Azure Firewall

Azure Firewall is Microsoft's fully managed, highly scalable, highly available firewall-as-a-service offering. In this blog post, we will discuss how to deploy and configure Azure Firewall. Azure Firewall filters the inbound and outbound traffic to and from an Azure virtual network.


Azure Firewall provides the following features:

  • Stateful firewall as a service
  • Built-in high availability with unrestricted cloud scalability
  • Ability to centrally create, enforce, and log application and network connectivity policies
  • Outbound source network address translation (SNAT) support
  • Inbound destination network address translation (DNAT) support
  • Fully integrated with Azure Monitor for logging and analytics
  • Supports hybrid connectivity via ExpressRoute and VPN

Azure Firewall Pricing 

  • Fixed fee: $1.25/firewall/hour
  • Variable fee: $0.03/GB processed by the firewall (ingress or egress).

Azure Firewall supports the following rules

Application and network rules are stored in a rule collection. A rule collection is a list of rules that share the same action (Allow or Deny) and priority; you can't mix Allow and Deny rules in a single rule collection. Network rule collections are always processed before application rule collections.

  • Application FQDN filtering rules – these rules help you limit outbound traffic to a specific set of FQDNs
  • Network traffic filtering rules – centrally create allow/deny network filtering rules
  • FQDN tags – allow traffic to well-known Microsoft online services, such as Windows Update
  • Outbound SNAT support – all outbound traffic can be NATed through the firewall's public IP
  • Inbound DNAT support – all inbound traffic can be filtered and translated to a private IP

The following configuration is used in this lab

  • A VNET with two subnets – one named AzureFirewallSubnet for Azure Firewall and another named Corp for workloads such as VMs
  • A Windows Server 2016 VM connected to the Corp subnet – VM IP 172.16.1.5
  • A route table associated with the Corp subnet that forwards all traffic to the Azure Firewall's IP

How to create an Azure Firewall

Creating an Azure Firewall is very straightforward: log on to the Azure portal and search for Firewall – All Services > Firewalls > Add

In this example we also create a VNET along with the firewall; however, you can use an existing VNET, provided it has a subnet named AzureFirewallSubnet.

Creation of an Azure Firewall

Once the firewall is created, you will find a public and a private IP assigned to it.

Firewall IP addresses – private and public

Now we will configure a DNAT rule to allow RDP access to a VM behind the firewall (the VM does not have a public IP address). With this rule in place, we connect to the firewall's public IP and the connection is translated to the VM's private IP – Firewall > Rules

Configure a route table to forward all traffic from the Corp subnet to the Azure Firewall's private IP – 172.16.0.4

Configured a route table to forward all traffic from the Corp subnet to the Azure Firewall's IP

Once the route table is associated with the VM subnet, the firewall rules kick in and, since no rule allows anything yet, there won't be any outbound internet access.

Access Denied 

To allow internet access, application rules need to be configured.

Configure application rules to allow access to specific URLs and Windows Update: select Rules > Application Rule Collection > Add Application Rule Collection

These rules only allow access to the Windows Update websites, Microsoft.com, Google.com and Github.com.

A network rule collection can allow or deny traffic between two different networks. In this example, I have enabled the AD (Active Directory) traffic between all the networks.
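The whole lab above (VNET with the two subnets, firewall, DNAT rule for RDP, application rules with the Windows Update FQDN tag, an AD network rule, and the route table that sends Corp traffic to the firewall) can be scripted with the Az PowerShell module instead of clicked through the portal. The script below is an added example and is not code from the original post. Resource names, the region, the subnet ranges (chosen so they contain the post's 172.16.1.5 and 172.16.0.4), the AD port list and the admin source address are assumptions or placeholders; only the VM IP, subnet names and allowed FQDNs come from the post.

```powershell
# Added example (not from the original post): the lab's portal steps with the Az module.
# Values marked "assumption"/"placeholder" are not from the post; change them for your environment.
$rg       = "fw-lab-rg"         # assumption: resource group (must already exist)
$location = "eastus"            # assumption: region
$vnetName = "fw-lab-vnet"       # assumption: VNET name
$fwName   = "fw-lab-firewall"   # assumption: firewall name
$vmIp     = "172.16.1.5"        # from the post: workload VM private IP
$corpCidr = "172.16.1.0/24"     # assumption: Corp subnet range containing 172.16.1.5
$fwCidr   = "172.16.0.0/24"     # assumption: AzureFirewallSubnet range containing 172.16.0.4
$adminIp  = "203.0.113.10/32"   # placeholder: the only source allowed to reach RDP through the DNAT rule

# 1. VNET with the two subnets. The firewall subnet must be named exactly AzureFirewallSubnet.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix $fwCidr
$corpSubnet = New-AzVirtualNetworkSubnetConfig -Name "Corp" -AddressPrefix $corpCidr
$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg -Location $location `
    -AddressPrefix "172.16.0.0/16" -Subnet $fwSubnet, $corpSubnet

# 2. Static Standard-SKU public IP and the firewall itself; note the private IP for the route table.
$pip = New-AzPublicIpAddress -Name "$fwName-pip" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name $fwName -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress   # 172.16.0.4 in the post's lab

# 3. DNAT rule collection: RDP to the firewall's public IP is translated to the VM's private IP.
#    The source is one admin address rather than "*", so the VM's RDP port is not reachable from
#    the whole internet; widen it only if the lab really needs that.
$natRule = New-AzFirewallNatRule -Name "RDP-to-VM" -Protocol "TCP" -SourceAddress $adminIp `
    -DestinationAddress $pip.IpAddress -DestinationPort "3389" `
    -TranslatedAddress $vmIp -TranslatedPort "3389"
$natColl = New-AzFirewallNatRuleCollection -Name "DNAT-RDP" -Priority 100 -Rule $natRule
$fw.AddNatRuleCollection($natColl)

# 4. Application rule collection: the FQDNs named in the post plus the WindowsUpdate FQDN tag.
#    One collection carries one action (Allow here); Deny rules would need a separate collection.
$appFqdn = New-AzFirewallApplicationRule -Name "Allow-named-sites" -SourceAddress $corpCidr `
    -TargetFqdn "www.microsoft.com", "www.google.com", "github.com" -Protocol "Http:80", "Https:443"
$appWu = New-AzFirewallApplicationRule -Name "Allow-Windows-Update" -SourceAddress $corpCidr `
    -FqdnTag "WindowsUpdate"
$appColl = New-AzFirewallApplicationRuleCollection -Name "Allow-Web" -Priority 200 `
    -ActionType Allow -Rule $appFqdn, $appWu
$fw.AddApplicationRuleCollection($appColl)

# 5. Network rule collection for Active Directory traffic inside the VNET (assumed ranges and
#    a common AD port list). Network rule collections are evaluated before application rules.
$adPorts = "53", "88", "135", "389", "445", "464", "636", "3268", "3269", "49152-65535"
$adRule = New-AzFirewallNetworkRule -Name "Allow-AD" -Protocol "TCP", "UDP" `
    -SourceAddress "172.16.0.0/16" -DestinationAddress "172.16.0.0/16" -DestinationPort $adPorts
$netColl = New-AzFirewallNetworkRuleCollection -Name "Allow-AD-Internal" -Priority 300 `
    -ActionType Allow -Rule $adRule
$fw.AddNetworkRuleCollection($netColl)
Set-AzFirewall -AzureFirewall $fw

# 6. Route table: default route from Corp to the firewall's private IP, then attach it to the subnet.
#    Until this is in place the firewall sees no Corp traffic; once attached, anything not matched
#    by a rule above is dropped (the "Access Denied" the post shows before the application rules).
$rt = New-AzRouteTable -Name "corp-to-fw" -ResourceGroupName $rg -Location $location `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -Name "default-via-fw" -RouteTable $rt -AddressPrefix "0.0.0.0/0" `
    -NextHopType "VirtualAppliance" -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Corp" -AddressPrefix $corpCidr `
    -RouteTable $rt | Set-AzVirtualNetwork
```

Run it in a session that has already done `Connect-AzAccount` against the subscription holding the resource group. Because all three rule types are added to the `$fw` object before the single `Set-AzFirewall` call, the firewall is updated once; the ordering of priorities within each type (100, 200, 300) is independent across types, since DNAT, network and application collections are processed as separate stages.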

Cheers!!