Previous

Next

Exercise - Route network traffic through Azure Firewall

Completed

In the previous exercise, you deployed Azure Firewall. Now you need to route all network traffic through the firewall, and filter the traffic by using firewall rules. When you're done, Azure Firewall will protect outbound network traffic for Azure Virtual Desktop.

Route all traffic through the firewall

For the subnet the host pool uses, configure the outbound default route to go through the firewall. You'll complete the following three steps:

1. Create a route table in the same resource group as your host pool VMs and firewall.
2. Associate the route table to the subnet that your host pool VMs use.
3. On the route table, add the route to the firewall.

After you complete those steps, all traffic will route to Azure Firewall.

Create route table

First, you'll create a route table named firewall-route.

1. In the Azure portal, search for and select Route tables.

2. Select + Create.

3. Use the following values:

   Field	Value
   Subscription	Your subscription
   Resource group	learn-firewall-rg
   Region	Select the same location that you used previously.
   Name	firewall-route

   

4. Select Review + create > Create.

5. After deployment completes, select Go to resource.

Associate route table to the workload's subnet

Now, you'll associate firewall-route to the host pool's subnet.

1. On firewall-route, under Settings, select Subnets.

2. Select + Associate.

3. Select the following values:

   Field	Value
   Virtual network	hostVNet
   Subnet	hostSubnet

4. Select OK and wait until the association is added.

Add route to route table

The last step is to add a route to Azure Firewall on the route table. After you complete this step, all network traffic on the host pool virtual network will route through Azure Firewall.

1. Under Settings, select Routes.

   

2. Select + Add.

3. Enter the following values:

   Field	Value
   Route name	fw-rt
   Destination type	IP Addresses
   Destination IP addresses/CIDR ranges	0.0.0.0/0
   Next hop type	Virtual appliance
   Next hop address	Paste in the Firewall private IP address from the previous exercise unit. This can be found under your Firewall page, listed as Firewall private IP.

   

4. Select Add.

Create an application rule collection

By default, the firewall denies access to everything, so you need to configure conditions under which traffic is allowed through the firewall.

Create an application rule collection with rules to allow Azure Virtual Desktop access to several fully qualified domain names (FQDNs).

1. In the Azure portal, search for and select Firewalls.

2. Select the learn-fw firewall.

3. Under Settings, select Rules (classic).

4. Select the Application rule collection tab, and select Add application rule collection.

5. Enter the following information:

   Field	Value
   Name	app-coll01
   Priority	200
   Action	Allow

6. Under Rules, in the FQDNs tags section, enter the following information:

   Field	Value
   Name	allow-virtual-desktop
   Source type	IP address
   Source	Address space for hostVNet, like 10.0.0.0/16
   FQDN tags	Windows Virtual Desktop

7. Under Rules, in the Target FQDNs section, enter the following information:

   Field	Value
   Name	allow-storage-service-bus-accounts
   Source type	IP address
   Source	Address space for hostVNet, like 10.0.0.0/16
   Protocol:Port	https
   Target FQDNs	*xt.blob.core.windows.net, *eh.servicebus.windows.net, *xt.table.core.windows.net

8. When you're done, the form looks like the following image:

9. Select Add.

Create a network rule collection

Let's say our scenario uses Microsoft Entra Domain Services (Microsoft Entra Domain Services), so you don't need to create a network rule to allow DNS. However, you do need to create a rule to allow traffic from your Azure Virtual Desktop VMs to the Windows activation service. For our network rule to allow Key Management Services (KMS), use the destination IP address of the KMS server for the Azure global cloud.

1. On learn-fw > Rules (classic), select Network rule collection.

2. Select the Network rule collection tab, and then select Add network rule collection.

3. Enter the following information:

   Field	Value
   Name	net-coll01
   Priority	200
   Action	Allow

4. Under Rules, in the IP Addresses section, enter the following information:

   Field	Value
   Name	allow-kms
   Protocol	TCP
   Source type	IP address
   Source	Address space for hostVNet, like 10.0.0.0/16
   Destination type	IP address
   Destination Address	23.102.135.246
   Destination Ports	1688

5. When you're done, the form looks like the following image:

6. Select Add.

Check your work

At this point, you've routed all network traffic for Azure Virtual Desktop through the firewall. Let's make sure the firewall is working as expected. Outbound network traffic from the host pool should filter through the firewall to the Azure Virtual Desktop service. You can verify that the firewall allows traffic through to the service by checking the status of the service components.

1. In Azure Cloud Shell, run the following command:

   "rdgateway", "rdbroker","rdweb"|% `
   {Invoke-RestMethod -Method:Get `
   -Uri https://$_.wvd.microsoft.com/api/health}|ft `
   -Property Health,TimeStamp,ClusterUrl
   

2. You should get something like the following results, where all three component services are listed as healthy:

   Health               TimeStamp           ClusterUrl
   ------               ---------           ----------
   RDGateway is Healthy 7/2/2021 6:00:00 PM https://rdgateway-c101-cac-r1.wvd.microsoft.com/
   RDBroker is Healthy  7/2/2021 6:00:00 PM https://rdbroker-c100-cac-r1.wvd.microsoft.com/
   RDWeb is Healthy     7/2/2021 6:00:00 PM https://rdweb-c100-cac-r1.wvd.microsoft.com/
   

   If one or more components are not healthy, the firewall isn't working as expected.

Continue