---
title: "Tutorial: Secure your virtual hub using Azure Firewall Manager"
description: In this tutorial, you learn how to secure your virtual hub with Azure Firewall Manager using the Azure portal.
services: firewall-manager
author: vhorne
ms.service: firewall-manager
ms.topic: tutorial
ms.date: 01/26/2022
ms.author: victorh
---

# Tutorial: Secure your virtual hub using Azure Firewall Manager

Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user-defined routes (UDRs).

*Figure: secure the cloud network*

Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?

In this tutorial, you learn how to:

> [!div class="checklist"]
> * Create the spoke virtual network
> * Create a secured virtual hub
> * Connect the hub and spoke virtual networks
> * Route traffic to your hub
> * Deploy the servers
> * Create a firewall policy and secure your hub
> * Test the firewall

## Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

## Create a hub and spoke architecture

First, create spoke virtual networks where you can place your servers.

### Create two spoke virtual networks and subnets

The two virtual networks will each have a workload server in them and will be protected by the firewall.

  1. From the Azure portal home page, select Create a resource.
  2. Search for Virtual network, and select Create.
  3. For Subscription, select your subscription.
  4. For Resource group, select Create new, and type fw-manager-rg for the name and select OK.
  5. For Name, type Spoke-01.
  6. For Region, select (US) East US.
  7. Select Next: IP Addresses.
  8. For Address space, type 10.0.0.0/16.
  9. Select Add subnet.
  10. For Subnet name, type Workload-01-SN.
  11. For Subnet address range, type 10.0.1.0/24.
  12. Select Add.
  13. Select Review + create.
  14. Select Create.

Repeat this procedure to create another similar virtual network with these values:

* Name: Spoke-02
* Address space: 10.1.0.0/16
* Subnet name: Workload-02-SN
* Subnet address range: 10.1.1.0/24

### Create the secured virtual hub

Create your secured virtual hub using Firewall Manager.

  1. From the Azure portal home page, select All services.

  2. In the search box, type Firewall Manager and select Firewall Manager.

  3. On the Firewall Manager page under Deployments, select Virtual hubs.

  4. On the Firewall Manager | Virtual hubs page, select Create new secured virtual hub.

  5. For Resource group, select fw-manager-rg.

  6. For Region, select East US.

  7. For the Secured virtual hub name, type Hub-01.

  8. For Hub address space, type 10.2.0.0/16.

  9. For the new virtual WAN name, type Vwan-01.

  10. Leave the Include VPN gateway to enable Trusted Security Partners check box cleared.

  11. Select Next: Azure Firewall.

  12. Accept the default Azure Firewall Enabled setting.

  13. For Azure Firewall tier, select Standard.

  14. Select Next: Trusted Security Partner.

  15. Accept the default Trusted Security Partner Disabled setting, and select Next: Review + create.

  16. Select Create.

    It takes about 30 minutes to deploy.

You can get the firewall public IP address after the deployment completes.

  1. Open Firewall Manager.
  2. Select Virtual hubs.
  3. Select hub-01.
  4. Select Public IP configuration.
  5. Note the public IP address to use later.

### Connect the hub and spoke virtual networks

Now you can peer the hub and spoke virtual networks.

  1. Select the fw-manager-rg resource group, then select the Vwan-01 virtual WAN.
  2. Under Connectivity, select Virtual network connections.
  3. Select Add connection.
  4. For Connection name, type hub-spoke-01.
  5. For Hubs, select Hub-01.
  6. For Resource group, select fw-manager-rg.
  7. For Virtual network, select Spoke-01.
  8. Select Create.

Repeat these steps to connect the Spoke-02 virtual network, using hub-spoke-02 as the connection name.

## Deploy the servers

  1. On the Azure portal, select Create a resource.

  2. Select Windows Server 2019 Datacenter in the Popular list.

  3. Enter these values for the virtual machine:

    | Setting | Value |
    |---|---|
    | Resource group | fw-manager-rg |
    | Virtual machine name | Srv-workload-01 |
    | Region | (US) East US |
    | Administrator user name | type a user name |
    | Password | type a password |

  4. Under Inbound port rules, for Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Select Spoke-01 for the virtual network and select Workload-01-SN for the subnet.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Disable to disable boot diagnostics. Accept the other defaults and select Review + create.

  11. Review the settings on the summary page, and then select Create.

Use the information in the following table to configure another virtual machine named Srv-Workload-02. The rest of the configuration is the same as the Srv-workload-01 virtual machine.

| Setting | Value |
|---|---|
| Virtual network | Spoke-02 |
| Subnet | Workload-02-SN |

After the servers are deployed, select a server resource, and in Networking note the private IP address for each server.

## Create a firewall policy and secure your hub

A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You'll create your firewall policy and then secure your hub.

  1. From Firewall Manager, select Azure Firewall policies.
  2. Select Create Azure Firewall Policy.
  3. For Resource group, select fw-manager-rg.
  4. Under Policy details, for the Name type Policy-01 and for Region select East US.
  5. For Policy tier, select Standard.
  6. Select Next: DNS Settings.
  7. Select Next: TLS Inspection.
  8. Select Next: Rules.
  9. On the Rules tab, select Add a rule collection.
  10. On the Add a rule collection page, type App-RC-01 for the Name.
  11. For Rule collection type, select Application.
  12. For Priority, type 100.
  13. Ensure Rule collection action is Allow.
  14. For the rule Name type Allow-msft.
  15. For the Source type, select IP address.
  16. For Source, type *.
  17. For Protocol, type http,https.
  18. Ensure Destination type is FQDN.
  19. For Destination, type *.microsoft.com.
  20. Select Add.

Add a DNAT rule so you can connect a remote desktop to the Srv-Workload-01 virtual machine.

  1. Select Add/Rule collection.
  2. For Name, type dnat-rdp.
  3. For Rule collection type, select DNAT.
  4. For Priority, type 100.
  5. For the rule Name type Allow-rdp.
  6. For the Source type, select IP address.
  7. For Source, type *.
  8. For Protocol, select TCP.
  9. For Destination Ports, type 3389.
  10. For Destination Type, select IP Address.
  11. For Destination, type the firewall public IP address that you noted previously.
  12. For Translated address, type the private IP address for Srv-Workload-01 that you noted previously.
  13. For Translated port, type 3389.
  14. Select Add.

Add a network rule so you can connect a remote desktop from Srv-Workload-01 to Srv-Workload-02.

  1. Select Add a rule collection.
  2. For Name, type vnet-rdp.
  3. For Rule collection type, select Network.
  4. For Priority, type 100.
  5. For Rule collection action, select Allow.
  6. For the rule Name type Allow-vnet.
  7. For the Source type, select IP address.
  8. For Source, type *.
  9. For Protocol, select TCP.
  10. For Destination Ports, type 3389.
  11. For Destination Type, select IP Address.
  12. For Destination, type the Srv-Workload-02 private IP address that you noted previously.
  13. Select Add.
  14. Select Review + create.
  15. Select Create.
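The same Policy-01, with its three rule collections, expressed as Bicep so the portal steps above can be reproduced from source control. This is an added example, not code from the tutorial or from azure-docs; `firewallPublicIp`, `workload01Ip` and `workload02Ip` are placeholder parameters for the addresses you noted earlier, and the group names and priorities are the ones the portal assigns when it files each collection type into its default group.

```bicep
param location string = 'eastus'
param firewallPublicIp string // placeholder: the Hub-01 public IP noted earlier
param workload01Ip string     // placeholder: Srv-Workload-01 private IP
param workload02Ip string     // placeholder: Srv-Workload-02 private IP

resource policy 'Microsoft.Network/firewallPolicies@2021-05-01' = {
  name: 'Policy-01'
  location: location
  properties: { sku: { tier: 'Standard' } }
}

// The three rules exactly as entered in the portal. sourceAddresses '*' is the tutorial's
// lab setting; outside a lab, narrow the DNAT source to known management address ranges.
var allowRdp = { ruleType: 'NatRule', name: 'Allow-rdp', ipProtocols: [ 'TCP' ], sourceAddresses: [ '*' ], destinationAddresses: [ firewallPublicIp ], destinationPorts: [ '3389' ], translatedAddress: workload01Ip, translatedPort: '3389' }
var allowVnet = { ruleType: 'NetworkRule', name: 'Allow-vnet', ipProtocols: [ 'TCP' ], sourceAddresses: [ '*' ], destinationAddresses: [ workload02Ip ], destinationPorts: [ '3389' ] }
var allowMsft = { ruleType: 'ApplicationRule', name: 'Allow-msft', sourceAddresses: [ '*' ], protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ], targetFqdns: [ '*.microsoft.com' ] }

// The portal files each collection type in its own default group. Azure Firewall always
// evaluates DNAT, then network, then application rules, so all three collections can
// carry priority 100; only the group priorities (100/200/300) must differ.
var groups = [
  {
    name: 'DefaultDnatRuleCollectionGroup'
    priority: 100
    collections: [ { ruleCollectionType: 'FirewallPolicyNatRuleCollection', name: 'dnat-rdp', priority: 100, action: { type: 'DNAT' }, rules: [ allowRdp ] } ]
  }
  {
    name: 'DefaultNetworkRuleCollectionGroup'
    priority: 200
    collections: [ { ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'vnet-rdp', priority: 100, action: { type: 'Allow' }, rules: [ allowVnet ] } ]
  }
  {
    name: 'DefaultApplicationRuleCollectionGroup'
    priority: 300
    collections: [ { ruleCollectionType: 'FirewallPolicyFilterRuleCollection', name: 'App-RC-01', priority: 100, action: { type: 'Allow' }, rules: [ allowMsft ] } ]
  }
]

@batchSize(1) // rule collection groups on one policy must be written one at a time
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2021-05-01' = [for g in groups: {
  parent: policy
  name: g.name
  properties: { priority: g.priority, ruleCollections: g.collections }
}]
```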

### Associate policy

Associate the firewall policy with the hub.

  1. From Firewall Manager, select Azure Firewall Policies.
  2. Select the check box for Policy-01.
  3. Select Manage associations, Associate hubs.
  4. Select hub-01.
  5. Select Add.
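The secured hub from the "Create the secured virtual hub" and "Connect the hub and spoke virtual networks" sections, together with this policy association, as Bicep. This is an added example, not code from the tutorial or from azure-docs: it assumes Policy-01, Spoke-01 and Spoke-02 already exist in the same resource group, and the firewall name `AzureFirewall_Hub-01` is an assumed value (the portal picks its own).

```bicep
param location string = 'eastus'

// Resources created earlier in the tutorial, referenced rather than re-created.
resource policy 'Microsoft.Network/firewallPolicies@2021-05-01' existing = { name: 'Policy-01' }
resource spoke01 'Microsoft.Network/virtualNetworks@2021-05-01' existing = { name: 'Spoke-01' }
resource spoke02 'Microsoft.Network/virtualNetworks@2021-05-01' existing = { name: 'Spoke-02' }

resource vwan 'Microsoft.Network/virtualWans@2021-05-01' = {
  name: 'Vwan-01'
  location: location
  properties: { type: 'Standard' }
}

resource hub 'Microsoft.Network/virtualHubs@2021-05-01' = {
  name: 'Hub-01'
  location: location
  properties: { addressPrefix: '10.2.0.0/16', virtualWan: { id: vwan.id } }
}

// The AZFW_Hub SKU plus a virtualHub reference is what makes Hub-01 a secured hub, and
// firewallPolicy.id is the association the portal performs under "Associate hubs".
// The firewall name is an assumed value; the portal generates its own.
resource firewall 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: 'AzureFirewall_Hub-01'
  location: location
  properties: {
    sku: { name: 'AZFW_Hub', tier: 'Standard' }
    virtualHub: { id: hub.id }
    hubIPAddresses: { publicIPs: { count: 1 } }
    firewallPolicy: { id: policy.id }
  }
}

// hub-spoke-01 and hub-spoke-02; connections to one hub must be created sequentially.
@batchSize(1)
resource connections 'Microsoft.Network/virtualHubs/hubVirtualNetworkConnections@2021-05-01' = [for (spokeId, i) in [ spoke01.id, spoke02.id ]: {
  parent: hub
  name: 'hub-spoke-0${i + 1}'
  properties: { remoteVirtualNetwork: { id: spokeId } }
}]

// Same value the tutorial has you note under "Public IP configuration".
output firewallPublicIp string = firewall.properties.hubIPAddresses.publicIPs.addresses[0].address
```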

## Route traffic to your hub

Now you must ensure that network traffic gets routed through your firewall.

  1. From Firewall Manager, select Virtual hubs.

  2. Select Hub-01.

  3. Under Settings, select Security configuration.

  4. Under Internet traffic, select Azure Firewall.

  5. Under Private traffic, select Send via Azure Firewall.

  6. Select Save.

  7. Select OK on the Warning dialog.

    It takes a few minutes to update the route tables.

  8. Verify that the two connections show Azure Firewall secures both Internet and private traffic.
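The Security configuration above, expressed as the hub's routing intent in Bicep. This is an added example, not code from the tutorial or from azure-docs; it assumes that routing intent is the API-level equivalent of the portal's Internet and Private traffic settings, that the hub and firewall were named `Hub-01` and `AzureFirewall_Hub-01`, and the intent name `hubRoutingIntent` is a placeholder.

```bicep
resource hub 'Microsoft.Network/virtualHubs@2022-01-01' existing = { name: 'Hub-01' }
resource firewall 'Microsoft.Network/azureFirewalls@2022-01-01' existing = { name: 'AzureFirewall_Hub-01' } // assumed name

// One policy each for Internet-bound and private-address traffic, both with the hub's
// firewall as next hop; Virtual WAN then programs the spoke route tables itself, which
// is why no user-defined routes are needed in Spoke-01 or Spoke-02.
resource intent 'Microsoft.Network/virtualHubs/routingIntent@2022-01-01' = {
  parent: hub
  name: 'hubRoutingIntent' // placeholder name
  properties: {
    routingPolicies: [
      { name: 'PublicTraffic', destinations: [ 'Internet' ], nextHop: firewall.id }
      { name: 'PrivateTraffic', destinations: [ 'PrivateTraffic' ], nextHop: firewall.id }
    ]
  }
}
```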

## Test the firewall

To test the firewall rules, you'll connect a remote desktop using the firewall public IP address, which is NATed to Srv-Workload-01. From there you'll use a browser to test the application rule and connect a remote desktop to Srv-Workload-02 to test the network rule.

### Test the application rule

Now, test the firewall rules to confirm that they work as expected.

  1. Connect a remote desktop to the firewall public IP address, and sign in.

  2. Open Internet Explorer and browse to https://www.microsoft.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the Microsoft home page.

  4. Browse to https://www.google.com.

    You should be blocked by the firewall.

So now you've verified that the firewall application rule is working:

  • You can browse to the one allowed FQDN, but not to any others.

### Test the network rule

Now test the network rule.

  • From Srv-Workload-01, open a remote desktop to the Srv-Workload-02 private IP address.

    A remote desktop should connect to Srv-Workload-02.

So now you've verified that the firewall network rule is working:

  • You can connect a remote desktop to a server located in another virtual network.

## Clean up resources

When you’re done testing your firewall resources, delete the fw-manager-rg resource group to delete all firewall-related resources.

## Next steps

> [!div class="nextstepaction"]
> Learn about trusted security partners