shanhix1 · Mar 4, 2021
diff --git a/‎articles/firewall-manager/media/secure-hybrid-network/firewall-peering.png
157 KB b/‎articles/firewall-manager/media/secure-hybrid-network/firewall-peering.png
157 KB
diff --git a/‎articles/firewall-manager/secure-hybrid-network.md
Lines changed: 150 additions & 129 deletions b/‎articles/firewall-manager/secure-hybrid-network.md
Lines changed: 150 additions & 129 deletions
@@ -5,7 +5,7 @@ services: firewall-manager
 author: vhorne
 ms.service: firewall-manager
 ms.topic: tutorial
-ms.date: 06/30/2020
+ms.date: 03/03/2021
 ms.author: victorh
 ---
 
@@ -74,22 +74,24 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 1. Select your subscription, and for Resource group, select **Create new** and create a resource group named **FW-Hybrid-Test**.
 2. For the policy name, type **Pol-Net01**.
 3. For Region, select **East US**.
-4. Select **Next:Rules**.
-5. Select **Add a rule collection**.
-6. For **Name**, type **RCNet01**.
-7. For **Rule collection type**, select **Network**.
-8. For **Priority**, type **100**.
-9. For **Action**, select **Allow**.
-10. Under **Rules**, for **Name**, type **AllowWeb**.
-11. For **Source Addresses**, type **192.168.1.0/24**.
-12. For **Protocol**, select **TCP**.
-13. For **Destination Ports**, type **80**.
-14. For **Destination Type**, select **IP Address**.
-15. For **Destination**, type **10.6.0.0/16**.
-16. On the next rule row, enter the following information:
+1. Select **Next : DNS Settings**.
+1. Select **Next : TLS inspection (preview)**
+1. Select **Next:Rules**.
+1. Select **Add a rule collection**.
+1. For **Name**, type **RCNet01**.
+1. For **Rule collection type**, select **Network**.
+1. For **Priority**, type **100**.
+1. For **Action**, select **Allow**.
+1. Under **Rules**, for **Name**, type **AllowWeb**.
+1. For **Source**, type **192.168.1.0/24**.
+1. For **Protocol**, select **TCP**.
+1. For **Destination Ports**, type **80**.
+1. For **Destination Type**, select **IP Address**.
+1. For **Destination**, type **10.6.0.0/16**.
+1. On the next rule row, enter the following information:
 
     Name: type **AllowRDP**<br>
-    Source IP address: type **192.168.1.0/24**.<br>
+    Source: type **192.168.1.0/24**.<br>
     Protocol, select **TCP**<br>
     Destination Ports, type **3389**<br>
     Destination Type, select **IP Address**<br>
@@ -105,75 +107,81 @@ If you don't have an Azure subscription, create a [free account](https://azure.m
 > The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](../firewall/firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).
 
 1. From the Azure portal home page, select **Create a resource**.
-2. Under **Networking**, select **Virtual network**.
-4. For **Name**, type **VNet-hub**.
-5. For **Address space**, type **10.5.0.0/16**.
-6. For **Subscription**, select your subscription.
-7. For **Resource group**, select **FW-Hybrid-Test**.
-8. For **Location**, select **East US**.
-9. Under **Subnet**, for **Name** type **AzureFirewallSubnet**. The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.
-10. For **Address range**, type **10.5.0.0/26**. 
-11. Accept the other default settings, and then select **Create**.
+2. Search for **Virtual network** and then select **Virtual network**.
+1. Select **Create**.
+1. For **Subscription**, select your subscription.
+1. For **Resource group**, select **FW-Hybrid-Test**.
+1. For **Name**, type **VNet-hub**.
+1. For **Region**, select **East US**.
+1. Select **Next : IP Addresses**.
+
+1. For **IPv4 address space**, type **10.5.0.0/16**.
+1. Under **Subnet name**, select **default**.
+1.  Change the **Subnet name** to **AzureFirewallSubnet**. The firewall is in this subnet, and the subnet name **must** be AzureFirewallSubnet.
+1. For **Subnet address range**, type **10.5.0.0/26**. 
+1. Accept the other default settings, and then select **Save**.
+1. Select **Review + create**.
+1. Select **Create**.
 
