Tutorial: Secure your virtual hub using Azure Firewall Manager

  • Article
  • 05/16/2025

Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user-defined routes (UDRs).

Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?

In this tutorial, you learn how to:

  • Create the spoke virtual network
  • Create a secured virtual hub
  • Connect the hub and spoke virtual networks
  • Route traffic to your hub
  • Deploy the servers
  • Create a firewall policy and secure your hub
  • Test the firewall

Important

The procedure in this tutorial uses Azure Firewall Manager to create a new Azure Virtual WAN secured hub. You can use Firewall Manager to upgrade an existing hub, but you can't configure Azure Availability Zones for Azure Firewall. It's also possible to convert an existing hub to a secured hub using the Azure portal, as described in Configure Azure Firewall in a Virtual WAN hub. But like Azure Firewall Manager, you can't configure Availability Zones. To upgrade an existing hub and specify Availability Zones for Azure Firewall (recommended), you must follow the upgrade procedure in Tutorial: Secure your virtual hub using Azure PowerShell.

Diagram showing the secure cloud network.

Prerequisites

If you don't have an Azure subscription, create a trial subscription before you begin.

Create a hub and spoke architecture

First, create spoke virtual networks where you can place your servers.

Create two spoke virtual networks and subnets

The two virtual networks each have a workload server in them and are protected by the firewall.

  1. From the Azure portal home page, select Create a resource.

  2. Search for Virtual network, select it, and select Create.

  3. Create a virtual network with the following settings:

    Setting Value
    Subscription Select your subscription
    Resource group Select Create new, and type fw-manager-rg for the name and select OK
    Virtual network name Spoke-01
    Region China East

  4. Select Next, then select Next.

  5. In the Networking tab, create a subnet with the following settings:

    Setting Value
    Add IPv4 address space 10.0.0.0/16 (default)
    Subnets default
    Name Workload-01-SN
    Starting address 10.0.1.0/24

  6. Select Save, Review + create, then select Create.

Repeat this procedure to create another similar virtual network in the fw-manager-rg resource group:

Setting Value
Name Spoke-02
Address space 10.1.0.0/16
Subnet name Workload-02-SN
Starting address 10.1.1.0/24

Create the secured virtual hub

Create your secured virtual hub using Firewall Manager.

  1. From the Azure portal home page, select All services.

  2. In the search box, type Firewall Manager and select Firewall Manager.

  3. On the Firewall Manager page under Deployments, select Virtual hubs.

  4. On the Firewall Manager | Virtual hubs page, select Create new secured virtual hub.

  5. On the Create new secured virtual hub page, enter the following information:

    Setting Value
    Subscription Select your subscription.
    Resource group Select fw-manager-rg
    Region China East
    Secured virtual hub name Hub-01
    Hub address space 10.2.0.0/16

  6. Select New vWAN.

    Setting Value
    New virtual WAN name Vwan-01
    Type Standard
    Include VPN gateway to enable Trusted Security Partners Leave the check box cleared.

  7. Select Next: Azure Firewall.

  8. Accept the default Azure Firewall Enabled setting.

  9. For Azure Firewall tier, select Standard.

  10. Select the desired combination of Availability Zones.

    Important

    A Virtual WAN is a collection of hubs and services made available inside the hub. You can deploy as many Virtual WANs as you need. In a Virtual WAN hub, there are multiple services like VPN, ExpressRoute, and so on. Each of these services is automatically deployed across Availability Zones except Azure Firewall, if the region supports Availability Zones. To align with Azure Virtual WAN resiliency, you should select all available Availability Zones.

  11. Type 1 in the Specify number of Public IP addresses text box or associate an existing public IP address (preview) with this firewall.

  12. Under Firewall Policy ensure the Default Deny Policy is selected. You refine your settings later in this article.

  13. Select Next: Security Partner Provider.

  14. Accept the default Trusted Security Partner Disabled setting, and select Next: Review + create.

  15. Select Create.

Note

It may take up to 30 minutes to create a secured virtual hub.

You can find the firewall public IP address after the deployment completes.

  1. Open Firewall Manager.
  2. Select Virtual hubs.
  3. Select hub-01.
  4. Select AzureFirewall_Hub-01.
  5. Note the public IP address to use later.

Connect the hub and spoke virtual networks

Now you can peer the hub and spoke virtual networks.

