Lab 3. Azure Firewall - neilhamshaw/azure-security-workshop GitHub Wiki
Azure Firewall is a stateful firewall as a service, with high availability and cloud scalability built-in. The primary use case for the Azure Firewall is to centrally create, enforce and log application and network policies to protect Azure Virtual Network resources. It provides Source Network Address Translation (SNAT) and is integrated with Azure Monitor for logging and analytics.
For an Azure Firewall to work with a Virtual Network, a dedicated subnet called AzureFirewallSubnet must be created within the VNet. This is a fixed requirement.
In addition, the Azure Firewall requires a static Public IP address. This address serves two purposes: it lets external firewalls identify traffic originating from your Azure VNet (outbound SNAT), and it is the destination address for incoming traffic to protected resources when using Destination Network Address Translation (DNAT).
The subnet and Public IP address can be created as part of the Firewall setup steps in section 3.3 if done via the Azure portal, so feel free to jump to this step if the preferred route is to configure this through the user interface. However, if the firewall creation is handled by code, typically the dependent resources would need to be created first. This is covered in section 3.1 for the subnet, and section 3.2 for the Public IP address.
On the Azure Portal create a new subnet in the production-vnet Virtual Network named AzureFirewallSubnet with the IP address space of 10.0.5.0/24.
Alternatively, run the following CLI command to create the subnet:
Parameters:
- --address-prefix: IPv4 CIDR address range for the required subnet
- --name: This property is the name of the subnet and for Azure Firewall, it must be called AzureFirewallSubnet
- --resource-group: The resource group used throughout this workshop
- --vnet-name: The name of the Virtual Network that the firewall will protect
az network vnet subnet create --address-prefix 10.0.5.0/24 --name AzureFirewallSubnet --resource-group <resource-group-name> --vnet-name production-vnet
Once the command has completed, the resource properties will be displayed in the Cloud Shell. In addition, review the subnet list against the production-vnet resource...
Once the subnet has been created in the previous step, the Azure Firewall can be deployed. From the Azure Portal:
- Click Create a resource.
- Enter Firewall in the Search the Marketplace field and select Firewall from the drop-down options list.
- Click Create on the next screen.
- Configure the values for the new Azure Firewall as per the image below.
Please note: The Subscription and Resource group values in the image are for demonstration purposes. Click the Resource group drop-down and select the Resource Group created for the workshop.
Deployment time can typically take about ten minutes. On completion, view the properties of the Firewall and take a note of the Private IP address. This IP address will be used at a later time.
(Image: /images/lab3/Lab3-firewall-private-ip.PNG)
We will work on the Web VM, and we will set the default route of the web-tier subnet to send all traffic through the firewall.
- Create a new Route Table
The Azure CLI command to create the route table is:
az network route-table create --name Firewall-Route --resource-group <resource-group-name> --location <location>
- Create a default route
To create the default route in the Azure Portal follow these steps. (The Azure CLI command follows these steps if you prefer.)
- In the Azure portal, locate and click on the route table resource created in the step above.
- Click Routes in the options on the left.
- Click Add.
- Create the route with the following properties:
  - Route name: FW-DG
  - Address prefix: 0.0.0.0/0
  - Next Hop Type: Select Virtual Appliance. Azure Firewall is actually a managed service, but Virtual Appliance works in this situation.
  - Next Hop Address: type the private IP address for the firewall created above.
- Click OK.
The Azure CLI command to create the default route is:
az network route-table route create --resource-group <resource-group-name> --route-table-name Firewall-Route --name FW-DG --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address <firewall-ip-address>
- Attach the route table to the web subnet
- Click Subnets in the list options for the route table.
- Click Associate.
- Click Virtual network and select ra-ntier-vnet from the list of VNets.
- Choose the web subnet from the list given, and click OK.
To achieve this using the Azure CLI:
az network vnet subnet update --name web --resource-group <resource-group-name> --vnet-name ra-ntier-vnet --route-table Firewall-Route
You may notice that the CLI method attaches the route table to the subnet inside the VNet using the 'network vnet' command subset, rather than setting this as a property on the route table object itself.
We will write a simple rule to enable web traffic to github.com and block anything else. The rule uses the CIDR of the web subnet as the source address, allowing any resources within that tier access to github.com. Therefore existing and future VMs will be allowed to communicate via this rule.
- Click on the firewall resource.
- Under settings, click Rules.
- Click Application rule collection and then click + Add application rule collection.
- Use the following settings for the new collection...
  - Name: App-Coll01
  - Priority: 200
  - Action: Allow
- Add the first rule...
  - Name: AllowGH
  - Source Addresses: 10.0.1.0/24
  - Protocol:Port: http, https
  - Target FQDNs: github.com
- Click Add
After a short time the new application rule will appear in the firewall.
Note: Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific to the platform and cannot be used for other purposes. The allowed infrastructure FQDNs include:
- Compute access to storage Platform Image Repository (PIR).
- Managed disks status storage access.
- Windows Diagnostics.
You can override this built-in infrastructure rule collection by creating a 'deny all' application rule collection, which is processed last. It will always be processed before the infrastructure rule collection. Anything not in the infrastructure rule collection is denied by default.
The idea is to permit DNS traffic to our DNS server through the firewall at the network layer (Layer 3/Layer 4), which is what a network rule, rather than an application rule, controls.
- On the firewall resource, under Rules, click Network rule collection.
- Click + Add network rule collection.
- Use these settings for the new collection...
  - Name: Net-Coll01
  - Priority: 200
  - Action: Allow
- Add the first rule...
  - Name: AllowDNS
  - Protocol: select UDP
  - Source Addresses: type 10.0.1.0/24
  - Destination address: type 168.63.129.16, the IP address for internal DNS resolution
  - Destination Ports: 53.
- Click Add.
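The Azure CLI equivalents of the portal steps above, covering the Public IP from section 3.2, the firewall deployment from 3.3 and both rule collections, as an added example that is not part of the workshop's own material. The resource names fw-pip, production-fw and fw-config, the azure-firewall CLI extension and the resource-group and location placeholders are assumptions; the AzureFirewallSubnet from section 3.1 must already exist.

```shell
# Added example, not from the workshop. Names fw-pip, production-fw and
# fw-config are assumed; AzureFirewallSubnet must already exist (3.1).
# Set AZ=echo to print the commands instead of running them (dry run).
set -eu
RG="${RG:-<resource-group-name>}"
LOCATION="${LOCATION:-<location>}"
VNET="${VNET:-production-vnet}"
FW="${FW:-production-fw}"        # assumed firewall name
PIP="${PIP:-fw-pip}"             # assumed public IP name
WEB_SUBNET_CIDR="10.0.1.0/24"    # source range used by the lab's rules
AZURE_DNS="168.63.129.16"        # platform DNS address used by the lab
az_cmd() { "${AZ:-az}" "$@"; }

# Section 3.2: Azure Firewall needs a static, Standard-SKU public IP.
create_public_ip() {
  az_cmd network public-ip create --name "$PIP" --resource-group "$RG" \
    --location "$LOCATION" --sku Standard --allocation-method Static
}

# Section 3.3: the firewall plus an IP configuration that binds the public IP
# and places the firewall in the VNet's AzureFirewallSubnet.
create_firewall() {
  az_cmd extension show --name azure-firewall >/dev/null 2>&1 \
    || az_cmd extension add --name azure-firewall
  az_cmd network firewall create --name "$FW" --resource-group "$RG" --location "$LOCATION"
  az_cmd network firewall ip-config create --firewall-name "$FW" --name fw-config \
    --public-ip-address "$PIP" --resource-group "$RG" --vnet-name "$VNET"
}

# The private IP is the --next-hop-ip-address for the FW-DG route.
firewall_private_ip() {
  az_cmd network firewall show --name "$FW" --resource-group "$RG" \
    --query "ipConfigurations[0].privateIpAddress" --output tsv
}

# App-Coll01/AllowGH: HTTP and HTTPS from the web tier to github.com only.
create_app_rule() {
  az_cmd network firewall application-rule create --firewall-name "$FW" \
    --resource-group "$RG" --collection-name App-Coll01 --priority 200 --action Allow \
    --name AllowGH --source-addresses "$WEB_SUBNET_CIDR" \
    --protocols Http=80 Https=443 --target-fqdns github.com
}

# Net-Coll01/AllowDNS: UDP/53 from the web tier to the Azure DNS address.
create_net_rule() {
  az_cmd network firewall network-rule create --firewall-name "$FW" \
    --resource-group "$RG" --collection-name Net-Coll01 --priority 200 --action Allow \
    --name AllowDNS --protocols UDP --source-addresses "$WEB_SUBNET_CIDR" \
    --destination-addresses "$AZURE_DNS" --destination-ports 53
}
```

Source the file in Cloud Shell, run it once with AZ=echo to review the commands, then call create_public_ip, create_firewall, create_app_rule and create_net_rule in that order; firewall_private_ip prints the address to use as the next hop of the FW-DG route.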
RDP to the JumpBox and from there to the Web VM. Open a browser and try to go to github.com.
Try going to another site; this action should be blocked:
For more information on Azure Firewall, please refer to the Microsoft Azure Firewall Documentation available at this address: