Scenario
In this exercise, I needed to implement centralized network security for an application hosted in Azure. The application required a firewall for application-level filtering and advanced threat protection. Given the need for continuous updates from Azure DevOps pipelines, I also needed to ensure that the firewall allowed seamless access to Azure DevOps while providing DNS resolution for other critical services.
The task required:
- Setting up Azure Firewall for enhanced security in the app-vnet.
- Configuring a firewall policy to manage application access.
- Setting up application rules to allow access to Azure DevOps.
- Creating network rules to enable DNS resolution.
Skilling Tasks
- ✅ Create an Azure Firewall.
- ✅ Create and configure a firewall policy.
- ✅ Create an application rule collection.
- ✅ Create a network rule collection.
Exercise Instructions
Step 1: Create the Azure Firewall Subnet
To begin, I had to create a dedicated subnet within my virtual network for Azure Firewall. Here’s what I did:
1️⃣ Navigate to Virtual Networks:
- I searched for Virtual Networks in the Azure portal and selected app-vnet.
2️⃣ Add a New Subnet:
- I selected Subnets and clicked + Subnet.
- I entered the following information for the new subnet:
Property | Value |
---|---|
Name | AzureFirewallSubnet |
Address range | 10.1.63.0/26 |
- I saved the changes to create the AzureFirewallSubnet.
Step 2: Create an Azure Firewall
Next, I created the Azure Firewall using the following steps:
1️⃣ Navigate to Firewall:
- In the Azure portal, I searched for Firewall and selected + Create.
2️⃣ Configure Firewall Settings:
- I filled in the configuration settings as follows:
Property | Value |
---|---|
Resource group | RG1 |
Name | app-vnet-firewall |
Firewall SKU | Standard |
Firewall management | Use a Firewall Policy |
Firewall policy | Add new (fw-policy) |
Region | East US |
Policy Tier | Standard |
Virtual network | app-vnet (RG1) |
Public IP address | Add new (fwpip) |
3️⃣ Troubleshooting:
- When attempting to use the virtual network app-vnet, I encountered the error: "Force Tunneling requires this virtual network have a subnet named AzureFirewallManagementSubnet."
- Once I understood the cause, I added the required AzureFirewallManagementSubnet to app-vnet with the address range 10.1.64.0/26.
4️⃣ Deploy the Firewall:
- After resolving the subnet issue, I clicked Review + Create and Create to deploy the firewall.
- The deployment took a few minutes to complete.
Step 3: Update the Firewall Policy
Once the firewall was created, I moved on to configure the firewall policy to manage application-level access and network-level rules.
1️⃣ Open the Firewall Policy:
- I navigated to Firewall Policies in the Azure portal and selected fw-policy (created together with the firewall in Step 2).
2️⃣ Add Application Rule:
- I clicked Application Rules and added a new rule collection containing the AllowAzurePipelines rule:
Property | Value |
---|---|
Name | app-vnet-fw-rule-collection |
Rule collection type | Application |
Priority | 200 |
Rule collection action | Allow |
Rule collection group | DefaultApplicationRuleCollectionGroup |
Rule name | AllowAzurePipelines |
Source type | IP address |
Source | 10.1.0.0/23 |
Protocol | https |
Destination type | FQDN |
Destination | dev.azure.com, azure.microsoft.com |
- This rule allowed the web application in 10.1.0.0/23 to reach Azure DevOps over HTTPS for continuous integration and updates.
3️⃣ Add Network Rule:
- I then added a network rule to allow DNS resolution:
Property | Value |
---|---|
Name | app-vnet-fw-nrc-dns |
Rule collection type | Network |
Priority | 200 |
Rule collection action | Allow |
Rule collection group | DefaultNetworkRuleCollectionGroup |
Rule name | AllowDns |
Source | 10.1.0.0/23 |
Protocol | UDP |
Destination ports | 53 |
Destination addresses | 1.1.1.1, 1.0.0.1 |
Step 4: Troubleshooting Firewall Rule Addition
While attempting to add the network rule, I encountered an error message:
"Failed to add the rule collection. Rule Collection Group DefaultNetworkRuleCollectionGroup cannot be updated because Parent Firewall Policy fw-policy is in Updating state."
📌 Solution:
I waited until the firewall policy finished provisioning and its Provisioning State showed Succeeded. Once the policy reached that state, I was able to add the rule collection successfully.
Step 5: Verify Firewall and Firewall Policy Status
To ensure everything was set up correctly, I checked the status of both the firewall and the firewall policy:
1️⃣ Verify Firewall:
- In the portal, I navigated to Firewall and verified that the Provisioning State of app-vnet-firewall was Succeeded.
2️⃣ Verify Firewall Policy:
- I also checked the fw-policy firewall policy to ensure its Provisioning State was Succeeded.
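The same build, scripted end to end with the Az PowerShell module, as an example added here; it is not part of the original lab. It assumes Connect-AzAccount has already been run and that RG1 and app-vnet exist with the 10.1.0.0/23 workload range. All resource names, address ranges and rule values come from the tables above; the management public IP name (fw-mgmt-pip) and the two rule collection group priorities are assumptions, since the lab leaves them to the portal defaults. The polling function reproduces what Step 4 did by hand: wait for the policy to leave the Updating state before touching its rule collection groups.

```powershell
# Added example (not from the original lab): the exercise as an Az PowerShell script.
# Assumes Connect-AzAccount has been run and RG1 / app-vnet already exist.
$ErrorActionPreference = 'Stop'

$rg       = 'RG1'
$location = 'eastus'      # "East US" in the portal
$vnetName = 'app-vnet'

# Step 1 (plus the Step 2 troubleshooting): both firewall subnets must exist before
# the firewall is created; the management subnet is the one the portal error asked for.
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -VirtualNetwork $vnet -AddressPrefix '10.1.63.0/26' | Out-Null
Add-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallManagementSubnet' -VirtualNetwork $vnet -AddressPrefix '10.1.64.0/26' | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet   # commit and refresh the object

# Step 2: data-path and management public IPs, the policy, then the firewall itself.
$pip     = New-AzPublicIpAddress -Name 'fwpip' -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard
$mgmtPip = New-AzPublicIpAddress -Name 'fw-mgmt-pip' -ResourceGroupName $rg -Location $location -AllocationMethod Static -Sku Standard  # name assumed
$policy  = New-AzFirewallPolicy -Name 'fw-policy' -ResourceGroupName $rg -Location $location -SkuTier Standard

New-AzFirewall -Name 'app-vnet-firewall' -ResourceGroupName $rg -Location $location `
    -SkuTier Standard -VirtualNetwork $vnet -PublicIpAddress $pip `
    -ManagementPublicIpAddress $mgmtPip -FirewallPolicyId $policy.Id | Out-Null

# Step 4: attaching a firewall puts the policy into the Updating state; writes to its
# rule collection groups fail until it reports Succeeded, so poll before each write.
function Wait-FirewallPolicySucceeded {
    param([string]$Name, [string]$ResourceGroupName, [int]$TimeoutSeconds = 900)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $p = Get-AzFirewallPolicy -Name $Name -ResourceGroupName $ResourceGroupName
        if ($p.ProvisioningState -eq 'Succeeded') { return $p }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    throw "Policy $Name still '$($p.ProvisioningState)' after $TimeoutSeconds s"
}
$policy = Wait-FirewallPolicySucceeded -Name 'fw-policy' -ResourceGroupName $rg

# Step 3a: application rule collection. Protocol strings take the form "<proto>:<port>".
$appRule = New-AzFirewallPolicyApplicationRule -Name 'AllowAzurePipelines' `
             -SourceAddress '10.1.0.0/23' -Protocol 'https:443' `
             -TargetFqdn 'dev.azure.com', 'azure.microsoft.com'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-vnet-fw-rule-collection' `
             -Priority 200 -ActionType Allow -Rule $appRule
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultApplicationRuleCollectionGroup' `
    -Priority 300 -RuleCollection $appColl -FirewallPolicyObject $policy | Out-Null   # group priority assumed

$policy = Wait-FirewallPolicySucceeded -Name 'fw-policy' -ResourceGroupName $rg

# Step 3b: network rule collection for DNS (UDP/53 to the two resolvers from the lab).
$dnsRule = New-AzFirewallPolicyNetworkRule -Name 'AllowDns' -SourceAddress '10.1.0.0/23' `
             -Protocol UDP -DestinationPort 53 -DestinationAddress '1.1.1.1', '1.0.0.1'
$dnsColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-vnet-fw-nrc-dns' `
             -Priority 200 -ActionType Allow -Rule $dnsRule
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultNetworkRuleCollectionGroup' `
    -Priority 200 -RuleCollection $dnsColl -FirewallPolicyObject $policy | Out-Null   # group priority assumed

# Step 5: both objects must report Succeeded before traffic is routed through the firewall.
$fwState  = (Get-AzFirewall -Name 'app-vnet-firewall' -ResourceGroupName $rg).ProvisioningState
$polState = (Get-AzFirewallPolicy -Name 'fw-policy' -ResourceGroupName $rg).ProvisioningState
"Firewall: $fwState  Policy: $polState"
if ($fwState -ne 'Succeeded' -or $polState -ne 'Succeeded') { throw 'Provisioning has not completed' }
```

Two points worth noting when adapting this. The two rule collections both use priority 200, which is fine because priorities are only compared within a rule collection group; the group priorities are what order application rules relative to network rules. And the DNS rule permits UDP/53 only, exactly as the lab specifies; responses too large for UDP retry over TCP/53, which this rule set does not allow, so watch the firewall's network rule logs for denied TCP/53 traffic if name resolution is flaky.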
Key Takeaways
1️⃣ Azure Firewall
Azure Firewall provides a robust solution to protect your Azure virtual network resources from incoming and outgoing threats. It's a fully managed, cloud-native firewall that offers stateful packet inspection and threat intelligence.
2️⃣ Firewall Policies
A firewall policy is an essential component that allows you to group and manage rules for traffic control. Azure Firewall policies can contain NAT, application, and network rules to specify what traffic is allowed or denied.
3️⃣ Application Rules and Network Rules
- Application rules allow outbound HTTP/HTTPS traffic to specified fully qualified domain names (FQDNs) or URLs.
- Network rules allow or deny traffic based on IP addresses, ports, and protocols.
4️⃣ Force Tunneling and Subnet Requirements
For Force Tunneling, Azure requires a specific subnet named AzureFirewallManagementSubnet. This subnet is used for the firewall’s internal management tasks, ensuring secure and controlled traffic routing.
Conclusion
In this exercise, I successfully created and configured Azure Firewall for centralized network security in the app-vnet. I configured both application and network rule collections to allow access to Azure DevOps and DNS resolution. The process also involved troubleshooting and configuring the AzureFirewallManagementSubnet for Force Tunneling, ensuring seamless outbound traffic routing.
🚀 Stay tuned for more as I continue my journey with Azure and deepen my knowledge of network security and firewall management!