Step-by-Step Guide: Azure Firewall to control access in Azure VNet-to-VNet connection (PowerShell Guide)

When we connect two networks via VPN connection, we only allow certain traffic to pass through (In most scenarios). This is the normal security best practice. We normally use a firewall to do this.

When it comes to Azure, we may also need to connect virtual networks,

• Between Azure and on-premises networks
• Between Azure regions (using VNet-to-VNet)
• Between subscriptions

By using Azure Firewall (https://docs.microsoft.com/en-us/azure/firewall/overview), we can control the traffic between virtual networks. More info about Azure firewall also can find in one of my previous posts http://www.rebeladmin.com/2018/07/step-step-guide-azure-firewall-preview/
In this post, I am going to demonstrate how we can control the traffic between two virtual networks in two regions by using Azure Firewall. This same method can use to control traffic between Azure and on-premises or between subscriptions.

In the demo setup, I am using three virtual networks across two Azure regions.

Azure Firewall – This network is purely to host the Azure firewall and VPN gateway. The gateway in this network will use to perform VNet-to-VNet connectivity with Remote network.

Workloads – This network is the back-end network that will hold the VM workloads. Remote network and workloads network will communicate via the Azure Firewall.

Remote network – This virtual network is in UK South region. It is just to represent the “other” network. This can be your on-premises network, virtual network in the same azure subscription, or virtual network in another azure subscription.

Connectivity

In the above two types of connection been used between virtual networks.

VNet-to-VNet via Azure VPN Gateways – In this method, virtual networks are connected through public internet. In the demo, we are using the same method to connect Azure firewall network and Remote network.

VNet Peering – With VNet peering, virtual networks are connected via the Azure network backbone. In our scenarios, we are using this method to connect Azure firewall network with workloads network. If we compare this with on-premises network, it is similar to the connection between your local network and edge firewall.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0

Setup Azure Firewall Network

The first step of the configuration is to create a new resource group in East US.

To do that,

1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is RG group name and East US is the location.

3. The next step is to create a new virtual network under REBELRG1 resource group.

$fwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “AzureFirewallSubnet” -AddressPrefix 10.0.0.0/24

$gwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.0.1.0/24

$eusfwvnet = New-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $fwsubn1,$gwsubn1

EUSFWVnet1‘s address space is 10.0.0.0/16. It is a class B IP address range. We have two subnets under it.

AzureFirewallSubnet (10.0.0.0/24) – This subnet will be used by Azure Firewall. Azure firewall only can be created in a subnet with name ‘AzureFirewallSubnet
GatewaySubnet (10.0.1.0/24) – This subnet is going to be used by Azure VPN Gateway. The subnet must be named as ‘GatewaySubnet‘ to support the configuration.

Setup Azure VPN Gateway in Azure Firewall network

1. The next step of the configuration is to create public IP address to use with Azure VPN gateway. To do that,

$gatewayip1 = New-AzPublicIpAddress -Name EUSFWVnet1GW1 -ResourceGroupName REBELRG1 -Location “East US” -AllocationMethod Dynamic

In the above, EUSFWVnet1GW1 is the name for the new public IP address. VPN Gateway only supports Dynamic Public IP address allocation. So, it is been set using -AllocationMethod.
2. Before we create the gateway, we need to create ip configuration.

$fwvnet1 = Get-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1
$fwgwsubnet1 = Get-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $eusfwvnet
$eusfwgw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name eusfwgw1ipconf1 -Subnet $fwgwsubnet1 -PublicIpAddress $gatewayip1

In above, New-AzVirtualNetworkGatewayIpConfig command used to create an IP configuration for gateway (using previously created gateway subnet & public IP addresses)

3. Finally, we can create the gateway using,

New-AzVirtualNetworkGateway -Name EUSFWGW1 -ResourceGroupName REBELRG1 -Location “East US” -IpConfigurations $eusfwgw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

In the above, the new VPN gateway is called EUSFWGW1. Its SKU is set to VpnGw1.

Setup Azure Firewall

The next step of the configuration is to set up Azure Firewall.

1. The first step of the firewall configuration process is to set up public IP address for it. We can do it using,

$fwip1 = New-AzPublicIpAddress -Name EUSFWIP1 -ResourceGroupName REBELRG1 -Location “East US” -AllocationMethod Static -Sku Standard

In the above, the public IP allocation method is static and SKU is set to standard.

