Microsoft has introduced a new security feature in Azure, in preview, called Azure Firewall.

Azure Firewall helps you protect your Azure vNet.

Like other on-premises firewall solutions, Azure Firewall supports:

  • FQDN filtering
  • Traffic filtering rules
  • SNAT support
  • Integration with Azure Monitor logging


(diagram courtesy Microsoft)


As this is a preview, there are still a few things to be aware of:

  • If a network security group (NSG) is applied on the firewall subnet, outbound traffic may be blocked. As a workaround, you need to set up a new inbound rule at the NSG level:

Source: VirtualNetwork

Source ports: Any

Destination: Any

Destination Ports: Any

Protocol: All

Access: Allow

  • Just in Time access to a virtual machine may conflict with Azure Firewall. As a workaround, you need to isolate the virtual machine in a vNet which does not route through Azure Firewall

OK, now it's time to set up Azure Firewall.

Setting up Azure Firewall

Setting up Azure Firewall assumes you already have at least one Azure vNet configured; I'm not going to cover the vNet creation in this post.

  • Register your Azure subscription for the Azure Firewall preview using PowerShell

If you don't register your subscription first, you will get the following notification when trying to create your first Azure Firewall:

Register your subscription for the Azure Firewall preview to create a firewall


Run the following commands to connect to Azure and register your subscription.

It is recommended to use the latest version of Azure PowerShell (6.4.0), available here: https://github.com/Azure/azure-powershell/releases/tag/v6.4.0-July2018

Connect-AzureRmAccount

Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network


It may take up to 30 minutes to complete.

You can check the progress with the following commands:

Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network

Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network


Then run the last command:

Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network


  • Connect to your Azure ARM portal and update your vNet so that it has a subnet named AzureFirewallSubnet


  • Then create a new resource and search for Firewall


  • Then you have to fill in the usual fields to create your Azure Firewall (name, subscription, resource group…)


  • That's it, you have created your Azure Firewall. Now it's time to set up your firewall rules.


  • Access the Rules configuration blade to set up your firewall rules; you can define network rules or application rules. Both are configured the same way: a rule name, a priority, an action (allow/deny), source and target addresses, and communication ports. Network rules additionally let you define the protocol (TCP, UDP, ICMP or any)


If you want to automate this with PowerShell, you can take a look at https://docs.microsoft.com/en-us/azure/firewall/scripts/sample-create-firewall-test for a sample PowerShell script.
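The portal steps above (AzureFirewallSubnet, firewall creation, one network rule and one application rule, plus the NSG workaround from the preview notes) put together with the AzureRm cmdlets from the July 2018 module, as an added example that is neither the post's nor Microsoft's sample script. Every resource name, region and address prefix is a constructed placeholder; the cmdlet names and parameters follow the AzureRM.Network 6.x preview and are assumed to still match your module version.

```powershell
# Constructed placeholders: adjust to your own resource group, region and vNet.
$rg       = "rg-firewall-demo"
$location = "westeurope"
$vnetName = "vnet-demo"

# 1. Add the mandatory AzureFirewallSubnet (the subnet name is fixed by Azure) to the existing vNet.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Add-AzureRmVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.255.0/24" -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# 2. The firewall needs a static, Standard SKU public IP (used for SNAT of outbound traffic).
$pip = New-AzureRmPublicIpAddress -Name "pip-fw-demo" -ResourceGroupName $rg -Location $location `
        -AllocationMethod Static -Sku Standard

# 3. Create the firewall itself; this step takes a few minutes.
$fw = New-AzureRmFirewall -Name "fw-demo" -ResourceGroupName $rg -Location $location `
        -VirtualNetworkName $vnetName -PublicIpName $pip.Name

# 4. Network rule (protocol-aware): allow DNS over UDP/53 from the workload subnet to two resolvers.
$dnsRule = New-AzureRmFirewallNetworkRule -Name "Allow-DNS" -Protocol "UDP" `
        -SourceAddress "10.0.1.0/24" -DestinationAddress "10.0.0.4","10.0.0.5" -DestinationPort "53"
$netColl = New-AzureRmFirewallNetworkRuleCollection -Name "NetRC-Core" -Priority 200 `
        -Rule $dnsRule -ActionType "Allow"

# 5. Application rule (FQDN filtering): allow HTTPS only to an explicit FQDN pattern.
#    Anything not matched by an allow rule is denied, so keep the target list narrow.
$appRule = New-AzureRmFirewallApplicationRule -Name "Allow-Updates" -SourceAddress "10.0.1.0/24" `
        -Protocol "https:443" -TargetFqdn "*.update.microsoft.com"
$appColl = New-AzureRmFirewallApplicationRuleCollection -Name "AppRC-Core" -Priority 300 `
        -Rule $appRule -ActionType "Allow"

# 6. Attach both collections to the firewall object and push the configuration.
$fw.NetworkRuleCollections.Add($netColl)
$fw.ApplicationRuleCollections.Add($appColl)
Set-AzureRmFirewall -AzureFirewall $fw | Out-Null

# 7. Preview workaround from the notes above: if an NSG is attached to AzureFirewallSubnet,
#    add the inbound VirtualNetwork/Any/Any/Allow rule so outbound traffic is not blocked.
$nsg = Get-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Name "nsg-firewall-subnet"
Add-AzureRmNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name "Allow-VNet-Inbound" `
        -Direction Inbound -Priority 100 -Access Allow -Protocol "*" `
        -SourceAddressPrefix "VirtualNetwork" -SourcePortRange "*" `
        -DestinationAddressPrefix "*" -DestinationPortRange "*" | Out-Null
Set-AzureRmNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null
```

After the run, `Get-AzureRmFirewall -Name "fw-demo" -ResourceGroupName $rg` should list both rule collections, and the workload subnet still needs a route table sending 0.0.0.0/0 to the firewall's private IP before any traffic actually passes through it.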