Deploy and configure Azure Firewall

Create a resource group

1. Sign in to the Azure portal at https://portal.azure.com.
2. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Create.
3. For Subscription, select your subscription.
4. For Resource group name, type Test-FW-RG.
5. For Resource group location, select a location. All other resources that you create must be in the same location.
6. Select Review + create.
7. Select Create.

Create a VNet

1. On the Azure portal menu or from the Home page, select Create a resource.
2. Select Networking > Virtual network.
3. For Subscription, select your subscription.
4. For Resource group, select Test-FW-RG.
5. For Name, type Test-FW-VN.
6. For Region, select the same location that you used previously.
7. Select Next: IP addresses.
8. For IPv4 Address space, accept the default 10.0.0.0/16.
9. Under Subnet name, select default.
10. For Subnet name change it to AzureFirewallSubnet. The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.
11. For Address range, change it to 10.0.1.0/26.
12. Select Save.Next, create a subnet for the workload server.
13. Select Add subnet.
14. For Subnet name, type Workload-SN.
15. For Subnet address range, type 10.0.2.0/24.
16. Select Add.
17. Select Review + create.
18. Select Create.

Create a virtual machine

1. On the Azure portal menu or from the Home page, select Create a resource.
2. Select Windows Server 2019 Datacenter.
3. Enter these values for the virtual machine:

   Setting	Value
   Resource group	Test-FW-RG
   Virtual machine name	Srv-Work
   Region	Same as previous
   Image	Windows Server 2019 Datacenter
   Administrator user name	Type a user name
   Password	Type a password

4. Under Inbound port rules, Public inbound ports, select None.
5. Accept the other defaults and select Next: Disks.
6. Accept the disk defaults and select Next: Networking.
7. Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.
8. For Public IP, select None.
9. Accept the other defaults and select Next: Management.
10. For Boot diagnostics, select Disable to disable boot diagnostics. Accept the other defaults and select Review + create.
11. Review the settings on the summary page, and then select Create.
12. After the deployment is complete, select Srv-Work and note the private IP address that you’ll need to use later.

Deploy the firewall

1. On the Azure portal menu or from the Home page, select Create a resource.
2. Type firewall in the search box and press Enter.
3. Select Firewall and then select Create.
4. On the Create a Firewall page, use the following table to configure the firewall:

   Setting	Value
   Subscription	<your subscription>
   Resource group	Test-FW-RG
   Name	Test-FW01
   Region	Select the same location that you used previously
   Firewall tier	Standard
   Firewall management	Use Firewall rules (classic) to manage this firewall
   Choose a virtual network	Use existing: Test-FW-VN
   Public IP address	Add new Name: fw-pip

5. Accept the other default values, then select Review + create.
6. Review the summary, and then select Create to create the firewall.This will take a few minutes to deploy.
7. After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.
8. Note the firewall private and public IP addresses. You’ll use these addresses later.

Create a default route

When creating a route for outbound and inbound connectivity through the firewall, a default route to 0.0.0.0/0 with the virtual appliance private IP as a next hop is sufficient. This will take care of any outgoing and incoming connections to go through the firewall. As an example, if the firewall is fulfilling a TCP-handshake and responding to an incoming request, then the response is directed to the IP address who sent the traffic. This is by design.

As a result, there is no need create an additional UDR to include the AzureFirewallSubnet IP range. This may result in dropped connections. The original default route is sufficient.

For the Workload-SN subnet, configure the outbound default route to go through the firewall.

1. On the Azure portal menu, select Create a resource.
2. Under Networking, select Route table.
3. For Subscription, select your subscription.
4. For Resource group, select Test-FW-RG.
5. For Region, select the same location that you used previously.
6. For Name, type Firewall-route.
7. Select Review + create.
8. Select Create.

After deployment completes, select Go to resource.

1. On the Firewall-route page, select Subnets and then select Associate.
2. Select Virtual network > Test-FW-VN.
3. For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route, otherwise your firewall won’t work correctly.
4. Select OK.
5. Select Routes and then select Add.
6. For Route name, type fw-dg.
7. For Address prefix destination, select IP Addresses.
8. For Destination IP addresses/CIDR ranges, type 0.0.0.0/0.
9. For Next hop type, select Virtual appliance.Azure Firewall is actually a managed service, but virtual appliance works in this situation.
10. For Next hop address, type the private IP address for the firewall that you noted previously.
11. Select Add.

Configure an application rule

1. Open the Test-FW-RG, and select the Test-FW01 firewall.
2. On the Test-FW01 page, under Settings, select Rules (classic).
3. Select the Application rule collection tab.
4. Select Add application rule collection.
5. For Name, type App-Coll01.
6. For Priority, type 200.
7. For Action, select Allow.
8. Under Rules, Target FQDNs, for Name, type Allow-Google.
9. For Source type, select IP address.
10. For Source, type 10.0.2.0/24.
11. For Protocol:port, type http, https.
12. For Target FQDNS, type www.google.com
13. Select Add.

Configure a network rule

1. Select the Network rule collection tab.
2. Select Add network rule collection.
3. For Name, type Net-Coll01.
4. For Priority, type 200.
5. For Action, select Allow.
6. Under Rules, IP addresses, for Name, type Allow-DNS.
7. For Protocol, select UDP.
8. For Source type, select IP address.
9. For Source, type 10.0.2.0/24.
10. For Destination type select IP address.
11. For Destination address, type 209.244.0.3,209.244.0.4These are public DNS servers operated by Level3.
12. For Destination Ports, type 53.
13. Select Add.

Configure a DNAT rule

1. Select the NAT rule collection tab.
2. Select Add NAT rule collection.
3. For Name, type rdp.
4. For Priority, type 200.
5. Under Rules, for Name, type rdp-nat.
6. For Protocol, select TCP.
7. For Source type, select IP address.
8. For Source, type *.
9. For Destination address, type the firewall public IP address.
10. For Destination Ports, type 3389.
11. For Translated address, type the Srv-work private IP address.
12. For Translated port, type 3389.
13. Select Add.

Change the primary and secondary DNS address for the Srv-Work network interface

1. On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the Test-FW-RG resource group.
2. Select the network interface for the Srv-Work virtual machine.
3. Under Settings, select DNS servers.
4. Under DNS servers, select Custom.
5. Type 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box.
6. Select Save.
7. Restart the Srv-Work virtual machine.

Test the firewall

1. Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.
2. Open Internet Explorer and browse to https://www.google.com.
3. Select OK > Close on the Internet Explorer security alerts.
   You should see the Google home page.
4. Browse to https://www.microsoft.com.
   You should be blocked by the firewall.