Attach a Firewall to a Virtual Network in Azure

1.25 hours
  • 4 Learning Objectives

About this Hands-on Lab

Your company needs to restrict outgoing traffic from their server using a firewall. They want you to block users from visiting anything besides `` and they don’t want to allow port 53 outbound from the server. You will create a firewall and connect it to your virtual network as a solution.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Firewall
  1. Log in to the Azure portal with the credentials provided.
  2. Create a new Azure firewall named fw-1.
  3. Use the existing virtual network provisioned with this lab.
  4. Create a new public IP for the firewall.
  5. Match the region of the firewall to the same region as the lab provided resource group.
Create a Route Table
  1. Create a new route table named routetable1.
  2. Create a route named route1 that routes all traffic ( to a virtual appliance with a next hop address of your Azure firewall’s private IP.
  3. Associate routetable1 with the lab-VM-VNET virtual network and the default subnet.
Configure Rule Collections for Firewall
  1. Add a NAT rule that will route traffic from the firewall public IP to the private IP of the server over 3389 (RDP). Note: Please use the Classic Rules, otherwise the lab will not grade correctly.
    • Name the collection natcollection.
    • Name the rule rdp.
  2. Add a network rule to allow UDP port 53 outbound to Google public DNS servers ( and
    • Name the collection netcollection.
    • Name the rule dns.
  3. Configure an application rule collection to allow from the default subnet CIDR over the http and https protocols under Target FQDNs
    • Name the collection appcollection.
    • Name the rule microsoftcom.
  4. Add the public DNS servers to the network interface of the virtual machine.
Test Connectivity
  1. Log in to the server using the public IP address of the firewall. Success in this validates our NAT (Network Address Translation) rule for RDP.
  2. Open Internet Explorer and go to Success in this validates our application rule for HTTP and HTTPS to this website.
  3. Test DNS using nslookup -type=TXT to find that we are successfully using the Google DNS servers. Success in this validates our network rule for DNS traffic on port 53/UDP.

Additional Resources

IMPORTANT NOTE: You will need a current RDP client on your local computer for this lab. You can get information for current RDP clients at:

Log in to the Azure portal, where you will see a Windows server is already deployed with this hands-on lab.

First, create a new Azure firewall named fw-1 followed by a route table named routetable1 to route all traffic through the firewall. On the firewall, configure an application rule collection to allow from the network.

Next, add a network rule collection to allow UDP port 53 from the network to and Also, create a network address translation (NAT) rule that will allow you to log in to the server from the firewall public IP.

Finally, add the Google DNS servers to the network interface and test the firewall from the Windows Server. (HINT: Use nslookup -type=TXT to test the network rule.)

Note: When you connect via RDP, use the public IP of FW-1.
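The same build-out, covering both the numbered objectives above and this summary, scripted with the Az PowerShell module as an added example (not the lab's own code). The resource group name, the VM's private IP, the allowed FQDN and the two Google DNS addresses appear as <placeholders> because the page does not state them; the script also assumes the VNet already contains an AzureFirewallSubnet, which New-AzFirewall requires.

```powershell
# Added example, not the lab's code. <...> values are assumptions the page does not state.
$rg       = '<lab-resource-group>'
$vmPrivIp = '<vm-private-ip>'
$fqdn     = '<allowed-fqdn>'                        # the one site users may reach
$dnsIps   = @('<google-dns-1>', '<google-dns-2>')   # Google public DNS, per the lab
$location = (Get-AzResourceGroup -Name $rg).Location # firewall region = RG region

# 1. Firewall fw-1 on the existing VNet, with a new static public IP
$vnet = Get-AzVirtualNetwork -Name 'lab-VM-VNET' -ResourceGroupName $rg
$pip  = New-AzPublicIpAddress -Name 'fw-1-pip' -ResourceGroupName $rg -Location $location `
          -AllocationMethod Static -Sku Standard
$fw   = New-AzFirewall -Name 'fw-1' -ResourceGroupName $rg -Location $location `
          -VirtualNetwork $vnet -PublicIpAddress $pip
$fwPrivIp = $fw.IpConfigurations[0].PrivateIPAddress

# 2. routetable1/route1: all traffic (0.0.0.0/0) -> virtual appliance = firewall private IP,
#    then associate the table with the default subnet
$route = New-AzRouteConfig -Name 'route1' -AddressPrefix '0.0.0.0/0' `
           -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivIp
$rt = New-AzRouteTable -Name 'routetable1' -ResourceGroupName $rg -Location $location -Route $route
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $vnet `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# 3. Classic rule collections
# DNAT: RDP arriving at the firewall public IP is translated to the server's private IP
$nat = New-AzFirewallNatRule -Name 'rdp' -Protocol TCP -SourceAddress '*' `
         -DestinationAddress $pip.IpAddress -DestinationPort 3389 `
         -TranslatedAddress $vmPrivIp -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name 'natcollection' -Priority 100 -Rule $nat
# Network rule: UDP/53 from the subnet to the two Google resolvers only (no other DNS egress)
$dns = New-AzFirewallNetworkRule -Name 'dns' -Protocol UDP -SourceAddress $subnet.AddressPrefix `
         -DestinationAddress $dnsIps -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'netcollection' -Priority 100 `
             -ActionType Allow -Rule $dns
# Application rule: HTTP/HTTPS from the subnet CIDR to the single permitted target FQDN
$app = New-AzFirewallApplicationRule -Name 'microsoftcom' -SourceAddress $subnet.AddressPrefix `
         -TargetFqdn $fqdn -Protocol 'http:80', 'https:443'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'appcollection' -Priority 100 `
             -ActionType Allow -Rule $app
$fw.NatRuleCollections         = @($natColl)
$fw.NetworkRuleCollections     = @($netColl)
$fw.ApplicationRuleCollections = @($appColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 4. Point the VM NIC at the Google resolvers so its lookups actually traverse the network rule
$nic = Get-AzNetworkInterface -ResourceGroupName $rg |
         Where-Object { $_.IpConfigurations[0].PrivateIpAddress -eq $vmPrivIp }
$nic.DnsSettings.DnsServers = $dnsIps
$nic | Set-AzNetworkInterface | Out-Null
```

After it runs, RDP to `$pip.IpAddress` and run the lab's nslookup check from the server; a lookup that fails while browsing to the allowed FQDN still works usually means the NIC DNS setting or the UDP/53 destination list is wrong, not the route.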

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