  1. Select the fw-manager-rg resource group, then select the Vwan-01 virtual WAN.

  2. Under Connectivity, select Virtual network connections.

    Setting Value
    Connection name hub-spoke-01
    Hubs Hub-01
    Resource group fw-manager-rg
    Virtual network Spoke-01

  3. Select Create.

  4. Repeat the previous steps to connect the Spoke-02 virtual network with the following settings:

    Setting Value
    Connection name hub-spoke-02
    Hubs Hub-01
    Resource group fw-manager-rg
    Virtual network Spoke-02

Deploy the servers

  1. On the Azure portal, select Create a resource.

  2. Select Windows Server 2019 Datacenter in the Popular list.

  3. Enter these values for the virtual machine:

    Setting Value
    Resource group fw-manager-rg
    Virtual machine name Srv-workload-01
    Region ** China East**
    Administrator user name type a user name
    Password type a password

  4. Under Inbound port rules, for Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Select Spoke-01 for the virtual network and select Workload-01-SN for the subnet.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Next:Monitoring.

  11. Select Disable to disable boot diagnostics.

  12. Accept the other defaults and select Review + create.

  13. Review the settings on the summary page, and then select Create.

Use the information in the following table to configure another virtual machine named Srv-Workload-02. The rest of the configuration is the same as the Srv-workload-01 virtual machine.

Setting Value
Virtual network Spoke-02
Subnet Workload-02-SN

After the servers are deployed, select a server resource, and in Networking note the private IP address for each server.

Create a firewall policy and secure your hub

A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You create your firewall policy and then secure your hub.

  1. From Firewall Manager, select Azure Firewall policies.

  2. Select Create Azure Firewall Policy.

  3. For Resource group, select fw-manager-rg.

  4. Under Policy details, for the Name type Policy-01 and for Region select China East.

  5. For Policy tier, select Standard.

  6. Select Next: DNS Settings.

  7. Select Next: TLS Inspection.

  8. Select Next : Rules.

  9. On the Rules tab, select Add a rule collection.

  10. On the Add a rule collection page, enter the following information.

    Setting Value
    Name App-RC-01
    Rule collection type Application
    Priority 100
    Rule collection action Allow
    Rule Name Allow-msft
    Source type IP address
    Source *
    Protocol http,https
    Destination type FQDN
    Destination *.microsoft.com

  11. Select Add.

  12. Add a DNAT rule so you can connect a remote desktop to the Srv-Workload-01 virtual machine.

  13. Select Add a rule collection and enter the following information.

    Setting Value
    Name dnat-rdp
    Rule collection type DNAT
    Priority 100
    Rule Name Allow-rdp
    Source type IP address
    Source *
    Protocol TCP
    Destination Ports 3389
    Destination The firewall public IP address noted previously.
    Translated type IP Address
    Translated address The private IP address for Srv-Workload-01 noted previously.
    Translated port 3389

  14. Select Add.

  15. Add a Network rule so you can connect a remote desktop from Srv-Workload-01 to Srv-Workload-02.

  16. Select Add a rule collection and enter the following information.

    Setting Value
    Name vnet-rdp
    Rule collection type Network
    Priority 100
    Rule collection action Allow
    Rule Name Allow-vnet
    Source type IP address
    Source *
    Protocol TCP
    Destination Ports 3389
    Destination Type IP Address
    Destination The Srv-Workload-02 private IP address that you noted previously.

  17. Select Add, then select Next: IDPS.

  18. On the IDPS page, select Next: Threat Intelligence

  19. In the Threat Intelligence page, accept defaults and select Review and Create:

  20. Review to confirm your selection and then select Create.

Associate policy

Associate the firewall policy with the hub.

  1. From Firewall Manager, select Azure Firewall Policies.
  2. Select the check box for Policy-01.
  3. Select Manage associations, Associate hubs.
  4. Select hub-01.
  5. Select Add.

Test the firewall

To test the firewall rules, connect a remote desktop using the firewall public IP address, which is NATed to Srv-Workload-01. From there, use a browser to test the application rule and connect a remote desktop to Srv-Workload-02 to test the network rule.

Test the application rule

Now, test the firewall rules to confirm that it works as expected.

  1. Connect a remote desktop to firewall public IP address, and sign in.

  2. Open Internet Explorer and browse to https://www.microsoft.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the Azure home page.

  4. Browse to https://www.baidu.com.

    The firewall should block this.

So now you verified that the firewall application rule is working:

  • You can browse to the one allowed FQDN, but not to any others.

Test the network rule

Now test the network rule.

  • From Srv-Workload-01, open a remote desktop to the Srv-Workload-02 private IP address.

    A remote desktop should connect to Srv-Workload-02.

So now you verified that the firewall network rule is working:

  • You can connect a remote desktop to a server located in another virtual network.

Clean up resources

When you're done testing your firewall resources, delete the fw-manager-rg resource group to delete all firewall-related resources.

Next steps

Learn about trusted security partners