Deploy Azure Firewall Policy Premium with Bicep

Creating and Deploying a Premium Firewall Policy with Bicep and DevOps

Introduction

Azure Firewall Policy is a central management solution for your Azure Firewall instances, allowing you to define and enforce network security policies across multiple firewalls. The Premium SKU offers advanced features such as TLS inspection, IDPS (Intrusion Detection and Prevention System), and URL filtering, providing enhanced security for your cloud environment.

Detailed Step-by-Step Implementation Guide

  1. Prerequisites

    • Azure subscription
    • Azure CLI installed
    • Bicep CLI installed
    • Azure DevOps account
  2. Create a Bicep File for Azure Firewall Policy

    // Base policy: the Premium SKU is required for TLS inspection, IDPS and URL filtering.
    resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
      name: 'myFirewallPolicy'
      location: 'australiaeast'
      properties: {
        sku: {
          tier: 'Premium'
        }
        // Threat intelligence: log matches on known-malicious IPs and domains without blocking.
        threatIntelMode: 'Alert'
      }
    }

  3. Add Premium Features

    • TLS Inspection

      // Add inside the properties block of the firewallPolicy resource from step 2;
      // a second resource declaration with the same name and type does not compile.
      // The firewall reads the CA certificate from Key Vault, so the policy also needs
      // a user-assigned managed identity with read access to that secret.
      transportSecurity: {
        certificateAuthority: {
          name: 'afw-certificate'
          keyVaultSecretId: 'https://vaultname.vault.azure.net/secrets/afw-certificate/certificateid'
        }
      }

    • IDPS

      // Add inside the same properties block. 'Alert' logs signature matches; switch to
      // 'Deny' once false positives have been reviewed. Individual signatures are tuned
      // through signatureOverrides, which sits under configuration, not directly under mode.
      intrusionDetection: {
        mode: 'Alert'
        configuration: {
          signatureOverrides: []
        }
      }

    • URL Filtering

      // Rule collection group attached to the policy. Each collection needs a type,
      // a priority and an action; the action applies to every rule in the collection.
      resource urlFilter 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
        name: 'myUrlFilter'
        parent: firewallPolicy
        properties: {
          priority: 100
          ruleCollections: [
            {
              ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
              name: 'urlFilterRule'
              priority: 100
              action: {
                type: 'Allow'
              }
              rules: [
                {
                  ruleType: 'ApplicationRule'
                  name: 'allowRule'
                  sourceAddresses: ['*']
                  // Full URLs (path included) use targetUrls; hostnames alone use targetFqdns.
                  targetUrls: ['www.microsoft.com']
                  // URL matching on HTTPS needs the session terminated by TLS inspection.
                  terminateTLS: true
                  protocols: [
                    {
                      protocolType: 'Https'
                      port: 443
                    }
                  ]
                }
              ]
            }
          ]
        }
      }

  4. Deploy the Bicep File Using Azure DevOps

    • Create a new pipeline in Azure DevOps

    • Add a task to deploy the Bicep file

      trigger:
      - main

      pool:
        vmImage: 'ubuntu-latest'

      steps:
      - task: AzureCLI@2
        inputs:
          # Service connection that holds deployment rights on the target resource group
          azureSubscription: '<Your Azure Subscription>'
          scriptType: 'bash'
          scriptLocation: 'inlineScript'
          inlineScript: |
            az deployment group create --resource-group <Your Resource Group> --template-file <Path to Bicep File>


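The fragments in steps 2 and 3 belong in one file: the TLS and IDPS settings are properties of the single policy resource, and the rule collection group is its child. The following is an added example, not code from the original post, that combines them into one deployable template. It assumes two inputs the post does not show, a user-assigned managed identity (identityId) that has read access to the CA certificate secret and the Key Vault secret ID of that certificate (caSecretId); TLS inspection on the Premium tier cannot be enabled without that identity.

```bicep
// Added example: one deployable policy with TLS inspection, IDPS and URL filtering.
// identityId and caSecretId are assumed inputs supplied at deploy time.
@description('Name of the firewall policy.')
param policyName string = 'myFirewallPolicy'

@description('Region for the policy; must match the firewall that will attach to it.')
param location string = 'australiaeast'

@description('Resource ID of a user-assigned managed identity with get/list on the CA secret (assumed).')
param identityId string

@description('Key Vault secret ID of the CA certificate used to re-sign inspected sessions (assumed).')
param caSecretId string

@description('URLs the allow rule permits; everything not matched by a rule is denied.')
param allowedUrls array = [
  'www.microsoft.com'
]

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2021-02-01' = {
  name: policyName
  location: location
  // The firewall uses this identity to read the CA certificate from Key Vault.
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identityId}': {}
    }
  }
  properties: {
    sku: {
      tier: 'Premium'
    }
    threatIntelMode: 'Alert'
    // TLS inspection: intercepted HTTPS sessions are re-signed with this CA.
    transportSecurity: {
      certificateAuthority: {
        name: 'afw-certificate'
        keyVaultSecretId: caSecretId
      }
    }
    // IDPS: start in Alert, review the logs, then move to Deny.
    intrusionDetection: {
      mode: 'Alert'
      configuration: {
        signatureOverrides: []
        bypassTrafficSettings: []
      }
    }
  }
}

// URL filtering: an application rule collection attached to the policy above.
resource urlFilter 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-02-01' = {
  name: 'myUrlFilter'
  parent: firewallPolicy
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'urlFilterRule'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allowRule'
            sourceAddresses: [
              '*'
            ]
            targetUrls: allowedUrls
            // Full-URL matching on HTTPS requires the session to be terminated.
            terminateTLS: true
            protocols: [
              {
                protocolType: 'Https'
                port: 443
              }
            ]
          }
        ]
      }
    ]
  }
}

output policyId string = firewallPolicy.id
```

Before wiring this into the pipeline from step 4, compile it locally with `az bicep build --file main.bicep` and preview the resulting changes with `az deployment group what-if` against the target resource group, passing identityId and caSecretId as parameters; what-if surfaces schema mistakes such as a misplaced signatureOverrides without touching the subscription.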
Conclusion

By following this guide, you have successfully created and deployed an Azure Firewall Policy Premium with all the premium features using Bicep and Azure DevOps. This setup enhances your network security with advanced features like TLS inspection, IDPS, and URL filtering, ensuring a robust security posture for your cloud environment.