Integrating Azure Firewall in Azure vWAN

Using Bicep to add Azure Firewall into Azure vWAN

Introduction

Azure Virtual WAN is a comprehensive networking service that provides optimized and automated branch connectivity to, and through, Azure. It enables you to connect your branches, remote users, and data centers to Azure and each other using a combination of site-to-site VPN, point-to-site VPN, and ExpressRoute connections. One of the key features of Azure Virtual WAN is its ability to integrate Azure Firewall, including Azure Firewall Premium, to enhance security and connectivity.

Step-by-Step Implementation Guide

Prerequisites

Before you begin, ensure you have the following:

  • An Azure subscription
  • Bicep CLI installed
  • Visual Studio Code with Bicep extension
  • Basic understanding of Azure networking concepts

Using Bicep to Integrate Azure Firewall Premium

Step 1: Define the Bicep File

Create a new Bicep file (e.g., virtual-wan-firewall.bicep) and define the parameters and resources needed for the Virtual WAN and Azure Firewall Premium.

// Deployment parameters; override the defaults at deployment time as needed
param location string = resourceGroup().location
param virtualWanName string = 'MyVirtualWAN'
param virtualHubName string = 'MyVirtualHub'
param firewallName string = 'MyAzureFirewall'
param firewallPolicyName string = 'MyFirewallPolicy'
param addressSpace string = '10.0.0.0/16'

// Virtual WAN that the hub belongs to
resource virtualWan 'Microsoft.Network/virtualWans@2023-02-01' = {
  name: virtualWanName
  location: location
  properties: {
    type: 'Standard'
  }
}

// Virtual hub in the Virtual WAN; the firewall is deployed into this hub
resource virtualHub 'Microsoft.Network/virtualHubs@2023-02-01' = {
  name: virtualHubName
  location: location
  properties: {
    addressPrefix: addressSpace
    virtualWan: {
      id: virtualWan.id
    }
  }
}

// Premium firewall policy; its tier must match the firewall's tier
resource firewallPolicy 'Microsoft.Network/firewallPolicies@2023-02-01' = {
  name: firewallPolicyName
  location: location
  properties: {
    sku: {
      tier: 'Premium'
    }
  }
}

// A firewall deployed into a virtual hub uses the AZFW_Hub SKU (AZFW_VNet is for VNet deployments)
resource azureFirewall 'Microsoft.Network/azureFirewalls@2023-02-01' = {
  name: firewallName
  location: location
  properties: {
    sku: {
      name: 'AZFW_Hub'
      tier: 'Premium'
    }
    firewallPolicy: {
      id: firewallPolicy.id
    }
    virtualHub: {
      id: virtualHub.id
    }
    // Hub firewalls use platform-managed public IPs; request the number needed
    hubIPAddresses: {
      publicIPs: {
        count: 1
      }
    }
  }
}

Step 2: Deploy the Bicep File

Use the Azure CLI to deploy the Bicep file to your Azure subscription.

az deployment group create --resource-group <Your-Resource-Group> --template-file virtual-wan-firewall.bicep

Step 3: Verify the Resources

After deployment, verify that the Virtual WAN, Azure Firewall Premium, and Firewall Policy resources have been created and are configured as expected. You can do this by navigating to the Azure portal and checking the resources under the Virtual WAN and Virtual Hub sections.
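The same expectations can be checked before deployment against the ARM JSON that `az bicep build --file virtual-wan-firewall.bicep` produces. The following is an added example, not part of the original guide: `check_hub_firewall` and `SAMPLE_TEMPLATE` are hypothetical names, the sample template is constructed, and the tier comparison assumes the template's policies are the ones attached to its firewall.

```python
import json

FIREWALL = "microsoft.network/azurefirewalls"
POLICY = "microsoft.network/firewallpolicies"

# Constructed sample: trimmed ARM JSON in the shape `az bicep build` emits,
# with a VNet SKU on a hub-attached firewall so the check has something to find.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
  {"type": "Microsoft.Network/firewallPolicies", "name": "MyFirewallPolicy",
   "properties": {"sku": {"tier": "Premium"}}},
  {"type": "Microsoft.Network/azureFirewalls", "name": "MyAzureFirewall",
   "properties": {
     "sku": {"name": "AZFW_VNet", "tier": "Premium"},
     "firewallPolicy": {"id": "[resourceId('Microsoft.Network/firewallPolicies', 'MyFirewallPolicy')]"},
     "virtualHub": {"id": "[resourceId('Microsoft.Network/virtualHubs', 'MyVirtualHub')]"}}}
]}
""")


def _resources(template):
    # 'resources' is a list, or an object keyed by symbolic name in newer Bicep output.
    res = template.get("resources", [])
    return list(res.values()) if isinstance(res, dict) else list(res)


def check_hub_firewall(template, required_tier="Premium"):
    """Return findings (strings) for every azureFirewalls resource in the template."""
    findings = []
    resources = _resources(template)
    # Simplification: compare against every policy in the template, not only the linked one.
    policy_tiers = {r.get("properties", {}).get("sku", {}).get("tier", "unspecified")
                    for r in resources if r.get("type", "").lower() == POLICY}
    for r in resources:
        if r.get("type", "").lower() != FIREWALL:
            continue
        name, props = r.get("name", "?"), r.get("properties", {})
        sku, in_hub = props.get("sku", {}), bool(props.get("virtualHub"))
        if in_hub and sku.get("name") != "AZFW_Hub":
            findings.append(f"{name}: in a virtual hub but sku.name is {sku.get('name')!r}")
        if in_hub and not props.get("hubIPAddresses", {}).get("publicIPs", {}).get("count"):
            findings.append(f"{name}: hubIPAddresses.publicIPs.count is not set")
        if sku.get("tier") != required_tier:
            findings.append(f"{name}: sku.tier is {sku.get('tier')!r}, expected {required_tier!r}")
        if not props.get("firewallPolicy", {}).get("id"):
            findings.append(f"{name}: no firewallPolicy attached")
        if policy_tiers - {sku.get("tier")}:
            findings.append(f"{name}: policy tier(s) {sorted(policy_tiers)} differ from firewall tier")
    return findings
```

An empty list means the firewall is declared as a Premium hub firewall with a policy attached; run it in CI on the compiled template so a drifted SKU or a detached policy fails the build before deployment.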

Conclusion

Integrating Azure Firewall Premium with Azure Virtual WAN using Bicep provides a streamlined and efficient way to enhance your network security and connectivity. By defining resources as code, you can ensure consistency, simplify management, and leverage DevOps practices for continuous integration and deployment. Azure Virtual WAN enhances your ability to connect and manage your network resources seamlessly.

Learn More

For more detailed information and tutorials, visit the following Microsoft Learn resources: