In the earlier article I created a few Virtual Machines on Azure. Below are a few screenshots of the Virtual Machines' networking configuration, showing the location and private IP address, which I will need when configuring the Azure Firewall policies to filter traffic in the next few steps.
Microsoft Azure Virtual WAN Part 1 - Create Virtual Network and subnets
Part 2 Create a Virtual WAN (VWAN) on Azure Portal
Microsoft Azure Virtual WAN Part 3 - Create and convert to secured virtual hub inside VWAN
Microsoft Azure Virtual WAN Part 3.1 - Create secured virtual hub inside Azure Firewall Manager
Microsoft Azure Virtual WAN Part 4 - Add Virtual Network connection | Hub vNet Peering
Microsoft Azure Virtual WAN Part 5 - Create Azure Virtual Machine (VM)
Microsoft Azure Virtual WAN Part 6 - Creating and configuring Azure Firewall Policies
Microsoft Azure Virtual WAN Part 7 - Configure security configuration | Route traffic to your secured hub | Test connectivity
This is the configuration from another Azure VM.
To configure Azure Firewall Policies, go to the Resource Group and click on the Azure Firewall resource associated with the Virtual Hub (VWAN).
Once you are inside the Azure Firewall resource, note down the public and private IPs of the Azure Firewall, then click Firewall Manager to open Azure Firewall Manager, where this firewall is configured and managed. Inside Firewall Manager, click Azure Firewall Policies in the left-hand pane and click + Create Azure Firewall Policy.
In the Create an Azure Firewall Policy wizard you define network- and application-level rules for traffic filtering across multiple Azure Firewall instances in Secured Virtual Hubs. Under Project details, select the Subscription and Resource Group. Under Policy details, provide the policy name and Region.
A parent policy must be in the same region as the child policy. A firewall policy can be associated with firewalls across regions regardless of where it is stored.
Your new policy will inherit all rule collections from the selected parent policy below. Rule collections inherited from the parent policy are always prioritized above rule collections that are contained within your new policy.
For this demo the Standard policy tier is enough. Parent policy is None. Click Next: DNS Settings >.
In the DNS Settings and TLS inspection tabs I am keeping these features disabled.
On the Rules tab, click + Add a rule collection. In the Add a rule collection pane, create the three rule collections below, one at a time.
Rule 1
Name: App01
Rule collection type: Application
Priority: 100
Rule collection action: Allow
Rule Collection group: DefaultApplicationRuleCollectionGroup
Rules
Name: allow-microsoft
Source type: IP Address
Source: *
Protocol: http, https
TLS inspection: not checked
Destination Type: FQDN
Destination: *.microsoft.com
Rule 2
Name: dnat-ssh-01
Rule collection type: DNAT
Priority: 100
Rule collection action: Destination Network Address Translation (DNAT)
Rule Collection group: DefaultDnatRuleCollectionGroup
Rules
Name: allow-ssh
Source type: IP Address
Source: *
Protocol: TCP
Destination Ports: 22
Destination Type: IP Address
Destination: 104.40.30.132
Translated Address: 10.0.0.4
Translated Port: 22
Rule 3
Name: vnet-ssh
Rule collection type: Network
Priority: 100
Rule collection action: Allow
Rule Collection group: DefaultNetworkRuleCollectionGroup
Rules
Name: allow-ssh
Source type: IP Address
Source: *
Protocol: TCP
Destination Ports: 22
Destination Type: IP Address
Destination: 10.1.0.4
After adding all the above rule collections one by one, click Next: IDPS >.
Since I selected the Standard tier and IDPS is available only for Premium policies, click Next: Threat intelligence >.
Filtering based on Threat intelligence can be enabled for your firewall to alert on and block traffic to/from known malicious IP addresses and domains. The threat intelligence mode set on a parent policy is inherited by default, but can be overridden with a stricter setting if desired. For example, if the parent policy is set to Alert only, you can set this policy to Alert and deny, but you can't turn threat intelligence off.
Click Next: Tags >.
Click the Review + Create button. Once validation passes, verify the settings and click the Create button.
The Azure Firewall Policy is created. Select the policy, click the Manage associations drop-down box and select Associate hubs. As you can see from the screenshot below, the association has been created.
When associating an Azure Firewall Policy you can select the secured hub. The operation will deploy an Azure Firewall in the selected hub if it doesn't have one deployed yet and will have an immediate billing impact.
Using the same steps I created one more firewall policy for another region (West Europe) and associated it with the hub/firewall in that region.
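The same policy and its three rule collections, built with the Az.Network PowerShell module instead of the portal, as an added example that is not part of the original post. The resource group name, policy name and region are my assumptions; the rule names, addresses and ports are the ones from the three rule collections above, and the DNAT destination is the firewall public IP used in Rule 2.

```powershell
# Added example (not from the original post): recreates the portal-built policy
# with Azure PowerShell. Requires the Az.Network module and a Connect-AzAccount session.
$rg         = "rg-vwan-demo"          # assumed resource group name
$location   = "eastus"                # assumed region (must match the hub's region for a parent/child setup)
$policyName = "vwan-fw-policy-01"     # assumed policy name
$fwPublicIp = "104.40.30.132"         # hub firewall public IP, as used in the post's DNAT rule

# 1. Standard-tier policy with no parent policy. Threat intelligence stays in Alert mode
#    (the default); a child policy may tighten it to Deny but can never switch it off.
$policy = New-AzFirewallPolicy -Name $policyName -ResourceGroupName $rg `
            -Location $location -SkuTier Standard -ThreatIntelMode Alert

# 2. Application rule collection "App01": allow HTTP/HTTPS to *.microsoft.com
$appRule = New-AzFirewallPolicyApplicationRule -Name "allow-microsoft" -SourceAddress "*" `
             -Protocol "http:80","https:443" -TargetFqdn "*.microsoft.com"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "App01" -Priority 100 `
             -Rule $appRule -ActionType Allow

# 3. DNAT rule collection "dnat-ssh-01": SSH arriving on the firewall's public IP
#    is translated to the VM's private address 10.0.0.4
$natRule = New-AzFirewallPolicyNatRule -Name "allow-ssh" -SourceAddress "*" -Protocol TCP `
             -DestinationAddress $fwPublicIp -DestinationPort 22 `
             -TranslatedAddress "10.0.0.4" -TranslatedPort 22
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "dnat-ssh-01" -Priority 100 `
             -Rule $natRule -ActionType Dnat

# 4. Network rule collection "vnet-ssh": allow TCP/22 to the VM at 10.1.0.4
$netRule = New-AzFirewallPolicyNetworkRule -Name "allow-ssh" -SourceAddress "*" -Protocol TCP `
             -DestinationAddress "10.1.0.4" -DestinationPort 22
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "vnet-ssh" -Priority 100 `
             -Rule $netRule -ActionType Allow

# 5. Put each collection in the default rule collection group the portal uses.
#    Group priorities follow the firewall's processing order: DNAT, then network, then application.
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultDnatRuleCollectionGroup" -Priority 100 `
    -RuleCollection $natColl -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultNetworkRuleCollectionGroup" -Priority 200 `
    -RuleCollection $netColl -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultApplicationRuleCollectionGroup" -Priority 300 `
    -RuleCollection $appColl -FirewallPolicyObject $policy

# 6. Read the policy back and list every rule collection, to verify the result
#    before associating the policy with the secured hub in Firewall Manager.
$groups = "DefaultDnatRuleCollectionGroup", "DefaultNetworkRuleCollectionGroup", "DefaultApplicationRuleCollectionGroup"
foreach ($grpName in $groups) {
    $grp = Get-AzFirewallPolicyRuleCollectionGroup -Name $grpName -ResourceGroupName $rg -FirewallPolicyName $policyName
    foreach ($coll in $grp.Properties.RuleCollection) {
        "{0,-40} {1,-15} priority {2}" -f $grpName, $coll.Name, $coll.Priority
    }
}
```

The `*` source on the DNAT and network rules mirrors the post's rules; for a production hub, restrict the DNAT rule's SourceAddress to the management IP ranges that actually need SSH, since that rule publishes port 22 on the firewall's public IP. The hub association itself is done exactly as in the post, through Manage associations > Associate hubs in Firewall Manager.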