Introduction
In this project, the primary task is to design and implement centralized network security for an application virtual network (app-vnet) using Azure Firewall. As application usage continues to grow, there is a need for granular filtering, advanced threat protection, and secure continuous integration/continuous deployment (CI/CD) updates through Azure DevOps pipelines. To meet these requirements, an Azure Firewall will be deployed and configured with a firewall policy.
The skilling tasks in this project include:
- Creating an Azure Firewall.
- Creating and configuring a firewall policy.
- Creating an application rule collection to allow the app-vnet secure access to Azure DevOps pipelines.
- Creating a network rule collection to enable DNS resolution.
Additionally, the project involves preparing the AzureFirewallSubnet, deploying the firewall into the virtual network, configuring the required rules, and verifying that the firewall and policy are successfully provisioned.
Step 1 Create Azure Firewall subnet in our existing virtual network
- In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.
- Select app-vnet.
- Select Subnets.
- Select + Subnet.
- Enter the following information and select Save.
- Name: AzureFirewallSubnet
- Address range: 10.1.63.0/26
- Note: Leave all other settings as default.
Step 2 Create an Azure Firewall
- In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
- Select + Create.
Create a firewall by using the values in the following table. For any property that is not specified, use the default value.
Note: Azure Firewall can take a few minutes to deploy.
- Resource group: RG1
- Name: app-vnet-firewall
- Firewall SKU: Standard
- Firewall management: Use a Firewall Policy to manage this firewall
- Firewall policy: select Add new
- Policy name: fw-policy
- Region: East US
- Policy Tier: Standard
- Choose a virtual network: Use existing
- Virtual network: app-vnet (RG1)
- Public IP address: Add new, name fwpip
- Enable Firewall Management NIC: uncheck the box
- Select Review + create.
- Then select Create.
- Azure Firewall has been created successfully. Select Go to resource to see the firewall.
Step 3 Update the Firewall Policy
- In the portal, search for and select Firewall Policies.
- Select fw-policy.
Add an application rule
- In the rule blade, select Application rules and then Add a rule collection.
- Configure the application rule collection and then select Add.
- Name: app-vnet-fw-rule-collection
- Rule collection type: Application
- Priority: 200
- Rule collection action: Allow
- Rule collection group: DefaultApplicationRuleCollectionGroup
- Name: AllowAzurePipelines
- Source type: IP address
- Source: 10.1.0.0/23
- Protocol: https
- Destination type: FQDN
- Destination: dev.azure.com, azure.microsoft.com
- Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.
- The application rule has been added to the firewall policy.
Add a network rule
- In the rule blade, select Network rules and then Add a network collection.
- Configure the network rule collection and then select Add.
- Name: app-vnet-fw-nrc-dns
- Rule collection type: Network
- Priority: 200
- Rule collection action: Allow
- Rule collection group: DefaultNetworkRuleCollectionGroup
- Rule: AllowDns
- Source: 10.1.0.0/23
- Protocol: UDP
- Destination ports: 53
- Destination addresses: 1.1.1.1, 1.0.0.1
- The network rule collection has been added to the firewall policy.
Verify the firewall and firewall policy status
- In the portal search for and select Firewall.
- View the app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.
- In the portal, search for and select Firewall policies.
- View the fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.
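The whole build-out above (Steps 1 to 3 plus the verification) can also be scripted with the Azure CLI. The script below is an added example and not part of the original write-up; it reuses the lab's resource names and address ranges, while the ip-config name (fw-ipconfig), the rule-collection-group priorities (300 and 200) and the DRY_RUN switch are this script's own assumptions. It also adds the check a practitioner wants before Step 1: Azure Firewall only deploys into a subnet literally named AzureFirewallSubnet, and that subnet must be /26 or larger.

```shell
#!/usr/bin/env bash
# Added example (not the original write-up's code): the lab's Azure Firewall
# build-out as Azure CLI calls. fw-ipconfig, the rule-collection-group
# priorities and DRY_RUN are assumptions of this script, not of the lab.
set -e

RG=RG1
LOCATION=eastus
VNET=app-vnet
FW=app-vnet-firewall
POLICY=fw-policy
PIP=fwpip
APP_SRC=10.1.0.0/23
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each az command instead of running it

# Print or execute an az command, depending on DRY_RUN.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Azure Firewall requires a subnet named exactly AzureFirewallSubnet of /26 or larger.
check_firewall_subnet() {
  name="$1"; cidr="$2"; prefix="${cidr##*/}"
  [ "$name" = "AzureFirewallSubnet" ] || return 1
  [ "$prefix" -le 26 ] 2>/dev/null || return 1
  return 0
}

# Step 1: dedicated firewall subnet in the existing VNet.
create_firewall_subnet() {
  check_firewall_subnet AzureFirewallSubnet 10.1.63.0/26
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureFirewallSubnet --address-prefixes 10.1.63.0/26
}

# Step 2: policy, public IP and firewall (Standard SKU, policy-managed, no management NIC).
create_firewall() {
  run az extension add --name azure-firewall   # az network firewall lives in this extension
  run az network firewall policy create --resource-group "$RG" --name "$POLICY" \
    --location "$LOCATION" --sku Standard
  run az network public-ip create --resource-group "$RG" --name "$PIP" \
    --location "$LOCATION" --sku Standard --allocation-method Static
  run az network firewall create --resource-group "$RG" --name "$FW" \
    --location "$LOCATION" --sku AZFW_VNet --tier Standard --firewall-policy "$POLICY"
  run az network firewall ip-config create --resource-group "$RG" --firewall-name "$FW" \
    --name fw-ipconfig --vnet-name "$VNET" --public-ip-address "$PIP"
}

# Step 3a: application rule collection allowing HTTPS from app-vnet to the DevOps FQDNs.
# The portal pre-creates the Default* groups; the CLI has to create them (priority assumed).
add_application_rule() {
  run az network firewall policy rule-collection-group create --resource-group "$RG" \
    --policy-name "$POLICY" --name DefaultApplicationRuleCollectionGroup --priority 300
  run az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name DefaultApplicationRuleCollectionGroup \
    --name app-vnet-fw-rule-collection --collection-priority 200 --action Allow \
    --rule-type ApplicationRule --rule-name AllowAzurePipelines \
    --source-addresses "$APP_SRC" --protocols Https=443 \
    --target-fqdns dev.azure.com azure.microsoft.com
}

# Step 3b: network rule collection allowing DNS (UDP/53) to the two resolvers.
add_network_rule() {
  run az network firewall policy rule-collection-group create --resource-group "$RG" \
    --policy-name "$POLICY" --name DefaultNetworkRuleCollectionGroup --priority 200
  run az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name DefaultNetworkRuleCollectionGroup \
    --name app-vnet-fw-nrc-dns --collection-priority 200 --action Allow \
    --rule-type NetworkRule --rule-name AllowDns \
    --source-addresses "$APP_SRC" --ip-protocols UDP \
    --destination-ports 53 --destination-addresses 1.1.1.1 1.0.0.1
}

# Verification: both provisioning states should print Succeeded.
show_provisioning_state() {
  run az network firewall show --resource-group "$RG" --name "$FW" \
    --query provisioningState --output tsv
  run az network firewall policy show --resource-group "$RG" --name "$POLICY" \
    --query provisioningState --output tsv
}

main() {
  create_firewall_subnet
  create_firewall
  add_application_rule
  add_network_rule
  show_provisioning_state
}

# Only run the full sequence when asked to, so the file can be sourced safely.
if [ "${1:-}" = "apply" ]; then main; fi
```

Run it as `bash fw-build.sh apply` after `az login`; `DRY_RUN=1 bash fw-build.sh apply` only prints the commands, which is a convenient way to review the rule definitions before they touch the subscription. The two `az network firewall show` calls at the end are the scripted form of the provisioning-state check in the portal.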
Conclusion
By completing this project, a fully functional Azure Firewall has been created and configured within the application’s virtual network, ensuring centralized and robust network security. The skilling tasks were successfully achieved by:
- Deploying the Azure Firewall.
- Configuring and managing a firewall policy.
- Setting up an application rule collection to secure access to Azure DevOps.
- Implementing a network rule collection to allow DNS resolution.
This solution enhances the application’s overall security posture by controlling inbound and outbound traffic with precision, while still permitting essential connectivity. It also establishes a scalable and manageable security framework that can evolve with the application’s future requirements. Overall, the project demonstrates the practical application of Azure Firewall in delivering advanced threat protection and centralized security management in a modern cloud environment.