Virtual Geek

Tales from real IT system administrators world and non-production environment

Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies

In the earlier article I created a few virtual machines in Azure. Below are screenshots of their networking configuration, with the location and private IP address that I will need when configuring Azure Firewall policies to filter traffic in the next few steps.

Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Microsoft Azure Virtual WAN Part 2 - Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity

(Screenshot: first VM's Networking blade in the Azure portal, showing location, virtual network and private IP address)

This is the configuration from another Azure VM.

(Screenshot: second VM's overview, showing subnet, virtual network, public IP address and private IP address)

To configure Azure Firewall policies, go to the resource group and click the Azure Firewall resource associated with the virtual hub (VWAN).

(Screenshot: resource group listing the Azure Firewall resource attached to the virtual hub)

Once you are inside the Azure Firewall resource, note down the firewall's public and private IP addresses (the DNAT rule below needs the public IP, and later routing needs the private IP), then click Firewall Manager to configure and manage this firewall. Inside Firewall Manager, click Azure Firewall Policies in the left pane and click + Create Azure Firewall Policy.

(Screenshot: Azure Firewall overview showing the Firewall Manager link and the firewall's public and private IP addresses)

The Create an Azure Firewall Policy wizard is where you define the network and application level rules used to filter traffic across one or more Azure Firewall instances in secured virtual hubs. Under Project details select the Subscription and Resource Group. Under Policy details provide the policy name and Region.

The portal notes two constraints: a parent policy must be in the same region as the child policy, but a firewall policy can be associated with firewalls in any region regardless of where the policy itself is stored.
A new policy inherits all rule collections from the selected parent policy, and inherited rule collections are always evaluated before the rule collections contained in the new policy.

For this demo the Standard policy tier is enough. Parent Policy is None. Click Next: DNS Settings >.

(Screenshot: Create an Azure Firewall Policy, Basics tab: region, parent policy and policy tier)

On the DNS Settings and TLS inspection tabs I leave both features disabled (TLS inspection is in any case only available on the Premium tier).

(Screenshot: DNS Settings and TLS inspection tabs, both left disabled)

On the Rules tab, click + Add a rule collection. Using the Add a rule collection form, create the following three rule collections, each containing one rule. The three collections share priority 100 but live in different rule collection groups, so the priorities do not collide.

Rule collection 1 

Name: App01
Rule collection type: Application
Priority: 100
Rule collection action: Allow
Rule Collection group:  DefaultApplicationRuleCollectionGroup
     Name: allow-microsoft
     Source type: IP Address
     Source: *
     Protocol: http, https
     TLS inspection: not checked
     Destination Type: FQDN
     Destination: *

Rule collection 2 

Name: dnat-ssh-01
Rule collection type: DNAT
Priority: 100
Rule collection action: Destination Network Address Translation (DNAT)
Rule Collection group:  DefaultDnatRuleCollectionGroup
     Name: allow-ssh
     Source type: IP Address
     Source: *
     Protocol: TCP
     Destination Ports: 22
     Destination Type: IP Address
     Translated Address:
     Translated Port: 22

Rule collection 3 

Name: vnet-ssh
Rule collection type: Network
Priority: 100
Rule collection action: Allow
Rule Collection group:  DefaultNetworkRuleCollectionGroup
     Name: allow-ssh
     Source type: IP Address
     Source: *
     Protocol: TCP
     Destination Ports: 22
     Destination Type: IP Address

After adding the rule collections one by one, click Next: IDPS >. Keep in mind that these are demo rules: Source * on the DNAT rule exposes SSH on the firewall's public IP to the whole Internet, and Destination * on the application rule allows every FQDN. For anything beyond a lab, restrict the DNAT source to your management address range and list only the FQDNs the VMs actually need.

(Screenshot: Add a rule collection form for the application rule collection App01)

(Screenshot: Rules tab listing the App01, dnat-ssh-01 and vnet-ssh rule collections)

Since I selected the Standard tier, nothing can be configured here: IDPS is available only for Premium policies. Click Next: Threat intelligence >.

Threat intelligence based filtering can be enabled on the firewall to alert on, or alert on and block, traffic to and from known malicious IP addresses and domains. The threat intelligence mode set on a parent policy is inherited by default but can be overridden with a stricter setting. For example, if the parent policy is set to Alert only, the child policy can be set to Alert and deny, but it cannot turn threat intelligence off. I leave the default (Alert only) for this demo.

Click Next: Tags >.

(Screenshot: IDPS and Threat intelligence tabs of the wizard)

Click the Review + create button. Once validation passes, verify the settings and click Create.

(Screenshot: Review + create summary of the new firewall policy)

The Azure Firewall policy is now created but not yet applied to anything. Select the policy, open the Manage associations drop-down and choose Associate hubs. As the screenshot below shows, the association is then created.

(Screenshot: Azure Firewall Policies list with Manage associations > Associate hubs)

Select the secured hub to associate the policy with. As the dialog warns, this operation deploys an Azure Firewall into the selected hub if it does not already have one, with an immediate billing impact.

(Screenshot: Secure hubs with Azure Firewall Policy dialog listing the hub, firewall tier, subscription and resource group)

Using the same steps I created a second firewall policy for the other region (West Europe) and associated it with that region's hub and firewall.

(Screenshot: both policies in Firewall Manager with their hub associations and rule collection groups)
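As an added example (this is not code from the original post), here is the same policy and hub association expressed in Terraform with the azurerm provider, which makes the wizard's choices reviewable and repeatable across both regions. The resource group, resource names, the VM private IP 10.1.0.4, the spoke range 10.0.0.0/8 and the admin range 203.0.113.0/24 are assumptions; the virtual_hub_id variable points at the secured hub created in Part 3. The rule collection groups use Azure's default group names and priorities (DNAT 100, Network 200, Application 300), and the two wildcard sources the demo used are narrowed, which is the change you would make before this ran in front of anything real.

```hcl
# Added example, not the post's own configuration. Names, IPs and ranges below are assumptions.
variable "resource_group_name" { default = "rg-vwan-demo" }   # assumption
variable "location"            { default = "eastus" }         # assumption
variable "virtual_hub_id"      { description = "Resource ID of the existing secured virtual hub" }
variable "vm_private_ip"       { default = "10.1.0.4" }       # assumption: VM private IP noted in Part 5
variable "spoke_cidr"          { default = "10.0.0.0/8" }     # assumption: spoke VNet address space
variable "admin_source_cidr"   { default = "203.0.113.0/24" } # assumption: where SSH may come from

resource "azurerm_firewall_policy" "vwan" {
  name                     = "fwpolicy-vwan-eastus"   # assumption
  resource_group_name      = var.resource_group_name
  location                 = var.location
  sku                      = "Standard"               # Standard tier: no IDPS, no TLS inspection
  threat_intelligence_mode = "Alert"                  # wizard default; "Deny" is the stricter option

  dns {
    proxy_enabled = false                             # DNS proxy left disabled, as in the post
  }
}

# Associating the policy with the secured hub is what deploys (or updates) the hub firewall.
resource "azurerm_firewall" "hub" {
  name                = "azfw-hub-eastus"             # assumption
  resource_group_name = var.resource_group_name
  location            = var.location
  sku_name            = "AZFW_Hub"
  sku_tier            = "Standard"                    # must match the policy tier
  firewall_policy_id  = azurerm_firewall_policy.vwan.id

  virtual_hub {
    virtual_hub_id  = var.virtual_hub_id
    public_ip_count = 1
  }
}

resource "azurerm_firewall_policy_rule_collection_group" "dnat" {
  name               = "DefaultDnatRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.vwan.id
  priority           = 100

  nat_rule_collection {
    name     = "dnat-ssh-01"
    priority = 100
    action   = "Dnat"

    rule {
      name                = "allow-ssh"
      protocols           = ["TCP"]
      source_addresses    = [var.admin_source_cidr]   # post used "*" (SSH open to the Internet)
      destination_address = azurerm_firewall.hub.virtual_hub[0].public_ip_addresses[0]
      destination_ports   = ["22"]
      translated_address  = var.vm_private_ip
      translated_port     = "22"
    }
  }
}

resource "azurerm_firewall_policy_rule_collection_group" "network" {
  name               = "DefaultNetworkRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.vwan.id
  priority           = 200

  network_rule_collection {
    name     = "vnet-ssh"
    priority = 100
    action   = "Allow"

    rule {
      name                  = "allow-ssh"
      protocols             = ["TCP"]
      source_addresses      = [var.spoke_cidr]        # post used "*"
      destination_addresses = [var.vm_private_ip]
      destination_ports     = ["22"]
    }
  }
}

resource "azurerm_firewall_policy_rule_collection_group" "application" {
  name               = "DefaultApplicationRuleCollectionGroup"
  firewall_policy_id = azurerm_firewall_policy.vwan.id
  priority           = 300

  application_rule_collection {
    name     = "App01"
    priority = 100
    action   = "Allow"

    rule {
      name = "allow-microsoft"
      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
      source_addresses  = ["*"]
      # Post used ["*"], which allows every FQDN; an explicit list is the production form of the same rule.
      destination_fqdns = ["*.microsoft.com", "*.windowsupdate.com"]
    }
  }
}
```

Keeping the three collections in separate groups mirrors what the portal did silently: rule collection priorities only need to be unique within a group, which is why all three could be 100. The same module with a different location, hub ID and VM address produces the West Europe policy and firewall.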

