Azure Firewall is a cloud-native network security service that can be used to protect your Azure Virtual Network resources. Devices on a Virtual Network, such as Virtual Machines, by default, have access to the Internet (but usually not the other way around). Azure Firewall allows you to control access to the Internet from your Virtual Machines.
In this lab, we will create an application-level rule in an Azure Firewall deployed in a Virtual Network to allow the Virtual Machine(s) to have access to a specific internet site. The preconfigured network will consist of three subnets, one with a jump box that you can remote into, another subnet with an application server, and the third subnet with the Azure Firewall.
We will remote int the jump box, and from there remote into the application server. Once there, we will see that access to the Internet is disabled. We will then open a connection to www.google.com in the firewall and then check that the application server can now access it.
Successfully complete this lab by achieving the following learning objectives:
- Log in to the Azure Portal
Log in to the Azure Portal using the username and password supplied by the lab.
- Open a browser.
- Navigate to the provided Azure Portal URL.
- Use the supplied username and password to authenticate.
- Remote into the Jump VM
When you sign in to the VM with RDP, use the credentials provided on the lab page.
- Remote into the Work VM from the Jump VM
Srv-Jump, remote into
Srv-Workusing Remote Desktop. Use the credentials for the
Srv-workserver provided on the lab page.
- Attempt to Open www.google.com from the Work VM
- Open Internet Explorer.
- When asked, select use default Internet Explorer security options.
- Enter www.google.com in the address bar and press enter.
The browser will display a message that access to the site is denied.
- Configure the Firewall Rule to Allow Access to www.google.com from the Work VM
In the Azure Portal, navigate to the resoure TEST-FW01. In the Settings section of the menu, click Rules. On the page that appears, click Application rule collection, and then + Add application rule collection.
Enter the following into the form:
In the Target FQDNs section, enter:
Target FQDNs*: www.google.com
Then press the Add button.
- Retry Opening www.google.com from the Work VM
In the browser on the Work VM, refresh the page for www.google.com. We can now access the site, although we’ll get a lot of questions from Internet Explorer about allowing access and content being blocked. That’s ok. It’s a response to finally being allowed through the firewall.