Oluwanifesimi

How to Create and Configure Azure Firewall

Introduction
This project focuses on designing and implementing centralized network security for an application virtual network (app-vnet) using Azure Firewall. As application demands scale, ensuring secure traffic flow, granular access control, and protected CI/CD operations via Azure DevOps becomes essential. To address these needs, you'll deploy Azure Firewall and configure it with a tailored firewall policy.

What You'll Accomplish
Throughout this project, you'll gain hands-on experience with key security tasks:

  • Deploy Azure Firewall to serve as a centralized security gateway.

  • Create and Configure a Firewall Policy to define traffic filtering rules.

  • Set Up an Application Rule Collection to allow secure access from app-vnet to Azure DevOps services.

  • Create a Network Rule Collection to enable DNS resolution for resources within the virtual network.

  • Prepare the AzureFirewallSubnet, deploy the firewall, apply the necessary rules, and validate the configuration.

By the end, you'll have a working firewall solution that enforces robust security policies and supports secure application development workflows in Azure.

Step 1 Create an Azure Firewall subnet in the existing virtual network

  • In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.

  • Select app-vnet.

  • Select Subnets.

  • Select + Subnet.

  • Enter the following information and select Save.

  • Name: AzureFirewallSubnet

  • Address range: 10.1.63.0/26

  • Note: Leave all other settings as default.

Step 2 Create an Azure Firewall

  • In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.

  • Select + Create.

Create a firewall by using the values in the following table. For any property that is not specified, use the default value.
Note: Azure Firewall can take a few minutes to deploy.

  • Resource group: RG1
  • Name: app-vnet-firewall
  • Firewall SKU: Standard

  • Firewall management: Use a Firewall Policy to manage this firewall

  • Firewall policy: select Add new

  • Policy name: fw-policy

  • Region: East US

  • Policy Tier: Standard

  • Choose a virtual network: Use existing

  • Virtual network: app-vnet (RG1)

  • Public IP address: Add new, named fwpip

  • Enable Firewall Management NIC: uncheck the box

  • Select Review + create.

  • Then select Create.

  • Azure Firewall has been created successfully. Click Go to resource to see the firewall.

Step 3 Update the Firewall Policy

  • In the portal, search for and select Firewall Policies.

  • Select fw-policy.

Add an application rule

  • In the rule blade, select Application rules and then Add a rule collection.
  • Configure the application rule collection and then select Add.

  • Name: app-vnet-fw-rule-collection

  • Rule collection type: Application

  • Priority: 200

  • Rule collection action: Allow

  • Rule collection group: DefaultApplicationRuleCollectionGroup

  • Name: AllowAzurePipelines

  • Source type: IP address

  • Source: 10.1.0.0/23

  • Protocol: https

  • Destination type: FQDN

  • Destination: dev.azure.com, azure.microsoft.com

  • Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.

  • The application rule has been added to the firewall policy.

Add a network rule

  • In the rule blade, select Network rules and then Add a network collection.

  • Configure the network rule and then select Add.

  • Name: app-vnet-fw-nrc-dns

  • Rule collection type: Network

  • Priority: 200

  • Rule collection action: Allow

  • Rule collection group: DefaultNetworkRuleCollectionGroup

  • Rule: AllowDns

  • Source: 10.1.0.0/23

  • Protocol: UDP

  • Destination ports: 53

  • Destination addresses: 1.1.1.1, 1.0.0.1

  • The network rule collection has been added to the firewall policy.

Verify the firewall and firewall policy status

  • In the portal, search for and select Firewall.

  • View app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.

  • In the portal, search for and select Firewall policies.

  • View fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.
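The portal procedure in Steps 1 to 3, expressed as an Azure CLI script. This is an added example, not code from the original post or from Microsoft. The resource group, subnet, firewall, policy and rule names and the address ranges are the ones used above; the public IP SKU, the ip-config name and the rule collection group priorities are assumptions, and the `az network firewall` commands need the azure-firewall CLI extension. The script adds one check the portal does for you: Azure Firewall only deploys into a subnet named exactly AzureFirewallSubnet with a prefix of /26 or larger, so the subnet is validated before any API call. It runs in dry-run mode by default and only prints each command.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 1-3 as Azure CLI calls.
# Requires:  az extension add --name azure-firewall
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.

RG=RG1                       # values taken from the walkthrough
LOCATION=eastus
VNET=app-vnet
FW_SUBNET_PREFIX=10.1.63.0/26
FW_NAME=app-vnet-firewall
FW_PIP=fwpip
POLICY=fw-policy
APP_SOURCE=10.1.0.0/23       # source range used by both rules

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Azure Firewall requires the subnet name AzureFirewallSubnet and a prefix
# of /26 or larger (a smaller prefix length number). Returns 0 when valid.
check_firewall_subnet() {
  name=$1; prefix=$2
  [ "$name" = AzureFirewallSubnet ] || return 1
  bits=${prefix##*/}
  [ "$bits" -le 26 ] 2>/dev/null
}

# Step 1: dedicated firewall subnet in the existing vnet.
step1_subnet() {
  check_firewall_subnet AzureFirewallSubnet "$FW_SUBNET_PREFIX" \
    || { echo "invalid firewall subnet: $FW_SUBNET_PREFIX" >&2; return 1; }
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" \
    -n AzureFirewallSubnet --address-prefixes "$FW_SUBNET_PREFIX"
}

# Step 2: public IP, Standard-tier policy, firewall attached to the policy.
# Public IP SKU and the ip-config name (fw-ipconfig) are assumptions.
step2_firewall() {
  run az network public-ip create -g "$RG" -n "$FW_PIP" \
    --sku Standard --allocation-method Static
  run az network firewall policy create -g "$RG" -n "$POLICY" \
    -l "$LOCATION" --sku Standard
  run az network firewall create -g "$RG" -n "$FW_NAME" -l "$LOCATION" \
    --sku AZFW_VNet --tier Standard --firewall-policy "$POLICY"
  run az network firewall ip-config create -g "$RG" --firewall-name "$FW_NAME" \
    -n fw-ipconfig --public-ip-address "$FW_PIP" --vnet-name "$VNET"
}

# Step 3: application rule (HTTPS to Azure DevOps FQDNs) and network rule
# (UDP/53 to the resolvers). Group priorities 300/200 are assumptions.
step3_rules() {
  run az network firewall policy rule-collection-group create -g "$RG" \
    --policy-name "$POLICY" -n DefaultApplicationRuleCollectionGroup --priority 300
  run az network firewall policy rule-collection-group collection add-filter-collection \
    -g "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name DefaultApplicationRuleCollectionGroup \
    -n app-vnet-fw-rule-collection --collection-priority 200 --action Allow \
    --rule-name AllowAzurePipelines --rule-type ApplicationRule --protocols Https=443 \
    --source-addresses "$APP_SOURCE" --target-fqdns dev.azure.com azure.microsoft.com
  run az network firewall policy rule-collection-group create -g "$RG" \
    --policy-name "$POLICY" -n DefaultNetworkRuleCollectionGroup --priority 200
  run az network firewall policy rule-collection-group collection add-filter-collection \
    -g "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name DefaultNetworkRuleCollectionGroup \
    -n app-vnet-fw-nrc-dns --collection-priority 200 --action Allow \
    --rule-name AllowDns --rule-type NetworkRule --ip-protocols UDP \
    --source-addresses "$APP_SOURCE" --destination-addresses 1.1.1.1 1.0.0.1 \
    --destination-ports 53
}

# Final check from the walkthrough: both provisioning states should be Succeeded.
verify_provisioning() {
  run az network firewall show -g "$RG" -n "$FW_NAME" --query provisioningState -o tsv
  run az network firewall policy show -g "$RG" -n "$POLICY" --query provisioningState -o tsv
}

deploy_app_vnet_firewall() {
  step1_subnet && step2_firewall && step3_rules && verify_provisioning
}

deploy_app_vnet_firewall
```

Run it as is to review the planned commands, then `DRY_RUN=0 sh deploy.sh` after `az login` to apply them. Keeping the source range in one variable makes it obvious that both rules scope to the same /23, which is the value to revisit if the application subnets change.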

Conclusion
This project successfully delivered a fully operational Azure Firewall within the application’s virtual network, establishing a centralized and resilient security architecture. Key milestones included:

  • Deploying Azure Firewall to serve as the core security layer.
  • Configuring and managing a custom firewall policy.
  • Creating an application rule collection to enable secure access to Azure DevOps services.
  • Implementing a network rule collection to support DNS resolution.

Together, these components strengthen the application's security posture by precisely controlling traffic flow while maintaining essential connectivity. The solution also lays the groundwork for a scalable and maintainable security framework that can adapt to future growth and evolving requirements. Ultimately, this project highlights the strategic role of Azure Firewall in delivering advanced threat protection and centralized network governance in modern cloud environments.
