Securing a Virtual Network with Azure Firewall

1.5 hours
  • 6 Learning Objectives

About this Hands-on Lab

Securing a network’s perimeter is one of the most important aspects of a cloud engineer’s role, and this hands-on lab will demonstrate a common, real-world experience regarding this task. Students will build, in a sandbox, a network topology and then experience configuring and deploying Azure Firewall, before traversing it from the internet using a real-world scenario of network address translation.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Create a Virtual Network and Network Security Group

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Create a virtual network.
    • The name can be anything ("SpokeVnet1" in this example).
    • The primary address space should be 10.10.10.0/24.
    • The subnet address range should be 10.10.10.0/26.
  2. Create a network security group.
    • The name can be anything ("SpokeNSG1" in this example).
    • Associate this NSG with the virtual network just created.
Create a Virtual Machine

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Create a virtual machine.
    • The VM name can be anything ("SpokeServer1" in this example).
    • The VM should be imaged with Windows Server 2019.
    • The VM size should be B2s Standard.
    • Username and password can be anything ("mythicaladmin" and "RUBYmountain135" in this example).
    • The virtual network should be the previously created Vnet ("SpokeVnet1" in this example).
    • IMPORTANT: Set Public IP to None.
    • IMPORTANT: Set Boot Diagnostics to Off.
Create a Second Virtual Network and Azure Firewall

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Create a virtual network.
    • The name can be anything ("HubVnet1" in this example).
    • The primary address space should be 10.10.200.0/24.
    • The subnet address range should be 10.10.200.0/26.
    • Enable the Firewall option.
    • The firewall name can be anything ("Firewall1" in this example).
    • The firewall subnet (AzureFirewallSubnet) address range should be 10.10.200.64/26.
Peer the Virtual Networks Together and Create a Route Table

Note: Unless otherwise stated, select the default options or, in the case of the subscriptions and resource groups, the only available option.

  1. Peer the virtual networks.
    • The names of both peers can be anything ("SpokeToHubPeer" and "HubToSpokePeer" in this example).
    • IMPORTANT: Enable every peering option except gateway transit.
  2. Create a route table and add a new route.
    • The route name can be anything ("DefaultRoute1" in this example).
    • The address prefix should be 0.0.0.0/0.
    • The Next hop type is Virtual appliance.
    • The Next hop address is 10.10.200.68, which is the private IP of the Azure Firewall.
  3. Associate the route table with the spoke Vnet created earlier ("SpokeVnet1" in this example).
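The four sections above (spoke VNet and NSG, spoke VM, hub VNet with Azure Firewall, peering and route table) as one Az PowerShell script. This is an added example, not part of the lab or of any Microsoft sample; it assumes `Connect-AzAccount` has already been run, and the resource group name `MythicalCorp-RG`, region `eastus`, NIC name `SpokeServer1-nic`, public IP name `Firewall1-pip` and route table name `SpokeRouteTable` are placeholders chosen here. The firewall's private IP is read from the firewall object rather than hard-coded, and the administrator credential is prompted for instead of being written into the script.

```powershell
# Added example (not from the lab): builds the lab topology with the Az PowerShell module.
# Assumes Connect-AzAccount has been run; $rg and $location are placeholder values.
$rg       = 'MythicalCorp-RG'
$location = 'eastus'
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# --- Spoke: VNet + NSG (the inbound RDP rule is added in a later step) ---
$nsg = New-AzNetworkSecurityGroup -Name 'SpokeNSG1' -ResourceGroupName $rg -Location $location
$spokeSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix '10.10.10.0/26' `
    -NetworkSecurityGroup $nsg
$spoke = New-AzVirtualNetwork -Name 'SpokeVnet1' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.10.0/24' -Subnet $spokeSubnet

# --- Spoke VM: no public IP, boot diagnostics off, credential prompted rather than hard-coded ---
$cred = Get-Credential -Message 'Local administrator for SpokeServer1'
$nic = New-AzNetworkInterface -Name 'SpokeServer1-nic' -ResourceGroupName $rg -Location $location `
    -SubnetId $spoke.Subnets[0].Id      # no -PublicIpAddressId: the VM is reachable only through the firewall
$vm = New-AzVMConfig -VMName 'SpokeServer1' -VMSize 'Standard_B2s' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'SpokeServer1' -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
        -Skus '2019-Datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMBootDiagnostic -Disable
New-AzVM -ResourceGroupName $rg -Location $location -VM $vm | Out-Null

# --- Hub: workload subnet plus the mandatory AzureFirewallSubnet, then the firewall itself ---
$hubSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default' -AddressPrefix '10.10.200.0/26'
$fwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.10.200.64/26'
$hub = New-AzVirtualNetwork -Name 'HubVnet1' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.200.0/24' -Subnet $hubSubnet, $fwSubnet
$fwPip = New-AzPublicIpAddress -Name 'Firewall1-pip' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name 'Firewall1' -ResourceGroupName $rg -Location $location `
    -VirtualNetwork $hub -PublicIpAddress $fwPip

# --- Peering both ways. Forwarded traffic must be allowed, otherwise the spoke's
#     default route through the firewall (a forwarding appliance) is dropped by the peering. ---
Add-AzVirtualNetworkPeering -Name 'SpokeToHubPeer' -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name 'HubToSpokePeer' -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id -AllowForwardedTraffic | Out-Null

# --- Spoke default route: all traffic to the firewall's private IP (10.10.200.68 in the lab).
#     Read it from the object; the first usable address of the firewall subnet is not guaranteed. ---
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'DefaultRoute1' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'SpokeRouteTable' -ResourceGroupName $rg -Location $location -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $spoke -Name 'default' -AddressPrefix '10.10.10.0/26' `
    -NetworkSecurityGroup $nsg -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

"Firewall public IP: $($fwPip.IpAddress)   private IP: $fwPrivateIp"
```

The final line prints the two firewall addresses: the public one is needed for the NAT rule in the next section, and the private one should match the next hop address used in the route table.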
Allow Remote Desktop Protocol Traffic through the Azure Firewall and the Network Security Group

Optional: Where indicated, a source public IP may be supplied to further demonstrate inbound security filtering. Your public IPv4 address can be found by searching for it on Google or by browsing to one of many websites such as www.ipcow.com.

IMPORTANT: Before creating the firewall rule, take note of the public IP address of the firewall itself.

  1. Add NAT rule collection and create rule.
    • The rule collection name can be anything ("RDPForward" in this example).
    • The priority can be any number between 100 and 50000 (1000 in this example).
    • The rule name can be anything ("RDPtoSpoke" in this example).
    • Protocols allowed should be both TCP and UDP.
    • Source address can be either a wildcard (*) or your public IPv4 address (as described above).
    • The destination IP should be the public IP address of the firewall.
    • The destination port should be 3389.
    • The translated IP address should be the internal IP address of the virtual machine: 10.10.10.4.
    • The translated port should also be 3389.
  2. Create an inbound rule in the network security group.
    • The name can be anything ("RDPtoSpoke" in this example).
    • The source IP range should be the firewall subnet range: 10.10.200.64/26.
    • The destination IP range should be 10.10.10.4.
    • The destination port should be 3389.
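The NAT rule collection and the matching NSG rule from the two steps above, written with Az PowerShell against resources that already exist. This is an added example, not the lab's own material; the resource group `MythicalCorp-RG`, the public IP resource name `Firewall1-pip` and the address `203.0.113.10` (a documentation-range stand-in for your own public IPv4 address) are placeholders. It uses the specific source address rather than the wildcard so that only that address can reach the firewall's RDP listener, and it explains why the NSG source is the firewall subnet: Azure Firewall SNATs DNAT'd inbound connections to its private IP, so the VM never sees the internet source address.

```powershell
# Added example (not from the lab): DNAT rule on the firewall and the matching inbound NSG rule.
# Assumes the resources from the earlier sections exist; $rg and $adminPublicIp are placeholders.
$rg            = 'MythicalCorp-RG'
$adminPublicIp = '203.0.113.10'   # your own public IPv4 address; '*' would expose RDP to the whole internet

$fw    = Get-AzFirewall -Name 'Firewall1' -ResourceGroupName $rg
$fwPip = Get-AzPublicIpAddress -Name 'Firewall1-pip' -ResourceGroupName $rg

# NAT rule: <firewall public IP>:3389 -> 10.10.10.4:3389, TCP and UDP as in the lab
$natRule = New-AzFirewallNatRule -Name 'RDPtoSpoke' -Protocol 'TCP','UDP' `
    -SourceAddress $adminPublicIp -DestinationAddress $fwPip.IpAddress -DestinationPort '3389' `
    -TranslatedAddress '10.10.10.4' -TranslatedPort '3389'
$natCollection = New-AzFirewallNatRuleCollection -Name 'RDPForward' -Priority 1000 -Rule $natRule
$fw.NatRuleCollections.Add($natCollection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# NSG rule: only the firewall subnet may reach the VM on 3389. The firewall SNATs DNAT'd
# traffic to its private IP, so 10.10.200.64/26 is the only source the VM will ever see.
$nsg = Get-AzNetworkSecurityGroup -Name 'SpokeNSG1' -ResourceGroupName $rg
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'RDPtoSpoke' -Priority 100 -Direction Inbound -Access Allow `
    -Protocol '*' -SourceAddressPrefix '10.10.200.64/26' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.10.10.4' -DestinationPortRange '3389' |
    Set-AzNetworkSecurityGroup | Out-Null

# Read the rule back for review: the source should be the single admin address, not '*'
(Get-AzFirewall -Name 'Firewall1' -ResourceGroupName $rg).NatRuleCollections.Rules |
    Select-Object Name, SourceAddresses, DestinationAddresses, DestinationPorts, TranslatedAddress, TranslatedPort
```

If a later connection attempt fails, check the two layers in order: the NAT rule (does the firewall's public IP and port 3389 match, and is your current public address the one in the rule?) and then the NSG rule (is the source prefix the firewall subnet, not your public address?).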
Test Azure Firewall

To test the Azure Firewall configuration, use the Remote Desktop client (built into Windows; Microsoft also provides a client for Mac).

  1. RDP to the public IP address of the Azure Firewall.
    • Assuming all configurations are correct and as stated in these guides, a standard Windows credential pop-up should be presented.
    • Provide the username and password of the virtual machine ("mythicaladmin"/"RUBYmountain135" in this example).
  2. Once connected, open an Internet Explorer window and browse to Google.com or any other website. The response should be very similar to: "HTTP request from 10.10.10.4:50626 to www.google.com:80. Action: Deny. No rule matched. Proceeding with default action"

This is exactly what should be expected: no internet-bound (application or network) rules were created in the firewall, so its default action of Deny applies, while the NSG's default rules allow all internet-bound traffic to pass. The denial therefore comes from the firewall, proving it is working as intended.

Additional Resources

In this lab, we will take on the role of a Cloud Engineer for the company Mythical Corp. We have been tasked with creating a virtual server placed in a flexible and secure network segment.

To do this, we will create the first portion of a "hub and spoke" network topology: the hub and just one spoke. We will secure our VM and network with a standard NSG, as well as Azure Firewall. Once created, we will test our security, and validate our configuring, by using RDP and an IE browsing test.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
