Securing a Virtual Network with Azure Firewall

Hands-On Lab

Shawn Johnson

Azure Training Architect II in Content

Length

01:00:00

Difficulty

Intermediate

Securing a network's perimeter is one of the most important aspects of a cloud engineer's role, and this hands-on lab demonstrates a common, real-world version of that task. Students build a hub-and-spoke network topology in a sandbox, configure and deploy Azure Firewall, and then traverse it from the internet using a real-world network address translation (DNAT) scenario.

Solution

Log in to the Azure Portal using the credentials provided on the lab instructions page.

For the last part of the lab, we'll need to test the Azure Firewall configuration. To do so, use a Remote Desktop client: it is built into Windows, and for macOS you can install Microsoft Remote Desktop from the App Store.

Create a Virtual Network and Network Security Group

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Navigate to Resource groups in the left-hand menu and note the region our resource group is located in; every resource below goes in that region.
  2. Navigate to Virtual networks in the left-hand menu and click Create virtual network.
  3. Set the following values:
    • Name: SpokeVnet1
    • Address space: 10.10.10.0/24
    • Resource group: Select the one listed in the dropdown
    • Location: The location we just noted
    • Address range (default subnet): 10.10.10.0/26
  4. Click Create.
  5. Navigate to All services > Network security groups.
  6. Click Create network security group.
  7. Set the following values:
    • Name: Anything you'd like (e.g., "SpokeNSG1")
    • Resource group: Select the one listed in the dropdown
    • Location: The same location as before
  8. Click Create.
  9. Once it's deployed, click the name of the NSG.
  10. Click Subnets.
  11. Click Associate.
  12. Click Virtual network and select our listed virtual network.
  13. Click Subnet and select default.
  14. Click OK.

Create a Virtual Machine

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Click Virtual machines in the left-hand menu.
  2. Click Create virtual machine, and set the following values:
    • Resource group: Select the one listed in the dropdown
    • Virtual machine name: Anything you'd like (e.g., "SpokeServer1")
    • Region: Select the one listed in the dropdown
    • Image: Windows Server 2019
    • Size: Standard B2s
    • Username: Anything you'd like (e.g., "mythicaladmin")
    • Password: Anything you'd like that meets Azure's complexity rules (e.g., "RUBYmountain135")
  3. Click Next: Disks.
  4. Leave settings as-is and click Next: Networking.
  5. Set the Virtual network to the one we previously created (SpokeVnet1).
  6. Set Public IP to None. The VM gets no public address of its own; the only way in will be through the firewall's NAT rule.
  7. Click Next: Management.
  8. Set Boot Diagnostics to Off.
  9. Click Next: Advanced > Next: Tags > Next: Review + create.
  10. Click Create.

Create a Second Virtual Network and Azure Firewall

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Navigate to Virtual networks in the left-hand menu and click Create virtual network.
  2. Set the following values:
    • Name: HubVnet1
    • Address space: 10.10.200.0/24
    • Resource group: Select the one listed in the dropdown
    • Location: The same location as before
    • Address range (default subnet): 10.10.200.0/26
    • Firewall: Enabled
    • Firewall name: Anything you'd like (e.g., "Firewall1")
    • Firewall subnet address space: 10.10.200.64/26 (the portal creates this subnet as AzureFirewallSubnet; Azure Firewall requires that exact name and a /26 or larger)
  3. Click Create.

Peer the Virtual Networks Together and Create a Route Table

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Click HubVnet1.
  2. Click Peerings > Add.
  3. Set the following values:
    • Name of the peering from HubVnet1 to remote virtual network: HubToSpokePeer
    • Virtual network: SpokeVnet1
    • Name of the peering from SpokeVnet1 to HubVnet1: SpokeToHubPeer
    • Enable every peering option except gateway transit.
  4. Click OK.
  5. Navigate to All services > Route tables.
  6. Click Create route table, and set the following values:
    • Name: Anything you'd like (e.g., "DefaultRoute")
    • Resource group: Select the one listed in the dropdown
    • Location: The same location as before
  7. Click Create.
  8. Once it's deployed, click its name.
  9. Click Routes > Add.
  10. Set the following values:
    • Route name: Anything you'd like (e.g., "DefaultRoute1")
    • Address prefix: 0.0.0.0/0
    • Next hop type: Virtual appliance
    • Next hop address: 10.10.200.68 (the firewall's private IP, shown on the firewall's Overview page; Azure reserves the first four addresses of AzureFirewallSubnet, so the firewall takes 10.10.200.68)
  11. Click OK.
  12. Click Subnets.
  13. Click Associate.
  14. Click Virtual network and select SpokeVnet1.
  15. Click Subnet and select default.
  16. Click OK.

Allow Remote Desktop Protocol Traffic through the Azure Firewall and the Network Security Group

  1. Navigate to All services > Firewalls.
  2. Click the firewall we created earlier.
  3. Click Public IP Configuration and copy the listed public IP address into a text editor; we'll need it for the NAT rule shortly.
  4. Click Rules.
  5. Click Add NAT rule collection, and set the following values for the rule collection:
    • Name: Anything you'd like (e.g., "RDPForward")
    • Priority: Any number between 100 and 50000 (lower numbers are evaluated first)
  6. In the Rules section, set the following values:
    • Name: Anything you'd like (e.g., "RDPtoSpoke")
    • Protocol: TCP and UDP
    • Source Addresses: Your own public IPv4 address (search the web for "what is my IP") or a wildcard (*). Prefer your own address: with * the rule publishes RDP on the firewall's public IP to the entire internet.
    • Destination Addresses: The public IP address of the firewall we copied earlier
    • Destination Ports: 3389
    • Translated Address: 10.10.10.4 (the VM's private IP; confirm it on the VM's Networking page before saving)
    • Translated Port: 3389
  7. Click Add.
  8. Navigate to All services > Network security groups.
  9. Click the network security group we created earlier.
  10. Click Inbound security rules.
  11. Click Add, and set the following values:
    • Source: IP Addresses
    • Source IP addresses/CIDR ranges: 10.10.200.64/26 (the AzureFirewallSubnet: Azure Firewall SNATs DNAT'd connections to its private IP, so the VM sees the firewall, not the internet client, as the source)
    • Source port ranges: *
    • Destination: IP Addresses
    • Destination IP addresses/CIDR ranges: 10.10.10.4
    • Destination port ranges: 3389
    • Protocol and Action: Leave the defaults (Any, Allow)
    • Name: Anything you'd like (e.g., "RDPtoSpoke")
  12. Click Add.
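The addresses used in the route table and in the NAT and NSG rules above (10.10.200.68, 10.10.10.4, 10.10.200.64/26) are not arbitrary; they follow from how Azure hands out addresses in a subnet. The script below is an added example, not part of the lab, that encodes those rules and checks the whole plan for consistency before you click through it. The CIDRs are the lab's; the function and constant names are assumptions of this example.

```python
"""Consistency check for the lab's hub-and-spoke address plan.

Added example, not part of the original lab. It encodes the two Azure
addressing rules that explain the otherwise "magic" values in the steps:

  * Azure reserves the first four addresses of every subnet (network,
    default gateway, two for Azure DNS) plus the broadcast address, so the
    first VM in 10.10.10.0/26 gets 10.10.10.4.
  * AzureFirewallSubnet must be a /26 or larger, and the firewall's private
    IP is the first usable address in it: 10.10.200.68 for 10.10.200.64/26.

Only the standard library is used; the CIDRs are the lab's own.
"""
from ipaddress import IPv4Address, IPv4Network

AZURE_RESERVED_LEADING = 4   # .0 network, .1 gateway, .2 and .3 Azure DNS
AZURE_RESERVED_TRAILING = 1  # broadcast

# Topology from the lab steps
HUB_VNET = "10.10.200.0/24"
HUB_DEFAULT_SUBNET = "10.10.200.0/26"
FW_SUBNET = "10.10.200.64/26"      # must be named AzureFirewallSubnet
SPOKE_VNET = "10.10.10.0/24"
SPOKE_DEFAULT_SUBNET = "10.10.10.0/26"
UDR_NEXT_HOP = "10.10.200.68"      # route table: 0.0.0.0/0 -> Virtual appliance
DNAT_TRANSLATED = "10.10.10.4"     # NAT rule: translated address
NSG_SOURCE = "10.10.200.64/26"     # NSG inbound rule: source range


def first_usable(subnet: str) -> IPv4Address:
    """First address Azure will actually assign in a subnet."""
    net = IPv4Network(subnet)
    if net.num_addresses <= AZURE_RESERVED_LEADING + AZURE_RESERVED_TRAILING:
        raise ValueError(f"{net} has no assignable addresses")
    return net.network_address + AZURE_RESERVED_LEADING


def check_plan(udr_next_hop: str = UDR_NEXT_HOP,
               dnat_translated: str = DNAT_TRANSLATED,
               fw_subnet: str = FW_SUBNET,
               nsg_source: str = NSG_SOURCE) -> list[str]:
    """Return a list of problems with the plan; an empty list means it is consistent."""
    problems: list[str] = []
    hub, spoke = IPv4Network(HUB_VNET), IPv4Network(SPOKE_VNET)
    fw_net = IPv4Network(fw_subnet)

    # Subnets must sit inside their VNet and must not overlap each other.
    for vnet, subnets in ((hub, [IPv4Network(HUB_DEFAULT_SUBNET), fw_net]),
                          (spoke, [IPv4Network(SPOKE_DEFAULT_SUBNET)])):
        for s in subnets:
            if not s.subnet_of(vnet):
                problems.append(f"{s} is not inside {vnet}")
        for i, a in enumerate(subnets):
            for b in subnets[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{a} overlaps {b}")

    # Peering refuses overlapping address spaces.
    if hub.overlaps(spoke):
        problems.append(f"hub {hub} and spoke {spoke} overlap; peering would fail")

    # Azure Firewall requires at least a /26 for its subnet.
    if fw_net.prefixlen > 26:
        problems.append(f"AzureFirewallSubnet {fw_net} is smaller than /26")

    # The spoke's default route must point at the firewall's private IP.
    fw_ip = first_usable(fw_subnet)
    if IPv4Address(udr_next_hop) != fw_ip:
        problems.append(f"UDR next hop {udr_next_hop} is not the firewall IP {fw_ip}")

    # DNAT must land on the VM, which takes the first usable spoke address.
    vm_ip = first_usable(SPOKE_DEFAULT_SUBNET)
    if IPv4Address(dnat_translated) != vm_ip:
        problems.append(f"DNAT target {dnat_translated} is not the VM IP {vm_ip}")

    # The NSG should admit RDP only from the firewall subnet (DNAT'd traffic is
    # SNAT'd to the firewall's private IP, so that is the source the VM sees).
    if IPv4Network(nsg_source) != fw_net:
        problems.append(f"NSG source {nsg_source} is not the firewall subnet {fw_net}")
    return problems


if __name__ == "__main__":
    print("firewall private IP:", first_usable(FW_SUBNET))
    print("VM private IP:      ", first_usable(SPOKE_DEFAULT_SUBNET))
    print("problems:", check_plan() or "none")
```

Run it as-is and it reports no problems; pass a wrong value (for example check_plan(udr_next_hop="10.10.200.65"), a common slip when someone picks the first address after the network address) and it names the mismatch. If you change the lab's CIDRs, re-run it before building anything: a route pointing at the wrong next hop silently blackholes the spoke's internet traffic rather than failing loudly.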

Test Azure Firewall

  1. Open the Remote Desktop client and connect to the public IP address of the Azure Firewall (not the VM, which has no public IP).
  2. If the NAT rule and the NSG rule are working, a standard Windows credential prompt should appear.
  3. Provide the username and password of the virtual machine, and then click Continue.
  4. Once connected, open an Internet Explorer window and browse to http://www.google.com. The response should be similar to:

    HTTP request from 10.10.10.4:50626 to www.google.com:80. Action: Deny. No rule matched. Proceeding with default action

This is the expected result. The 0.0.0.0/0 route on the spoke subnet sends the VM's internet-bound traffic to the firewall, and because no application or network rule allows it, the firewall's default action denies it and returns this message. The NSG is not what blocks the request: its default AllowInternetOutBound rule lets the traffic leave the subnet. That the deny comes from the firewall rather than the NSG proves the firewall is in the path and working as intended.
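The following is an added example, not code from the lab or from Azure: a simplified model of the data path that traces the two flows tested above, the RDP connection DNAT'd to the VM and the VM's HTTP request that the firewall denies. The rule tables are the ones the lab creates; the firewall public IP, the external client IP and the resolved address of www.google.com are constructed stand-ins from the RFC 5737 documentation ranges, and all names are this example's own.

```python
"""Trace the lab's two test flows through a simplified model of the data path.

Added example, not Azure's code. It models: the spoke subnet's effective
routes (system routes plus the lab's 0.0.0.0/0 UDR), Azure Firewall classic
rule processing (DNAT rules for inbound; application rules for outbound;
default deny), and the spoke NSG (lowest priority number wins, Azure default
rules last). Addresses and rules are the lab's. The firewall public IP, the
external client IP and the resolved address of www.google.com are constructed
stand-ins from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

FW_PUBLIC_IP = "203.0.113.5"    # constructed; the lab copies the real one from the portal
CLIENT_IP = "198.51.100.7"      # constructed external RDP client
GOOGLE_IP = "192.0.2.80"        # constructed stand-in for www.google.com
FW_PRIVATE_IP = "10.10.200.68"
FW_SUBNET = "10.10.200.64/26"
HUB_VNET = "10.10.200.0/24"
SPOKE_VNET = "10.10.10.0/24"
VM_IP = "10.10.10.4"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "TCP"
    sport: int = 0


def addr_matches(pattern: str, addr: str) -> bool:
    """'*' matches anything; 'VirtualNetwork' covers the hub and its peered spoke."""
    if pattern == "*":
        return True
    nets = [HUB_VNET, SPOKE_VNET] if pattern == "VirtualNetwork" else [pattern]
    return any(ip_address(addr) in ip_network(n, strict=False) for n in nets)


# --- Azure Firewall rules from the lab: one DNAT rule, no network or application rules.
DNAT_RULES = [{"name": "RDPtoSpoke", "protocols": {"TCP", "UDP"}, "source": "*",
               "dst": FW_PUBLIC_IP, "dport": 3389, "translated": VM_IP, "translated_port": 3389}]
APPLICATION_RULES: list[dict] = []   # e.g. {"name": "AllowGoogle", "fqdns": {"www.google.com"}, "ports": {80, 443}}


def firewall_inbound(flow: Flow) -> Optional[Flow]:
    """Inbound to the firewall's public IP: DNAT or drop.

    A matching rule rewrites the destination to the VM and, as Azure Firewall
    does for DNAT, SNATs the source to the firewall's private IP. That is why
    the spoke NSG only has to trust AzureFirewallSubnet, not the internet."""
    for r in DNAT_RULES:
        if (flow.proto in r["protocols"] and addr_matches(r["source"], flow.src)
                and flow.dst == r["dst"] and flow.dport == r["dport"]):
            return replace(flow, src=FW_PRIVATE_IP, dst=r["translated"], dport=r["translated_port"])
    return None


def firewall_outbound(flow: Flow, host: str, app_rules: Optional[list] = None) -> str:
    """Outbound from the spoke, forced through the firewall by the UDR."""
    for r in (APPLICATION_RULES if app_rules is None else app_rules):
        if host in r["fqdns"] and flow.dport in r["ports"]:
            return f"Action: Allow. Rule {r['name']} matched"
    # With no rule, the default action denies; for HTTP the VM's browser sees this text.
    return (f"HTTP request from {flow.src}:{flow.sport} to {host}:{flow.dport}. "
            "Action: Deny. No rule matched. Proceeding with default action")


# --- Spoke subnet effective routes. The UDR replaces the system 0.0.0.0/0 -> Internet
#     route; VNet and peering routes still win on longest prefix match.
SPOKE_ROUTES = [(SPOKE_VNET, "VnetLocal"), (HUB_VNET, "VNetPeering"),
                ("0.0.0.0/0", f"VirtualAppliance {FW_PRIVATE_IP}")]


def next_hop(dst: str) -> str:
    matches = [(ip_network(p), hop) for p, hop in SPOKE_ROUTES if ip_address(dst) in ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


# --- Spoke NSG inbound: the lab's rule plus the Azure defaults that matter here.
NSG_INBOUND = [(100, "RDPtoSpoke", FW_SUBNET, VM_IP, 3389, "Allow"),
               (65000, "AllowVnetInBound", "VirtualNetwork", "VirtualNetwork", "*", "Allow"),
               (65500, "DenyAllInBound", "*", "*", "*", "Deny")]


def nsg_inbound(flow: Flow) -> str:
    for _, name, src, dst, port, access in sorted(NSG_INBOUND):
        if addr_matches(src, flow.src) and addr_matches(dst, flow.dst) and port in ("*", flow.dport):
            return f"{access} ({name})"
    return "Deny (no rule)"


def trace_inbound_rdp() -> tuple[Optional[Flow], str]:
    inside = firewall_inbound(Flow(CLIENT_IP, FW_PUBLIC_IP, 3389, sport=51000))
    return inside, (nsg_inbound(inside) if inside else "dropped at firewall: no DNAT rule")


def trace_outbound_http() -> tuple[str, str]:
    flow = Flow(VM_IP, GOOGLE_IP, 80, sport=50626)   # source port from the lab's sample response
    return next_hop(flow.dst), firewall_outbound(flow, "www.google.com")


if __name__ == "__main__":
    print(*trace_inbound_rdp(), sep="\n")
    print(*trace_outbound_http(), sep="\n")
```

Running it prints the inbound flow as the VM sees it (source 10.10.200.68, destination 10.10.10.4:3389, allowed by the RDPtoSpoke NSG rule) and, for the outbound request, the VirtualAppliance next hop followed by the same deny text the browser shows in step 4. Adding an entry to APPLICATION_RULES for www.google.com is the modelled equivalent of the application rule you would create on the firewall to let that request through; nothing in the NSG needs to change, which is the point of the test.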

Conclusion

Congratulations on successfully completing this hands-on lab!