 ## Create the spoke virtual network
 
 1. From the Azure portal home page, select **Create a resource**.
-2. Under **Networking**, select **Virtual network**.
-4. For **Name**, type **VNet-Spoke**.
-5. For **Address space**, type **10.6.0.0/16**.
-6. For **Subscription**, select your subscription.
-7. For **Resource group**, select **FW-Hybrid-Test**.
-8. For **Location**, select the same location that you used previously.
-9. Under **Subnet**, for **Name** type **SN-Workload**.
-10. For **Address range**, type **10.6.0.0/24**.
-11. Accept the other default settings, and then select **Create**.
+2. Search for **Virtual network** and then select **Virtual network**.
+1. Select **Create**.
+1. For **Subscription**, select your subscription.
+1. For **Resource group**, select **FW-Hybrid-Test**.
+1. For **Name**, type **VNet-Spoke**.
+1. For **Region**, select **East US**.
+1. Select **Next : IP Addresses**.
+
+1. For **IPv4 address space**, type **10.6.0.0/16**.
+1. Under **Subnet name**, select **default**.
+1. Change the **Subnet name** to **SN-Workload**.
+1. For **Subnet address range**, type **10.6.0.0/24**. 
+1. Accept the other default settings, and then select **Save**.
+1. Select **Review + create**.
+1. Select **Create**.
+
 
 ## Create the on-premises virtual network
 
 1. From the Azure portal home page, select **Create a resource**.
-2. Under **Networking**, select **Virtual network**.
-4. For **Name**, type **VNet-OnPrem**.
-5. For **Address space**, type **192.168.0.0/16**.
-6. For **Subscription**, select your subscription.
-7. For **Resource group**, select **FW-Hybrid-Test**.
-8. For **Location**, select the same location that you used previously.
-9. Under **Subnet**, for **Name** type **SN-Corp**.
-10. For **Address range**, type **192.168.1.0/24**.
-11. Accept the other default settings, and then select **Create**.
-
-After the virtual network is deployed, create a second subnet for the gateway.
+2. Search for **Virtual network** and then select **Virtual network**.
+1. Select **Create**.
+1. For **Subscription**, select your subscription.
+1. For **Resource group**, select **FW-Hybrid-Test**.
+1. For **Name**, type **VNet-OnPrem**.
+1. For **Region**, select **East US**.
+1. Select **Next : IP Addresses**.
+
+1. For **IPv4 address space**, type **192.168.0.0/16**.
+1. Under **Subnet name**, select **default**.
+1. Change the **Subnet name** to **SN-Corp**.
+1. For **Subnet address range**, type **192.168.1.0/24**. 
+1. Accept the other default settings, and then select **Save**.
+2. Select **Add Subnet**.
+3. For **Subnet name**, type **GatewaySubnet**.
+4. For **Subnet address range** type **192.168.2.0/24**.
+5. Select **Add**.
+1. Select **Review + create**.
+1. Select **Create**.
 
-1. On the **VNet-Onprem** page, select **Subnets**.
-2. Select **+Subnet**.
-3. For **Name**, type **GatewaySubnet**.
-4. For **Address range (CIDR block)** type **192.168.2.0/24**.
-5. Select **OK**.
 
-### Create a public IP address
 
-This is the public IP address used for the on-premises gateway.
-
-1. From the Azure portal home page, select **Create a resource**.
-2. In the search text box, type **public IP address** and press **Enter**.
-3. Select **Public IP address** and then select **Create**.
-4. For the name, type **VNet-Onprem-GW-pip**.
-5. For the resource group, type **FW-Hybrid-Test**.
-6. For **Location**, select select **East US**.
-7. Accept the other defaults, and then select **Create**.
 
