Edit

Tutorial: Secure your virtual hub using Azure Firewall Manager

  • Article

Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user-defined routes (UDRs).

Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?

In this tutorial, you learn how to:

  • Create the spoke virtual network
  • Create a secured virtual hub
  • Connect the hub and spoke virtual networks
  • Route traffic to your hub
  • Deploy the servers
  • Create a firewall policy and secure your hub
  • Test the firewall

Important

The procedure in this tutorial uses Azure Firewall Manager to create a new Azure Virtual WAN secured hub. You can use Firewall Manager to upgrade an existing hub, but you can't configure Azure Availability Zones for Azure Firewall. It is also possible to convert an existing hub to a secured hub using the Azure portal, as described in Configure Azure Firewall in a Virtual WAN hub. But like Azure Firewall Manager, you can't configure Availability Zones. To upgrade an existing hub and specify Availability Zones for Azure Firewall (recommended) you must follow the upgrade procedure in Tutorial: Secure your virtual hub using Azure PowerShell.

Diagram showing the secure cloud network.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Create a hub and spoke architecture

First, create spoke virtual networks where you can place your servers.

Create two spoke virtual networks and subnets

The two virtual networks each have a workload server in them and are protected by the firewall.

  1. From the Azure portal home page, select Create a resource.
  2. Search for Virtual network, select it, and select Create.
  3. For Subscription, select your subscription.
  4. For Resource group, select Create new, and type fw-manager-rg for the name and select OK.
  5. For Virtual network name, type Spoke-01.
  6. For Region, select East US.
  7. Select Next.
  8. On the Security page, select Next.
  9. Under Add IPv4 address space, accept the default 10.0.0.0/16.
  10. Under Subnets, select default.
  11. For Name, type Workload-01-SN.
  12. For Starting address, type 10.0.1.0/24.
  13. Select Save.
  14. Select Review + create.
  15. Select Create.

Repeat this procedure to create another similar virtual network in the fw-manager-rg resource group:

Name: Spoke-02
Address space: 10.1.0.0/16
Subnet name: Workload-02-SN
Starting address: 10.1.1.0/24

Create the secured virtual hub

Create your secured virtual hub using Firewall Manager.

  1. From the Azure portal home page, select All services.

  2. In the search box, type Firewall Manager and select Firewall Manager.

  3. On the Firewall Manager page under Deployments, select Virtual hubs.

  4. On the Firewall Manager | Virtual hubs page, select Create new secured virtual hub.

    Screenshot of creating a new secured virtual hub.

  5. Select your Subscription.

  6. For Resource group, select fw-manager-rg.

  7. For Region, select East US.

  8. For the Secured virtual hub name, type Hub-01.

  9. For Hub address space, type 10.2.0.0/16.

  10. Select New vWAN.

  11. For the new virtual WAN name, type Vwan-01.

  12. For Type Select Standard.

  13. Leave the Include VPN gateway to enable Trusted Security Partners check box cleared.

    Screenshot of creating a new virtual hub with properties.

  14. Select Next: Azure Firewall.

  15. Accept the default Azure Firewall Enabled setting.

  16. For Azure Firewall tier, select Standard.

  17. Select the desired combination of Availability Zones.

Important

A Virtual WAN is a collection of hubs and services made available inside the hub. You can deploy as many Virtual WANs that you need. In a Virtual WAN hub, there are multiple services like VPN, ExpressRoute, and so on. Each of these services is automatically deployed across Availability Zones except Azure Firewall, if the region supports Availability Zones. To align with Azure Virtual WAN resiliency, you should select all available Availability Zones.

Screenshot of configuring Azure Firewall parameters.

  1. Type 1 in the Specify number of Public IP addressees text box.

  2. Under Firewall Policy ensure the Default Deny Policy is selected. You refine your settings later in this article.

  3. Select Next: Security Partner Provider.

    Screenshot of configuring Trusted Partners parameters.

  4. Accept the default Trusted Security Partner Disabled setting, and select Next: Review + create.

  5. Select Create.

    Screenshot of creating the Firewall instance.

Note

It may take up to 30 minutes to create a secured virtual hub.

You can find the firewall public IP address after the deployment completes.

  1. Open Firewall Manager.
  2. Select Virtual hubs.
  3. Select hub-01.
  4. Select AzureFirewall_Hub-01.
  5. Note the public IP address to use later.

Connect the hub and spoke virtual networks

Now you can peer the hub and spoke virtual networks.

  1. Select the fw-manager-rg resource group, then select the Vwan-01 virtual WAN.

  2. Under Connectivity, select Virtual network connections.

    Screenshot of adding Virtual Network connections.

  3. Select Add connection.

  4. For Connection name, type hub-spoke-01.

  5. For Hubs, select Hub-01.

  6. For Resource group, select fw-manager-rg.

  7. For Virtual network, select Spoke-01.

  8. Select Create.

  9. Repeat to connect the Spoke-02 virtual network: connection name - hub-spoke-02.

Deploy the servers

  1. On the Azure portal, select Create a resource.

  2. Select Windows Server 2019 Datacenter in the Popular list.

  3. Enter these values for the virtual machine:

    Setting Value
    Resource group fw-manager-rg
    Virtual machine name Srv-workload-01
    Region (US) East US)
    Administrator user name type a user name
    Password type a password

  4. Under Inbound port rules, for Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Select Spoke-01 for the virtual network and select Workload-01-SN for the subnet.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Next:Monitoring.

  11. Select Disable to disable boot diagnostics. Accept the other defaults and select Review + create.

  12. Review the settings on the summary page, and then select Create.

Use the information in the following table to configure another virtual machine named Srv-Workload-02. The rest of the configuration is the same as the Srv-workload-01 virtual machine.

