Your company needs to restrict outgoing traffic from their server using a firewall. They want you to block users from visiting anything besides `https://www.microsoft.com` and they don’t want to allow port 53 outbound from the server. You will create a firewall and connect it to your virtual network as a solution.
Learning Objectives
Successfully complete this lab by achieving the following learning objectives:
- Create a Firewall
  - Log in to the Azure portal with the credentials provided.
  - Create a new Azure firewall named fw-1.
  - Use the existing virtual network provisioned with this lab.
  - Create a new public IP for the firewall.
  - Match the region of the firewall to the region of the lab-provided resource group.
- Create a Route Table
  - Create a new route table named routetable1.
  - Create a route named route1 that routes all traffic (0.0.0.0/0) to a virtual appliance with a next hop address of your Azure firewall’s private IP.
  - Associate routetable1 with the lab-VM-VNET virtual network and the default subnet.
- Configure Rule Collections for Firewall
  - Add a NAT rule that will route traffic from the firewall public IP to the private IP of the server over 3389 (RDP). Note: Please use the Classic Rules, otherwise the lab will not grade correctly.
    - Name the collection natcollection.
    - Name the rule rdp.
  - Add a network rule to allow UDP port 53 outbound to the Google public DNS servers (8.8.8.8 and 8.8.4.4).
    - Name the collection netcollection.
    - Name the rule dns.
  - Configure an application rule collection to allow www.microsoft.com from the default subnet CIDR over the http and https protocols under Target FQDNs.
    - Name the collection appcollection.
    - Name the rule microsoftcom.
  - Add the public DNS servers to the network interface of the virtual machine.
- Test Connectivity
  - Log in to the server using the public IP address of the firewall. Success here validates our NAT (Network Address Translation) rule for RDP.
  - Open Internet Explorer and go to https://www.microsoft.com. Success here validates our application rule for HTTP and HTTPS to this website.
  - Test DNS using `nslookup -type=TXT test.dns.google.com. dns.google.` to confirm that we are resolving through the Google DNS servers. Success here validates our network rule for DNS traffic on port 53/UDP.
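The same configuration as an Azure CLI script, added here as an example and not part of the lab: it assumes `az login` has been done, the `azure-firewall` CLI extension is installed, and lab-VM-VNET already contains an AzureFirewallSubnet; RG, LOC, SUBNET_CIDR, VM_PRIVATE_IP and VM_NIC are placeholders to replace with the lab's values. Set DRY_RUN=1 to print the `az` commands instead of executing them.

```shell
#!/usr/bin/env bash
# Added example, not part of the lab: the portal steps above as Azure CLI calls.
# Assumes az login is done, the azure-firewall extension is installed, and an
# AzureFirewallSubnet already exists in lab-VM-VNET. RG, LOC, SUBNET_CIDR,
# VM_PRIVATE_IP and VM_NIC are placeholders. DRY_RUN=1 prints instead of running.
set -eu

RG="${RG:-lab-resource-group}"             # placeholder resource group
LOC="${LOC:-eastus}"                       # placeholder; must match the RG region
VNET="lab-VM-VNET"; SUBNET="default"
SUBNET_CIDR="${SUBNET_CIDR:-10.0.0.0/24}"  # placeholder default-subnet CIDR
VM_PRIVATE_IP="${VM_PRIVATE_IP:-10.0.0.4}" # placeholder server private IP
VM_NIC="${VM_NIC:-lab-vm-nic}"             # placeholder NIC name of the server
DNS_SERVERS="8.8.8.8 8.8.4.4"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "az $*"; else az "$@"; fi; }

create_firewall() {
  run network public-ip create -g "$RG" -n fw-1-pip -l "$LOC" --sku Standard --allocation-method Static
  run network firewall create -g "$RG" -n fw-1 -l "$LOC"
  run network firewall ip-config create -g "$RG" -f fw-1 -n fw-1-ipconfig \
    --public-ip-address fw-1-pip --vnet-name "$VNET"
}

# Send all egress from the default subnet to the firewall's private IP ($1).
create_route_table() {
  run network route-table create -g "$RG" -n routetable1 -l "$LOC"
  run network route-table route create -g "$RG" --route-table-name routetable1 -n route1 \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$1"
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" --route-table routetable1
}

# Classic rule collections: DNAT for RDP via the firewall public IP ($1),
# UDP/53 only to Google DNS, and web access only to www.microsoft.com.
create_rule_collections() {
  run network firewall nat-rule create -g "$RG" -f fw-1 --collection-name natcollection -n rdp \
    --priority 100 --action Dnat --protocols TCP --source-addresses '*' \
    --destination-addresses "$1" --destination-ports 3389 \
    --translated-address "$VM_PRIVATE_IP" --translated-port 3389
  run network firewall network-rule create -g "$RG" -f fw-1 --collection-name netcollection -n dns \
    --priority 200 --action Allow --protocols UDP --source-addresses "$SUBNET_CIDR" \
    --destination-addresses $DNS_SERVERS --destination-ports 53
  run network firewall application-rule create -g "$RG" -f fw-1 --collection-name appcollection -n microsoftcom \
    --priority 300 --action Allow --protocols Http=80 Https=443 \
    --source-addresses "$SUBNET_CIDR" --target-fqdns www.microsoft.com
}

# Point the server's NIC at the same resolvers the network rule permits.
set_vm_dns() { run network nic update -g "$RG" -n "$VM_NIC" --dns-servers $DNS_SERVERS; }
```

Run create_firewall first, then read the firewall's private IP and the fw-1-pip address back from `az network firewall show` and `az network public-ip show` and pass them to create_route_table and create_rule_collections respectively, finishing with set_vm_dns.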