2. Then we can set up Azure firewall using,

$EUSFW = New-AzFirewall -Name EUSFW01 -ResourceGroupName REBELRG1 -Location “East US” -VirtualNetworkName EUSFWVnet1 -PublicIpName EUSFWIP1

In the above firewall is using the EUSFWVnet1 virtual network.

3. Once the firewall is up, we need to gather its private IP information to use later in this configuration.

$EUSFWPrivateIP = $EUSFW.IpConfigurations.privateipaddress
$EUSFWPrivateIP

Setup Azure Firewall Rules

Now we have Azure firewall in place. The next step is to create a firewall rule for testing.

1. In this setup, I like to allow RDP access from the Remote network to virtual machines in workloads network. To do that, I am going to use the following firewall rule.

$fwrule1 = New-AzFirewallNetworkRule -Name “AllowRDP” -Protocol TCP -SourceAddress 10.1.0.0/24 -DestinationAddress 10.2.0.0/16 -DestinationPort 3389

In the above, the source address is VM subnet of the remote network. The destination address is the address space of the workloads network.

2. Once the rule is created, we need to associate it to rule collection.

$fwrulecollection = New-AzFirewallNetworkRuleCollection -Name RDPAccess -Priority 100 -Rule $fwrule1 -ActionType “Allow”

$EUSFW.NetworkRuleCollections = $fwrulecollection

3. Then write the configuration to the firewall using,

Set-AzFirewall -AzureFirewall $EUSFW

Setup Remote Network

1. Let’s go ahead and create a new resource group in UK South region before we go ahead with the network configuration.

New-AzResourceGroup -Name REBELRG2 -Location “UK South”

In the above, REBELRG2 is the resource group names and it is created in UK South region.

2. The next step of the configuration is to create the new virtual network UKSVnet1. This VNet contains two subnets.

VM Network – 10.1.0.0/24
Gateway subnet – 10.1.1.0/24

In the above, VM network is going to use for virtual machines and Gateway Subnet is going to use for the VPN gateway setup.

$subn2 = New-AzVirtualNetworkSubnetConfig -Name VMNet1 -AddressPrefix 10.1.0.0/24

$gwsubn2 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.1.1.0/24

$uksouthvnet = New-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName REBELRG2 -Location “UK South” -AddressPrefix 10.1.0.0/16 -Subnet $subn2,$gwsubn2

Setup Azure VPN gateway in Remote Network

1. Before we create a gateway, first we need to create public IP address for it.

$gatewayip2 = New-AzPublicIpAddress -Name UKSVnet1GW1 -ResourceGroupName REBELRG2 -Location “UK South” -AllocationMethod Dynamic

In the above, UKSVnet1GW1 is the name for the new public IP address. VPN Gateway only supports Dynamic Public IP address allocation. So, it is been set using -AllocationMethod.

2. Then we need to create IP configuration,

$vnet2 = Get-AzVirtualNetwork -Name UKSVnet1 -ResourceGroupName REBELRG2
$gwsubnet2 = Get-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet2
$uksgw1ipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name uksgw1ipconf1 -Subnet $gwsubnet2 -PublicIpAddress $gatewayip2

In above, New-AzVirtualNetworkGatewayIpConfig command used to create an IP configuration for gateway (using previously created gateway subnet & public IP addresses)

3. After, we can create VPN gateway using,

New-AzVirtualNetworkGateway -Name UKSGW1 -ResourceGroupName REBELRG2 -Location “UK South” -IpConfigurations $uksgw1ipconf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

In the above, the new VPN gateway is called UKSGW1. Its SKU is set to VpnGw1.

Setup Workloads Network

1. The next step of the configuration is to set up a virtual network for workloads. Let’s start by setting up a new resource group.

New-AzResourceGroup -Name REBELRG3 -Location “East US”

In the above, REBELRG3 is the resource group names and it is created in East US region.

