Deploy and configure Azure Firewall Basic (preview) and policy using the Azure portal

Important

Azure Firewall Basic is currently in PREVIEW. See the Supplemental Terms of Use for Microsoft Azure Previews for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.

Azure Firewall Basic provides the essential protection SMB customers need at an affordable price point. This solution is recommended for SMB customer environments with less than 250 Mbps throughput requirements. It is recommended to deploy the Standard SKU for environments with more than 250 Mbps throughput requirements and the Premium SKU for advanced threat protection.

Filtering network and application traffic is an important part of an overall network security plan. For example, you may want to limit access to web sites. Or, you may want to limit the outbound IP addresses and ports that can be accessed.

One way you can control both inbound and outbound network access from an Azure subnet is with Azure Firewall and Firewall Policy. With Azure Firewall and Firewall Policy, you can configure:

  • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
  • Network rules that define source address, protocol, destination port, and destination address.
  • DNAT rules to translate and filter inbound Internet traffic to your subnets.

Network traffic is subjected to the configured firewall rules when you route your network traffic to the firewall as the subnet default gateway.

For this how-to, you create a simplified single VNet with three subnets for easy deployment. The Firewall Basic Preview has a mandatory requirement to be configured with a management NIC.

  • AzureFirewallSubnet - the firewall is in this subnet.
  • AzureFirewallManagementSubnet - for service management traffic.
  • Workload-SN - the workload server is in this subnet. This subnet's network traffic goes through the firewall.

For production deployments, a hub and spoke model is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.

In this how-to, you learn how to:

  • Set up a test network environment
  • Deploy a basic firewall and basic firewall policy
  • Create a default route
  • Configure an application rule to allow access to www.google.com
  • Configure a network rule to allow access to external DNS servers
  • Configure a NAT rule to allow a remote desktop to the test server
  • Test the firewall

If you prefer, you can complete this procedure using Azure PowerShell.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Enable Firewall Basic

For the preview, you must enable the Firewall Basic feature on your subscription.

Connect-AzAccount
Select-AzSubscription -Subscription "subscription_id or subscription_name"
Register-AzProviderFeature -FeatureName AzureFirewallBasic -ProviderNamespace Microsoft.Network
Register-AzResourceProvider -ProviderNamespace Microsoft.Network

Create a resource group

The resource group contains all the resources for the how-to.

  1. Sign in to the Azure portal at https://portal.azure.com.
  2. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Create.
  3. For Subscription, select your subscription.
  4. For Resource group name, enter Test-FW-RG.
  5. For Region, select a region. All other resources that you create must be in the same region.
  6. Select Review + create.
  7. Select Create.

Deploy the firewall and policy

Deploy the firewall and create associated network infrastructure.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Type firewall in the search box and press Enter.

  3. Select Firewall and then select Create.

  4. On the Create a Firewall page, use the following table to configure the firewall:

    Setting Value
    Subscription <your subscription>
    Resource group Test-FW-RG
    Name Test-FW01
    Region Select the same location that you used previously
    Firewall Tier Basic (Preview)
    Firewall management Use a Firewall Policy to manage this firewall
    Firewall policy Add new:
    fw-test-pol
    Your selected region
    Policy tier should default to Basic
    Choose a virtual network Create new
    Name: Test-FW-VN
    Address space: 10.0.0.0/16
    Subnet address space: 10.0.0.0/26
    Public IP address Add new:
    Name: fw-pip
    Management - Subnet address space 10.0.1.0/26
    Management public IP address Add new
    fw-mgmt-pip
  5. Accept the other default values, then select Review + create.

  6. Review the summary, and then select Create to create the firewall.

    This will take a few minutes to deploy.

  7. After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.

  8. Note the firewall private and public IP (fw-pip) addresses. You'll use these addresses later.

Create a subnet for the workload server

Next, create a subnet for the workload server.

  1. Go to the Test-FW-RG resource group and select the Test-FW-VN virtual network.
  2. Select Subnets.
  3. Select Subnet.
  4. For Subnet name, type Workload-SN.
  5. For Subnet address range, type 10.0.2.0/24.
  6. Select Save.

Create a virtual machine

Now create the workload virtual machine, and place it in the Workload-SN subnet.

  1. On the Azure portal menu or from the Home page, select Create a resource.

  2. Select Windows Server 2019 Datacenter.

  3. Enter these values for the virtual machine:

    Setting Value
    Resource group Test-FW-RG
    Virtual machine name Srv-Work
    Region Same as previous
    Image Windows Server 2019 Datacenter
    Administrator user name Type a user name
    Password Type a password
  4. Under Inbound port rules, Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Next: Monitoring.

