Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When you connect your on-premises network to an Azure virtual network to create a hybrid network, the ability to control access to your Azure network resources is an important part of an overall security plan.
Using Azure Firewall Manager, you can create a hub virtual network to secure your hybrid network traffic destined to private IP addresses, Azure PaaS, and the Internet. You can use Azure Firewall Manager to control network access in a hybrid network using policies that define allowed and denied network traffic.
Firewall Manager also supports a secured virtual hub architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?
For this tutorial, you create three virtual networks:
VNet-Hub - the firewall is in this virtual network.
VNet-Spoke - the spoke virtual network represents the workload located on Azure.
VNet-Onprem - The on-premises virtual network represents an on-premises network. In an actual deployment, it can be connected using either a VPN or ExpressRoute connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located virtual network is used to represent an on-premises network.
In this tutorial, you learn how to:
- Create a firewall policy
- Create the virtual networks
- Configure and deploy the firewall
- Create and connect the VPN gateways
- Peer the hub and spoke virtual networks
- Create the routes
- Create the virtual machines
- Test the firewall
Prerequisites
A hybrid network uses the hub-and-spoke architecture model to route traffic between Azure VNets and on-premises networks. The hub-and-spoke architecture has the following requirements:
To route the spoke subnet traffic through the hub firewall, you need a User Defined route (UDR) that points to the firewall with the Virtual network gateway route propagation setting disabled. This option prevents route distribution to the spoke subnets. This prevents learned routes from conflicting with your UDR.
Configure a UDR on the hub gateway subnet that points to the firewall IP address as the next hop to the spoke networks. No UDR is required on the Azure Firewall subnet, as it learns routes from BGP.
See the Create Routes section in this tutorial to see how these routes are created.
Note
Azure Firewall must have direct Internet connectivity. If your AzureFirewallSubnet learns a default route to your on-premises network via BGP, you must override this with a 0.0.0.0/0 UDR with the NextHopType value set as Internet to maintain direct Internet connectivity.
Azure Firewall can be configured to support forced tunneling. For more information, see Azure Firewall forced tunneling.
Note
Traffic between directly peered VNets is routed directly even if a UDR points to Azure Firewall as the default gateway. To send subnet to subnet traffic to the firewall in this scenario, a UDR must contain the target subnet network prefix explicitly on both subnets.
If you don't have an Azure subscription, create a free account before you begin.
Create a Firewall Policy
Sign in to the Azure portal.
In the Azure portal search bar, enter Firewall Manager. Select Firewall Policies in the search results.
Select + Create.
In Create an Azure Firewall Policy, select your subscription, and for Resource group, select Create new and create a resource group named FW-Hybrid-Test.
For the policy name, enter Pol-Net01.
For Region, select East US.
Select Next : DNS Settings.
Select Next : TLS inspection
Select Next:Rules.
Select Add a rule collection.
For Name, enter RCNet01.
For Rule collection type, select Network.
For Priority, enter 100.
For Action, select Allow.
Under Rules, for Name, enter AllowWeb.
Select IP Address in Source type.
For Source, enter 192.168.1.0/24.
For Protocol, select TCP.
For Destination Ports, enter 80.
For Destination Type, select IP Address.
For Destination, enter 10.6.0.0/16.
Select Add.
Select Review + Create.
Review the details and then select Create.
Create the firewall hub virtual network
Note
The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see Azure Firewall FAQ.
In the search box at the top of the portal, enter Virtual network. Select Virtual network in the search results.
Select Create.
For Subscription, select your subscription.
For Resource group, select FW-Hybrid-Test.
For Name, enter VNet-Hub.
For Region, select East US.
Select Next.
On the Security, select Next.
For IPv4 address space, enter 10.5.0.0/16.
Under Subnets, select default.
For Subnet purpose, select Azure Firewall.
For Starting address, enter 10.5.0.0/26.
Accept the other default settings, and then select Save.
Select Review + create.
Select Create.
Add another subnet with a subnet purpose set to Virtual Network Gateway with a starting address of 10.5.1.0/27. This subnet is used for the VPN gateway.
Create the spoke virtual network
In the search box at the top of the portal, enter Virtual network. Select Virtual network in the search results.
Select Create.
For Subscription, select your subscription.
For Resource group, select FW-Hybrid-Test.
For Name, enter VNet-Spoke.
