Microsoft has introduced a new security feature in Azure, currently in preview, called Azure Firewall.
Azure Firewall is a managed, cloud-based network security service that helps you protect your Azure vNet resources.
Like other on-premises firewall solutions, Azure Firewall supports:
- FQDN filtering
- Traffic filtering rules
- SNAT support
- Integration with Azure Monitor logging
(diagram courtesy Microsoft)
As this is a preview, there are still a few known issues:
- If a network security group (NSG) is applied on the firewall subnet, outbound traffic may be blocked. As a workaround, you need to add a new inbound rule at the NSG level with the settings below. Note that this rule allows all traffic from the VirtualNetwork tag into the firewall subnet, so keep it on that subnet's NSG only and do not reuse it on workload subnets.
Source: VirtualNetwork
Source ports: Any
Destination: Any
Destination ports: Any
Protocol: All
Access: Allow
- Just-in-time (JIT) VM access may conflict with Azure Firewall. As a workaround, you need to isolate the virtual machine in a vNet which does not route through Azure Firewall.
Ok, now it is time to set up Azure Firewall.
Setting up Azure Firewall
Setting up Azure Firewall assumes you already have at least one Azure vNet configured; I'm not going to cover the vNet creation in this post.
- Register your Azure subscription for the Azure Firewall preview using PowerShell
If you don't register your subscription first, you will get the following notification when trying to create your first Azure Firewall:
Register your subscription for the Azure Firewall preview to create a firewall
Run the following commands to connect to Azure and register your subscription.
It is recommended to use the latest version of Azure PowerShell (6.4.0 at the time of writing), available here: https://github.com/Azure/azure-powershell/releases/tag/v6.4.0-July2018
Connect-AzureRmAccount
Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
Feature registration may take up to 30 minutes to complete.
You can check the progress with the following commands; both must report a RegistrationState of Registered before you continue:
Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
Once both features are registered, run the last command to re-register the Microsoft.Network resource provider so the new features are picked up:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network
- Connect to the Azure portal and update your vNet to add a subnet named AzureFirewallSubnet (the name is mandatory; the documented minimum size is /26 so the firewall can scale)
- Then create a new resource and search for Firewall
- Then you have to fill in the usual few fields to create your Azure Firewall (name, subscription, resource group, location, and the vNet containing the AzureFirewallSubnet)
- This is it, you have created your Azure Firewall. Now it is time to set up your firewall rules.
- Access the Rules configuration blade to set up your firewall rules; you can define network rules or application rules, each grouped in a rule collection with a name, a priority and an action (allow/deny). A network rule takes source and destination addresses, destination ports and a protocol (TCP, UDP, ICMP or any); an application rule takes source addresses, a protocol:port (http:80, https:443) and target FQDNs. Keep in mind that everything is denied by default until a rule allows it, and that network rules are evaluated before application rules: if a network rule matches, the application rules are not processed.
If you want to automate this with PowerShell, you can take a look at https://docs.microsoft.com/en-us/azure/firewall/scripts/sample-create-firewall-test for a sample PowerShell script.
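The steps above (feature registration, the AzureFirewallSubnet, the firewall itself and its rules) carried out end to end with the AzureRm cmdlets, as an added example that is not part of the original post or of the Microsoft sample script. It also adds the step the portal walkthrough leaves implicit: a route table on the workload subnet that sends outbound traffic to the firewall's private IP, without which nothing actually flows through the firewall. The resource group, location, vNet name, subnet names, address prefixes and FQDNs are placeholder assumptions to adapt to your environment.

```powershell
# Placeholders (assumptions): adapt to your environment
$RG        = "rg-firewall-demo"
$Location  = "westeurope"
$VNetName  = "vnet-demo"       # existing vNet, e.g. 10.0.0.0/16
$FwSubnet  = "10.0.1.0/26"     # AzureFirewallSubnet, /26 minimum
$WorkSN    = "Workload-SN"     # existing subnet to protect
$WorkPfx   = "10.0.2.0/24"

Connect-AzureRmAccount

# 1. Preview feature registration (same commands as in the post), then poll
#    until both features report Registered, then refresh the provider.
$Features = "AllowRegionalGatewayManagerForSecureGateway", "AllowAzureFirewall"
foreach ($f in $Features) {
    Register-AzureRmProviderFeature -FeatureName $f -ProviderNamespace Microsoft.Network | Out-Null
}
do {
    Start-Sleep -Seconds 30
    $states = foreach ($f in $Features) {
        (Get-AzureRmProviderFeature -FeatureName $f -ProviderNamespace Microsoft.Network).RegistrationState
    }
} while ($states -contains "Registering" -or $states -contains "Pending")
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.Network | Out-Null

# 2. Add the mandatory AzureFirewallSubnet to the existing vNet
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
Add-AzureRmVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -VirtualNetwork $vnet -AddressPrefix $FwSubnet | Out-Null
$vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# 3. Create the firewall with a Standard SKU static public IP (used for SNAT)
$FwPip = New-AzureRmPublicIpAddress -Name "fw-pip" -ResourceGroupName $RG -Location $Location `
            -AllocationMethod Static -Sku Standard
$Azfw  = New-AzureRmFirewall -Name "azfw-demo" -ResourceGroupName $RG -Location $Location `
            -VirtualNetworkName $vnet.Name -PublicIpName $FwPip.Name

# 4. Rules. Default is deny-all; network rules are evaluated before application rules.
#    Network rule: let the workload subnet reach Azure DNS over UDP/53 only.
$DnsRule = New-AzureRmFirewallNetworkRule -Name "AllowAzureDNS" -Protocol UDP `
              -SourceAddress $WorkPfx -DestinationAddress "168.63.129.16" -DestinationPort 53
$NetRC   = New-AzureRmFirewallNetworkRuleCollection -Name "NetRC-Allow" -Priority 100 `
              -Rule $DnsRule -ActionType Allow
#    Application rule: allow outbound HTTP/HTTPS to an explicit FQDN list, nothing else.
$WebRule = New-AzureRmFirewallApplicationRule -Name "AllowUpdates" -SourceAddress $WorkPfx `
              -Protocol "http:80", "https:443" -TargetFqdn "*.windowsupdate.com", "*.microsoft.com"
$AppRC   = New-AzureRmFirewallApplicationRuleCollection -Name "AppRC-Allow" -Priority 200 `
              -Rule $WebRule -ActionType Allow
$Azfw.NetworkRuleCollections     = $NetRC
$Azfw.ApplicationRuleCollections = $AppRC
$Azfw = Set-AzureRmFirewall -AzureFirewall $Azfw

# 5. Force the workload subnet's default route through the firewall's private IP.
#    Without this UDR the firewall exists but is bypassed.
$FwPrivateIp = $Azfw.IpConfigurations[0].PrivateIPAddress
$Route = New-AzureRmRouteConfig -Name "DefaultToFirewall" -AddressPrefix "0.0.0.0/0" `
            -NextHopType VirtualAppliance -NextHopIpAddress $FwPrivateIp
$Rt = New-AzureRmRouteTable -Name "rt-workload" -ResourceGroupName $RG -Location $Location -Route $Route
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $WorkSN -AddressPrefix $WorkPfx -RouteTable $Rt | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

Write-Host "Firewall $($Azfw.Name) private IP: $FwPrivateIp, public IP: $($FwPip.IpAddress)"
```

The rule set is intentionally narrow: one network rule for DNS and one application rule with an explicit FQDN list, relying on the implicit deny for everything else. If you later add a broad network rule (for example TCP/443 to any destination), remember it will match before the application rules and silently bypass the FQDN filtering.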