 ## Configure and deploy the firewall
 
-When security policies are associated with a hub, it is referred to as a *hub virtual network*.
+When security policies are associated with a hub, it's referred to as a *hub virtual network*.
 
 Convert the **VNet-Hub** virtual network into a *hub virtual network* and secure it with Azure Firewall.
 
 1. In the Azure portal search bar, type **Firewall Manager** and press **Enter**.
 3. On the Azure Firewall Manager page, under **Add security to virtual networks**, select **View hub virtual networks**.
-4. Select **Convert virtual networks**.
-5. Select **VNet-hub** and then select **Next : Azure Firewall**.
-6. For the **Firewall Policy**, select **Pol-Net01**.
-7. Select **Next " Review + confirm**
-8. Review the details and then select **Confirm**.
+1. Under **Virtual Networks**, select the check box for **VNet-hub**.
+1. Select **Manage Security**, and then select **Deploy a Firewall with Firewall Policy**.
+1. On the **Convert virtual networks** page, under **Firewall Policy**, select the check box for **Pol-Net01**.
+1. Select **Next : Review + confirm**
+1. Review the details and then select **Confirm**.
 
 
    This takes a few minutes to deploy.
@@ -214,20 +222,20 @@ Now create the VPN gateway for the on-premises virtual network. Network-to-netwo
 7. For **VPN type**, select **Route-based**.
 8. For **SKU**, select **Basic**.
 9. For **Virtual network**, select **VNet-Onprem**.
-10. For **Public IP address**, select **Use existing*, and select **VNet-Onprem-GW-pip** for the name.
+10. For **Public IP address**, select **Create new**, and type **VNet-Onprem-GW-pip** for the name.
 11. Accept the remaining defaults and then select **Review + create**.
 12. Review the configuration, then select **Create**.
 
 ### Create the VPN connections
 
 Now you can create the VPN connections between the hub and on-premises gateways.
 
-In this step, you create the connection from the hub virtual network to the on-premises virtual network. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
+In this step, you create the connection from the hub virtual network to the on-premises virtual network. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. It takes some time to create the connection.
 
 1. Open the **FW-Hybrid-Test** resource group and select the **GW-hub** gateway.
 2. Select **Connections** in the left column.
 3. Select **Add**.
-4. The the connection name, type **Hub-to-Onprem**.
+4. For the connection name, type **Hub-to-Onprem**.
 5. Select **VNet-to-VNet** for **Connection type**.
 6. For the **Second virtual network gateway**, select **GW-Onprem**.
 7. For **Shared key (PSK)**, type **AzureA1b2C3**.
@@ -258,21 +266,31 @@ Now peer the hub and spoke virtual networks.
 1. Open the **FW-Hybrid-Test** resource group and select the **VNet-hub** virtual network.
 2. In the left column, select **Peerings**.
 3. Select **Add**.
-4. For **Name**, type **HubtoSpoke**.
-5. For the **Virtual network**, select **VNet-spoke**
-6. For the name of the peering from VNetSpoke to VNet-hub, type **SpoketoHub**.
-7. Select **Allow gateway transit**.
-8. Select **OK**.
-
-### Configure additional settings for the SpoketoHub peering
-
-You'll need to enable the **Allow forwarded traffic** on the SpoketoHub peering.
-
-1. Open the **FW-Hybrid-Test** resource group and select the **VNet-Spoke** virtual network.
-2. In the left column, select **Peerings**.
-3. Select the **SpoketoHub** peering.
-4. Under **Allow forwarded traffic from VNet-hub to VNet-Spoke**, select **Enabled**.
-5. Select **Save**.
+4. Under **This virtual network**:
+ 
+   
+   |Setting name  |Value  |
+   |---------|---------|
+   |Peering link name| HubtoSpoke|
+   |Traffic to remote virtual network|   Allow (default)      |
+   |Traffic forwarded from remote virtual network    |   Allow (default)      |
+   |Virtual network gateway or route server    |  Use this virtual network's gateway       |
+    
+5. Under **Remote virtual network**:
+
+   |Setting name  |Value  |
+   |---------|---------|
+   |Peering link name | SpoketoHub|
+   |Virtual network deployment model| Resource Manager|
+   |Subscription|\<your subscription\>|
+   |Virtual network| VNet-Spoke
+   |Traffic to remote virtual network     |   Allow (default)      |
+   |Traffic forwarded from remote virtual network    |   Allow (default)      |
+   |Virtual network gateway     |  Use the remote virtual network's gateway       |
+
+5. Select **Add**.
+
+   :::image type="content" source="media/secure-hybrid-network/firewall-peering.png" alt-text="Vnet peering":::
 
