In Part 1 of this series, we explored how to implement a NAT Gateway to manage outbound internet connectivity for Azure VMs. Today, in Part 2, we’ll dive into configuring Azure Firewall, a robust security solution that provides both outbound and inbound network traffic control. Azure Firewall not only offers the required connectivity but also enhances your security posture.
Understanding Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It offers built-in high availability and scalability, as well as features like centralized policy management and dynamic filtering of outbound, inbound, and lateral network traffic.
Key Benefits of Azure Firewall:
- Threat Intelligence-Based Filtering: Alert on, or deny, traffic to and from known malicious IP addresses and domains taken from Microsoft's threat intelligence feed.
- Centralized Policy Management: Manage firewall rules across multiple subscriptions and networks.
- High Availability and Scalability: Automatically scales to meet your network needs.
- Application and Network Rules: Control outbound access by fully qualified domain name (FQDN) in application rules and by IP address, port and protocol in network rules; DNAT rules publish inbound services through the firewall's public IP.
- Logging and Analytics: Integrated with Azure Monitor for comprehensive logging and analytics.
Architecting the Network Topology
Designing an effective network layout is crucial. The firewall lives in its own dedicated subnet, and workload subnets reach it through a user-defined route (0.0.0.0/0 with next hop type Virtual appliance pointing at the firewall's private IP); without that route, traffic never touches the firewall. Here’s an illustrative topology:
- Public IP Addresses or Prefixes: The firewall SNATs outbound traffic to its public IP (or a public IP prefix), so destinations see predictable, consistent source addresses that can be allow-listed.
Implementation Steps
Let’s set up Azure Firewall to provide secure and reliable outbound internet connectivity for your Azure VMs. We’ll cover both the Azure Portal and Bicep approaches.
Implementation Using the Azure Portal
Step 1: Create a Public IP Address
- Navigate to Public IP Addresses:
- In the Azure Portal, search for “Public IP addresses” and select it.
- Create a New Public IP:
- Click "+ Create".
- Basics Tab:
- Subscription: Select your subscription.
- Resource Group: Choose an existing one or create a new one.
- Name: Enter a name, e.g., myFirewallPublicIP.
- Region: Choose the region of your VNet.
- IP Version: IPv4.
- SKU: Standard (Azure Firewall does not accept Basic SKU public IPs).
- Assignment: Static.
- Click “Review + Create”, then “Create”.
Step 2: Create the Azure Firewall
- Navigate to Firewalls:
- Search for “Firewalls” and select it.
- Create a New Firewall:
- Click "+ Create".
- Basics Tab:
- Subscription: Your subscription.
- Resource Group: Same as above.
- Name: myAzureFirewall.
- Region: Same as your VNet.
- Firewall Tier: Standard (Premium adds TLS inspection, IDPS and URL filtering; Basic is a lower-throughput tier for small environments).
- Firewall Management: Choose “Use Firewall rules (classic)” to follow the portal steps in Step 3, or “Use a Firewall Policy” if you want rules that can be shared across several firewalls (this is what the Bicep deployment later in this post uses).
- Public IP Address: Select the existing myFirewallPublicIP created in Step 1 rather than creating a new one.
- Virtual Network Configuration:
- Virtual Network: Choose or create a VNet.
- Subnets: Ensure you have a subnet named exactly AzureFirewallSubnet. The name is mandatory, the subnet must be at least /26, and nothing else may be deployed into it.
- Review and Create:
- Click “Review + Create”, ensure validation passes.
- Click “Create”.
Step 3: Configure Firewall Rules
- Navigate to Your Firewall:
- Go to Firewalls in the Azure Portal and select myAzureFirewall.
- Add Application Rules:
- Application Rule Collection: Click on “Rules” > Application Rule Collection.
- Add Rule Collection:
- Name: AppRuleCollection1.
- Priority: 200 (100 to 65000; lower numbers are evaluated first).
- Action: Allow.
- Add Rule:
- Name: AllowInternetAccess.
- Source IP Addresses: Add the IP range of your subnet or VMs.
- Target FQDNs: e.g., `*` for all internet access. A wildcard reduces the firewall to a logged NAT; in production, list the FQDNs the workload actually needs (package repositories, update endpoints, your own APIs).
- Protocol: HTTP, HTTPS.
- Click “Add”.
- Add Network Rules:
- Network Rule Collection: Click on “Rules” > Network Rule Collection.
- Add Rule Collection:
- Name: NetRuleCollection1.
- Priority: 100.
- Action: Allow.
- Add Rule:
- Name: AllowOutboundAccess.
- Source IP Addresses: Add the IP range of your subnet or VMs.
- Destination IP Addresses: Add `*` for all internet access or specific IP ranges.
- Destination Ports: Add ports like 80 for HTTP and 443 for HTTPS.
- Protocol: TCP, UDP.
- Click “Add”.
One caveat before you click “Add” on that network rule: Azure Firewall evaluates network rules before application rules, and the first match is final. A network rule that allows ports 80 and 443 to `*` therefore matches all web traffic before the FQDN-based application rule is ever consulted, which silently disables FQDN filtering. If you want FQDN control over web traffic, keep network rules for non-HTTP protocols only (DNS, NTP, SSH to known addresses) and let the application rule govern ports 80 and 443.
Step 4: Verify Outbound Connectivity
- Connect to a VM in the Subnet:
- Use Remote Desktop Protocol (RDP) or SSH.
- Check Outbound IP Address:
- Open a web browser and navigate to ifconfig.me or ident.me (or run curl against https://ifconfig.me from a shell).
- Verify that the displayed IP matches myFirewallPublicIP.
- If a different address is shown, the VM subnet is not routing through the firewall: it needs a route table with a 0.0.0.0/0 route whose next hop type is Virtual appliance and whose next hop address is the firewall's private IP.
Implementation Using Bicep
Let’s achieve the same deployment using a Bicep template.
Prerequisites
- Azure CLI: Ensure you have the latest version.
- Bicep CLI: Installed automatically by Azure CLI on first use; run az bicep upgrade to make sure it is current.
Step 1: Write the Bicep Template
Create a file named azureFirewall.bicep that declares the public IP, the virtual network with its AzureFirewallSubnet, the firewall policy and the firewall, with parameter names matching those used in the deployment command in Step 2.
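The template below is an added example and is not the article's own azureFirewall.bicep. It serves both the portal rule configuration in Step 3 and this Bicep step: it declares the public IP, the VNet with its AzureFirewallSubnet, a Firewall Policy whose rule collection group carries the Step 3 application rule, and the firewall itself, using the parameter names from the deployment command in Step 2. Assumptions not taken from the article: the workload subnet prefix 10.0.2.0/24, the API version 2023-04-01, and a network rule limited to DNS in place of the article's 80/443 network rule, which would otherwise shadow the FQDN rule.

```bicep
// Added example, not the article's own azureFirewall.bicep: public IP, VNet with the mandatory
// AzureFirewallSubnet, a Firewall Policy carrying the Step 3 rules, and the firewall itself.
// Parameter names match the az command in Step 2; workloadSubnetPrefix is an assumption.
param firewallName string = 'myAzureFirewall'
param firewallpolicyName string = 'myAzureFirewallPolicy'
param publicIPName string = 'myFirewallPublicIP'
param vnetName string = 'myVNet'
param vnetAddressPrefix string = '10.0.0.0/16'
param subnetName string = 'AzureFirewallSubnet' // Azure Firewall requires exactly this name
param firewallSubnetPrefix string = '10.0.1.0/24' // must be /26 or larger
param workloadSubnetPrefix string = '10.0.2.0/24' // assumption: the subnet holding the VMs
param location string = resourceGroup().location

resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
  name: publicIPName
  location: location
  sku: { name: 'Standard' } // Basic SKU public IPs are rejected by Azure Firewall
  properties: { publicIPAllocationMethod: 'Static', publicIPAddressVersion: 'IPv4' }
}

resource vnet 'Microsoft.Network/virtualNetworks@2023-04-01' = {
  name: vnetName
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ vnetAddressPrefix ] }
    subnets: [ { name: subnetName, properties: { addressPrefix: firewallSubnetPrefix } } ]
  }
}

resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' = {
  name: firewallpolicyName
  location: location
  properties: { sku: { tier: 'Standard' }, threatIntelMode: 'Alert' }
}

// Network rules are evaluated before application rules and a match is final, so a network rule
// allowing TCP 80/443 to '*' (as in the portal steps) would hide the FQDN rule from all web
// traffic. The network rule here is therefore limited to DNS and does not overlap the web ports.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: firewallPolicy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'NetRuleCollection1'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'AllowOutboundDns' // needed only when the VMs use a DNS server beyond the firewall
            ipProtocols: [ 'TCP', 'UDP' ]
            sourceAddresses: [ workloadSubnetPrefix ]
            destinationAddresses: [ '*' ]
            destinationPorts: [ '53' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AppRuleCollection1'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'AllowInternetAccess'
            sourceAddresses: [ workloadSubnetPrefix ]
            protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ '*' ] // wildcard as in the article; list explicit FQDNs in production
          }
        ]
      }
    ]
  }
}

var firewallSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', vnet.name, subnetName)

resource firewall 'Microsoft.Network/azureFirewalls@2023-04-01' = {
  name: firewallName
  location: location
  dependsOn: [ rules ] // let the policy finish updating before the firewall attaches to it
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: firewallPolicy.id }
    ipConfigurations: [
      { name: 'fwIpConfig', properties: { subnet: { id: firewallSubnetId }, publicIPAddress: { id: publicIP.id } } }
    ]
  }
}

// The VM subnet must carry a route table with 0.0.0.0/0 -> VirtualAppliance -> this address,
// otherwise traffic never reaches the firewall. The template does not create that route table.
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
output firewallPublicIp string = publicIP.properties.ipAddress
```

Deploy it with the az deployment group create command from Step 2; the parameter names line up. Two design choices are worth noting. The firewall declares dependsOn on the rule collection group because creating the firewall while the policy is still being written is a common source of "another operation is in progress" failures. And the route table that sends workload traffic to the firewall is deliberately left out: it must reference the firewall's private IP, which only exists after deployment, so it is normally created in a second step (or a second module) using the firewallPrivateIp output and then associated with the VM subnet.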
Step 2: Deploy the Bicep Template
- Login to Azure:
```bash
az login
```
- Set the Subscription Context:
```bash
az account set --subscription 'YourSubscriptionID'
```
- Deploy the Template:
```bash
az deployment group create \
  --resource-group 'YourResourceGroup' \
  --template-file azureFirewall.bicep \
  --parameters firewallName='myAzureFirewall' \
               firewallpolicyName='myAzureFirewallPolicy' \
               publicIPName='myFirewallPublicIP' \
               vnetName='myVNet' \
               vnetAddressPrefix='10.0.0.0/16' \
               subnetName='AzureFirewallSubnet' \
               firewallSubnetPrefix='10.0.1.0/24'
```
Step 3: Verify Deployment
Repeat the verification steps from the portal implementation to confirm that your VMs are using Azure Firewall for outbound traffic.
Wrapping Up
Implementing Azure Firewall provides enhanced security and centralized management for outbound internet access, keeping your Azure VMs connected as Azure retires default outbound access for virtual machines.
Key Takeaways:
- Azure Firewall Enhances Security: Comprehensive threat protection and policy management.
- Flexible Implementation Options: Use the Azure Portal for quick setups or Bicep for repeatable, infrastructure-as
Learn More
Here are some additional resources to help you dive deeper into Azure Firewall: