Skip to main content

Introducing Azure Firewall


Azure firewall is the latest addition to Azure security features portfolio. It was announced in preview last week along with Azure virtual WAN. Along with other features such as NSG and WAF , Azure Firewall enables additional protection for your applications hosted in Azure. We know that NSG offers network level protection(L3) and helps in implementing restrictions on incoming and outgoing traffic at network layer. WAF enables inbound security for web applications at Layer 7.Azure Network firewall provides outbound network layer(L3-L4) and application level (L7) protection for Http and Https traffic.

There are two types of rules that can be created in Azure Firewall. Application rule and Network rule. As name indicates Network rule can be used to allow/deny traffic at network layer by defining the source IP & protocol + Destination IP& protocol. Application rules can be created to allow or restrict outbound traffic to specific FQDNs.

If you want to play around with Azure Firewall, Refer this document for a step by step approach.  It outlines the process of accessing a VM in a network protected using Azure firewall.


 

Image courtesy:Microsoft

Few pointers here that will help you understand the configuration:

  • Workload VM(Srv-Work) is created in the subnet Workload-SN
  • The workload VM is accessed using a JumpBox server(Srv-Jump) as the workload VM does not have a public IP associated with it
  • Workload-SN had a default rule applied that redirects all outbound traffic to the Firewall. If you review the effective rules of Workload VM NIC card, the default route will be listed that routes the outbound traffic to Azure Firewall.


 


  • In the firewall, Network and application rules are created allowing only required traffic from the Workload VM. In the example, DNS resolution is allowed using network rules and access to GitHub is allowed using application rule.
  • DNS resolution is restricted to specific DNS servers and the DNS server IPs are hard coded in the workload VM NIC as custom DNS

 

PS: The document has instructions for creating a network rule in Firewall to allow DNS using protocol TCP. However, I couldn’t get it working without adding UDP. I have provided feedback in the document to check on this.

Other than that, the instructions work like a charm and I could get the set up working without any other glitches. Since internet access is restricted to specific FQDN, access to any other website will be denied. If you try accessing a website whose FQDN is not defined in the rule, you will get the following message

 

S e http://w•wwgoogle.com/ p The world's leading softwared— e google.com request blocked by Azure NO rule matched. proceeding With default action

 

Viola.. that’s your Azure firewall in Action!! You can also create and connect Azure Firewall to existing VNets from VNet -> Settings. However, do keep in mind that this service is currently in preview.

Comments

  1. gps trackerMay 5, 2021 at 6:05 AM

    Gps tracker For more information
    but information is very best

    ReplyDelete
  2. Charlie OscarJune 10, 2021 at 12:55 AM

    Cloud computing

    CLOUD LEARN MORE What is CLOUD Computing? Cloud computing Cloud computing is a general term for anything that involves delivering hosted services over the internet.

    These services are divided into three main categories: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).A cloud…

    Visit to- sunoltech.com for more details

    ReplyDelete
  3. AnonymousSeptember 6, 2021 at 12:21 AM

    Cloud Computing course in Noida

    ReplyDelete
  4. Techbrein.comMarch 12, 2022 at 12:33 AM

    Excellent blog...Thanks for sharing valuable information.. At TechBrein, we boast a team of proficient digital consultants who have successfully helped businesses take the next level in this digital age. With a clear cut understanding of the industry, market conditions and audience, we provide expert advice and a result-oriented strategy for businesses to help them thrive and transform digitally. Please visit our website below…
    https://www.techbrein.com

    ReplyDelete
  5. Daniel VinchiOctober 25, 2022 at 10:02 AM

    AWS cloud migration service Princeton



    ReplyDelete

Post a Comment

Popular posts from this blog

Install nested KVM in VMware ESXi 5.1

In this blog, I will explain the steps required to run a nested KVM hypervisor on  Vmware ESXi. The installation of KVM is done on Ubuntu 13.10(64 bit). Note: It is assumed that you have already installed your Ubuntu 13.10 VM in ESXi, and hence we will not look into the Ubuntu installation part. 1) Upgrade VM Hardware version to 9. In my ESXi server, the default VM hardware version was 8. So I had to shutdown my VM and upgrade the Hardware version to 9 to get the KVM hypervisor working. You can right click the VM and select the Upgrade hardware option to do this. 2)In the ESXi host In /etc/vmware edit the 'config' file and add the following setting vhv.enable = "TRUE" 3)Edit the VM settings and go to VM settings > Options  > CPU/MMU Virtualization . Select the Intel EPT option 4) Go to Options->CPUID mask> Advanced-> Level 1, add the following CPU mask level ECX  ---- ---- ---- ---- ---- ---- --H- ---- 5) Open the vmx...
5 comments
Read more

Virtual fibre channel in Hyper V

Virtual fibre channel option in Hyper V allows the connection to pass through from physical  fibre channel HBA to virtual fibre channel HBA, and still have the flexibilities like live migration. Pre-requisites: VM should be running Windows Server 2008, 2008 R2 or Windows Server 2012 Supported physical HBA with N_Port Virtualization(NPIV) enabled in the HBA. This can be enabled using any management utility provided by the SAN manufacturer. If you need to enable live migration, each host should be having two physical HBAs and each HBA should have two World Wide Names(WWN). WWN is used to established connectivity to FC storage.When you perform migration, the second node can use the second WWN to connect to the storage and then the first node can release its connection. Thereby the storage connectivity is maintained during live migration Configuring virtual fibre channel is a two step process Step 1: Create a Virtual SAN in the Hyper-V host First you need to click on Vir...
2 comments
Read more

Windows server 2012: where is my start button??

If you have been using Windows Server OS for a while, the one thing that will strike you most when you login to a Windows server 2012 is that there is no start button!!.. What??..How am I going to manage it?? Microsoft feels that you really dont need a start button, since you can do almost everything from your server  manager or even remotely from your desktop. After all the initial configurations are done, you could also do away with the GUI and go back to server core option.(In server 2012, there is an option to add and remove GUI). So does that mean, you need to learn to live without a start button. Actually no, the start button is very much there .Lets start looking for it. Option 1: There is "charms" bar on the side of your deskop, where you will find a "start" option. You can use the "Windows +C" shortcut to pop out the charms bar Option 2: There is a hidden "start area"in  the bottom left corner of your desktop...
3 comments
Read more