I have a web server running in my on-premises network. I like to allow access to it from the internet via TCP port 443. To do that, I need to create two types of rules in my edge firewall. I need a NAT (Network Address Translation) rule to map a public IP address to the private IP address of the webserver. I also need an ACL rule to allow only relevant traffic (TCP 443). This ensures the traffic to web server from the public is protecting via edge firewall. In Azure, we can use the same topology to filter inbound internet traffic. For that, we have to use Azure Firewall Destination Network Address Translation (Azure Firewall DNAT). This is doing the same thing what NAT rule does but Microsoft calls it as DNAT. In this demo, I am going to demonstrate how to set up Azure Firewall and how to use it to filter incoming internet traffic.
In my demo environment, I have two virtual networks.
• EUSFWVnet1 – This network hosts the Azure firewall.
• EUSWorkVnet1 – This virtual network is the production network. This is where I create VMs.
The above two networks are connected using Azure VNet Peering method. With VNet peering, virtual networks are connected via the Azure backbone network. If we compare this with on-premises network, it is similar to the connection between your local network and edge firewall.
So, in this setup, I am going to allow RDP access to a virtual machine in EUSWorkVnet1 over the internet via Azure Firewall.
For the configuration process, I will be using PowerShell. Therefore, please make sure you have an Azure PowerShell module installed. More info about it can find under https://docs.microsoft.com/en-us/powershell/azure/install-az-ps?view=azps-3.8.0
Setup Resource Group
The first step of the configuration is to create a new resource group. Both virtual networks and other services will be using the same resource group.
To do that,
1. Launch PowerShell console and connect to Azure using Connect-AzAccount
2. Create a new resource group using New-AzResourceGroup -Name REBELRG1 -Location “East US”. Here REBELRG1 is the resource group name and East US is the location.
Setup Azure Firewall Network
The next step is to create a new virtual network for Azure Firewall under REBELRG1 resource group.
$fwsubn1 = New-AzVirtualNetworkSubnetConfig -Name “AzureFirewallSubnet” -AddressPrefix 10.0.0.0/24
$eusfwvnet = New-AzVirtualNetwork -Name EUSFWVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.0.0.0/16 -Subnet $fwsubn1
EUSFWVnet1’s address space is 10.0.0.0/16. It is a class B IP address range. We have one subnet under it. AzureFirewallSubnet (10.0.0.0/24) will be used by Azure Firewall. Azure firewall only can be created in a subnet with name ‘AzureFirewallSubnet’
Setup Production Network
The next step of the configuration is to set up a virtual network for production workloads.
$worksubn1 = New-AzVirtualNetworkSubnetConfig -Name WorkSubnet -AddressPrefix 10.2.0.0/24
$workvnet = New-AzVirtualNetwork -Name EUSWorkVnet1 -ResourceGroupName REBELRG1 -Location “East US” -AddressPrefix 10.2.0.0/16 -Subnet $worksubn1
EUSWorkVnet1’s address space is 10.2.0.0/16. We have one subnet under it called WorkSubnet. This is the subnet we will use for the virtual machine.