Deploy Azure Firewall using Bicep

Introduction

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It offers high availability and scalability, and it allows you to centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. This guide will walk you through deploying an Azure Firewall with application and network rulesets using Bicep and Azure DevOps, ensuring a streamlined and automated setup process.

Step-by-Step Implementation Guide

Set Up Your Azure Environment
- Ensure you have an active Azure subscription and the necessary permissions to create resources.

Install Azure CLI and Bicep

Install Azure CLI:

1

curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash

Install Bicep:
1

az bicep install

Create a Bicep Template for Azure Firewall

Define the Bicep template (azureFirewall.bicep) to create the Azure Firewall and configure rules:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118


param location string = resourceGroup().location
param firewallName string = 'myAzureFirewall'
param vnetName string = 'myVNet'
param subnetName string = 'AzureFirewallSubnet'
param firewallPolicyName string = 'myFirewallPolicy'

resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' existing = {
  name: vnetName
}

resource firewall 'Microsoft.Network/azureFirewalls@2021-02-01' = {
  name: firewallName
  location: location
  properties: {
    sku: {
      name: 'AZFW_VNet'
      tier: 'Standard'
    }
    ipConfigurations: [
      {
        name: 'azureFirewallIpConfig'
        properties: {
          subnet: {
            id: resourceId('Microsoft.Network/virtualNetworks/subnets', vnetName, subnetName)
          }
          publicIPAddress: {
            id: publicIP.id
          }
        }
      }
    ]
    firewallPolicy: {
      id: firewallPolicy.id
    }
  }
}

resource publicIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
  name: 'myPublicIP'
  location: location
  properties: {
    publicIPAllocationMethod: 'Static'
  }
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: firewallPolicyName
  location: location
  properties: {
    sku: {
      tier: 'Standard'
    }
    ruleCollectionGroups: [
      {
        name: 'appRuleCollectionGroup'
        properties: {
          priority: 100
          ruleCollections: [
            {
              name: 'appRuleCollection'
              properties: {
                ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
                action: {
                  type: 'Allow'
                }
                rules: [
                  {
                    name: 'allowWeb'
                    properties: {
                      ruleType: 'ApplicationRule'
                      sourceAddresses: ['*']
                      protocols: [
                        {
                          protocolType: 'Http'
                          port: 80
                        }
                      ]
                      targetFqdns: ['www.microsoft.com']
                    }
                  }
                ]
              }
            }
          ]
        }
      },
      {
        name: 'netRuleCollectionGroup'
        properties: {
          priority: 200
          ruleCollections: [
            {
              name: 'netRuleCollection'
              properties: {
                ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
                action: {
                  type: 'Allow'
                }
                rules: [
                  {
                    name: 'allowDns'
                    properties: {
                      ruleType: 'NetworkRule'
                      sourceAddresses: ['*']
                      destinationAddresses: ['8.8.8.8']
                      destinationPorts: ['53']
                      protocols: ['UDP']
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    ]
  }
}

Deploy the Bicep Template Using Azure CLI
- Deploy the Bicep template to create the Azure Firewall and configure rules:
  1
  
  az deployment group create --resource-group myResourceGroup --template-file azureFirewall.bicep

Set Up Azure DevOps Pipeline

Create a New Pipeline: In Azure DevOps, create a new pipeline and connect it to your repository containing the Bicep template.

Define Pipeline YAML: Add a YAML file (azure-pipelines.yml) to automate the deployment:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


trigger:
  - main

pool:
  vmImage: 'ubuntu-latest'

steps:
  - task: AzureCLI@2
    inputs:
      azureSubscription: 'your-azure-subscription'
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        az deployment group create --resource-group myResourceGroup --template-file azureFirewall.bicep        
      addSpnToEnvironment: true

Run the Pipeline
- Commit the changes and run the pipeline to deploy the Azure Firewall automatically.

Conclusion

Deploying an Azure Firewall with application and network rulesets using Bicep and Azure DevOps streamlines the process, ensuring a consistent and automated setup. This approach not only saves time but also reduces the potential for manual errors, providing a robust and secure network security solution.

Learn More

For more detailed information, refer to the following Microsoft Learn articles: