Introduction:
As organizations continue to move applications to the cloud, securing network traffic becomes more important than ever. In this scenario, the organization needs a centralized security solution for its application virtual network to better control and monitor traffic between resources and external services. To achieve this, Azure Firewall is deployed within the app-vnet to provide enterprise-grade network protection and traffic filtering.
As application usage grows, the organization also requires more granular control over outbound access and stronger protection against potential threats. By implementing Azure Firewall policies, administrators can centrally manage and enforce security rules across the environment. Specific application and network rules are configured to allow secure access to Azure DevOps for application updates and DNS services for name resolution, while still maintaining strict traffic control.
This setup demonstrates how Azure Firewall can help secure both north-south and east-west traffic, providing a scalable and manageable security architecture for modern cloud workloads.
Skilling Tasks
- Create an Azure Firewall.
- Create and configure a firewall policy.
- Create an application rule collection.
- Create a network rule collection.

This guide provides a step-by-step approach to creating and configuring Azure Firewall within an Azure virtual network environment. It covers the deployment of Azure Firewall, the creation of firewall policies, and the configuration of both application and network rules to secure traffic flow across the environment. The guide also demonstrates how to manage outbound access, enable DNS resolution, and control application connectivity using centralized security policies. By following these steps, you can implement a scalable and secure network architecture that helps protect Azure workloads from unauthorized access and potential threats.
Exercise instructions
Create Azure Firewall subnet in our existing virtual network
- In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.
- Select app-vnet.
- Select Subnets.
- Select + Subnet.
- Enter the following information and select Save.
| Property | Value |
|---|---|
| Name | AzureFirewallSubnet |
| Address range | 10.1.63.0/26 |

Note: Leave all other settings as default.
Create an Azure Firewall
- In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
- Select + Create.
- Create a firewall by using the values in the following table. For any property that is not specified, use the default value.

Note: Azure Firewall can take a few minutes to deploy.
| Property | Value |
|---|---|
| Resource group | RG1 |
| Name | app-vnet-firewall |
| Firewall SKU | Standard |
| Firewall management | Use a Firewall Policy to manage this firewall |
| Firewall policy | select Add new |
| Policy name | fw-policy |
| Region | East US |
| Policy Tier | Standard |
| Choose a virtual network | Use existing |
| Virtual network | app-vnet (RG1) |
| Public IP address | Add new: fwpip |
| Enable Firewall Management NIC | uncheck the box |

- Select Review + create and then select Create.
Update the Firewall Policy
- In the portal, search for and select Firewall Policies.
- Select fw-policy.
Add an application rule
- In the Settings blade, select Application rules and then Add a rule collection.
- Configure the application rule collection and then select Add.
| Property | Value |
|---|---|
| Name | app-vnet-fw-rule-collection |
| Rule collection type | Application |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultApplicationRuleCollectionGroup |
| Rule name | AllowAzurePipelines |
| Source type | IP address |
| Source | 10.1.0.0/23 |
| Protocol | https |
| Destination type | FQDN |
| Destination | dev.azure.com, azure.microsoft.com |
Note: The AllowAzurePipelines rule allows the web application to reach Azure Pipelines, that is, the Azure DevOps service (dev.azure.com) and the Azure website (azure.microsoft.com), over HTTPS only.
Add a network rule
- In the Settings blade, select Network rules and then Add a network collection.
- Configure the network rule and then select Add.
| Property | Value |
|---|---|
| Name | app-vnet-fw-nrc-dns |
| Rule collection type | Network |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultNetworkRuleCollectionGroup |
| Rule name | AllowDns |
| Source | 10.1.0.0/23 |
| Protocol | UDP |
| Destination ports | 53 |
| Destination addresses | 1.1.1.1, 1.0.0.1 |
Verify the firewall and firewall policy status
- In the portal, search for and select Firewall.
- View the app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.
- In the portal, search for and select Firewall policies.
- View the fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.
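As an added example that is not part of the original lab or Microsoft's own code, the policy and both rule collections configured above can be expressed as a single Bicep template instead of portal clicks. It assumes the firewall itself (with its subnet and public IP) is created separately and associated with fw-policy; the API version, variable names and the `sourceRange` parameter are my own choices.

```bicep
// Added example, not the lab's own code: fw-policy and its two rule collections as Bicep.
param sourceRange string = '10.1.0.0/23' // app-vnet subnets allowed to egress
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fw-policy'
  location: resourceGroup().location
  properties: { sku: { tier: 'Standard' } }
}
// Application rule: HTTPS only, and only to the two FQDNs the web app needs.
var pipelinesRule = {
  ruleType: 'ApplicationRule'
  name: 'AllowAzurePipelines'
  sourceAddresses: [ sourceRange ]
  protocols: [ { protocolType: 'Https', port: 443 } ]
  targetFqdns: [ 'dev.azure.com', 'azure.microsoft.com' ]
}
// Network rule: UDP/53 from the same range to the two resolvers only.
var dnsRule = {
  ruleType: 'NetworkRule'
  name: 'AllowDns'
  ipProtocols: [ 'UDP' ]
  sourceAddresses: [ sourceRange ]
  destinationAddresses: [ '1.1.1.1', '1.0.0.1' ]
  destinationPorts: [ '53' ]
}
// One group per rule type; group priorities match the defaults the portal creates.
var groups = [
  { name: 'DefaultApplicationRuleCollectionGroup', priority: 300, collection: 'app-vnet-fw-rule-collection', rule: pipelinesRule }
  { name: 'DefaultNetworkRuleCollectionGroup', priority: 200, collection: 'app-vnet-fw-nrc-dns', rule: dnsRule }
]
// Rule collection groups of one policy cannot be written concurrently, so batchSize(1) deploys them one at a time.
@batchSize(1)
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = [for g in groups: {
  parent: policy
  name: g.name
  properties: {
    priority: g.priority
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: g.collection
        priority: 200
        action: { type: 'Allow' }
        rules: [ g.rule ]
      }
    ]
  }
}]
```

Deploy it with `az deployment group create -g RG1 -f fw-policy.bicep`, then confirm in the portal that the fw-policy Provisioning state shows Succeeded as in the verification steps above.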
Summary:
In this scenario, Azure Firewall is used to provide centralized network security for the application virtual network. Firewall policies are implemented to simplify rule management and improve control over network traffic. Application rules allow secure communication with Azure DevOps for application updates, while network rules enable DNS resolution required for connectivity and resource access.
The Standard SKU supports both application and network rule collections, making it suitable for enterprise environments that require flexible traffic filtering and monitoring. The configuration also helps secure both external and internal traffic flows, improving the organization's overall security posture while maintaining application functionality.
Conclusion:
Implementing Azure Firewall within the application virtual network provides a strong foundation for centralized cloud security. By combining firewall policies with application and network rules, the organization can effectively manage traffic, protect workloads, and maintain secure access to essential services such as Azure DevOps and DNS.
This approach not only improves visibility and control over network communications but also supports future scalability as the application environment grows. Overall, Azure Firewall offers a reliable and flexible solution for protecting modern Azure workloads against evolving security challenges.
Key Takeaways
Completing this exercise provided practical experience in deploying and managing Azure Firewall to secure resources within an Azure virtual network. Throughout the configuration process, several important concepts became clear:
- Azure Firewall serves as a centralized, cloud-native security solution that helps monitor and control both inbound and outbound network traffic across Azure environments.
- Firewall policies simplify security management by allowing administrators to organize and manage NAT, network, and application rules from a single location.
- Network rules provide granular traffic control by filtering connections based on IP addresses, ports, and protocols, helping secure communication between resources.
- Application rules offer more advanced filtering by allowing or blocking traffic using fully qualified domain names (FQDNs), URLs, and web protocols such as HTTP and HTTPS.
- Implementing Azure Firewall improves visibility, strengthens network security, and provides a scalable foundation for protecting modern cloud workloads.