Skip to main content Link Menu Expand (external link) Document Search Copy Copied
Migrate Windows & SQL workloads to Azure

Task 05 - Deploy and configure Azure Firewall

Introduction

Tailspin Toys is migrating their on-premises SQL Server database to Azure SQL Managed Instance. In this task, you will implement an Azure Firewall to protect network traffic.

Description

In this task, you will implement an Azure Firewall to protect network traffic.

The key tasks are as follows:

  1. Test network traffic from the Virtual Machine to the Internet. You should have access to bing.com.
  2. Deploy Azure Firewall.
  3. Configure rules to block access to bing.com.
  4. Test network traffic from the Virtual Machine to the Internet. Access to bing.com is now blocked.

Success Criteria

  • Azure Firewall is deployed and fully worked as expected.

Solution

Expand this section to view the solution

  1. Sign in to the Azure Portal.

    If you’re using Azure Gov, sign in to the Azure Gov Portal.

  2. Connect to the tailspin-webapp-vm and using Microsoft Edge navigate to https://www.bing.com. You should be able to access Microsoft Bing.

  3. In the Azure portal, in the Search resources, services, and docs text box at the top of the portal, search for tailspin-hub-vnet, then select the found Virtual Network.

  4. Under Settings, select Subnets and then the + Subnet option.

    A Virtual Network pane is shown, with the Subnets sections selected and with the add subnet option highlighted.

  5. On the Add a subnet pane, enter the following values, then select Add.

    • Subnet purpose: Select Azure Firewall.
    • IPv4 Starting address: 10.1.100.0/24

    The Add a subnet pane is shown, with the values entered in to add the Azure Firewall.

  6. In the Azure portal, in the Search resources, services, and docs text box at the top of the portal, search for Firewalls, then select the Firewalls service.

  7. On the Firewalls page, select + Create.

  8. On the Basics tab, enter the following values, then select Add new on the Firewall policy section.

    • Resource group: Select the Resource Group created for this lab. For example: tailspin-rg.
    • Name: Hub-fw
    • Region: Select Sweden Central.
    • Firewall SKU: Standard
    • Firewall management: Use a Firewall Policy to manage this firewall

    The Basics tab of the Create a Firewall is displayed with values entered.

  9. On the Create a new Firewall Policy popup, enter the following values, then select OK.

    • Name: hub-fw-pol
    • Region: Select Sweden Central.

    The Create a new Firewall Policy popup is shown, with the values entered.

  10. On the Basics tab, enter the following values, then select Add new on the Public IP address section.

    • Choose a virtual network: Use existing
    • Virtual network: tailspin-hub-vnet

    The Basics tab of the Create a Firewall is displayed with further values entered.

  11. On the Add a public IP popup, enter the following values, then select OK.

    • Name: Hub-fw-PIP

    The Add a public IP popup is shown, with the values entered.

  12. On the Basics tab, ensure that the Enable Firewall Management NIC option in Not Checked.

    The Basics tab of the Create a Firewall is displayed with another value entered.

  13. Review the values entered, then select Next : Tags >.

    The Basics tab of the Create a Firewall is displayed with the full set of values entered.

  14. On the Tags tab, select Next : Review + create >.

    The Tags tab of the Create a Firewall is displayed with the values entered.

  15. Once the validation passes, select Create.

    Wait for the deployment to complete. This should take about 5 minutes.

    The validation tab of the Create a Firewall is displayed.

  16. In the Azure portal, in the Search resources, services, and docs text box at the top of the portal, search for Resource groups and press the Enter key.

  17. On the Resource groups blade, in the list of resource group, select tailspin-rg entry.

  18. In the list of resources, select the entry representing the Hub-fw firewall.

  19. On the Hub-fw blade, take note of the Private IP address that was assigned to the firewall.

    The Hub-fw overview page is shown with the Private IP highlighted.

  20. In the Azure portal, in the Search resources, services, and docs text box at the top of the portal, search for Route tables, then select the Route tables service.

  21. On the Route tables blade, select + Create.

    The Route tables list with the Create option highlighted.

  22. On the Create Route table pane, enter the following values, then select Review + create, then select Create.

    • Resource group: Select the Resource Group created for this lab. For example: tailspin-rg.
    • Region: Select Sweden Central.
    • Name: Firewall-route

    The Create Route table pane is shown, with the values entered.

  23. On the Route tables blade, click Refresh and, in the list of route tables, select Firewall-route.

    The Route tables list with the Firewall-route entry highlighted.

  24. On the Firewall-route blade, in the Settings section, select Subnets.

    The Firewall-route Route table pane with the Subnets sub-section highlighted.

  25. On the Firewall-route | Subnets blade, select + Associate.

    The Firewall-route Route table Subnets pane with the Associate option highlighted.

  26. On the Associate subnet pane, enter the following values, then select OK.

    • Virtual network: tailspin-spoke-vnet
    • Subnet: default

    The Associate subnet pane is shown, with the values entered.

  27. On the Firewall-route blade, in the Settings section, select Routes.

    The Firewall-route Route table pane with the Routes sub-section highlighted.

  28. On the Firewall-route | Routes blade, select + Add.

    The Firewall-route Route table Routes pane with the Associate option highlighted.

  29. On the Add route pane, enter the following values, then select Add.

    • Route name: FW-DG
    • Destination type: IP Addresses
    • Destination IP addresses/CIDR ranges: 0.0.0.0/0
    • Next hop type: Virtual appliance
    • Next hop address: The private IP address of the firewall that you identified in the previous when creating the Azure Firewall. For example: 10.1.100.4

    The Add route pane is shown, with the values entered.

    Azure Firewall is actually a managed service, but virtual appliance works in this situation.

  30. Connect to the tailspin-webapp-vm and using Microsoft Edge navigate to https://www.bing.com. You should NOT be able to access Microsoft Bing.

  31. In the Azure portal, navigate back to the Hub-fw firewall.

  32. On the Hub-fw blade, in the Firewall policy section, select hub-fw-pol.

    The Hub-fw overview page is shown with the Firewall policy highlighted.

  33. On the hub-fw-pol Firewall Policy blade, in the Settings section, select Application rules.

    The hub-fw-pol Firewall Policy pane with the Application rules sub-section highlighted.

  34. On the hub-fw-pol | Application rules blade, select + Add a rule collection.

    The hub-fw-pol Firewall Policy pane with the Add a rule collection option highlighted.

  35. On the Add a rule collection pane, enter the following values.

    • Name: App-Coll01
    • Priority: 200
    • Action: Allow

    The Add a rule collection pane is shown, with the values entered.

  36. On the Rules section, create a new entry with the following values, then select Add.

    • Name: AllowBing
    • Source type: IP Address
    • Source: 10.2.0.0/24
    • Protocol: http:80,https:443
    • Destination Type: FQDN
    • Destination: www.bing.com

    The Add a rule collection pane Rules section is shown, with the values entered.

  37. Connect to the tailspin-webapp-vm and using Microsoft Edge navigate to https://www.bing.com. You should be able to access Microsoft Bing.