 ## Create the routes
 
@@ -285,18 +303,19 @@ Next, create a couple routes:
 2. In the search text box, type **route table** and press **Enter**.
 3. Select **Route table**.
 4. Select **Create**.
-5. For the name, type **UDR-Hub-Spoke**.
-6. Select the **FW-Hybrid-Test** for the resource group.
-8. For **Location**, select **(US) East US)**.
-9. Select **Create**.
-10. After the route table is created, select it to open the route table page.
-11. Select **Routes** in the left column.
-12. Select **Add**.
-13. For the route name, type **ToSpoke**.
-14. For the address prefix, type **10.6.0.0/16**.
-15. For next hop type, select **Virtual appliance**.
-16. For next hop address, type the firewall's private IP address that you noted earlier.
-17. Select **OK**.
+1. Select the **FW-Hybrid-Test** for the resource group.
+1. For **Region**, select **East US**.
+1. For the name, type **UDR-Hub-Spoke**.
+1. Select **Review + Create**.
+1. Select **Create**.
+1. After the route table is created, select it to open the route table page.
+1. Select **Routes** in the left column.
+1. Select **Add**.
+1. For the route name, type **ToSpoke**.
+1. For the address prefix, type **10.6.0.0/16**.
+1. For next hop type, select **Virtual appliance**.
+1. For next hop address, type the firewall's private IP address that you noted earlier.
+1. Select **OK**.
 
 Now associate the route to the subnet.
 
@@ -312,19 +331,20 @@ Now create the default route from the spoke subnet.
 2. In the search text box, type **route table** and press **Enter**.
 3. Select **Route table**.
 5. Select **Create**.
-6. For the name, type **UDR-DG**.
 7. Select the **FW-Hybrid-Test** for the resource group.
-8. For **Location**, select **(US) East US)**.
-4. For **Virtual network gateway route propagation**, select **Disabled**.
+8. For **Region**, select **East US**.
+1. For the name, type **UDR-DG**.
+4. For **Propagate gateway routes**, select **No**.
+1. Select **Review + create**.
 1. Select **Create**.
-2. After the route table is created, select it to open the route table page.
-3. Select **Routes** in the left column.
-4. Select **Add**.
-5. For the route name, type **ToHub**.
-6. For the address prefix, type **0.0.0.0/0**.
-7. For next hop type, select **Virtual appliance**.
-8. For next hop address, type the firewall's private IP address that you noted earlier.
-9. Select **OK**.
+1. After the route table is created, select it to open the route table page.
+1. Select **Routes** in the left column.
+1. Select **Add**.
+1. For the route name, type **ToHub**.
+1. For the address prefix, type **0.0.0.0/0**.
+1. For next hop type, select **Virtual appliance**.
+1. For next hop address, type the firewall's private IP address that you noted earlier.
+1. Select **OK**.
 
 Now associate the route to the subnet.
 
