Deploying and configuring Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. It is a fully stateful firewall as a service, with built-in high availability and unrestricted cloud scalability.

With Azure Firewall you can centrally create, enforce and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, so outside firewalls can identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Azure Firewall provides the following features:

  • Built-in high availability: no additional load balancer is required
  • Unrestricted cloud scalability: Azure Firewall can scale out as needed
  • Application FQDN filtering rules: you can restrict outbound web traffic to a list of fully qualified domain names
  • Network traffic filtering rules: you can create allow or deny rules by source and destination IP address, port and protocol
  • FQDN tags: you can easily use tags to allow or deny traffic for well-known Microsoft services
  • Outbound SNAT support: outbound traffic is translated to the Azure Firewall public IP address
  • Inbound DNAT support: inbound traffic to the firewall public IP address is translated to an internal IP address
  • Azure Monitor logging: all events are integrated with Azure Monitor

In this article, we will go through the following steps:

  1. Create a resource group
  2. Create a virtual network
  3. Create three subnets
  4. Create two virtual machines
  5. Deploy the firewall
  6. Configure the default route
  7. Create an application rule
  8. Test the firewall

The following figure gives an overview of the architecture:
[Figure: architecture overview]

Create a resource group
First we need to create a resource group; it will hold all the resources used in this exercise. Open the Azure Portal, click "Resource Group" - "New Resource Group" and fill in:

  • Subscription: select the Azure subscription to use
  • Resource group name: enter the name you want to use
  • Region: choose the location where the resources will be created

Then click Create.
Create a virtual network
Next we need to create a virtual network with three subnets, as follows:

  • Name: type a friendly name for this virtual network
  • Address space: enter the desired address space
  • Subscription: choose your Azure subscription
  • Resource group: select the resource group created earlier
  • Location: select the location of the resources
  • Subnet: this step is very important, because the firewall subnet must use the fixed name "AzureFirewallSubnet".

After creating the virtual network, we also need to create a second subnet (SRV-VNet, 10.1.2.0/24) and a third subnet (Jump, 10.1.3.0/24). The virtual network then contains all three subnets.
Create the virtual machines
In the previous steps we created a resource group and a virtual network with three subnets. Now we need to create two virtual machines. The first is a jump host, used to connect to the second (server) virtual machine. The jump machine is called "JUMP01".
Use the Azure wizard to create the virtual machine.
In the "Networking" section, select "Jump-VNet" and create a new public IP address so that the jump server can be reached from the Internet. We also need to allow the RDP protocol.
Use the same steps as above to create the virtual machine 16SRV01.
This virtual machine must be in the "SRV-VNet" subnet; we do not need to open any public inbound port on it.
Deploy Azure Firewall
Now we can deploy the Azure Firewall. Click "All services" in the Azure Portal and search for "Firewalls".
Click "Add" to create the Azure Firewall and enter the following information:

  • Choose your Azure subscription
  • Select the previously created resource group
  • Enter a friendly name for the firewall
  • Select the previously created virtual network
  • Do not forget to create a public IP address

Once the firewall is created, note its private IP address; we will need it for the route configuration that follows.

Create a route table
In the Azure Portal, search for "Route tables".
Create a new route table named "Go-To-Firewall". This route table will hold the default route that the servers use to route their traffic.
After creating the route table, the server subnet must be associated with it. Go to the "Subnets" section and click "Associate".
Select the "Virtual network" and the "Subnet".
The association is then in place.
Now we must add a default route pointing to the virtual appliance. Go to the "Routes" section and click "Add".
Enter the following information:

  • Route name: a friendly name for the default route
  • Address prefix: to define a default route, enter 0.0.0.0/0
  • Next hop type: select "Virtual appliance"
  • Next hop address: enter the firewall private IP address copied earlier

The route configuration is then complete.
Create an application rule collection
The firewall is deployed, so we can add application rules to filter outbound web traffic. Go to the "Rules" section, then click "Add application rule collection".
Enter a friendly name for this rule, set the priority and select the action (allow or deny). Next, you must specify the source address, protocol and destination FQDN.
In my case, I want to allow web traffic from the virtual machine 16SRV01 to www.mspcloud.club.
To resolve the FQDN, the computer must be able to contact a DNS server. In this article, I created a network rule that allows DNS requests from the server subnet to the OpenDNS servers.
Test the firewall
First, connect to the public IP address of the jump server; from there, I can open a new MSTSC window and connect to the SRV01 machine using its private IP address.
The final step is to check the application rule created earlier in Azure Firewall. I just need to open a web browser and enter the website URL.
In my case, I can confirm that my blog responds, but if I try to browse Google, an error message is displayed. I would need to create an application rule allowing www.google.com.
With Azure Firewall, you can protect your Azure resources very quickly and easily. You can also automate these tasks with Azure PowerShell.
Azure Firewall lets you create network rules and application rules to control inbound and outbound network traffic.
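The same deployment scripted with the Az PowerShell module, as an added example that is not code from the original post. It assumes the Az module is installed and Connect-AzAccount has been run, an address space of 10.1.0.0/16 with AzureFirewallSubnet at 10.1.1.0/24 (the post only gives the SRV-VNet and Jump prefixes), placeholder names for the resource group, virtual network and firewall, and that the two virtual machines are created separately; the OpenDNS resolver addresses are OpenDNS's published ones.

```powershell
# Added example (not the post's own code). Assumed names/region and firewall subnet prefix.
$rg  = "RG-AzFirewall"; $loc = "westeurope"
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Virtual network with the three subnets. The firewall subnet MUST be named AzureFirewallSubnet.
$fwSubnet  = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.1.1.0/24"
$srvSubnet = New-AzVirtualNetworkSubnetConfig -Name "SRV-VNet" -AddressPrefix "10.1.2.0/24"
$jmpSubnet = New-AzVirtualNetworkSubnetConfig -Name "Jump" -AddressPrefix "10.1.3.0/24"
$vnet = New-AzVirtualNetwork -Name "Lab-VNet" -ResourceGroupName $rg -Location $loc `
    -AddressPrefix "10.1.0.0/16" -Subnet $fwSubnet, $srvSubnet, $jmpSubnet

# Firewall with a static Standard-SKU public IP (the "do not forget the public IP" step).
# Deployment takes several minutes; the private IP is what the route table needs.
$fwPip = New-AzPublicIpAddress -Name "FW-PIP" -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name "AzFW01" -ResourceGroupName $rg -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# Application rule: the server subnet may reach the blog over HTTP/HTTPS only.
# Anything not matched (e.g. www.google.com in the post's test) is denied by default.
$appRule = New-AzFirewallApplicationRule -Name "Allow-Blog" -SourceAddress "10.1.2.0/24" `
    -Protocol "http:80", "https:443" -TargetFqdn "www.mspcloud.club"
$appColl = New-AzFirewallApplicationRuleCollection -Name "App-Outbound" -Priority 200 `
    -Rule $appRule -ActionType Allow

# Network rule: DNS (UDP/53) to the OpenDNS resolvers so the FQDN rule can be evaluated.
$dnsRule = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress "10.1.2.0/24" `
    -DestinationAddress "208.67.222.222", "208.67.220.220" -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "Net-Outbound" -Priority 200 `
    -Rule $dnsRule -ActionType Allow
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Route table "Go-To-Firewall": 0.0.0.0/0 -> virtual appliance (firewall private IP),
# associated with the server subnet only, so the jump host keeps its direct Internet path.
$route = New-AzRouteConfig -Name "Default" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "Go-To-Firewall" -ResourceGroupName $rg -Location $loc -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "SRV-VNet" `
    -AddressPrefix "10.1.2.0/24" -RouteTable $rt | Out-Null
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
```

After the script finishes, the same browser test as in the post applies: from 16SRV01 the blog loads and other sites are blocked, and the denied requests appear in the firewall's Azure Monitor logs.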

Source: blog.51cto.com/wuyvzhang/2465304