Attach a Firewall to a Virtual Network in Azure

1.25 hours
  • 4 Learning Objectives

About this Hands-on Lab

Your company needs to restrict outgoing traffic from their server using a firewall. They want you to block users from visiting anything besides `https://www.microsoft.com` and they don’t want to allow port 53 outbound from the server. You will create a firewall and connect it to your virtual network as a solution.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Firewall
  1. Log in to the Azure portal with the credentials provided.
  2. Create a new Azure firewall named fw-1.
  3. Use the existing virtual network provisioned with this lab.
  4. Create a new public IP for the firewall.
  5. Match the region of the firewall to the region of the deployed resources in your hands-on-lab.
Create a Route Table
  1. Create a new route table named routetable1.
  2. Create a route named route1 that routes all traffic (0.0.0.0/0) to a virtual appliance with a next hop address of your Azure firewall’s private IP.
Configure Rule Collections for Firewall
  1. Add a NAT rule that will route traffic from the firewall public IP to the private IP of the server over port 3389 (RDP).
  2. Add a network rule to allow UDP port 53 outbound to Google public DNS servers (8.8.8.8 and 8.8.4.4).
  3. Configure an application rule collection to allow www.microsoft.com.
  4. Add the public DNS servers to the network interface of the virtual machine.
Test Connectivity
  1. Log in to the server using the public IP address of the firewall. Success here validates our NAT (Network Address Translation) rule for RDP.
  2. Open Internet Explorer and go to https://www.microsoft.com. Success here validates our application rule for HTTP and HTTPS to this website.
  3. Test DNS using `nslookup -type=TXT test.dns.google.com. dns.google.` to confirm that we are successfully using the Google DNS servers. Success here validates our network rule for DNS traffic on port 53/UDP.

Additional Resources

Log in to the Azure portal, where you will see a Windows server is already deployed with this hands-on lab.

First, create a new Azure firewall named fw-1 followed by a route table named routetable1 to route all traffic through the firewall. On the firewall, configure an application rule collection to allow www.microsoft.com from the network.

Next, add a network rule collection to allow UDP port 53 from the network to 8.8.8.8 and 8.8.4.4. Also, create a network address translation (NAT) rule that will allow you to log in to the server from the firewall public IP.

Finally, add the Google DNS servers to the network interface and test the firewall from the Windows Server. (HINT: Use `nslookup -type=TXT test.dns.google.com. dns.google.` to test the network rule.)

Note: When you connect via RDP, use the public IP of fw-1, not the server’s own address.
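The same topology built with the Az PowerShell module, as an added example that is not part of the lab itself. The resource group, region, VNet and subnet names, NIC name, server private IP and VNet address space are placeholders to replace with the values from your lab environment, and the VNet is assumed to already contain the AzureFirewallSubnet that Azure Firewall requires.

```powershell
# Placeholders (constructed for this example): adjust to the lab's deployed resources.
$rg = 'lab-rg'; $loc = 'eastus'; $vnetName = 'lab-vnet'
$workloadSubnet = 'default'; $nicName = 'server-nic'
$serverPrivateIp = '10.0.1.4'; $vnetCidr = '10.0.0.0/16'

# 1. Public IP for fw-1 (Azure Firewall needs a Standard SKU, static address).
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'fw-1-pip' -Location $loc `
    -Sku Standard -AllocationMethod Static

# 2. Rule collections. NAT: RDP to the firewall public IP is translated to the server.
$natRule = New-AzFirewallNatRule -Name 'rdp' -Protocol TCP -SourceAddress '*' `
    -DestinationAddress $pip.IpAddress -DestinationPort 3389 `
    -TranslatedAddress $serverPrivateIp -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name 'rdp-in' -Priority 100 -Rule $natRule
# Network rule: only UDP/53 to the two Google resolvers is allowed out of the VNet.
$netRule = New-AzFirewallNetworkRule -Name 'google-dns' -Protocol UDP -SourceAddress $vnetCidr `
    -DestinationAddress 8.8.8.8,8.8.4.4 -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'dns-out' -Priority 200 -Rule $netRule -ActionType Allow
# Application rule: HTTP/HTTPS to www.microsoft.com only; all other FQDNs hit the implicit deny.
$appRule = New-AzFirewallApplicationRule -Name 'microsoft' -SourceAddress $vnetCidr `
    -Protocol 'http:80','https:443' -TargetFqdn 'www.microsoft.com'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'web-out' -Priority 300 -Rule $appRule -ActionType Allow

# 3. The firewall itself, created with the three collections attached.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$fw = New-AzFirewall -ResourceGroupName $rg -Name 'fw-1' -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $pip `
    -NatRuleCollection $natColl -NetworkRuleCollection $netColl -ApplicationRuleCollection $appColl
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 4. routetable1: default route to the firewall's private IP, bound to the server's subnet.
$route = New-AzRouteConfig -Name 'route1' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'routetable1' -Location $loc -Route $route
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSubnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSubnet `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 5. Point the server's NIC at the Google resolvers so the nslookup test exercises the DNS rule.
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
$nic.DnsSettings.DnsServers = @('8.8.8.8', '8.8.4.4')
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
```

With this in place, RDP reaches the server only through the firewall's public IP, and any outbound destination not covered by the DNS network rule or the www.microsoft.com application rule is dropped by the firewall's default deny.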

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