2. The new virtual network EUSFVnet1 contains two subnets.

VM Network – 10.2.0.0/24
Gateway subnet – 10.2.1.0/24

$subn3 = New-AzVirtualNetworkSubnetConfig -Name VMNet2 -AddressPrefix 10.2.0.0/24

$gwsubn3 = New-AzVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.2.1.0/24

$workloadvnet = New-AzVirtualNetwork -Name EUSFVnet1 -ResourceGroupName REBELRG3 -Location “East US” -AddressPrefix 10.2.0.0/16 -Subnet $subn3,$gwsubn3

Create VPN Gateway connections

According to the plan, we need to initiate VNet-to-VNet connection between Azure Firewall network and Remote network. To do that we can use,

$fwgw = Get-AzVirtualNetworkGateway -Name EUSFWGW1 -ResourceGroupName REBELRG1
$uksgw = Get-AzVirtualNetworkGateway -Name UKSGW1 -ResourceGroupName REBELRG2

New-AzVirtualNetworkGatewayConnection -Name fwgwtouksgw -ResourceGroupName REBELRG1 -VirtualNetworkGateway1 $fwgw -VirtualNetworkGateway2 $uksgw -Location “East US” -ConnectionType Vnet2Vnet -SharedKey ‘Rebel123’

New-AzVirtualNetworkGatewayConnection -Name uksgwtofwgw -ResourceGroupName REBELRG2 -VirtualNetworkGateway1 $uksgw -VirtualNetworkGateway2 $fwgw -Location “UK South” -ConnectionType Vnet2Vnet -SharedKey ‘Rebel123’

In the above, I am using the Vnet2Vnet connection type. I am also using pre-shared key ‘Rebel123’ to authenticate. This can be changed to a value you want.

To verify the connection from EUSFWVnet1 to EUSFVnet1, we can use the following command,

Get-AzVirtualNetworkGatewayConnection -Name fwgwtouksgw -ResourceGroupName REBELRG1

To verify the connection from EUSFVnet1 to EUSFWVnet1 we can use,

Get-AzVirtualNetworkGatewayConnection -Name uksgwtofwgw -ResourceGroupName REBELRG2

As we can see the connections are established successfully.

Create VNet Peering between Azure Firewall virtual network and Workloads network

Azure VNET peering allows connecting virtual networks seamlessly via Azure backbone infrastructure. This is similar to inter-VLAN routing in on-premises networks. We can initiate VNet peering between Azure Firewall virtual network and Workloads network by using,

Add-AzVirtualNetworkPeering -Name FWtoWorkloads -VirtualNetwork $eusfwvnet -RemoteVirtualNetworkId $workloadvnet.Id -AllowGatewayTransit
Add-AzVirtualNetworkPeering -Name WorkloadstoFW -VirtualNetwork $workloadvnet -RemoteVirtualNetworkId $eusfwvnet.Id -AllowForwardedTraffic -UseRemoteGateways

When initiate peering from firewall network to workloads, we have to use -AllowGatewayTransit parameter to allow gatewayLinks to be used in workload virtual network’s link.
Peering from workloads network to firewall network uses -AllowForwardedTraffic parameter to allows the forwarded traffic. -UseRemoteGateways parameter is also in use to allow remote gateways.

Create Routes

Workloads network sits behind the firewall network. To control traffic, we need to process incoming and outgoing traffic to workloads network through Azure firewall.
To do that,
1. Let’s go ahead and create a new route table.

$routetable1 = New-AzRouteTable -Name REBELRouteTable1 -ResourceGroupName REBELRG1 -Location “East US”

In the above, we created a new route table called REBELRouteTable1 in the Azure firewall resource group.

2. The next step is to create a route to process traffic to workloads network via Azure firewall private IP.

Get-AzRouteTable -ResourceGroupName REBELRG1 -Name REBELRouteTable1 | Add-AzRouteConfig -Name routetoworkloads -AddressPrefix 10.2.0.0/16 -NextHopType “VirtualAppliance” -NextHopIpAddress $EUSFWPrivateIP | Set-AzRouteTable

3. Then we need to associate it with firewall network’s subnet gateway.

Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $eusfwvnet -Name “GatewaySubnet” -AddressPrefix 10.0.1.0/24 -RouteTable $routetable1 | Set-AzVirtualNetwork

4. We also need to create a new route table for the default route.

$routetable2 = New-AzRouteTable -Name REBELdefaultroute -ResourceGroupName REBELRG1 -Location “East US” -DisableBgpRoutePropagation

Here we are using -DisableBgpRoutePropagation parameter to disable BGP route auto propagation.

