol, select UDP.
  8. For Source type, select IP address.
  9. For Source, type 10.0.2.0/24.
  10. For Destination type, select IP address.
  11. For Destination address, type 209.244.0.3,209.244.0.4. These are public DNS servers operated by CenturyLink.
  12. For Destination Ports, type 53.
  13. Select Add.

Configure a DNAT rule

This rule lets you connect with Remote Desktop to the Srv-Work virtual machine through the firewall.

  1. Select the NAT rule collection tab.
  2. Select Add NAT rule collection.
  3. For Name, type rdp.
  4. For Priority, type 200.
  5. Under Rules, for Name, type rdp-nat.
  6. For Protocol, select TCP.
  7. For Source type, select IP address.
  8. For Source, type *.
  9. For Destination address, type the firewall public IP address.
  10. For Destination Ports, type 3389.
  11. For Translated address, type the Srv-Work private IP address.
  12. For Translated port, type 3389.
  13. Select Add.

Test the firewall

Now test the firewall to make sure it’s working properly.

  1. Connect a remote desktop to firewall public IP address and sign in to the Srv-Work virtual machine.
  2. Open Internet Explorer and browse to https://www.google.com.
  3. Select OK > Close on the Internet Explorer security alerts. You should see the Google home page.
  4. Browse to https://www.microsoft.com. You should be blocked by the firewall.

So now you’ve verified that the firewall rules are working:

  • You can browse to the one allowed FQDN, but not to any others.
  • You can resolve DNS names using the configured external DNS server.
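The results above follow from the order in which Azure Firewall processes classic rules: DNAT rule collections first, then network rule collections, then application rule collections, lower priority numbers first, first match wins, and anything unmatched is dropped; application rules are only consulted for HTTP/HTTPS. The script below is an added example (not Microsoft code) that models the three collections exactly as entered in the application, network and DNAT sections and evaluates the test flows from this section plus a few a practitioner would add. The firewall public IP and the Srv-Work private IP are constructed placeholders.

```python
"""Rule processing for the firewall configured in this tutorial. Added example, not
Microsoft code. Order modelled: DNAT, then network, then application rule collections;
within a type lower priority numbers first; first match wins; unmatched traffic is
dropped; application rules apply to HTTP/HTTPS only. Public IP and Srv-Work address
are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

FW_PUBLIC_IP = "203.0.113.10"   # placeholder for fw-pip, noted in step 8 of the deployment
SRV_WORK_IP = "10.0.2.4"        # placeholder for the Srv-Work private IP (inside Workload-SN)


@dataclass(frozen=True)
class Flow:
    src: str      # source IP
    dst: str      # destination IP, or the requested FQDN for HTTP/HTTPS
    proto: str    # "TCP", "UDP", "HTTP" or "HTTPS"
    dport: int


# The three rule collections as the tutorial enters them in the portal.
NAT_RULES = [dict(coll="rdp", prio=200, name="rdp-nat", proto="TCP", src=["*"],
                  dst=[FW_PUBLIC_IP], dport=3389, translated=(SRV_WORK_IP, 3389))]
NET_RULES = [dict(coll="Net-Coll01", prio=200, action="Allow", name="Allow-DNS", proto="UDP",
                  src=["10.0.2.0/24"], dst=["209.244.0.3", "209.244.0.4"], dport=53)]
APP_RULES = [dict(coll="App-Coll01", prio=200, action="Allow", name="Allow-Google",
                  src=["10.0.2.0/24"], fqdns=["www.google.com"],
                  ports={"HTTP": 80, "HTTPS": 443})]


def _matches(addr: str, prefixes) -> bool:
    """True if addr is covered by any prefix in the rule ('*' means any address)."""
    if "*" in prefixes:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _by_priority(rules):
    return sorted(rules, key=lambda r: r["prio"])


def evaluate(flow: Flow):
    """Return (verdict, matching rule or 'implicit-deny', translated destination or None)."""
    # 1. DNAT: inbound traffic to the firewall public IP. A match is translated and the
    #    translated traffic is allowed without a separate network rule.
    for r in _by_priority(NAT_RULES):
        if (r["proto"] == flow.proto and _matches(flow.src, r["src"])
                and _matches(flow.dst, r["dst"]) and flow.dport == r["dport"]):
            return "allow", f'{r["coll"]}/{r["name"]}', r["translated"]
    # 2. Network rules: layer 3/4 match on protocol, source, destination IP and port.
    for r in _by_priority(NET_RULES):
        if (r["proto"] == flow.proto and _matches(flow.src, r["src"])
                and _matches(flow.dst, r["dst"]) and flow.dport == r["dport"]):
            return r["action"].lower(), f'{r["coll"]}/{r["name"]}', None
    # 3. Application rules: HTTP/HTTPS only, matched on the requested FQDN.
    if flow.proto in ("HTTP", "HTTPS"):
        for r in _by_priority(APP_RULES):
            if (r["ports"].get(flow.proto) == flow.dport and _matches(flow.src, r["src"])
                    and flow.dst in r["fqdns"]):
                return r["action"].lower(), f'{r["coll"]}/{r["name"]}', None
    return "deny", "implicit-deny", None


if __name__ == "__main__":
    # The checks from "Test the firewall", plus a few more worth verifying.
    for f in [Flow(SRV_WORK_IP, "www.google.com", "HTTPS", 443),     # allowed FQDN
              Flow(SRV_WORK_IP, "www.microsoft.com", "HTTPS", 443),  # blocked FQDN
              Flow(SRV_WORK_IP, "209.244.0.3", "UDP", 53),           # allowed DNS server
              Flow(SRV_WORK_IP, "8.8.8.8", "UDP", 53),               # any other DNS server
              Flow("198.51.100.7", FW_PUBLIC_IP, "TCP", 3389),       # RDP via DNAT
              Flow("10.0.3.4", "www.google.com", "HTTPS", 443)]:     # source outside Workload-SN
        print(f, "->", evaluate(f))
```

Two points the model makes visible: a DNS query to any server other than the two listed in Allow-DNS is dropped by the implicit deny, and the application rule is scoped to the 10.0.2.0/24 source, so a VM in another subnet gets no access to www.google.com even if its subnet were routed through the firewall. The real service identifies the FQDN from the TLS SNI or HTTP Host header; the model simply takes it from the flow.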

Clean up resources

Keep your firewall resources for the next tutorial, or delete the Test-FW-RG resource group to remove all firewall-related resources if they are no longer needed.


Reference documentation – Tutorial: Deploy and configure Azure Firewall using the Azure portal
