Introduction
As applications scale and attract more users, ensuring secure and controlled network access becomes a critical requirement. Azure Firewall is a fully managed, cloud-native network security service that provides centralized control, advanced filtering, and protection against threats. It enables organizations to apply consistent security policies across workloads while allowing essential communication such as application updates and DNS resolution.
In this guide, you will learn how to create and configure Azure Firewall, build a firewall policy, and add both application and network rules that secure your application virtual network (app-vnet).
Skilling Objectives
By following this walkthrough, you will learn how to:
- Deploy an Azure Firewall into an existing virtual network.
- Configure a firewall policy for centralized management.
- Create an application rule that allows outbound access to Azure DevOps for continuous updates.
- Create a network rule that supports DNS resolution.
Architecture Overview
The solution uses a single application virtual network (app-vnet) that hosts workloads. Azure Firewall is deployed inside a dedicated subnet called AzureFirewallSubnet, where it inspects and filters traffic. A firewall policy defines the security rules:
- An application rule grants the application access to Azure DevOps services.
- A network rule allows DNS resolution.
This design ensures secure outbound communication while maintaining centralized security management.
Step 1: Create Azure Firewall Subnet
Azure Firewall requires a dedicated subnet named AzureFirewallSubnet (a /26 is the smallest prefix Azure Firewall accepts for this subnet).
In the Azure portal, search for Virtual networks and open your application virtual network (app-vnet).
Select Subnets and then choose + Subnet.
Name the subnet AzureFirewallSubnet and assign the address range 10.1.63.0/26.
Step 2: Deploy Azure Firewall
In the Azure portal, search for Firewall and select + Create.
Use resource group RG1 and name the firewall app-vnet-firewall.
Choose the Standard SKU and select East US as the region.
Attach the firewall to the existing virtual network app-vnet.
Create a new firewall policy called fw-policy and a new public IP address called fwpip.
Complete the wizard by selecting Review + create and then Create.
Note: Deployment may take several minutes.
Step 3: Configure Firewall Policy
Add an Application Rule
In the Azure portal, search for Firewall Policies and open fw-policy. Select Application rules and add a new rule collection.
Name it app-vnet-fw-rule-collection, set the priority to 200, and the action to Allow.
Add a rule called AllowAzurePipelines that allows HTTPS traffic from the source address range 10.1.0.0/23 to the fully qualified domain names (FQDNs) dev.azure.com and azure.microsoft.com.
This rule ensures that your application can securely communicate with Azure DevOps for updates.
Add a Network Rule
In fw-policy, open Network rules and add a new rule collection.
Name it app-vnet-fw-nrc-dns, set the priority to 200, and the action to Allow.
Add a rule called AllowDns that permits UDP traffic on port 53 from the source address range 10.1.0.0/23 to the IP addresses 1.1.1.1 and 1.0.0.1.
This rule ensures that DNS queries from the application workloads are resolved successfully.
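To see how the two rules above combine, here is an added Python model of fw-policy (example code written for this post, not Azure's API or the original walkthrough). It follows Azure Firewall's documented processing order: network rule collections are evaluated before application rule collections, the first match is terminating, and anything unmatched falls to the implicit deny. It assumes application rules match on protocol and FQDN only, and it ignores DNAT rules and TLS inspection.

```python
import ipaddress
from dataclasses import dataclass

# Constructed in-memory model of the walkthrough's fw-policy (not the Azure resource schema).
@dataclass
class NetworkRule:
    name: str
    sources: list       # source CIDRs
    protocols: set      # e.g. {"UDP"}
    dest_addrs: list    # destination IPs/CIDRs
    dest_ports: set

@dataclass
class AppRule:
    name: str
    sources: list
    protocols: set      # e.g. {"https"}
    target_fqdns: set

@dataclass
class Collection:
    name: str
    priority: int       # lower number is evaluated first
    action: str         # "Allow" or "Deny"
    rules: list

POLICY = {
    "network": [Collection("app-vnet-fw-nrc-dns", 200, "Allow", [
        NetworkRule("AllowDns", ["10.1.0.0/23"], {"UDP"}, ["1.1.1.1", "1.0.0.1"], {53})])],
    "application": [Collection("app-vnet-fw-rule-collection", 200, "Allow", [
        AppRule("AllowAzurePipelines", ["10.1.0.0/23"], {"https"},
                {"dev.azure.com", "azure.microsoft.com"})])],
}

def _in_any(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)

def evaluate(policy, src, proto, dst=None, port=None, fqdn=None):
    """Return (action, matched rule). Network collections first, then application
    collections, each sorted by priority; first match wins; otherwise implicit deny."""
    for col in sorted(policy["network"], key=lambda c: c.priority):
        for r in col.rules:
            if (proto.upper() in r.protocols and port in r.dest_ports
                    and _in_any(src, r.sources) and dst and _in_any(dst, r.dest_addrs)):
                return col.action, f"{col.name}/{r.name}"
    for col in sorted(policy["application"], key=lambda c: c.priority):
        for r in col.rules:
            if proto.lower() in r.protocols and fqdn in r.target_fqdns and _in_any(src, r.sources):
                return col.action, f"{col.name}/{r.name}"
    return "Deny", "implicit-deny"
```

Running flows through `evaluate` makes the gaps visible: DNS over TCP, plain HTTP to dev.azure.com, and any source outside 10.1.0.0/23 all land on the implicit deny, so they need explicit rules if the workload relies on them.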
Step 4: Verify the Deployment
- In the Azure portal, search for Firewall and open app-vnet-firewall. Confirm that the provisioning state shows Succeeded.
- Next, search for Firewall policies and open fw-policy. Ensure that its provisioning state also shows Succeeded.
Conclusion
In this walkthrough, you created and configured Azure Firewall to secure an application virtual network. You deployed the firewall into a dedicated subnet, created a centralized firewall policy, and added both application and network rules.
With this setup, your application is now protected by a managed firewall service while still maintaining necessary outbound access for updates and DNS resolution. This approach centralizes network security and prepares your environment for future scaling and advanced protection needs.