5. Then let’s go ahead and create default route for workloads VM subnet to process traffic via Azure firewall private IP.

Get-AzRouteTable -ResourceGroupName REBELRG1 -Name REBELdefaultroute | Add-AzRouteConfig -Name tofirewall -AddressPrefix 0.0.0.0/0 -NextHopType “VirtualAppliance” -NextHopIpAddress $EUSFWPrivateIP | Set-AzRouteTable

6. Once it is created, we need to associate the route table with the workloads network’s VM subnet.

Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $workloadvnet -Name VMNet2 -AddressPrefix 10.2.0.0/24 -RouteTable $routetable2 | Set-AzVirtualNetwork

This completes the configuration tasks.

Testing

For testing purposes, first I am going to create virtual machine in workloads network.

$mylogin = Get-Credential

New-AzVm -ResourceGroupName REBELRG3 -Name “REBELTVM01” -Location “East US” -VirtualNetworkName “EUSFVnet1” -SubnetName “VMNet2” -addressprefix 10.2.0.0/24 -PublicIpAddressName “REBELVM01IP1” -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating a virtual machine called REBELTVM01 in workloads VM network. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, it uses EUSFVnet1 virtual network and subnet 10.2.0.0/24.
In theory, this VM should not need public IP address as we are going to access it via private ip. But I created it to show that we can’t the VM through public IP.

I also need a test VM in a remote network.

New-AzVm -ResourceGroupName REBELRG2 -Name “REBELTVM02” -Location “UK South” -VirtualNetworkName “UKSVnet1” -SubnetName “VMNet1” -addressprefix 10.1.0.0/24 -PublicIpAddressName “REBELVM02IP1” -OpenPorts 3389 -Image win2019datacenter -Size Standard_D2s_v3 -Credential $mylogin

In the above, I am creating a virtual machine called REBELTVM02 in a remote VM network. It is running windows server 2019 data center edition. I have specified it using -Image parameter. It also using Standard_D2s_v3 vm size. For networking, it uses UKSVnet1 virtual network and subnet 10.1.0.0/24.

In the end, we have two virtual machines with the following config.

Virtual Machine Resource Group Virtual Network VM Subnet IP Address
REBELTVM01 REBELRG3 EUSFVnet1 VMNet2 10.2.0.4
REBELTVM02 REBELRG2 UKSVnet1 VMNet1 10.1.0.4

According to firewall rules in place, we only should be able to access the VM in workloads network from remote network 10.2.0.0/16. So, if I try to access the VM via public iP address should fail.

As expected, we can’t initiate the connection.

Then let’s go ahead and test the connectivity from remote network VM (REBELTVM02).

Here we should use the internal IP address of the REBELTVM01.

As expected, the session was initiated.

If we look into firewall rule, we created before, this traffic is only one way.

New-AzFirewallNetworkRule -Name “AllowRDP” -Protocol TCP -SourceAddress 10.1.0.0/24 -DestinationAddress 10.2.0.0/16 -DestinationPort 3389

If I try to initiate RDP connection from REBELTVM01 to REBELTVM02, it fails.

So, let’s try creating a new firewall rule to allow RDP traffic from REBELTVM01 to REBELTVM02.

$fwrule2 = New-AzFirewallNetworkRule -Name “AllowRDPtoRemote” -Protocol TCP -SourceAddress 10.2.0.0/24 -DestinationAddress 10.1.0.0/24 -DestinationPort 3389
$fwrulecollection2 = New-AzFirewallNetworkRuleCollection -Name RDPAccesstoRemote -Priority 200 -Rule $fwrule2 -ActionType “Allow”

$EUSFW.NetworkRuleCollections = $fwrulecollection, $fwrulecollection2

Set-AzFirewall -AzureFirewall $EUSFW

Note: Make sure to mention the rule collection you created with the first firewall rule ($fwrulecollection). Otherwise, it will replace with the new one.

After updating the firewall rules, now I can initiate the RDP connection from REBELTVM01 to REBELTVM02.

As we can see now the traffic between two networks is managed by Azure firewall.

All the commands used in the demo is available as a script under https://github.com/rebeladm/rebeladm/blob/master/AzureFirewallforVNets.ps1

This marks the end of this blog post. I hope now you have a better understanding of how to use Azure firewall to control traffic between Azure VNets. If you have any further questions about this feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.