Azure firewall is the latest addition to Azure security
features portfolio. It was announced in preview last week along with Azure virtual
WAN. Along with other features such as NSG and WAF , Azure Firewall enables
additional protection for your applications hosted in Azure. We know that NSG offers
network level protection(L3) and helps in implementing restrictions on incoming
and outgoing traffic at network layer. WAF enables inbound security for web
applications at Layer 7.Azure Network firewall provides outbound network
layer(L3-L4) and application level (L7) protection for Http and Https traffic.
There are two types of rules that can be created in Azure
Firewall. Application rule and Network rule. As name indicates Network rule can
be used to allow/deny traffic at network layer by defining the source IP &
protocol + Destination IP& protocol. Application rules can be created to
allow or restrict outbound traffic to specific FQDNs.
If you want to play around with Azure Firewall, Refer this
document for a step by step approach. It
outlines the process of accessing a VM in a network protected using Azure
firewall.
Image courtesy:Microsoft
Few pointers here that will help you understand the
configuration:
- Workload VM(Srv-Work) is created in the subnet Workload-SN
- The workload VM is accessed using a JumpBox server(Srv-Jump) as the workload VM does not have a public IP associated with it
- Workload-SN had a default rule applied that redirects all outbound traffic to the Firewall. If you review the effective rules of Workload VM NIC card, the default route will be listed that routes the outbound traffic to Azure Firewall.
- In the firewall, Network and application rules are created allowing only required traffic from the Workload VM. In the example, DNS resolution is allowed using network rules and access to GitHub is allowed using application rule.
- DNS resolution is restricted to specific DNS servers and the DNS server IPs are hard coded in the workload VM NIC as custom DNS
PS: The document has instructions for creating a network
rule in Firewall to allow DNS using protocol TCP. However, I couldn’t get it
working without adding UDP. I have provided feedback in the document to check
on this.
Other than that, the instructions work like a charm and I
could get the set up working without any other glitches. Since internet access
is restricted to specific FQDN, access to any other website will be denied. If
you try accessing a website whose FQDN is not defined in the rule, you will get
the following message
Viola.. that’s your Azure firewall in Action!! You can also
create and connect Azure Firewall to existing VNets from VNet -> Settings. However,
do keep in mind that this service is currently in preview.
