Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user-defined routes (UDRs).
Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?
In this tutorial, you learn how to:
- Create the spoke virtual network
- Create a secured virtual hub
- Connect the hub and spoke virtual networks
- Route traffic to your hub
- Deploy the servers
- Create a firewall policy and secure your hub
- Test the firewall
Important
The procedure in this tutorial uses Azure Firewall Manager to create a new Azure Virtual WAN secured hub. You can use Firewall Manager to upgrade an existing hub, but you can't configure Azure Availability Zones for Azure Firewall. It's also possible to convert an existing hub to a secured hub using the Azure portal, as described in Configure Azure Firewall in a Virtual WAN hub. But like Azure Firewall Manager, you can't configure Availability Zones. To upgrade an existing hub and specify Availability Zones for Azure Firewall (recommended), you must follow the upgrade procedure in Tutorial: Secure your virtual hub using Azure PowerShell.
If you don't have an Azure subscription, create a trial subscription before you begin.
First, create spoke virtual networks where you can place your servers.
The two virtual networks each have a workload server in them and are protected by the firewall.
From the Azure portal home page, select Create a resource.
Search for Virtual network, select it, and select Create.
Create a virtual network with the following settings:
Setting | Value |
---|---|
Subscription | Select your subscription |
Resource group | Select Create new, type fw-manager-rg for the name, and select OK |
Virtual network name | Spoke-01 |
Region | China East |
Select Next, then select Next.
In the Networking tab, create a subnet with the following settings:
Setting | Value |
---|---|
Add IPv4 address space | 10.0.0.0/16 (default) |
Subnets | default |
Name | Workload-01-SN |
Starting address | 10.0.1.0/24 |
Select Save, Review + create, then select Create.
Repeat this procedure to create another similar virtual network in the fw-manager-rg resource group:
Setting | Value |
---|---|
Name | Spoke-02 |
Address space | 10.1.0.0/16 |
Subnet name | Workload-02-SN |
Starting address | 10.1.1.0/24 |
Create your secured virtual hub using Firewall Manager.
From the Azure portal home page, select All services.
In the search box, type Firewall Manager and select Firewall Manager.
On the Firewall Manager page under Deployments, select Virtual hubs.
On the Firewall Manager | Virtual hubs page, select Create new secured virtual hub.
On the Create new secured virtual hub page, enter the following information:
Setting | Value |
---|---|
Subscription | Select your subscription |
Resource group | Select fw-manager-rg |
Region | China East |
Secured virtual hub name | Hub-01 |
Hub address space | 10.2.0.0/16 |
Select New vWAN.
Setting | Value |
---|---|
New virtual WAN name | Vwan-01 |
Type | Standard |
Include VPN gateway to enable Trusted Security Partners | Leave the check box cleared |
Select Next: Azure Firewall.
Accept the default Azure Firewall Enabled setting.
For Azure Firewall tier, select Standard.
Select the desired combination of Availability Zones.
Important
A Virtual WAN is a collection of hubs and services made available inside the hub. You can deploy as many Virtual WANs as you need. In a Virtual WAN hub, there are multiple services like VPN, ExpressRoute, and so on. Each of these services is automatically deployed across Availability Zones except Azure Firewall, if the region supports Availability Zones. To align with Azure Virtual WAN resiliency, you should select all available Availability Zones.
Type 1 in the Specify number of Public IP addresses text box or associate an existing public IP address (preview) with this firewall.
Under Firewall Policy ensure the Default Deny Policy is selected. You refine your settings later in this article.
Select Next: Security Partner Provider.
Accept the default Trusted Security Partner Disabled setting, and select Next: Review + create.
Select Create.
Note
It may take up to 30 minutes to create a secured virtual hub.
You can find the firewall public IP address after the deployment completes.
- Open Firewall Manager.
- Select Virtual hubs.
- Select hub-01.
- Select AzureFirewall_Hub-01.
- Note the public IP address to use later.
Now you can peer the hub and spoke virtual networks.
Select the fw-manager-rg resource group, then select the Vwan-01 virtual WAN.
Under Connectivity, select Virtual network connections.
Setting | Value |
---|---|
Connection name | hub-spoke-01 |
Hubs | Hub-01 |
Resource group | fw-manager-rg |
Virtual network | Spoke-01 |
Select Create.
Repeat the previous steps to connect the Spoke-02 virtual network with the following settings:
Setting | Value |
---|---|
Connection name | hub-spoke-02 |
Hubs | Hub-01 |
Resource group | fw-manager-rg |
Virtual network | Spoke-02 |
On the Azure portal, select Create a resource.
Select Windows Server 2019 Datacenter in the Popular list.
Enter these values for the virtual machine:
Setting | Value |
---|---|
Resource group | fw-manager-rg |
Virtual machine name | Srv-workload-01 |
Region | China East |
Administrator user name | type a user name |
Password | type a password |
Under Inbound port rules, for Public inbound ports, select None.
Accept the other defaults and select Next: Disks.
Accept the disk defaults and select Next: Networking.
Select Spoke-01 for the virtual network and select Workload-01-SN for the subnet.
For Public IP, select None.
Accept the other defaults and select Next: Management.
Select Next: Monitoring.
Select Disable to disable boot diagnostics.
Accept the other defaults and select Review + create.
Review the settings on the summary page, and then select Create.
Use the information in the following table to configure another virtual machine named Srv-Workload-02. The rest of the configuration is the same as the Srv-workload-01 virtual machine.
Setting | Value |
---|---|
Virtual network | Spoke-02 |
Subnet | Workload-02-SN |
After the servers are deployed, select a server resource, and in Networking note the private IP address for each server.
A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You create your firewall policy and then secure your hub.
From Firewall Manager, select Azure Firewall policies.
Select Create Azure Firewall Policy.
For Resource group, select fw-manager-rg.
Under Policy details, for the Name type Policy-01 and for Region select China East.
For Policy tier, select Standard.
Select Next: DNS Settings.
Select Next: TLS Inspection.
Select Next: Rules.
On the Rules tab, select Add a rule collection.
On the Add a rule collection page, enter the following information.
Setting | Value |
---|---|
Name | App-RC-01 |
Rule collection type | Application |
Priority | 100 |
Rule collection action | Allow |
Rule Name | Allow-msft |
Source type | IP address |
Source | * |
Protocol | http,https |
Destination type | FQDN |
Destination | *.microsoft.com |
Select Add.
Add a DNAT rule so you can connect a remote desktop to the Srv-Workload-01 virtual machine.
Select Add a rule collection and enter the following information.
Setting | Value |
---|---|
Name | dnat-rdp |
Rule collection type | DNAT |
Priority | 100 |
Rule Name | Allow-rdp |
Source type | IP address |
Source | * |
Protocol | TCP |
Destination Ports | 3389 |
Destination | The firewall public IP address noted previously |
Translated type | IP Address |
Translated address | The private IP address for Srv-Workload-01 noted previously |
Translated port | 3389 |
Select Add.
Add a Network rule so you can connect a remote desktop from Srv-Workload-01 to Srv-Workload-02.
Select Add a rule collection and enter the following information.
Setting | Value |
---|---|
Name | vnet-rdp |
Rule collection type | Network |
Priority | 100 |
Rule collection action | Allow |
Rule Name | Allow-vnet |
Source type | IP address |
Source | * |
Protocol | TCP |
Destination Ports | 3389 |
Destination Type | IP Address |
Destination | The Srv-Workload-02 private IP address that you noted previously |
Select Add, then select Next: IDPS.
On the IDPS page, select Next: Threat Intelligence.
On the Threat Intelligence page, accept the defaults and select Review and Create.
Review to confirm your selection and then select Create.
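The same Policy-01, built with the Az.Network PowerShell module instead of the portal, as an added example that is not part of this tutorial. It assumes you sign in to the Azure China environment, replace the three placeholder IP addresses with the values noted earlier, and that the default rule collection group names and priorities match the ones the portal creates.

```powershell
# Added example (not from the tutorial): creates Policy-01 with the three rule
# collections described above. Placeholders must be replaced with the firewall
# public IP and the Srv-Workload-01/02 private IPs noted earlier.
Connect-AzAccount -Environment AzureChinaCloud

$rg      = 'fw-manager-rg'
$fwPip   = '<firewall-public-ip>'         # placeholder: from AzureFirewall_Hub-01
$srv01Ip = '<srv-workload-01-private-ip>' # placeholder: Srv-Workload-01 > Networking
$srv02Ip = '<srv-workload-02-private-ip>' # placeholder: Srv-Workload-02 > Networking

# A policy with no rules denies everything; each rule below is an explicit exception.
$policy = New-AzFirewallPolicy -Name 'Policy-01' -ResourceGroupName $rg -Location 'chinaeast'

# Application rule: only *.microsoft.com over HTTP/HTTPS is allowed (App-RC-01).
$appRule = New-AzFirewallPolicyApplicationRule -Name 'Allow-msft' -SourceAddress '*' `
    -Protocol 'http:80', 'https:443' -TargetFqdn '*.microsoft.com'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'App-RC-01' -Priority 100 `
    -Rule $appRule -ActionType Allow

# DNAT rule: RDP to the firewall public IP is translated to Srv-Workload-01 only (dnat-rdp).
$natRule = New-AzFirewallPolicyNatRule -Name 'Allow-rdp' -Protocol 'TCP' -SourceAddress '*' `
    -DestinationAddress $fwPip -DestinationPort '3389' `
    -TranslatedAddress $srv01Ip -TranslatedPort '3389'
$natColl = New-AzFirewallPolicyNatRuleCollection -Name 'dnat-rdp' -Priority 100 `
    -Rule $natRule -ActionType Dnat

# Network rule: spoke-to-spoke traffic is allowed only to Srv-Workload-02 on TCP/3389 (vnet-rdp).
$netRule = New-AzFirewallPolicyNetworkRule -Name 'Allow-vnet' -Protocol 'TCP' -SourceAddress '*' `
    -DestinationAddress $srv02Ip -DestinationPort '3389'
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name 'vnet-rdp' -Priority 100 `
    -Rule $netRule -ActionType Allow

# Each collection type lives in its own rule collection group. DNAT rules are evaluated
# first, then network rules, then application rules; the group names and priorities
# below are assumed to match the portal defaults.
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultDnatRuleCollectionGroup' -Priority 100 `
    -RuleCollection $natColl -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultNetworkRuleCollectionGroup' -Priority 200 `
    -RuleCollection $netColl -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultApplicationRuleCollectionGroup' -Priority 300 `
    -RuleCollection $appColl -FirewallPolicyObject $policy
```

The policy still has to be associated with Hub-01 as described in the next steps before it takes effect.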
Associate the firewall policy with the hub.
- From Firewall Manager, select Azure Firewall Policies.
- Select the check box for Policy-01.
- Select Manage associations, Associate hubs.
- Select hub-01.
- Select Add.
To test the firewall rules, connect a remote desktop using the firewall public IP address, which is NATed to Srv-Workload-01. From there, use a browser to test the application rule and connect a remote desktop to Srv-Workload-02 to test the network rule.
Now, test the firewall rules to confirm that they work as expected.
Connect a remote desktop to the firewall public IP address, and sign in.
Open Internet Explorer and browse to https://www.microsoft.com. Select OK > Close on the Internet Explorer security alerts.
You should see the Azure home page.
Browse to https://www.baidu.com.
The firewall should block this.
So now you verified that the firewall application rule is working:
- You can browse to the one allowed FQDN, but not to any others.
Now test the network rule.
From Srv-Workload-01, open a remote desktop to the Srv-Workload-02 private IP address.
A remote desktop should connect to Srv-Workload-02.
So now you verified that the firewall network rule is working:
- You can connect a remote desktop to a server located in another virtual network.
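The same checks scripted from a PowerShell session on Srv-Workload-01, as an added example that is not part of this tutorial. It goes one step beyond the manual test by also confirming that a port other than 3389 toward Srv-Workload-02 is dropped, since the vnet-rdp rule allows only TCP/3389. It assumes the placeholder is replaced with the Srv-Workload-02 private IP noted earlier.

```powershell
# Added example (not from the tutorial): run on Srv-Workload-01 inside the RDP session
# that the DNAT rule allowed. Replace the placeholder with the Srv-Workload-02 private IP.
$srv02Ip = '<srv-workload-02-private-ip>'   # placeholder

function Test-Fqdn {
    param([string]$Url, [bool]$ExpectAllowed)
    try {
        $null = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $allowed = $true
    } catch {
        # A denied application rule resets the connection, so the request throws.
        $allowed = $false
    }
    $verdict = if ($allowed -eq $ExpectAllowed) { 'PASS' } else { 'FAIL' }
    '{0,-28} allowed={1,-5} expected={2,-5} {3}' -f $Url, $allowed, $ExpectAllowed, $verdict
}

function Test-SpokePort {
    param([string]$Ip, [int]$Port, [bool]$ExpectAllowed)
    $r = Test-NetConnection -ComputerName $Ip -Port $Port -WarningAction SilentlyContinue
    $verdict = if ($r.TcpTestSucceeded -eq $ExpectAllowed) { 'PASS' } else { 'FAIL' }
    '{0}:{1,-5} reachable={2,-5} expected={3,-5} {4}' -f $Ip, $Port, $r.TcpTestSucceeded, $ExpectAllowed, $verdict
}

# Application rule App-RC-01: only the allowed FQDN should load.
Test-Fqdn -Url 'https://www.microsoft.com' -ExpectAllowed $true
Test-Fqdn -Url 'https://www.baidu.com'     -ExpectAllowed $false

# Network rule vnet-rdp: RDP to Srv-Workload-02 passes; any other port (here SMB) is dropped.
Test-SpokePort -Ip $srv02Ip -Port 3389 -ExpectAllowed $true
Test-SpokePort -Ip $srv02Ip -Port 445  -ExpectAllowed $false
```

The blocked checks wait for the connection timeout, so the script takes a minute or so to finish.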
When you're done testing your firewall resources, delete the fw-manager-rg resource group to delete all firewall-related resources.