Setting Value
Virtual network Spoke-02
Subnet Workload-02-SN

After the servers are deployed, select a server resource, and in Networking note the private IP address for each server.

Create a firewall policy and secure your hub

A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You create your firewall policy and then secure your hub.

  1. From Firewall Manager, select Azure Firewall policies.

    Screenshot of creating an Azure Policy with first step.

  2. Select Create Azure Firewall Policy.

    Screenshot of configuring Azure Policy settings in first step.

  3. For Resource group, select fw-manager-rg.

  4. Under Policy details, for the Name type Policy-01 and for Region select East US.

  5. For Policy tier, select Standard.

  6. Select Next: DNS Settings.

    Screenshot of configuring DNS settings.

  7. Select Next: TLS Inspection.

    Screenshot of configuring TLS settings.

  8. Select Next : Rules.

  9. On the Rules tab, select Add a rule collection.

    Screenshot of configuring Rule Collection.

  10. On the Add a rule collection page, type App-RC-01 for the Name.

  11. For Rule collection type, select Application.

  12. For Priority, type 100.

  13. Ensure Rule collection action is Allow.

  14. For the rule Name, type Allow-msft.

  15. For the Source type, select IP address.

  16. For Source, type *.

  17. For Protocol, type http,https.

  18. Ensure Destination type is FQDN.

  19. For Destination, type *.microsoft.com.

  20. Select Add.

  21. Add a DNAT rule so you can connect a remote desktop to the Srv-Workload-01 virtual machine.

    1. Select Add a rule collection.
    2. For Name, type dnat-rdp.
    3. For Rule collection type, select DNAT.
    4. For Priority, type 100.
    5. For the rule Name, type Allow-rdp.
    6. For the Source type, select IP address.
    7. For Source, type *.
    8. For Protocol, select TCP.
    9. For Destination Ports, type 3389.
    10. For Destination, type the firewall public IP address that you noted previously.
    11. For Translated type, select IP Address.
    12. For Translated address, type the private IP address for Srv-Workload-01 that you noted previously.
    13. For Translated port, type 3389.
    14. Select Add.

  22. Add a Network rule so you can connect a remote desktop from Srv-Workload-01 to Srv-Workload-02.

    1. Select Add a rule collection.
    2. For Name, type vnet-rdp.
    3. For Rule collection type, select Network.
    4. For Priority, type 100.
    5. For Rule collection action, select Allow.
    6. For the rule Name type Allow-vnet.
    7. For the Source type, select IP address.
    8. For Source, type *.
    9. For Protocol, select TCP.
    10. For Destination Ports, type 3389.
    11. For Destination Type, select IP Address.
    12. For Destination, type the Srv-Workload-02 private IP address that you noted previously.
    13. Select Add.

  23. Select Next: IDPS.

  24. On the IDPS page, select Next: Threat Intelligence

    Screenshot of configuring IDPS settings.

  25. In the Threat Intelligence page, accept defaults and select Review and Create:

    Screenshot of configuring Threat Intelligence settings.

  26. Review to confirm your selection and then select Create.

Associate policy

Associate the firewall policy with the hub.

  1. From Firewall Manager, select Azure Firewall Policies.

  2. Select the check box for Policy-01.

  3. Select Manage associations, Associate hubs.

    Screenshot of configuring Policy association.

  4. Select hub-01.

  5. Select Add.

    Screenshot of adding Policy and Hub settings.

Route traffic to your hub

Now you must ensure that network traffic gets routed through your firewall.

  1. From Firewall Manager, select Virtual hubs.

  2. Select Hub-01.

  3. Under Settings, select Security configuration.

  4. Under Internet traffic, select Azure Firewall.

  5. Under Private traffic, select Send via Azure Firewall.

    Note

    If you're using public IP address ranges for private networks in a virtual network or an on-premises branch, you need to explicitly specify these IP address prefixes. Select the Private Traffic Prefixes section and then add them alongside the RFC1918 address prefixes.

  6. Under Inter-hub, select Enabled to enable the Virtual WAN routing intent feature. Routing intent is the mechanism through which you can configure Virtual WAN to route branch-to-branch (on-premises to on-premises) traffic via Azure Firewall deployed in the Virtual WAN Hub. For more information regarding prerequisites and considerations associated with the routing intent feature, see Routing Intent documentation.

  7. Select Save.

  8. Select OK on the Warning dialog.

    Screenshot of Secure Connections.

  9. Select OK on the Migrate to use inter-hub dialog.

    Note

    It takes a few minutes to update the route tables.

  10. Verify that the two connections show Azure Firewall secures both Internet and private traffic.

    Screenshot of Secure Connections final status.

Test the firewall

To test the firewall rules, connect a remote desktop using the firewall public IP address, which is NATed to Srv-Workload-01. From there, use a browser to test the application rule and connect a remote desktop to Srv-Workload-02 to test the network rule.

Test the application rule

Now, test the firewall rules to confirm that it works as expected.

  1. Connect a remote desktop to firewall public IP address, and sign in.

  2. Open Internet Explorer and browse to https://www.microsoft.com.

  3. Select OK > Close on the Internet Explorer security alerts.

    You should see the Microsoft home page.

  4. Browse to https://www.google.com.

    The firewall should block this.

So now you verified that the firewall application rule is working:

  • You can browse to the one allowed FQDN, but not to any others.

Test the network rule

Now test the network rule.

  • From Srv-Workload-01, open a remote desktop to the Srv-Workload-02 private IP address.

    A remote desktop should connect to Srv-Workload-02.

So now you verified that the firewall network rule is working:

  • You can connect a remote desktop to a server located in another virtual network.

Clean up resources

When you’re done testing your firewall resources, delete the fw-manager-rg resource group to delete all firewall-related resources.

Next steps

Learn about trusted security partners