Create an Azure Firewall test environment
This script sample creates a firewall and a test network environment. The network has one VNet with three subnets: an AzureFirewallSubnet, a ServersSubnet, and a JumpboxSubnet. The ServersSubnet and JumpboxSubnet each contain one 2-core Windows Server.
Note
We recommend that you use the Azure Az PowerShell module to interact with Azure. See Install Azure PowerShell to get started. To learn how to migrate to the Az PowerShell module, see Migrate Azure PowerShell from AzureRM to Az.
The firewall is in the AzureFirewallSubnet and is configured with an Application Rule Collection containing a single rule that allows access to www.microsoft.com.
A user defined route is created that points the network traffic from the ServersSubnet through the firewall, where the firewall rules are applied.
You can run the script from the Azure Cloud Shell, or from a local PowerShell installation.
If you run PowerShell locally, this script requires Azure PowerShell. To find the installed version, run Get-Module -ListAvailable Az.
If you need to upgrade, you can use PowerShellGet, which is built into Windows 10 and Windows Server 2016.
Note
Other Windows versions require you to install PowerShellGet before you can use it.
You can run Get-Module -Name PowerShellGet -ListAvailable | Select-Object -Property Name,Version,Path to determine whether it is installed on your system. If the output is blank, you need to install the latest Windows Management Framework.
For more information, see Install Azure PowerShell
Any existing Azure PowerShell installation done with the Web Platform installer will conflict with the PowerShellGet installation and needs to be removed.
Remember that if you run PowerShell locally, you also need to run Connect-AzAccount to create a connection with Azure.
If you don't have an Azure subscription, create an Azure free account before you begin.
Sample script
# Resource group name and location
$RG = "AzfwSampleScriptEastUS"
$Location = "East US"

# User credentials for the JumpBox and Server VMs (sample password; replace it for anything beyond a throwaway test)
$securePassword = ConvertTo-SecureString 'P@$$W0rd010203' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("AzfwUser", $securePassword)

# Create the resource group
New-AzResourceGroup -Name $RG -Location $Location

# Create the VNet
$VnetName = $RG + "Vnet"
New-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName -AddressPrefix 192.168.0.0/16 -Location $Location

# Configure the three subnets. The firewall's subnet must be named AzureFirewallSubnet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
Add-AzVirtualNetworkSubnetConfig -Name AzureFirewallSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.1.0/24
Add-AzVirtualNetworkSubnetConfig -Name JumpBoxSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.0.0/24
Add-AzVirtualNetworkSubnetConfig -Name ServersSubnet -VirtualNetwork $vnet -AddressPrefix 192.168.2.0/24
Set-AzVirtualNetwork -VirtualNetwork $vnet

# Create public IPs: a Standard SKU IP for the firewall and a Basic SKU IP for the jumpbox
$LBPipName = $RG + "PublicIP"
$LBPip = New-AzPublicIpAddress -Name $LBPipName -ResourceGroupName $RG -Location $Location -AllocationMethod Static -Sku Standard
$JumpBoxpip = New-AzPublicIpAddress -Name "JumpHostPublicIP" -ResourceGroupName $RG -Location $Location -AllocationMethod Static -Sku Basic

# Create an inbound network security group rule for RDP (TCP port 3389).
# SourceAddressPrefix * accepts RDP from any address; narrow it to your management range outside a test environment.
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name myNetworkSecurityGroupRuleRDP -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow

# Create a network security group holding the RDP rule
$NsgName = $RG + "NSG"
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RG -Location $Location -Name $NsgName -SecurityRules $nsgRuleRDP

# Create the jumpbox. Subnets are looked up by name rather than by position in the Subnets list.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
$JumpBoxSubnetId = ($vnet.Subnets | Where-Object Name -eq 'JumpBoxSubnet').Id

# Create a network interface with the jumpbox public IP and the NSG attached
$JumpBoxNic = New-AzNetworkInterface -Name JumpBoxNic -ResourceGroupName $RG -Location $Location -SubnetId $JumpBoxSubnetId -PublicIpAddressId $JumpBoxpip.Id -NetworkSecurityGroupId $nsg.Id
$JumpBoxConfig = New-AzVMConfig -VMName JumpBox -VMSize Standard_DS1_v2 | Set-AzVMOperatingSystem -Windows -ComputerName JumpBox -Credential $cred | Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version latest | Add-AzVMNetworkInterface -Id $JumpBoxNic.Id
New-AzVM -ResourceGroupName $RG -Location $Location -VM $JumpBoxConfig

# Create the server VM (no public IP; it is reached through the jumpbox and egresses through the firewall)
$ServersSubnetId = ($vnet.Subnets | Where-Object Name -eq 'ServersSubnet').Id
$ServerVmNic = New-AzNetworkInterface -Name ServerVmNic -ResourceGroupName $RG -Location $Location -SubnetId $ServersSubnetId
$ServerVmConfig = New-AzVMConfig -VMName ServerVm -VMSize Standard_DS1_v2 | Set-AzVMOperatingSystem -Windows -ComputerName ServerVm -Credential $cred | Set-AzVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2012-R2-Datacenter" -Version latest | Add-AzVMNetworkInterface -Id $ServerVmNic.Id
New-AzVM -ResourceGroupName $RG -Location $Location -VM $ServerVmConfig

# Create the Azure Firewall in AzureFirewallSubnet, using the Standard SKU public IP
$GatewayName = $RG + "Azfw"
$Azfw = New-AzFirewall -Name $GatewayName -ResourceGroupName $RG -Location $Location -VirtualNetworkName $vnet.Name -PublicIpName $LBPip.Name

# Add an application rule collection that allows HTTP/HTTPS to *microsoft.com
$Azfw = Get-AzFirewall -ResourceGroupName $RG
$Rule = New-AzFirewallApplicationRule -Name R1 -Protocol "http:80","https:443" -TargetFqdn "*microsoft.com"
$RuleCollection = New-AzFirewallApplicationRuleCollection -Name RC1 -Priority 100 -Rule $Rule -ActionType "Allow"
$Azfw.ApplicationRuleCollections = $RuleCollection
Set-AzFirewall -AzureFirewall $Azfw

# Create a user-defined route that sends all traffic (0.0.0.0/0) to the firewall's private IP
$Azfw = Get-AzFirewall -ResourceGroupName $RG
$AzfwRouteName = $RG + "AzfwRoute"
$AzfwRouteTableName = $RG + "AzfwRouteTable"
$IlbCA = $Azfw.IpConfigurations[0].PrivateIPAddress
$AzfwRoute = New-AzRouteConfig -Name $AzfwRouteName -AddressPrefix 0.0.0.0/0 -NextHopType VirtualAppliance -NextHopIpAddress $IlbCA
$AzfwRouteTable = New-AzRouteTable -Name $AzfwRouteTableName -ResourceGroupName $RG -Location $Location -Route $AzfwRoute

# Associate the route table with ServersSubnet. Refresh the VNet object first so it reflects the firewall's IP configuration.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
$ServersSubnet = $vnet.Subnets | Where-Object Name -eq 'ServersSubnet'
$ServersSubnet.RouteTable = $AzfwRouteTable
Set-AzVirtualNetwork -VirtualNetwork $vnet
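Once the sample script has finished, it is worth confirming that the pieces that actually enforce the design are in place: that ServersSubnet's default route really points at the firewall's private IP, that the application rule collection allows exactly the intended FQDN, and that the jumpbox NSG exposes nothing beyond RDP. The following check script is an added example and is not part of the original sample; it assumes the same resource group, VNet, NSG, rule collection and rule names the script above creates, and reports any mismatch as a finding.

```powershell
# Added verification example (not part of the original sample script).
# Assumes the resource names created by the sample: $RG, $RG+"Vnet", $RG+"NSG", collection RC1, rule R1.
$RG       = "AzfwSampleScriptEastUS"
$VnetName = $RG + "Vnet"

$vnet        = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VnetName
$azfw        = Get-AzFirewall -ResourceGroupName $RG
$fwPrivateIp = $azfw.IpConfigurations[0].PrivateIPAddress
$findings    = @()

# 1. ServersSubnet must carry a route table whose 0.0.0.0/0 route has the firewall as next hop.
$serversSubnet = $vnet.Subnets | Where-Object Name -eq 'ServersSubnet'
if (-not $serversSubnet.RouteTable) {
    $findings += "ServersSubnet has no route table associated; traffic bypasses the firewall"
} else {
    $rtName  = ($serversSubnet.RouteTable.Id -split '/')[-1]
    $rt      = Get-AzRouteTable -ResourceGroupName $RG -Name $rtName
    $default = $rt.Routes | Where-Object AddressPrefix -eq '0.0.0.0/0'
    if (-not $default) {
        $findings += "Route table $rtName has no 0.0.0.0/0 route"
    } elseif ($default.NextHopType -ne 'VirtualAppliance' -or $default.NextHopIpAddress -ne $fwPrivateIp) {
        $findings += "Default route next hop is $($default.NextHopType)/$($default.NextHopIpAddress); expected VirtualAppliance/$fwPrivateIp"
    }
}

# 2. The firewall must contain the expected application rule collection and rule.
$rc = $azfw.ApplicationRuleCollections | Where-Object Name -eq 'RC1'
if (-not $rc) {
    $findings += "Application rule collection RC1 not found on firewall $($azfw.Name)"
} else {
    $rule = $rc.Rules | Where-Object Name -eq 'R1'
    if (-not $rule -or $rc.Action.Type -ne 'Allow' -or ($rule.TargetFqdns -notcontains '*microsoft.com')) {
        $findings += "Rule R1 in RC1 does not allow *microsoft.com as expected"
    }
    # Any additional collections widen the allowed egress beyond what the sample intends.
    $extra = $azfw.ApplicationRuleCollections | Where-Object Name -ne 'RC1'
    foreach ($c in $extra) { $findings += "Unexpected application rule collection $($c.Name) present" }
}

# 3. The jumpbox NSG should allow inbound TCP/3389 only; warn when the source is unrestricted.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $RG -Name ($RG + "NSG")
foreach ($r in $nsg.SecurityRules) {
    if ($r.Direction -ne 'Inbound' -or $r.Access -ne 'Allow') { continue }
    if ($r.DestinationPortRange -notcontains '3389') {
        $findings += "NSG rule $($r.Name) allows inbound ports $($r.DestinationPortRange -join ',') beyond RDP"
    }
    if ($r.SourceAddressPrefix -contains '*') {
        Write-Warning "NSG rule $($r.Name) accepts inbound traffic from any source; restrict SourceAddressPrefix to a management range outside a test environment"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "Environment matches the expected firewall, route and NSG configuration"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run this from the same session used for the sample (after Connect-AzAccount). The checks rely only on the resource objects returned by Get-AzVirtualNetwork, Get-AzFirewall, Get-AzRouteTable and Get-AzNetworkSecurityGroup, so they can be re-run at any time to detect drift, for example if someone later removes the route table association from ServersSubnet.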
Clean up deployment
Run the following command to remove the resource group, VM, and all related resources:
Remove-AzResourceGroup -Name AzfwSampleScriptEastUS -Force
Script explanation
This script uses the following commands to create a resource group, virtual network, and network security groups. Each command in the following table links to command-specific documentation:
| Command | Notes |
|---|---|
| New-AzResourceGroup | Creates a resource group in which all resources are stored. |
| New-AzVirtualNetworkSubnetConfig | Creates a subnet configuration object. |
| New-AzVirtualNetwork | Creates an Azure virtual network and front-end subnet. |
| New-AzNetworkSecurityRuleConfig | Creates security rules to be assigned to a network security group. |
| New-AzNetworkSecurityGroup | Creates NSG rules that allow or block specific ports to specific subnets. |
| Set-AzVirtualNetworkSubnetConfig | Associates NSGs to subnets. |
| New-AzPublicIpAddress | Creates a public IP address to access the VM from the internet. |
| New-AzNetworkInterface | Creates virtual network interfaces and attaches them to the virtual network's front-end and back-end subnets. |
| New-AzVMConfig | Creates a VM configuration. This configuration includes information such as VM name, operating system, and administrative credentials. The configuration is used during VM creation. |
| New-AzVM | Creates a virtual machine. |
| Remove-AzResourceGroup | Removes a resource group and all resources contained within. |
| New-AzFirewall | Creates a new Azure Firewall. |
| Get-AzFirewall | Gets an Azure Firewall object. |
| New-AzFirewallApplicationRule | Creates a new Azure Firewall application rule. |
| Set-AzFirewall | Commits changes to the Azure Firewall object. |
Next steps
For more information on Azure PowerShell, see the Azure PowerShell documentation.