AZ-700 Microsoft Azure Networking Solutions - Azure Firewall
So we’re moving on to the next section, Secure and Monitor Networks, which is worth 15% to 20% of the exam. Obviously, in the modern era, the security of networks has to be top of mind for everyone. We have all heard of terrible hacking incidents where data has been stolen and companies have been embarrassed, and so a lot of money is spent on security. If you decide to specialize in security, you’re going to have a good career. In this section of the course, we’re going to cover four different topics. The first is Azure Firewall, which we’ll talk about in this section. Then we’ll talk about network security groups; obviously it’s very critical to have a set of basic rules about who can get on your network and who can’t.
We talked briefly about the web application firewall within Application Gateway and Front Door, so we might not need to go too deep into that here. And finally, the monitoring aspect: using Connection Monitor, Azure Monitor and Network Watcher to check the traffic that travels over the network. As you can imagine, in a cloud world where millions of customers are using the same physical hardware and wiring, it’s probably difficult for Microsoft to give each customer individual packet captures that don’t involve other customers’ data. But we’re going to get into that and see what we can see from a cloud perspective in terms of monitoring. So first up, we’re going to talk about Azure Firewall.
Azure Firewall is a cloud-based network security service that sits in front of your virtual networks and protects them from threats. In this diagram we can see that all traffic that comes in and out of Azure passes through the firewall, whether it’s Internet traffic or on-premises traffic, and then you have a certain amount of control. This is a managed service, but it’s also an intelligent device, so we can control the various rules. Incidentally, Azure Firewall includes NAT, so we don’t need a separate NAT service: when traffic leaves a network through the firewall, it hits the Internet using the firewall’s static public IP address.
In this video, we’re going to add a firewall to the virtual network we’ve been playing with in this course, in my case the AZ-700 course virtual network. Now, the firewall lives on its own subnet, similar to the application gateway and the virtual network gateway. So what we need to do is add a subnet for it under + Subnet. This one has to be called AzureFirewallSubnet; you have no choice about the name. It doesn’t need to be very big, so 251 addresses might be a bit excessive. Since I’ve already expanded the address space, I’m using the new address range I added, but it’s all part of the same virtual network. I’m going to give it only a /26, which is 64 addresses minus the five that Azure reserves, and a /26 is also the smallest size Azure accepts for this subnet. We’re not going to need to add anything else.
We’re just going to create the AzureFirewallSubnet. Now, as we already know, we already have virtual machines that can be protected with this firewall, so we won’t need to add any additional subnets or VMs. If you don’t have this and you’re creating a VNet from scratch, you may want to create another subnet and add some kind of resources to it so you can configure and test your firewall. So now we need to deploy a firewall to this subnet: go back to the home page, create a resource, and what we’re looking for is Azure Firewall. Of course, there are lots of other firewall services in the marketplace, but the one we’re looking for is the one from Microsoft. So we say Create firewall. It’s very simple; the wizard only has a Basics tab. We’re going to put this into our course resource group. We do have to give it a name, and we can call it whatever we want, so I’ll call it test firewall. I’m going to put this in the same region as the other resources, which is West US.
Again, there are no availability zones in that region. Now, Microsoft has Standard and Premium firewalls; we’re going to use the Standard firewall for now. We are going to use the newer firewall policy approach, so we have to create a firewall policy. I’m going to put this in West US and call it FW policy one. Now we’re going to put this on an existing virtual network, our AZ-700 course VNet, and for the public IP address we’re going to create a new one. Those are all the settings we need for now, so we can just say Review + create, and if we’re happy with this, it will create. Now we’re deploying our first firewall. When we come back, we will have the firewall deployed and we can start to configure it to force traffic coming into and out of our virtual network across it.
All right, so the firewall did deploy. Now, the thing is, we haven’t actually done anything to the network. We haven’t created a route table and tried to reroute traffic. Simply deploying the firewall itself does not change how traffic is handled within this network. So let’s look at the virtual network for a second. We’re going to force the traffic from the mid tier and the data tier to go through the firewall. The mid tier and data tier are these two subnets, and we want their outbound traffic to go through the firewall, very similar to how we set up routes in the early part of this course when we were dealing with ExpressRoute or a VPN gateway. There, we were forcing traffic to travel out through the VPN gateway onto the corporate network, making it go through the corporate firewall and then from the firewall to the public Internet.
It’s a very similar concept, except, of course, you’re not dealing with a hybrid network; you’re routing through a firewall here within Azure. So we’re going to create ourselves a route table. I’m going to go into the marketplace, pick Route table, say Create, put this into our existing subscription and resource group, make sure it’s in the same region, name it route table one, leave the defaults, and click Review + create and then Create. Then we go to the resource and, under Subnets, associate this new route table with our virtual network, let’s say with the mid tier subnet. So now the mid tier subnet has to use this route table in addition to the default routes when it’s moving traffic around the network.
So now we need to add a route to this route table. We’ll say this is a firewall route and we want all traffic: whenever a machine on the mid tier wants to communicate with anything else, this default prefix of 0.0.0.0/0 means everything. And we want the next hop not to be the virtual network gateway but what’s called a Virtual Appliance. The virtual appliance is the firewall, and we need the private IP address of the firewall in order to fill this part out. I can just open a new tab, navigate to the firewall and copy its private IP address. This is where we want the mid tier VMs to send their outbound traffic. So now we’ve got the traffic being forced through the firewall.
What we don’t have is any policies on our firewall. If I go back into the resource group, remember we had to create this FW policy, which holds the policies associated with the firewall. So I’m going to go in there. There are a number of rule types we can create, and the one I’m interested in in this particular case is application rules. We have collections, and we have rules within them. We’re going to add a new collection; we can call it app collection one. It’s an application rule collection, and it has a priority system much like a lot of the other rules within Azure; I’ll leave the priority at 200. The action indicates we want to allow the traffic. Now we have to add a rule to this collection.
In this particular case we can allow various domain names, because application rules filter on the destination fully qualified domain name. Let’s say we want to allow Microsoft as one of the rules. It asks from what source to what destination. We could allow Microsoft from any source, or we could go to that mid tier virtual machine and add its address; we happen to know its private address ends in .68, if I recall. Notice how the protocol can be expressed as port numbers and even as text strings, so HTTP and HTTPS traffic. We want to allow this to the fully qualified domain name *.microsoft.com, so allow traffic to any microsoft.com domain. If I say Add, we’ve just made an exception in the firewall for traffic to Microsoft’s domain.
Now that we’ve added it, there’s no refresh button here, so I have to leave and come back, and then we can see our rule. Now, one thing we know about the domain name system is that if the only thing you allow is traffic to microsoft.com, it’s probably not going to work, because just to get to microsoft.com there needs to be a DNS lookup against various DNS servers, and those are reached by IP address, not by a domain name. So we’re going to have to go into network rules and allow the DNS lookup operation in order for this to work. I’m going to call it allow DNS. This is a network rule collection, and inside it a network rule.
We can set the priority, and this goes in the default network rule collection group; we’ll call the rule allow DNS. What we’re going to do is allow traffic, again from the mid tier, that we need for DNS: it’s UDP traffic on port 53. I happen to know which DNS servers these Microsoft VMs use, so I’m going to paste them in by IP address. We’ll say Add. We have a couple more things to set up in order to test this, so we’re going to pause the video, and when we come back we will set up the last two things and then we’ll be able to test that this firewall is actually allowing traffic to microsoft.com and blocking everything else.
Another thing we can do is allow remote desktop traffic through the firewall to that mid tier server on the private network. So instead of having to remote into the public server and then further remote into the private server, as we’ve been doing in this course, we can add a rule. It’s called a DNAT rule, and by doing this we can poke a hole and allow RDP into this private server. So I’m going to go into DNAT rules, add a rule collection and give it a name; this is our RDP rule collection. It’s a DNAT rule collection, obviously, and we give it a priority. We’re going to put this in the default DNAT rule collection group, and this is the DNAT rule itself. We’re going to allow any source (I could put my own IP address in here, which would be the safer choice) through TCP port 3389 to the destination.
Now what’s the destination here? There’s the destination (public) address and the translated (private) address. The public address here is the firewall, so we’re going to allow traffic to the firewall’s public IP address. Once again, we have to go to the other tab; I’ve got the firewall here, I go into Public IP and I can see the public IP address of my firewall, so I copy that. Now what’s the translated destination? It’s that mid tier server ending in .68, and that’s also going to be port 3389. So this rule is going to allow me, hopefully, to RDP right into the mid tier server using the firewall’s public IP address. This just makes it easier for us to test.
Now, maybe the last thing we’re going to do: I said earlier that we made this collection that allowed DNS lookups, and what I’m going to do is force that mid tier server to use those servers as its DNS servers. I guess those aren’t the default servers, but they are servers that are available. So I’m going to go back into the virtual machine that’s running on the mid tier. Where you set the DNS servers is on the network interface: you go into DNS servers, and we can inherit them from the virtual network or we can set our own custom DNS servers. These are the two IP addresses that we already created the rule for to allow outbound traffic to, and I can say Save. Changing the DNS servers actually causes the virtual machine to restart, along with any other virtual machines in the same availability set. Interesting. So I can go back up to the virtual machine and see if we can tell whether it’s restarted.
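The route table and the three rule collections built above, written out as an added Bicep example rather than the course’s own code. It assumes the policy is named fw-policy-1, the mid tier VM is 10.0.0.68 and the firewall’s private IP is 10.1.0.4, and it uses placeholders for the firewall’s public IP and the two DNS servers; the comments carry two caveats the portal hides, the fixed DNAT, network, application evaluation order and the need to deploy a policy’s rule collection groups one at a time.

```bicep
// Added example, not the course's own code. Values marked "assumed" or in <> are placeholders.
param midTierVm string = '10.0.0.68'        // assumed: private IP of the mid tier VM (azvm3)
param firewallPrivateIp string = '10.1.0.4' // assumed: first usable address in AzureFirewallSubnet
param firewallPublicIp string               // the firewall's public IP, copied from the portal
param dnsServers array = [ '<dns-server-1>', '<dns-server-2>' ] // placeholders for the resolvers the VM will use

// The route table associated with the mid tier subnet: send everything to the firewall as a virtual appliance.
resource routeTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'route-table-1'
  location: resourceGroup().location
  properties: {
    routes: [ { name: 'firewall-route', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp } } ]
  }
}

// The policy created with the firewall; the three default rule collection groups below are added to it.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = {
  name: 'fw-policy-1'
}

// Evaluation order is fixed by rule type: DNAT first, then network, then application rules, so the
// "Deny, no rule matched" seen for google.com is only reached after no network or application rule matched.
var rdpRule = { ruleType: 'NatRule', name: 'rdp-to-mid-tier', ipProtocols: [ 'TCP' ], sourceAddresses: [ '*' ], destinationAddresses: [ firewallPublicIp ], destinationPorts: [ '3389' ], translatedAddress: midTierVm, translatedPort: '3389' } // '*' as in the video; restrict to your own IP in practice
var dnsRule = { ruleType: 'NetworkRule', name: 'dns-udp-53', ipProtocols: [ 'UDP' ], sourceAddresses: [ midTierVm ], destinationAddresses: dnsServers, destinationPorts: [ '53' ] }
var microsoftRule = { ruleType: 'ApplicationRule', name: 'allow-microsoft', sourceAddresses: [ midTierVm ], protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ], targetFqdns: [ '*.microsoft.com' ] }

resource dnatGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultDnatRuleCollectionGroup'
  properties: {
    priority: 100
    ruleCollections: [ { ruleCollectionType: 'FirewallPolicyNatRuleCollection', name: 'rdp-collection', priority: 100, action: { type: 'DNAT' }, rules: [ rdpRule ] } ]
  }
}

// Without this rule the application rule can never match: the VM cannot resolve *.microsoft.com.
resource networkGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultNetworkRuleCollectionGroup'
  dependsOn: [ dnatGroup ] // groups of one policy must be written one at a time, or the deployment conflicts
  properties: {
    priority: 200
    ruleCollections: [ { ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'allow-dns', priority: 200, action: { type: 'Allow' }, rules: [ dnsRule ] } ]
  }
}

resource appGroup 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  dependsOn: [ networkGroup ]
  properties: {
    priority: 300
    ruleCollections: [ { ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'app-collection-1', priority: 200, action: { type: 'Allow' }, rules: [ microsoftRule ] } ]
  }
}
```

Associating the route table with the mid tier subnet and pointing the VM’s NIC at the two resolvers are still done as in the video; this file only replaces the clicking through the policy and route table blades.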
I just started this machine, but it doesn’t say that it has restarted, so I’m going to restart it manually just in case. With it restarted, we should be able to RDP through the firewall. So I start the Remote Desktop connection and paste in the firewall’s public IP address. Now at least it’s connected to something, right? So hopefully this is the mid tier server, azvm3. That is exactly right, so at least our DNAT rule worked. Now the outstanding question is whether we can connect to microsoft.com. Did our DNS servers take, and does our application rule allow us to connect to Microsoft while all other traffic is restricted? I’m going to close this, open up the browser and live a bit dangerously. Let’s start with Google. It should be blocked, right? Because the firewall is giving us the action Deny, no rule matched.
So we got a failure trying to connect to Google. Now, I do suspect there will be a lot of failures because of the non-Microsoft domains, MSN and the other advertising networks, but the core microsoft.com should be allowed. You see, it’s already redirecting us; I do trust this website. And now we’re going to get the various other advertising websites failing. Because we didn’t allow a lot of the advertising stuff, we’ve got a bit of a broken site; maybe the images come from a different domain. But we were successfully able to connect to microsoft.com, as opposed to Google. So through that series of steps, this machine sends all its traffic through the firewall, and it will not be able to send traffic to unintended sites, attackers’ websites, things like that.
It all has to go to pre-approved websites. In fact, in order to connect into the machine, I also have to go through the firewall. So we’ve seen that there are some steps to it, but it’s relatively easy to create a firewall and set up some of these rules. This firewall policy is a relatively new feature; only a few months ago we still had to go into the firewall itself to do the configuration. Having the policy as a separate entity gives us a few more features. The other thing is that we’re running on the Standard tier, and there is a whole Premium tier that provides TLS inspection, IDPS and other features.
Now Microsoft has come out with a service called Azure Firewall Manager, which is a centralized spot to manage policies. We’ve seen how we create an Azure firewall and then create policies as a separate resource, and using Firewall Manager we can manage the policies of firewalls across our network. Firewall Manager focuses on two main types of network architecture. One is the virtual network architecture, the hub and spoke model, where you’ve got a virtual network as a hub connected to multiple VNets. We saw at the beginning of this course the concept of the Virtual WAN, which connects multiple VNets along with your on-premises network over point-to-site and site-to-site connections and so on. The second is the Virtual WAN architecture, where the secured virtual hub is a Virtual WAN hub.
Those are the two types of things that are secured with firewall policies. If you go into Azure and search for Firewall Manager, you’re going to find the Firewall Manager service. It’s fairly simple; there are only a few things in the settings. We can look across our virtual networks and see all the virtual networks we have deployed, which ones have firewalls (we just created this one) and which ones don’t. So first of all, it highlights which of your networks don’t have a firewall attached. If we still had the Virtual WAN set up, which we don’t, we would see it under Virtual Hubs. Under Firewall policies, you can see the firewall policy we created for our firewall now sitting here under Policies.
We can take this policy, which right now is associated with one virtual network, and associate it with other virtual networks, so the same policy applies to all of them. This policy, if you recall, allows me to remote desktop in on 3389 and allows traffic only to microsoft.com, and it targets a very specific IP address, so associating this policy with other VNets is probably going to break those VNets. But you could obviously write your policies to be a bit more generic in that sense. So we can take one policy from one network and associate it with hubs and other VNets. Firewall Manager is there as that centralized tool: there’s nothing specific to create here other than managing all of your policies in a central location and associating them with your VNets and your virtual hubs.