In this simple hands-on lab, we'll be practising with the Azure Firewall service: creating an Azure Firewall, creating a route table so that any traffic pointing to the Azure Firewall's public IP reaches our VM in a private subnet, configuring DNAT and application rules on the firewall, and testing the connectivity.
Azure Firewall
Azure Firewall is a cloud-native security solution for Azure environments. It provides traffic inspection, filtering, and monitoring. Azure Firewall uses rules to control traffic in and out of the firewall, and these rules are grouped into rule collections; a rule collection is a group of firewall rules processed in order, each specifying an allow or deny action based on the rule conditions. Azure Firewall offers layer 3 and layer 7 filtering.
Azure firewall rule types
Azure Firewall provides three rule configuration types:
DNAT rule - allows you to redirect incoming traffic from a specific port or IP address to a different destination within your Azure environment.
Network rule - uses layer 3 and layer 4 information to allow or deny inbound or outbound traffic. These rules are based on IP address, port and protocols.
Application rule - layer 7 rules that allow or deny inbound or outbound traffic using fully qualified domain names (FQDNs), URLs and web protocols.
The rule groups are processed in this order (DNAT > Network > Application) by default. Azure Firewall also uses SNAT (Source Network Address Translation) for outbound access, so that all public traffic appears to come from the firewall's public IP address.
Azure Firewall requirements
AzureFirewallSubnet - A dedicated subnet that hosts the Azure Firewall, providing network security and traffic filtering.
AzureFirewallManagementSubnet - A separate subnet used for managing the Azure Firewall, including monitoring and logging.
Workload Subnet - A subnet where user workloads and applications are deployed, protected by the Azure Firewall.
Steps
Create a Firewall
Create the firewall policy which will contain the rules
Create a route table
Associate the created route table with the subnet containing the VM.
Add a DNAT rule collection to the firewall policy. Any RDP connection to the firewall from the internet will be directed to the VM's private IP.
Add an application rule collection to the firewall policy. This rule tells the firewall to allow only HTTP or HTTPS connections to microsoft.com and to block any other layer 7 requests.
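The route table from step 3 and the DNAT and application rule collections from steps 5 and 6, written as a Bicep template. This is an added example rather than part of the lab's portal steps; it assumes the policy from step 2 already exists under the name fw-policy-lab, and every address is a constructed placeholder.

```bicep
param fwPublicIp string = '203.0.113.10'    // firewall public IP (constructed placeholder)
param fwPrivateIp string = '10.0.0.4'       // firewall private IP in AzureFirewallSubnet (placeholder)
param vmPrivateIp string = '10.0.1.4'       // VM in the workload subnet (placeholder)
param workloadPrefix string = '10.0.1.0/24' // workload subnet range (placeholder)
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: 'fw-policy-lab' } // assumed name
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = { // DNAT is still evaluated before Application
  parent: policy
  name: 'lab-rules'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'dnat-rdp'
        priority: 100
        action: { type: 'Dnat' }
        rules: [ {
          ruleType: 'NatRule'
          name: 'rdp-to-vm'
          ipProtocols: [ 'TCP' ]
          sourceAddresses: [ '*' ]             // lab only; restrict to admin source IPs in practice
          destinationAddresses: [ fwPublicIp ] // RDP arriving at the firewall public IP ...
          destinationPorts: [ '3389' ]
          translatedAddress: vmPrivateIp       // ... is forwarded to the VM private IP
          translatedPort: '3389'
        } ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-allow-microsoft'
        priority: 200
        action: { type: 'Allow' }
        rules: [ {
          ruleType: 'ApplicationRule'
          name: 'web-to-microsoft-only'
          protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]
          sourceAddresses: [ workloadPrefix ]
          targetFqdns: [ 'microsoft.com', '*.microsoft.com' ] // any other FQDN hits the implicit deny
        } ]
      }
    ]
  }
}
resource rt 'Microsoft.Network/routeTables@2023-05-01' = { // workload subnet default route via the firewall
  name: 'rt-workload-via-fw'
  location: resourceGroup().location
  properties: { routes: [ { name: 'default-to-firewall', properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp } } ] }
}
```

Creating the firewall itself and associating the route table with the workload subnet (step 4) are left to the steps above.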
Testing the DNAT rule
Successful RDP connection using the firewall's public IP
Testing the application rule (the firewall denied access to google.com)
The firewall allowing the connection to microsoft.com