Configure Application Level Rules within Azure Firewall

45 minutes
  • 6 Learning Objectives

About this Hands-on Lab

Azure Firewall is a cloud-native network security service that can be used to protect your Azure Virtual Network resources. Devices on a Virtual Network, such as Virtual Machines, by default, have access to the Internet (but usually not the other way around). Azure Firewall allows you to control access to the Internet from your Virtual Machines.

In this lab, we will create an application-level rule in an Azure Firewall deployed in a Virtual Network to allow the Virtual Machine(s) to have access to a specific internet site. The preconfigured network will consist of three subnets, one with a jump box that you can remote into, another subnet with an application server, and the third subnet with the Azure Firewall.

We will remote into the jump box, and from there remote into the application server. Once there, we will see that access to the Internet is disabled. We will then open a connection to in the firewall and then check that the application server can now access it.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Log in to the Azure Portal

Log in to the Azure Portal using the username and password supplied by the lab.

  1. Open a browser.
  2. Navigate to the provided Azure Portal URL.
  3. Use the supplied username and password to authenticate.

Remote into the Jump VM

When you sign in to the VM with RDP, use the credentials provided on the lab page.

Remote into the Work VM from the Jump VM

From the Srv-Jump, remote into Srv-Work using Remote Desktop. Use the credentials for the Srv-work server provided on the lab page.

Attempt to Open from the Work VM

  1. Open Internet Explorer.
  2. When asked, select use default Internet Explorer security options.
  3. Enter in the address bar and press enter.

The browser will display a message that access to the site is denied.

Configure the Firewall Rule to Allow Access to from the Work VM

In the Azure Portal, navigate to the resource TEST-FW01. In the Settings section of the menu, click Rules. On the page that appears, click Application rule collection, and then + Add application rule collection.

Enter the following into the form:
Name: MyRule
Priority: 200

In the Target FQDNs section, enter:
Name: AllowGoogle
Protocol:Port: http,https
Target FQDNs*:

Then press the Add button.
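
The same rule collection can also be created with the Az PowerShell module instead of the portal form. This is an added example, not part of the lab itself; the resource group, the Srv-Work subnet range and the target FQDN are placeholders because the page does not give them, and the Allow action is assumed from the lab's goal.

```powershell
# Added example: scripted equivalent of the portal steps above (Az.Network module).
# Assumptions (not given on the lab page): resource group, Srv-Work subnet range,
# and the target FQDN, which is left as a placeholder.
$resourceGroup = '<lab-resource-group>'     # placeholder
$workSubnet    = '<srv-work-subnet-cidr>'   # placeholder: address prefix of the work subnet
$targetFqdn    = '<target-fqdn>'            # placeholder: the site the lab allows

$fw = Get-AzFirewall -Name 'TEST-FW01' -ResourceGroupName $resourceGroup

# Do not add a second collection with the same name if the step was already done.
if ($fw.ApplicationRuleCollections.Name -contains 'MyRule') {
    Write-Output "Application rule collection 'MyRule' already exists on TEST-FW01."
    return
}

# One rule: allow HTTP and HTTPS from the work subnet to a single FQDN only.
# Scoping the source to the work subnet keeps the allowance limited to Srv-Work.
$rule = New-AzFirewallApplicationRule -Name 'AllowGoogle' `
    -SourceAddress $workSubnet `
    -Protocol 'http:80', 'https:443' `
    -TargetFqdn $targetFqdn

# Collection name and priority match the values entered in the portal form.
$collection = New-AzFirewallApplicationRuleCollection -Name 'MyRule' `
    -Priority 200 -ActionType Allow -Rule $rule

$fw.ApplicationRuleCollections.Add($collection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Read the firewall back and confirm the collection that was applied.
$applied = Get-AzFirewall -Name 'TEST-FW01' -ResourceGroupName $resourceGroup
$applied.ApplicationRuleCollections |
    Where-Object Name -eq 'MyRule' |
    Select-Object Name, Priority
```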

Retry Opening from the Work VM

In the browser on the Work VM, refresh the page for We can now access the site, although we’ll get a lot of questions from Internet Explorer about allowing access and content being blocked. That’s ok. It’s a response to finally being allowed through the firewall.

Additional Resources

Our employer has deployed a secure multi-server architecture in Azure. This consists of a jump server and a work server. The jump server can be reached from the Internet with remote desktop. The work server cannot be reached from the Internet. The work server also cannot access the Internet, as the subnet on which it is located is configured to forward all traffic to an Azure Firewall, which blocks that access. But it has now been identified that the work server requires access to several websites. To allow this, we need to add a rule to the firewall to allow access to those sites. We're asked to enable access to from the work server for now. We need to configure this rule in the firewall, and this lab demonstrates how to do this.

Note that the credentials for logging into the jump VM are available on the lab page.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