For Region, select East US.
Select Next.
On the Security page, select Next.
Select Next : IP Addresses.
For IPv4 address space, enter 10.6.0.0/16.
Under Subnets, select default.
Change the Name to SN-Workload.
For Starting address, enter 10.6.0.0/24.
Accept the other default settings, and then select Save.
Select Review + create.
Select Create.
Create the on-premises virtual network
In the search box at the top of the portal, enter Virtual network. Select Virtual network in the search results.
Select Create.
For Subscription, select your subscription.
For Resource group, select FW-Hybrid-Test.
For Virtual network name, enter VNet-Onprem.
For Region, select East US.
Select Next.
On the Security page, select Next.
For IPv4 address space, enter 192.168.0.0/16.
Under Subnets, select default.
Change the Name to SN-Corp.
For Starting address, enter 192.168.1.0/24.
Accept the other default settings, and then select Save.
Select Add a subnet.
For Subnet purpose, select Virtual Network Gateway.
For Starting address enter 192.168.2.0/27.
Select Add.
Select Review + create.
Select Create.
Configure and deploy the firewall
When security policies are associated with a hub, it's referred to as a hub virtual network.
Convert the VNet-Hub virtual network into a hub virtual network and secure it with Azure Firewall.
In the Azure portal search bar, enter Firewall Manager and press Enter.
In the right pane, select Overview.
On the Azure Firewall Manager page, under Add security to virtual networks, select View hub virtual networks.
Under Virtual Networks, select the check box for VNet-Hub.
Select Manage Security, and then select Deploy a Firewall with Firewall Policy.
On the Convert virtual networks page, under Azure Firewall tier, select Premium. Under Firewall Policy, select the check box for Pol-Net01.
Select Next : Review + confirm
Review the details and then select Confirm.
This takes a few minutes to deploy.
After deployment completes, go to the FW-Hybrid-Test resource group, and select the firewall.
Note the firewall Private IP address on the Overview page. You use it later when you create the default route.
Deploy Azure Bastion
Deploy Azure Bastion Developer edition to securely connect to the virtual machines for testing.
In the search box at the top of the portal, enter Bastion. Select Bastions from the search results.
Select Create.
On the Create a Bastion page, enter or select the following values:
Setting Value Project details Subscription Select your Azure subscription. Resource group Select FW-Hybrid-Test. Instance details Name Enter Bastion-Hub. Region Select East US. Tier Select Developer. Virtual network Select VNet-Hub. Subnet The AzureBastionSubnet is created automatically with address space 10.5.2.0/26. Select Review + create.
Review the settings and select Create.
The deployment takes a few minutes to complete.
Create and connect the VPN gateways
The hub and on-premises virtual networks are connected via VPN gateways.
Create a VPN gateway for the hub virtual network
Now create the VPN gateway for the hub virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
In the search box at the top of the portal, enter virtual network gateway. Select Virtual network gateways in the search results.
Select Virtual network gateway, and select Create.
For Name, enter GW-hub.
For Region, select (US) East US.
For Gateway type, select VPN.
For SKU, select VpnGw2.
For Generation, select Generation2.
For Virtual network, select VNet-Hub.
For Public IP address, select Create new, and enter VNet-Hub-GW-pip for the name.
For Enable active-active mode, select Disabled.
Accept the remaining defaults and then select Review + create.
Review the configuration, then select Create.
Create a VPN gateway for the on-premises virtual network
Now create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
In the search box at the top of the portal, enter virtual network gateway. Select Virtual network gateways in the search results.
Select Virtual network gateway, and select Create.
For Name, enter GW-Onprem.
For Region, select (US) East US.
For Gateway type, select VPN.
For SKU, select VpnGw2.
For Generation, select Generation2.
For Virtual network, select VNet-Onprem.
For Public IP address, select Create new, and enter VNet-Onprem-GW-pip for the name.
For Enable active-active mode, select Disabled.
Accept the remaining defaults and then select Review + create.
Review the configuration, then select Create.
Create the VPN connections
Now you can create the VPN connections between the hub and on-premises gateways.
In this step, you create the connection from the hub virtual network to the on-premises virtual network. A shared key is referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. It takes some time to create the connection.
Open the FW-Hybrid-Test resource group and select the GW-hub gateway.
In the left column, under Settings, select Connections.