@@ -345,20 +365,21 @@ Create a virtual machine in the spoke virtual network, running IIS, with no publ
 1. From the Azure portal home page, select **Create a resource**.
 2. Under **Popular**, select **Windows Server 2016 Datacenter**.
 3. Enter these values for the virtual machine:
-    - **Resource group** - Select **FW-Hybrid-Test**.
-    - **Virtual machine name**: *VM-Spoke-01*.
-    - **Region** - *(US) East US)*.
-    - **User name**: *azureuser*.
-    - **Password**: type your password
+    - **Resource group** - Select **FW-Hybrid-Test**
+    - **Virtual machine name**: *VM-Spoke-01*
+    - **Region** - *(US) East US*
+    - **User name**: type a user name
+    - **Password**: type a password
 
 4. Select **Next:Disks**.
 5. Accept the defaults and select **Next: Networking**.
 6. Select **VNet-Spoke** for the virtual network and the subnet is **SN-Workload**.
-7. For **Public IP**, select **None**.
 8. For **Public inbound ports**, select **Allow selected ports**, and then select **HTTP (80)**, and **RDP (3389)**
-9. Select **Next:Management**.
-10. For **Boot diagnostics**, Select **Off**.
-11. Select **Review+Create**, review the settings on the summary page, and then select **Create**.
+1. Select **Next : Disks**.
+1. Select **Next : Networking**.
+1. Select **Next:Management**.
+1. For **Boot diagnostics**, Select **Disable**.
+1. Select **Review + Create**, review the settings on the summary page, and then select **Create**.
 
 ### Install IIS
 
@@ -384,19 +405,19 @@ This is a virtual machine that you use to connect using Remote Desktop to the pu
 1. From the Azure portal home page, select **Create a resource**.
 2. Under **Popular**, select **Windows Server 2016 Datacenter**.
 3. Enter these values for the virtual machine:
-    - **Resource group** - Select existing, and then select **FW-Hybrid-Test**.
-    - **Virtual machine name** - *VM-Onprem*.
-    - **Region** - *(US) East US)*.
-    - **User name**: *azureuser*.
-    - **Password**: type your password.
+    - **Resource group** - Select existing, and then select **FW-Hybrid-Test**
+    - **Virtual machine name** - *VM-Onprem*
+    - **Region** - *(US) East US*
+    - **User name**: type a user name
+    - **Password**: type your password
 
 4. Select **Next:Disks**.
 5. Accept the defaults and select **Next:Networking**.
 6. Select **VNet-Onprem** for virtual network and verify the subnet is **SN-Corp**.
 7. For **Public inbound ports**, select **Allow selected ports**, and then select **RDP (3389)**
 8. Select **Next:Management**.
-9. For **Boot diagnostics**, select **Off**.
-10. Select **Review+Create**, review the settings on the summary page, and then select **Create**.
+9. For **Boot diagnostics**, select **Disable**.
+10. Select **Review + Create**, review the settings on the summary page, and then select **Create**.
 
 ## Test the firewall
 
@@ -423,17 +444,17 @@ So now you've verified that the firewall rules are working:
 
 Next, change the firewall network rule collection action to **Deny** to verify that the firewall rules work as expected.
 
-1. Open the **FW-Hybrid-Test** resource group and select the **Pol-Net01**firewall policy.
-2. Under **Settings**, select **Rules**.
-3. Under **Network rules**, select the **RCNet01** rule collection, select the ellipses (...), and select **Edit**.
-4. For **Rule collection action**, select **Deny**.
-5. Select **Save**.
+1. Open the **FW-Hybrid-Test** resource group and select the **Pol-Net01** firewall policy.
+2. Under **Settings**, select **Rule Collections**.
+1. Select the **RCNet01** rule collection.
+1. For **Rule collection action**, select **Deny**.
+1. Select **Save**.
 
-Close any existing remote desktops and browsers on **VM-Onprem** before testing the changed rules. After the rule collection update is complete, run the tests again. They should all fail this time.
+Close any existing remote desktops and browsers on **VM-Onprem** before testing the changed rules. After the rule collection update is complete, run the tests again. They should all fail to connect this time.
 
 ## Clean up resources
 
-You can keep your firewall resources for the next tutorial, or if no longer needed, delete the **FW-Hybrid-Test** resource group to delete all firewall-related resources.
+You can keep your firewall resources for further investigation, or if no longer needed, delete the **FW-Hybrid-Test** resource group to delete all firewall-related resources.
 
 ## Next steps