Azure Firewall Introduction

    It is about time to write a short introduction to Azure Firewall. The service has only just landed in Mooncake (Azure China) this year, but it has been generally available in global Azure for some time. As a cloud-native NVA product, Azure Firewall addresses one of the major pain points of cloud security, and its relatively low price gives it a unique appeal: for users who want this kind of solution but do not want to buy a third-party NVA, it is a very attractive product. As the figure below shows, Azure Firewall can also be used to implement the classic Azure hub-and-spoke network architecture.


    (Figure: firewall-threat.png)


    This time we will look together at how to design a hub-and-spoke architecture with Azure Firewall. First, let's see what Azure Firewall can do.


    Azure Firewall lets you centrally create, enforce and log application and network connectivity policies across subscriptions and virtual networks. It uses a static public IP address for your virtual network resources, so that external firewalls can identify traffic originating from your virtual network. It also integrates seamlessly with Azure Monitor.


    Overall, Azure Firewall has the following advantages:

    

    Built-in high availability

    High availability is built in, so no additional load balancer is required and there is nothing to configure.

    

    Unrestricted cloud scalability

    Azure Firewall can scale out as much as needed to accommodate changing network traffic flows, so you do not need to budget for peak traffic.

    

    Application FQDN filtering rules

    You can limit outbound HTTP/S traffic or Azure SQL traffic (preview) to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature does not require SSL termination.

    

    Network traffic filtering rules

    You can centrally create "allow" or "deny" network filtering rules by source and destination IP address, port and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

    

    FQDN tags

    FQDN tags make it easy to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through the firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through the firewall.

    

    Service tags

    A service tag represents a group of IP address prefixes and helps minimize the complexity of creating security rules. You cannot create your own service tags, nor specify which IP addresses are included in a tag. Azure manages the address prefixes encompassed by each service tag and automatically updates the tag as addresses change.

    

    Threat intelligence

    Threat-intelligence-based filtering can be enabled on the firewall to alert on and deny traffic from or to known malicious IP addresses and domains. The IP addresses and domains come from Azure's threat intelligence feed.

    

    Outbound SNAT support

    The IP addresses of all outbound virtual network traffic are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify traffic originating from your virtual network and allow it to reach remote Internet destinations. Azure Firewall does not perform SNAT when the destination IP is in a private range per IANA RFC 1918. If your organization uses a public IP address range for its private networks, Azure Firewall will SNAT that traffic to one of the firewall's private IP addresses in AzureFirewallSubnet.

    

    Inbound DNAT support

    Inbound network traffic to the firewall's public IP address is translated (Destination Network Address Translation) and filtered to private IP addresses on your virtual networks.

    


    After this brief overview of what Azure Firewall can do, let's look at today's environment.


    (Figure: 1.png)



    We have three VNets:

    1. Hub VNet, in China North, which is also where our firewall will be deployed

    2. Spoke VNet1, China North

    3. Spoke VNet2, China East 2


    The Hub VNet is connected to each of the two spoke VNets through VNet Peering. That is the whole of the basic environment; what follows is the deployment of the Firewall itself and the related tests of the Firewall.
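As an added example (not code from the original post), the following Azure PowerShell script deploys the firewall into the hub VNet of the environment described above and exercises the features listed earlier: a network rule collection, an FQDN application rule with a wildcard, the WindowsUpdate FQDN tag, a DNAT rule, threat-intelligence filtering in Deny mode, and a route table that forces spoke traffic through the firewall. The cmdlets are the ones the Az.Network module provides; the resource-group name, VNet and subnet names, address spaces, the resolver and jump-host IPs and the admin source prefix are all constructed assumptions.

```powershell
# Added example, not from the original post. Assumes the hub VNet already has a subnet
# named AzureFirewallSubnet and that hub and spokes live in one resource group.
# All names and address ranges below are constructed for the example.

# Azure China (Mooncake) has its own cloud environment and location names.
Connect-AzAccount -Environment AzureChinaCloud

$rg       = "rg-hubspoke-demo"          # assumption
$location = "chinanorth"                 # hub and spoke VNet1 region from the post
$hubVnet  = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg
$spoke1   = "10.1.0.0/16"               # constructed address space of spoke VNet1
$spoke2   = "10.2.0.0/16"               # constructed address space of spoke VNet2

# 1. Static Standard-SKU public IP: this is the address remote sites see after SNAT.
$fwPip = New-AzPublicIpAddress -Name "pip-azfw" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

# 2. Deploy the firewall with threat-intelligence filtering set to Deny (Alert is the default).
$azFw = New-AzFirewall -Name "azfw-hub" -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $hubVnet -PublicIpAddress $fwPip -ThreatIntelMode Deny

# 3. Application rules: an FQDN allow-list with a wildcard, plus the WindowsUpdate FQDN tag.
$appRuleFqdn = New-AzFirewallApplicationRule -Name "allow-microsoft" `
    -SourceAddress $spoke1, $spoke2 -TargetFqdn "*.microsoft.com" -Protocol "http:80", "https:443"
$appRuleWu = New-AzFirewallApplicationRule -Name "allow-windows-update" `
    -SourceAddress $spoke1, $spoke2 -FqdnTag WindowsUpdate
$appColl = New-AzFirewallApplicationRuleCollection -Name "app-allow" -Priority 200 `
    -Rule $appRuleFqdn, $appRuleWu -ActionType Allow

# 4. Network rules: stateful allow by source, destination, port and protocol.
#    Both spokes may query a constructed DNS resolver in the hub; SSH is allowed only
#    from spoke VNet1 to spoke VNet2. Anything not matched is denied by default.
$netDns = New-AzFirewallNetworkRule -Name "allow-dns" -Protocol UDP `
    -SourceAddress $spoke1, $spoke2 -DestinationAddress "10.0.1.4" -DestinationPort 53
$netSsh = New-AzFirewallNetworkRule -Name "allow-ssh-vnet1-to-vnet2" -Protocol TCP `
    -SourceAddress $spoke1 -DestinationAddress $spoke2 -DestinationPort 22
$netColl = New-AzFirewallNetworkRuleCollection -Name "net-allow" -Priority 200 `
    -Rule $netDns, $netSsh -ActionType Allow

# 5. DNAT rule: RDP arriving on the firewall public IP is translated to a jump host in
#    spoke VNet1. The source is restricted to a constructed admin prefix rather than "*".
$natRdp = New-AzFirewallNatRule -Name "dnat-rdp-jump" -Protocol TCP `
    -SourceAddress "203.0.113.0/24" -DestinationAddress $fwPip.IpAddress -DestinationPort 3389 `
    -TranslatedAddress "10.1.0.4" -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name "nat-inbound" -Priority 100 -Rule $natRdp

# Attach the collections and push the configuration to the firewall.
$azFw.ApplicationRuleCollections.Add($appColl)
$azFw.NetworkRuleCollections.Add($netColl)
$azFw.NatRuleCollections.Add($natColl)
Set-AzFirewall -AzureFirewall $azFw

# 6. Force spoke traffic through the firewall: a default route whose next hop is the
#    firewall's private IP, attached to a workload subnet in spoke VNet1.
$fwPrivateIp  = $azFw.IpConfigurations[0].PrivateIPAddress
$defaultRoute = New-AzRouteConfig -Name "to-azfw" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "rt-spoke1" -ResourceGroupName $rg -Location $location `
    -Route $defaultRoute

$spoke1Vnet = Get-AzVirtualNetwork -Name "vnet-spoke1" -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke1Vnet -Name "snet-workload" `
    -AddressPrefix "10.1.0.0/24" -RouteTable $rt | Out-Null
$spoke1Vnet | Set-AzVirtualNetwork
```

Spoke VNet2 sits in China East 2, so its route table is created the same way but with -Location chinaeast2; the next hop is still the hub firewall's private IP, reached over the VNet peering. Because the firewall denies by default, the rule collections above are the only paths a spoke VM has to DNS, to the other spoke, and to the Internet, which is what makes the hub the single point of enforcement and logging for the whole topology.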


Origin blog.51cto.com/mxyit/2461157