Select Add.
For the connection name, enter Hub-to-Onprem.
Select VNet-to-VNet for Connection type.
Select Next : Settings.
For the First virtual network gateway, select GW-hub.
For the Second virtual network gateway, select GW-Onprem.
For Shared key (PSK), enter AzureA1b2C3.
Select Review + create.
Select Create.
Create the on-premises to hub virtual network connection. This step is similar to the previous one, except you create the connection from VNet-Onprem to VNet-Hub. Make sure the shared keys match. The connection will be established after a few minutes.
Open the FW-Hybrid-Test resource group and select the GW-Onprem gateway.
Select Connections in the left column.
Select Add.
For the connection name, enter Onprem-to-Hub.
Select VNet-to-VNet for Connection type.
Select Next : Settings.
For the First virtual network gateway, select GW-Onprem.
For the Second virtual network gateway, select GW-hub.
For Shared key (PSK), enter AzureA1b2C3.
Select OK.
Verify the connection
After about five minutes or so after the second network connection is deployed, the status of both connections should be Connected.
Peer the hub and spoke virtual networks
Now peer the hub and spoke virtual networks.
Open the FW-Hybrid-Test resource group and select the VNet-Hub virtual network.
In the left column, select Peerings.
Select Add.
Under Remote virtual network summary:
Setting name Value Peering link name SpoketoHub Virtual network deployment model Resource Manager Subscription <your subscription> Virtual network VNet-Spoke Allow 'VNet-Spoke' to access 'VNet-Hub' selected Allow 'VNet-Spoke' to receive forwarded traffic from 'VNet-Hub' selected Allow gateway or route server in 'VNet-Spoke' to forward traffic to 'VNet-Hub' not selected Enable 'VNet-Spoke' to use 'VNet-Hub's' remote gateway or route server selected Under Local virtual network summary:
Setting name Value Peering link name HubtoSpoke Allow 'VNet-Hub' to access 'VNet-Spoke' selected Allow 'VNet-Hub' to receive forwarded traffic from 'VNet-Spoke' selected Allow gateway or route server in 'VNet-Hub' to forward traffic to 'VNet-Spoke' selected Enable 'VNet-Hub' to use 'VNet-Spoke's' remote gateway or route server not selected Select Add.
Create the routes
Next, create a couple routes:
A route from the hub gateway subnet to the spoke subnet through the firewall IP address
A default route from the spoke subnet through the firewall IP address
From the Azure portal home page, select Create a resource.
In the search text box, enter route table and press Enter.
Select Route table.
Select Create.
Select the FW-Hybrid-Test for the resource group.
For Region, select East US.
For the name, enter UDR-Hub-Spoke.
Select Review + Create.
Select Create.
After the route table is created, select it to open the route table page.
Select Routes in the left column.
Select Add.
For the route name, enter ToSpoke.
For Destination type, select IP addresses.
For Destination IP addresses/CIDR ranges, enter 10.6.0.0/16.
For next hop type, select Virtual appliance.
For next hop address, enter the firewall's private IP address that you noted earlier.
Select Add.
Now associate the route to the subnet.
On the UDR-Hub-Spoke - Routes page, select Subnets.
Select Associate.
Under Virtual network, select VNet-Hub.
Under Subnet, select GatewaySubnet.
Select OK.
Now create the default route from the spoke subnet.
From the Azure portal home page, select Create a resource.
In the search text box, enter route table and press Enter.
Select Route table.
Select Create.
Select the FW-Hybrid-Test for the resource group.
For Region, select East US.
For the name, enter UDR-DG.
For Propagate gateway routes, select No.
Select Review + create.
Select Create.
After the route table is created, select it to open the route table page.
Select Routes in the left column.
Select Add.
For the route name, enter ToHub.
For Destination type, select IP addresses
For Destination IP addresses/CIDR ranges, enter 0.0.0.0/0.
For next hop type, select Virtual appliance.
For next hop address, enter the firewall's private IP address that you noted earlier.
Select Add.
Now associate the route to the subnet.
On the UDR-DG - Routes page, select Subnets.
Select Associate.
Under Virtual network, select VNet-spoke.
Under Subnet, select SN-Workload.
Select OK.
Create virtual machines
Now create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.
Create the workload virtual machine
Create a virtual machine in the spoke virtual network with a web server, with no public IP address.
