AZ-500 Azure Firewall – Deploy and test an Azure Firewall

source: AZ500-AzureSecurityTechnologies

Lab Scenario:

  • A virtual network with a workload subnet and a jump host subnet.
  • A virtual machine is each subnet.
  • A custom route that ensures all outbound workload traffic from the workload subnet must use the firewall.
  • Firewall Application rules that only allow outbound traffic to www.bing.com.
  • Firewall Network rules that allow external DNS server lookups.
  • Task 1: Use a template to deploy the lab environment.
  • Task 2: Deploy an Azure firewall.
  • Task 3: Create a default route.
  • Task 4: Configure an application rule.
  • Task 5: Configure a network rule.
  • Task 6: Configure DNS servers.
  • Task 7: Test the firewall.

Task 1: Use a template to deploy the lab environment.

Go to search bar and type template, select Deploy a custom template > Build your own template in the editor > and paste the lab template from the lab and click save
AZ500-AzureSecurityTechnologies/Allfiles/Labs/08/template.json

On the Custom Deployment page make sure the following settings are configured (leave any others with their default values):

Subscriptionthe name of the Azure subscription you will be using in this lab
Resource groupclick Create new and type the name AZ500LAB08
Location(US) East US
adminPasswordA secure password of your own choosing for the virtual machines. Remember the password. You will need it later to connect to the VMs.

click review and create

Task 2: Deploy the Azure firewall

On search bar type firewall select firewalls > + Create

We will use the following configuration

Resource groupAZ500LAB08
NameTest-FW01
Region(US) East US
Firewall SKUStandard
Firewall managementUse Firewall rules (classic) to manage this firewall
Choose a virtual networkclick the Use existing option and, in the drop-down list, select Test-FW-VN
Public IP addressclck Add new and type the name TEST-FW-PIP and click OK

Click review and create, go ahead and create

Once the firewall is deployed we need to click go to resource > and copy the Private IP address for future use

Task 3: Create a default route

Now we need to create a default route for the Workload-SN subnet. This route will configure outbound traffic through the firewall.

on the search bar type route and click on route tables > + Create > and use the following configuration

Resource groupAZ500LAB08
RegionEast US
NameFirewall-route

go ahead and create, once created click on go to resource > subnets > + Associate

On the Associate subnet blade, specify the following settings:

SettingValue
Virtual networkTest-FW-VN
SubnetWorkload-SN

Click OK, now click on Routes > + Add

We will use the following configuration:

SettingValue
Route nameFW-DG
Address prefix destinationIP Address
Destination IP addresses/CIDR ranges0.0.0.0/0
Next hop typeVirtual appliance
Next hop addressthe private IP address of the firewall that you identified in the previous task
>**Note**: Azure Firewall is actually a managed service, but virtual appliance works in this situation.

Click add

Task 4: Configure an application rule

In this task you will create an application rule that allows outbound access to www.bing.com

On search bar type firewall, click on Firewalls > open Test-FW01 > Rules (classic) > Application rule collection >

we will use the following configuration and click add once filled out like so:

NameApp-Coll01
Priority200
ActionAllow
nameAllowGH
Source typeIP Address
Source10.0.2.0/24
Protocol porthttp:80, https:443
Target FQDNSwww.bing.com

Task 5: Configure a network rule

Go back to Test-FW01, click Rules (classic) > Network rule collection > + Add network rule collection

In this task, you will create a network rule that allows outbound access to two IP addresses on port 53 (DNS).

 We will use the following settings (leave others with their default values):

NameNet-Coll01
Priority200
ActionAllow
SettingValue
NameAllowDNS
ProtocolUDP
Source typeIP address
Source Addresses10.0.2.0/24
Destination typeIP address
Destination Address209.244.0.3,209.244.0.4
Destination Ports53

Note: The destination addresses used in this case are known public DNS servers.

Click on Add

Task 6: Configure the virtual machine DNS servers

In this task, you will configure the primary and secondary DNS addresses for the virtual machine. This is not a firewall requirement.

Go to resource groups > AZ500LAB08 > Srv-Work > Settings > Networking > Network interface

On the Srv-Work | Networking blade, click the link next to the Network interface entry.

Go to Settings section, click DNS servers, select the Custom option, add the two DNS servers referenced in the network rule: 209.244.0.3 and 209.244.0.4, and click Save to save the change.

Note: Wait for the update to complete.

Note: Updating the DNS servers for a network interface will automatically restart the virtual machine to which that interface is attached, and if applicable, any other virtual machines in the same availability set.

Task 7: Test the firewall

Go to AZ500LAB08 resource group >  Srv-Jump > and copy the public IP address

On your own computer open RDP

Enter the public IP address of Srv-Jump and click connect > enter your credentials previously configured

Once connected to the Srv-Jump, open cmd and run the following command to RDP to the Srv-Work vm, enter the same credentals we had previously setup.

mstsc /v:Srv-Work
  • mstsc: This is the command-line executable for Microsoft Terminal Services Client, which is used to start a Remote Desktop Protocol (RDP) session.
  • /v: This switch specifies the remote computer to which you want to connect.
  • Srv-Work: This is the hostname or IP address of the remote computer.

Within the Remote Desktop session to Srv-Work, in Server Manager, click Local Server and then click IE Enhanced Security Configuration.

In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off and click OK.

    Within the Remote Desktop session to Srv-Work, start Internet Explorer and browse to https://www.bing.com.

    Note: The website should successfully display. The firewall allows you access.

      Browse to http://www.microsoft.com/

      Note: Within the browser page, you should receive a message with text resembling the following: HTTP request from 10.0.2.4:xxxxx to microsoft.com:80. Action: Deny. No rule matched. Proceeding with default action. This is expected, since the firewall blocks access to this website.

      Result: You have successfully configured and tested the Azure Firewall.

      Clean up resources

      PowerShell session within the Cloud Shell pane, run the following to remove the resource group you created in this lab:

      Remove-AzResourceGroup -Name "AZ500LAB08" -Force -AsJob
      Author: user

      Leave a Reply

      Your email address will not be published. Required fields are marked *