This article helps you create an Azure Firewall with a DDoS protected virtual network. Azure DDoS Protection provides enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your firewall from large-scale DDoS attacks.
Important
Azure DDoS Protection incurs a cost when you use the Network Protection SKU. Overage charges apply only if more than 100 public IPs are protected in the tenant. Delete the resources in this tutorial if you won't use them in the future. For information about pricing, see Azure DDoS Protection Pricing. For more information about Azure DDoS Protection, see What is Azure DDoS Protection?
For this tutorial, you create a simplified single VNet with two subnets for easy deployment. Azure DDoS Network Protection is enabled for the virtual network.
- AzureFirewallSubnet - the firewall is in this subnet.
- Workload-SN - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
For production deployments, use a hub and spoke model, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
In this tutorial, you learn how to:
- Set up a test network environment
- Deploy a firewall and firewall policy
- Create a default route
- Configure an application rule to allow access to www.google.com
- Configure a network rule to allow access to external DNS servers
- Configure a NAT rule to allow a remote desktop to the test server
- Test the firewall
If you prefer, you can complete this procedure using Azure PowerShell.
Prerequisites
If you don't have an Azure subscription, create a free account before you begin.
Set up the network
First, create a resource group to contain the resources needed to deploy the firewall. Then create a virtual network, subnets, and a test server.
Create a resource group
The resource group contains all the resources for the tutorial.
Sign in to the Azure portal, search for and select Resource groups, and then select Add. Enter or select the following values:
- Subscription: Select your Azure subscription.
- Resource group: Enter Test-FW-RG.
- Region: Select a region. All other resources that you create must be in the same region.
Select Review + create, and then select Create.
Create a DDoS protection plan
Search for and select DDoS protection plans. Select + Create, and enter or select the following information:
- Project details > Subscription: Select your Azure subscription.
- Project details > Resource group: Select Test-FW-RG.
- Instance details > Name: Enter myDDoSProtectionPlan.
- Instance details > Region: Select the region.
Select Review + create, and then select Create.
Create a VNet
This VNet has two subnets.
Note
The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see Azure Firewall FAQ.
On the Azure portal menu, select Create a resource.
Select Networking.
Search for Virtual network and select it.
Select Create and enter or select the following values:
- Subscription: Select your Azure subscription.
- Resource group: Select Test-FW-RG.
- Name: Enter Test-FW-VN.
- Region: Select the same location that you used previously.
On the IP addresses tab, accept the default 10.1.0.0/16 for IPv4 Address space. Under Subnet, select default, enter the following values, and then select Save:
- Subnet name: AzureFirewallSubnet (the subnet name must be AzureFirewallSubnet)
- Address range: 10.1.1.0/26
Select Add subnet, enter the following values, and then select Add:
- Subnet name: Workload-SN
- Subnet address range: 10.1.2.0/24
On the Security tab, under DDoS Network Protection, select Enable and select myDDoSProtectionPlan for DDoS protection plan.
Select Review + create, and then select Create.
Create a virtual machine
Create the workload virtual machine and place it in the Workload-SN subnet.
On the Azure portal menu, select Create a resource.
Select Windows Server 2019 Datacenter.
Enter or select values for the virtual machine:
- Subscription: Select your Azure subscription.
- Resource group: Select Test-FW-RG.
- Virtual machine name: Enter Srv-Work.
- Region: Select the same location that you used previously.
- Username: Enter a username.
- Password: Enter a password.
For Public inbound ports, select None, accept disk defaults, and on the Networking tab ensure that Test-FW-VN is the virtual network, the subnet is Workload-SN, and Public IP is None.
On the Management tab, select Disable for boot diagnostics, and then select Review + create and Create.
After the deployment finishes, select the Srv-Work resource and note the private IP address for later use.
Deploy the firewall and policy
Deploy the firewall into the virtual network.
Select Create a resource, search for and select Firewall, and then select Create. Enter or select the following values:
- Subscription: Select your Azure subscription.
- Resource group: Select Test-FW-RG.
- Name: Enter Test-FW01.
- Region: Select the same location that you used previously.
- Firewall management: Select Use a Firewall Policy to manage this firewall.
- Firewall policy: Select Add new, enter fw-test-pol, and select the same region that you used previously.
- Choose a virtual network: Select Use existing, and then select Test-FW-VN.
- Public IP address: Select Add new, and enter fw-pip for the Name.
Accept the other default settings, select Review + create, and then select Create. Deployment takes a few minutes.
After deployment finishes, go to the Test-FW-RG resource group, select the Test-FW01 firewall, and note the firewall private and public IP addresses for later use.
Create a default route
For the Workload-SN subnet, configure the outbound default route to go through the firewall.
Search for and select Route tables, and then select Create. Enter or select the following values:
- Subscription: Select your Azure subscription.
- Resource group: Select Test-FW-RG.
- Region: Select the same location that you used previously.
- Name: Enter Firewall-route.
Select Review + create, and then select Create. After the deployment finishes, select Go to resource.
Select Subnets > Associate, select Virtual network > Test-FW-VN, and for Subnet select Workload-SN (select only this subnet, otherwise the firewall won't work correctly), and then select OK.
Select Routes > Add, enter or select the following values, and then select OK:
- Route name: fw-dg
- Address prefix: 0.0.0.0/0
- Next hop type: Virtual appliance (Azure Firewall is a managed service, but Virtual appliance is the correct next hop type here)
- Next hop address: The firewall private IP address that you noted previously
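The network, DDoS protection plan, firewall and default route from the preceding sections, scripted with Az PowerShell as an added example (this is not the tutorial's own script; the cmdlets are from the Az.Resources and Az.Network modules). The region value is an assumption, Connect-AzAccount is assumed to have been run first, and the Srv-Work virtual machine is still created with the portal steps above.

```powershell
# Added example, not from the original tutorial: builds the tutorial's network,
# DDoS plan, firewall and default route with Az PowerShell.
# Assumes Connect-AzAccount has already been run.
$rg       = "Test-FW-RG"
$location = "eastus"   # assumed region; any single region works, all resources must share it

# Resource group and DDoS protection plan
New-AzResourceGroup -Name $rg -Location $location | Out-Null
$ddos = New-AzDdosProtectionPlan -ResourceGroupName $rg -Name "myDDoSProtectionPlan" -Location $location

# VNet with both subnets. AzureFirewallSubnet must use exactly that name and a /26.
# DDoS Network Protection is enabled on the VNet by linking the plan.
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.1.1.0/26"
$workSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workload-SN" -AddressPrefix "10.1.2.0/24"
$vnet = New-AzVirtualNetwork -Name "Test-FW-VN" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.1.0.0/16" -Subnet $fwSubnet, $workSubnet `
    -DdosProtectionPlanId $ddos.Id -EnableDdosProtection

# Firewall policy, a Standard-SKU static public IP, and the firewall itself
$policy = New-AzFirewallPolicy -Name "fw-test-pol" -ResourceGroupName $rg -Location $location
$pip = New-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name "Test-FW01" -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $policy.Id

# The firewall's private IP is the next hop for the workload subnet's default route
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# Route table with the 0.0.0.0/0 route, associated with Workload-SN only.
# Do not associate it with AzureFirewallSubnet; the firewall would not work correctly.
$route = New-AzRouteConfig -Name "fw-dg" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "Firewall-route" -ResourceGroupName $rg -Location $location -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Workload-SN" `
    -AddressPrefix "10.1.2.0/24" -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the only route should be 0.0.0.0/0 -> VirtualAppliance -> firewall private IP
Get-AzRouteTable -ResourceGroupName $rg -Name "Firewall-route" |
    Select-Object -ExpandProperty Routes |
    Format-Table Name, AddressPrefix, NextHopType, NextHopIpAddress
```

The final Get-AzRouteTable call is the equivalent of opening the route table in the portal: if the next hop address is empty or differs from the firewall's private IP, traffic from Workload-SN bypasses the firewall and the later test steps will not behave as described.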
Configure an application rule
This application rule grants outbound access to www.google.com.
Open the Test-FW-RG resource group, select the fw-test-pol firewall policy, and then select Application rules > Add a rule collection. Enter the following values:
- Name: App-Coll01
- Priority: 200
- Rule collection action: Allow
- Rule > Name: Allow-Google
- Rule > Source type: IP address
- Rule > Source: 10.0.2.0/24
- Rule > Protocol:port: http, https
- Rule > Destination type: FQDN
- Rule > Destination: www.google.com
Select Add.
Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific to the platform and you can't use them for other purposes. For more information, see Infrastructure FQDNs.
Configure a network rule
This network rule grants outbound access to two IP addresses at port 53 (DNS).
Select Network rules > Add a rule collection and enter the following values:
- Name: Net-Coll01
- Priority: 200
- Rule collection action: Allow
- Rule collection group: DefaultNetworkRuleCollectionGroup
- Rule > Name: Allow-DNS
- Rule > Source type: IP Address
- Rule > Source: 10.0.2.0/24
- Rule > Protocol: UDP
- Rule > Destination Ports: 53
- Rule > Destination type: IP address
- Rule > Destination: 209.244.0.3,209.244.0.4 (public DNS servers operated by CenturyLink)
Select Add.
Configure a DNAT rule
This rule connects a remote desktop to the Srv-Work virtual machine through the firewall.
Select DNAT rules > Add a rule collection and enter the following values:
- Name: rdp
- Priority: 200
- Rule collection group: DefaultDnatRuleCollectionGroup
- Rule > Name: rdp-nat
- Rule > Source type: IP address
- Rule > Source: *
- Rule > Protocol: TCP
- Rule > Destination Ports: 3389
- Rule > Destination type: IP Address
- Rule > Destination: The firewall public IP address
- Rule > Translated address: The Srv-Work private IP address
- Rule > Translated port: 3389
Select Add.
Change the DNS address for the Srv-Work network interface
For testing purposes in this tutorial, configure the server's primary and secondary DNS addresses. This configuration isn't a general Azure Firewall requirement.
- In the Test-FW-RG resource group, select the network interface for the Srv-Work virtual machine.
- Under Settings, select DNS servers > Custom, enter 209.244.0.3 and 209.244.0.4, and then select Save.
- Restart the Srv-Work virtual machine.
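The three rule collections (application, network and DNAT) and the Srv-Work DNS change from the preceding sections, scripted with Az PowerShell as an added example (not the tutorial's own code). One check worth making before you apply them: the rule tables above give 10.0.2.0/24 as the source, but Workload-SN is 10.1.2.0/24 inside the VNet's 10.1.0.0/16 address space, so a rule with that source never matches traffic from Srv-Work and the allow rules silently do nothing. The example therefore uses the subnet's actual prefix. It assumes Connect-AzAccount has been run and that the policy, firewall public IP and virtual machine exist under the names used in this tutorial; the Az.Network and Az.Compute modules are required.

```powershell
# Added example, not from the original tutorial: creates the application, network
# and DNAT rule collections on fw-test-pol and sets the Srv-Work NIC DNS servers.
# Assumes Connect-AzAccount has been run and the tutorial's resources exist.
$rg     = "Test-FW-RG"
$policy = Get-AzFirewallPolicy -Name "fw-test-pol" -ResourceGroupName $rg

# Source prefix is the real Workload-SN range (10.1.2.0/24), not the 10.0.2.0/24
# shown in the portal tables, which lies outside the 10.1.0.0/16 VNet.
$workloadPrefix = "10.1.2.0/24"

# Look up the addresses the DNAT rule needs instead of pasting them by hand
$fwPublicIp = (Get-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $rg).IpAddress
$vm         = Get-AzVM -ResourceGroupName $rg -Name "Srv-Work"
$srvNic     = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$srvPrivIp  = $srvNic.IpConfigurations[0].PrivateIpAddress

# Application rule: HTTP/HTTPS to www.google.com only (FQDN-based, so HTTPS uses the SNI)
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-Google" -SourceAddress $workloadPrefix `
    -Protocol "http:80", "https:443" -TargetFqdn "www.google.com"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "App-Coll01" -Priority 200 `
    -ActionType Allow -Rule $appRule

# Network rule: UDP/53 to the two external DNS servers
$netRule = New-AzFirewallPolicyNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress $workloadPrefix `
    -DestinationAddress "209.244.0.3", "209.244.0.4" -DestinationPort 53
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "Net-Coll01" -Priority 200 `
    -ActionType Allow -Rule $netRule

# DNAT rule: RDP to the firewall's public IP is translated to Srv-Work's private IP
$natRule = New-AzFirewallPolicyNatRule -Name "rdp-nat" -Protocol TCP -SourceAddress "*" `
    -DestinationAddress $fwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $srvPrivIp -TranslatedPort 3389
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "rdp" -Priority 200 -ActionType Dnat -Rule $natRule

# Rule collection groups are processed in priority order: DNAT, then network, then application.
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultDnatRuleCollectionGroup" -Priority 100 `
    -RuleCollection $natColl -FirewallPolicyObject $policy | Out-Null
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultNetworkRuleCollectionGroup" -Priority 200 `
    -RuleCollection $netColl -FirewallPolicyObject $policy | Out-Null
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultApplicationRuleCollectionGroup" -Priority 300 `
    -RuleCollection $appColl -FirewallPolicyObject $policy | Out-Null

# Point the Srv-Work NIC at the same external DNS servers the network rule allows, then restart
$srvNic.DnsSettings.DnsServers.Clear()
$srvNic.DnsSettings.DnsServers.Add("209.244.0.3")
$srvNic.DnsSettings.DnsServers.Add("209.244.0.4")
$srvNic | Set-AzNetworkInterface | Out-Null
Restart-AzVM -ResourceGroupName $rg -Name "Srv-Work" | Out-Null
```

The DNAT source of * is what the tutorial specifies for a test environment; in a production deployment you would narrow it to the address ranges that actually need RDP, and the network rule for DNS should likewise be scoped to the resolvers you operate or trust.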
Test the firewall
Now, test the firewall to confirm that it works as expected.
Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.
Open a web browser and browse to https://www.google.com. You see the Google home page.
Browse to https://www.microsoft.com. The firewall blocks you.
You've now verified that the firewall rules are working:
- You can browse to the one allowed FQDN, but not to any others.
- You can resolve DNS names by using the configured external DNS server.
Clean up resources
You can keep your firewall resources for the next tutorial, or if you no longer need them, delete the Test-FW-RG resource group to delete all firewall-related resources.