From the Azure portal home page, select Create a resource.
In the search box at the top of the portal enter Virtual machine, select Virtual machines in the search results.
Select Create > Virtual machine.
Enter or select these values for the virtual machine:
Setting Value Project details Subscription Select your Azure subscription. Resource group Select FW-Hybrid-Test. Instance details Virtual machine name Enter VM-Spoke-01. Region Select East US. Availability options Select No infrastructure redundancy required. Security type Select Standard. Image Select Ubuntu Server 24.04 LTS -x64 Gen2 Size Select a size for the virtual machine. Administrator account Username Enter azureuser. SSH public key source Select Generate new key pair. Key pair name Enter VM-Spoke-01_key. Under Inbound port rules, Public inbound ports, select None.
Select Next: Disks.
Accept the defaults and select Next: Networking.
Select VNet-Spoke for the virtual network and the subnet is SN-Workload.
For Public IP, select None.
Select Review + create.
Review the settings on the summary page, and then select Create.
When prompted, select Download private key and create resource. Save the private key file to your computer.
After the deployment completes, note the private IP address for later use.
Install a web server
Connect to the virtual machine and install a web server for testing.
On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the FW-Hybrid-Test resource group.
Select the VM-Spoke-01 virtual machine.
Select Operations > Run command > RunShellScript.
In the script box, enter the following commands:
sudo apt-get update sudo apt-get install -y nginx echo "<html><body><h1>VM-Spoke-01</h1><p>Hybrid network test page</p></body></html>" | sudo tee /var/www/html/index.htmlSelect Run.
Wait for the script to complete successfully.
Create the on-premises virtual machine
This is a virtual machine that you use to connect through Azure Bastion to test the firewall.
From the Azure portal home page, select Create a resource.
In the search box at the top of the portal enter Virtual machine, select Virtual machines in the search results.
Select Create > Virtual machine.
Enter or select these values for the virtual machine:
Setting Value Project details Subscription Select your Azure subscription. Resource group Select FW-Hybrid-Test. Instance details Virtual machine name Enter VM-Onprem. Region Select East US. Availability options Select No infrastructure redundancy required. Security type Select Standard. Image Select Ubuntu Server 24.04 LTS -x64 Gen2 Size Select a size for the virtual machine. Administrator account Username Enter azureuser. SSH public key source Select Generate new key pair. Key pair name Enter VM-Onprem_key. Under Inbound port rules, Public inbound ports, select None.
Select Next: Disks.
Accept the defaults and select Next: Networking.
Select VNet-Onprem for the virtual network and verify the subnet is SN-Corp.
For Public IP, select None.
Select Review + create.
Review the settings on the summary page, and then select Create.
When prompted, select Download private key and create resource. Save the private key file to your computer.
After the deployment completes, note the private IP address for later use.
Test the firewall
Now, test the firewall to confirm that it works as expected.
Connect to VM-Onprem virtual machine using Azure Bastion and the SSH key you downloaded:
- From the Azure portal, select the VM-Onprem virtual machine.
- Select Connect > Connect > Connect via Bastion.
- For Authentication Type, select SSH Private Key from Local File.
- For Username, enter azureuser.
- For Local File, select Upload a file and browse to the VM-Onprem_key.pem file you downloaded earlier.
- Select Connect.
From the SSH session, test the web server on VM-Spoke-01 using its private IP address (you can find this on the VM-Spoke-01 Overview page):
curl http://10.0.1.4You should see the HTML response from the VM-Spoke-01 web page:
<html><body><h1>VM-Spoke-01</h1><p>Hybrid network test page</p></body></html>Close the Bastion SSH session.
So now you verified that the firewall rules are working:
- You can browse the web server on the spoke virtual network.
Next, change the firewall network rule collection action to Deny to verify that the firewall rules work as expected.
Open the FW-Hybrid-Test resource group and select the Pol-Net01 firewall policy.
Under Settings, select Rule Collections.
Select the RCNet01 rule collection.
For Rule collection action, select Deny.
Select Save.
Close any existing remote desktops and browsers on VM-Onprem before testing the changed rules. After the rule collection update is complete, run the tests again. They should all fail to connect this time.
Clean up resources
You can keep your firewall resources for further investigation, or if no longer needed, delete the FW-Hybrid-Test resource group to delete all firewall-related resources.