  11. Select Disable to disable boot diagnostics. Accept the other defaults and select Review + create.

  12. Review the settings on the summary page, and then select Create.

  13. After the deployment completes, select the Srv-Work resource and note the private IP address for later use.

Create a default route

For the Workload-SN subnet, configure the outbound default route to go through the firewall.

  1. On the Azure portal menu, select All services or search for and select All services from any page.
  2. Under Networking, select Route tables.
  3. Select Create.
  4. For Subscription, select your subscription.
  5. For Resource group, select Test-FW-RG.
  6. For Region, select the same location that you used previously.
  7. For Name, type Firewall-route.
  8. Select Review + create.
  9. Select Create.

After deployment completes, select Go to resource.

  1. On the Firewall-route page, select Subnets and then select Associate.

  2. Select Virtual network > Test-FW-VN.

  3. For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route, otherwise your firewall won't work correctly.

  4. Select OK.

  5. Select Routes and then select Add.

  6. For Route name, type fw-dg.

  7. For Address prefix destination, select IP Addresses.

  8. For Destination IP addresses/CIDR ranges, type 0.0.0.0/0.

  9. For Next hop type, select Virtual appliance.

    Azure Firewall is actually a managed service, but virtual appliance works in this situation.

  10. For Next hop address, type the private IP address for the firewall that you noted previously.

  11. Select Add.

Configure an application rule

This is the application rule that allows outbound access to www.google.com.

  1. Open the Test-FW-RG, and select the fw-test-pol firewall policy.
  2. Select Application rules.
  3. Select Add a rule collection.
  4. For Name, type App-Coll01.
  5. For Priority, type 200.
  6. For Rule collection action, select Allow.
  7. Under Rules, for Name, type Allow-Google.
  8. For Source type, select IP address.
  9. For Source, type 10.0.2.0/24.
  10. For Protocol:port, type http, https.
  11. For Destination Type, select FQDN.
  12. For Destination, type www.google.com
  13. Select Add.

Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see Infrastructure FQDNs.

Configure a network rule

This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).

  1. Select Network rules.
  2. Select Add a rule collection.
  3. For Name, type Net-Coll01.
  4. For Priority, type 200.
  5. For Rule collection action, select Allow.
  6. For Rule collection group, select DefaultNetworkRuleCollectionGroup.
  7. Under Rules, for Name, type Allow-DNS.
  8. For Source type, select IP Address.
  9. For Source, type 10.0.2.0/24.
  10. For Protocol, select UDP.
  11. For Destination Ports, type 53.
  12. For Destination type select IP address.
  13. For Destination, type 209.244.0.3,209.244.0.4.
    These are public DNS servers operated by Level3.
  14. Select Add.

Configure a DNAT rule

This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.

  1. Select the DNAT rules.
  2. Select Add a rule collection.
  3. For Name, type rdp.
  4. For Priority, type 200.
  5. For Rule collection group, select DefaultDnatRuleCollectionGroup.
  6. Under Rules, for Name, type rdp-nat.
  7. For Source type, select IP address.
  8. For Source, type *.
  9. For Protocol, select TCP.
  10. For Destination Ports, type 3389.
  11. For Destination Type, select IP Address.
  12. For Destination, type the firewall public IP address (fw-pip).
  13. For Translated address, type the Srv-work private IP address.
  14. For Translated port, type 3389.
  15. Select Add.

Change the primary and secondary DNS address for the Srv-Work network interface

For testing purposes in this how-to, configure the server's primary and secondary DNS addresses. This isn't a general Azure Firewall requirement.

  1. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the Test-FW-RG resource group.
  2. Select the network interface for the Srv-Work virtual machine.
  3. Under Settings, select DNS servers.
  4. Under DNS servers, select Custom.
  5. Type 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box.
  6. Select Save.
  7. Restart the Srv-Work virtual machine.

Test the firewall

Now, test the firewall to confirm that it works as expected.

  1. Connect a remote desktop to firewall public IP address (fw-pip) and sign in to the Srv-Work virtual machine.

  2. Open Internet Explorer and browse to https://www.google.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the Google home page.

  4. Browse to http://www.microsoft.com.

    You should be blocked by the firewall.

So now you've verified that the firewall rules are working:

  • You can connect a remote desktop to the Srv-Work virtual machine.
  • You can browse to the one allowed FQDN, but not to any others.
  • You can resolve DNS names using the configured external DNS server.

Clean up resources

You can keep your firewall resources for further testing, or if no longer needed, delete the Test-FW-RG resource group to delete all firewall-related resources.

Next steps