Isaiah Izibili
Securing Azure Workloads with Azure Firewall: A Step-by-Step Implementation Guide

Introduction

As cloud applications scale, so do the threats they face. From unauthorized access to data exfiltration, the need for centralized, intelligent network security becomes non-negotiable. Enter Azure Firewall—a robust, cloud-native solution that offers deep packet inspection, application-level filtering, and threat intelligence.

In this guide, we walk through the deployment and configuration of Azure Firewall to protect an application virtual network (app-vnet). Each step is explained with its technical purpose and strategic value, so you can build not just a secure network—but a resilient one.

Scenario Overview

Your organization is preparing for increased application usage and continuous integration via Azure DevOps. To meet these demands securely, you’ve identified the following requirements:

  • Deploy Azure Firewall in app-vnet for centralized security.
  • Create a Firewall Policy to manage access rules.
  • Add an Application Rule to allow access to Azure DevOps.
  • Add a Network Rule to enable DNS resolution.

Step 1: Create Azure Firewall subnet in our existing virtual network

  1. In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.
  2. Select app-vnet.
  3. Select Subnets.
  4. Select + Subnet.
  5. Enter the following information and select Save.
| Property | Value |
|---|---|
| Name | AzureFirewallSubnet |
| Address range | 10.1.63.0/26 |

Note: Leave all other settings as default.


Step 2: Create an Azure Firewall

  1. In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
  2. Select + Create.

  3. Create a firewall by using the values in the following table. For any property that is not specified, use the default value.

Note: Azure Firewall can take a few minutes to deploy.

| Property | Value |
|---|---|
| Resource group | RG1 |
| Name | app-vnet-firewall |
| Firewall SKU | Standard |
| Firewall management | Use a Firewall Policy to manage this firewall |
| Firewall policy | select Add new |
| Policy name | fw-policy |
| Region | West US 3 |
| Policy Tier | Standard |
| Choose a virtual network | Use existing |
| Virtual network | app-vnet (RG1) |
| Public IP address | Add new: fwpip |
| Enable Firewall Management NIC | uncheck the box |


  4. Select Review + create and then select Create.
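Steps 1 and 2 expressed as a declarative deployment, written here as an added example; it is not code from the post or from Microsoft's lab material. It assumes RG1 and app-vnet already exist, that the deployment targets West US 3, and the IP configuration name fw-ipconfig is my own choice.

```bicep
// Added example, not from the original post. Assumes resource group RG1 and
// app-vnet exist; deploy with: az deployment group create -g RG1 -f firewall.bicep
param location string = 'westus3'
resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: 'app-vnet'
}

// Step 1: Azure Firewall only deploys into a subnet literally named
// AzureFirewallSubnet, and /26 is the smallest prefix it accepts.
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' = {
  parent: vnet
  name: 'AzureFirewallSubnet'
  properties: { addressPrefix: '10.1.63.0/26' }
}

// Step 2: the Standard SKU needs a Standard, static public IP
resource fwPip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: 'fwpip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource policy 'Microsoft.Network/firewallPolicies@2023-09-01' = {
  name: 'fw-policy'
  location: location
  properties: { sku: { tier: 'Standard' } }
}

// No management ipConfiguration, matching the unchecked "Management NIC" box
resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'app-vnet-firewall'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: policy.id }
    ipConfigurations: [ {
      name: 'fw-ipconfig' // assumed name, not from the post
      properties: {
        subnet: { id: fwSubnet.id }
        publicIPAddress: { id: fwPip.id }
      }
    } ]
  }
}

// Step 4 check, plus the address a route table needs to send app traffic via the firewall
output provisioningState string = firewall.properties.provisioningState
output firewallPrivateIp string = firewall.properties.ipConfigurations[0].properties.privateIPAddress
```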


Step 3: Configure the Firewall Policy

  1. In the portal, search for and select Firewall Policies.
  2. Select fw-policy.


Step 3a: Add an Application Rule

  1. In the Settings blade, select Application rules and then Add a rule collection.
  2. Configure the application rule collection and then select Add.
| Property | Value |
|---|---|
| Name (rule collection) | app-vnet-fw-rule-collection |
| Rule collection type | Application |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultApplicationRuleCollectionGroup |
| Name (rule) | AllowAzurePipelines |
| Source type | IP address |
| Source | 10.1.0.0/23 |
| Protocol | https |
| Destination type | FQDN |
| Destination | dev.azure.com, azure.microsoft.com |

Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.


Why It Matters:
This rule allows your application servers to securely connect to Azure DevOps for continuous updates. Using FQDN filtering, Azure Firewall can inspect outbound traffic and allow only specific domains—critical for reducing exposure to malicious sites.

Step 3b: Add a Network Rule

  1. In the Settings blade, select Network rules and then Add a network collection.
  2. Configure the network rule and then select Add.

| Property | Value |
|---|---|
| Name | app-vnet-fw-nrc-dns |
| Rule collection type | Network |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultNetworkRuleCollectionGroup |
| Rule | AllowDns |
| Source | 10.1.0.0/23 |
| Protocol | UDP |
| Destination ports | 53 |
| Destination addresses | 1.1.1.1, 1.0.0.1 |


DNS is the backbone of internet communication. Without it, your servers can't resolve domain names. This rule lets the workloads in 10.1.0.0/23 reach Cloudflare's public resolvers (1.1.1.1 and 1.0.0.1) on UDP port 53 and nothing more, so name resolution works for outbound traffic while DNS to any other destination stays blocked by the firewall.

Step 4: Verify Deployment Status

  1. In the portal, search for and select Firewall.
  2. View the app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.


  1. In the portal, search for and select Firewall policies.
  2. View the fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.


Successful provisioning confirms that your firewall is active and ready to enforce rules. This step ensures that your security posture is operational before workloads begin communicating.

Congratulations on completing the exercise. Here are the main takeaways:

Key takeaways

  • Azure Firewall is a cloud-based security service that protects your Azure virtual network resources from incoming and outgoing threats.
  • An Azure firewall policy is a resource that contains one or more collections of NAT, network, and application rules.
  • Network rules allow or deny traffic based on IP addresses, ports, and protocols.
  • Application rules allow or deny traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
