Virtual Geek

Tales from real IT system administrators world and non-production environment

Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager

In my earlier article I showed how to create a Virtual Hub under VWAN and convert it to a secured hub. There is another way to create a secured hub, with different steps, using Azure Firewall Manager. Azure Firewall Manager is a security management and administration service that offers central security policy and route management for cloud-based security boundaries. Firewall Manager can deliver security management for two network architecture types: Secured virtual hub and Hub virtual network.

Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity

To start creating and configuring a Virtual Hub using Firewall Manager, search for Firewall Manager in the search bar and click on it.

In Firewall Manager, I am on the Getting Started view page. Here you can view the overall security coverage of the firewall across different networking resources.

From the left side pane, under Deployments, click Virtual Hubs and hit + Create new secured virtual hub. You can see that the hub I created in the earlier part is already listed.

Next, in the Create new secured virtual hub wizard under Firewall Manager, provide the Project details such as Subscription and Resource Group, then choose the Region for the new secured virtual hub (you can't have more than one hub per virtual WAN per region, but you can add multiple virtual WANs in the region to achieve this). Provide the Secured virtual hub name and the Hub address space (you can't have overlapping IP spaces for hubs in a vWAN). Choose an existing vWAN and select the vWAN name. I am keeping "Include VPN gateway to enable Security Partner Providers" unchecked (a VPN gateway is required for Security Partner Provider integration). Click the Next: Firewall > button.
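The two limits noted in this step (one hub per virtual WAN per region, and no overlapping hub address spaces within a vWAN) can be checked before the wizard is submitted. The Python below is an added example, not part of the original article; it assumes hub records shaped like the JSON returned by `az network vhub list` (`name`, `location`, `addressPrefix`, `virtualWan.id`), and every resource name, ID and prefix in it is constructed.

```python
import ipaddress

# Constructed sample data; field names assume the JSON shape of `az network vhub list`.
VWAN = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
        "rg-lab/providers/Microsoft.Network/virtualWans/vwan-lab")
OTHER_VWAN = VWAN.replace("vwan-lab", "vwan-other")
EXISTING_HUBS = [
    {"name": "hub-eastus", "location": "eastus",
     "addressPrefix": "10.0.0.0/24", "virtualWan": {"id": VWAN}},
    {"name": "hub-other", "location": "westus",
     "addressPrefix": "10.1.0.0/24", "virtualWan": {"id": OTHER_VWAN}},
]


def _region(name):
    """Treat the display name 'East US' and the short name 'eastus' as equal."""
    return name.replace(" ", "").lower()


def check_new_hub(existing_hubs, vwan_id, region, address_space):
    """Return the reasons a planned hub would be rejected (empty list = OK)."""
    try:
        # strict=True rejects prefixes with host bits set, e.g. 10.0.0.1/24
        new_net = ipaddress.ip_network(address_space, strict=True)
    except ValueError as exc:
        return [f"invalid hub address space: {exc}"]
    problems = []
    for hub in existing_hubs:
        # Both rules apply per virtual WAN, so hubs of other vWANs are skipped.
        if hub["virtualWan"]["id"].lower() != vwan_id.lower():
            continue
        if _region(hub["location"]) == _region(region):
            problems.append(f"region: {hub['name']} already occupies {region}")
        old_net = ipaddress.ip_network(hub["addressPrefix"], strict=False)
        if new_net.version == old_net.version and new_net.overlaps(old_net):
            problems.append(f"overlap: {new_net} overlaps {hub['name']} ({old_net})")
    return problems


if __name__ == "__main__":
    for plan in [("West US", "10.1.0.0/24"), ("East US", "10.2.0.0/24"),
                 ("westus", "10.0.0.128/25")]:
        print(plan, check_new_hub(EXISTING_HUBS, VWAN, *plan) or "OK")
```

The second sample hub shows why the check is scoped per vWAN: a hub in another virtual WAN does not block the same region or prefix.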

On the Azure Firewall tab, note that secured virtual hubs must have at least one and can have at most two security providers. You may use two security providers to secure different types of connections. You can choose to enable Azure Firewall for this virtual hub and associate a policy. You can also select "None" and associate a policy later.

Keep the Azure Firewall toggle set to Enabled. I am keeping the Azure Firewall tier at Standard, as I don't need the Premium features (as discussed in the earlier article) for this lab. I am keeping Availability zone at None. Enabling Azure Firewall will create an Azure Firewall resource as part of this hub creation process, and this action will have an immediate billing impact. Specify the number of public IP addresses (the default is 1) and the subscription. The Default Deny Policy is selected. Click Next: Security Partner Provider.

I am not using any Security Partner Provider; this is another way to use third-party firewall tools to filter internet traffic. Note: a VPN Gateway is required for Security Partner Provider integration. Click Next: Review + Create.

On the Review + create tab of Firewall Manager (secured virtual hub creation), validation will pass. Verify the settings and click the Create button.

Deployment will take some time, approximately 30 minutes.

Once the deployment is completed, you can verify that a new Azure Firewall resource has been created inside the Resource Group.

Next, verify that the hub was created successfully inside the Virtual WAN.
