Microsoft has added new functionality to Azure Firewall, and in this post let's see how we can deploy an Azure Firewall and configure application rules to allow and block website access from a subnet. For this post I have deployed a single vnet with three subnets: one for the Azure Firewall, one for the workload, and one for public access to the internal workload subnet. The main reason for creating a public subnet is that once the Azure Firewall is created and configured, we are no longer able to RDP directly into the workload Virtual Machines.
A simple diagram has been created to explain the current topology of my cloud network.
I hope it is not necessary to show how to create a vnet, subnets and the relevant Virtual Machines in the Portal. Let's start directly with the Azure Firewall.
Click on "Create a resource", search for "Firewall" and select the Firewall listed.
Click on "Create" to create the firewall. Make sure "Microsoft" is the publisher.
Provide the relevant information and deploy the firewall in your vnet; make sure to deploy the firewall in the same location as the vnet.
Create the Firewall
Make sure to create a separate subnet for the firewall named "AzureFirewallSubnet"; otherwise the portal will not let you proceed and will ask you to create one.
Create The Route Table
Let's create a route table so that the "Workload_Subnet" reaches the internet through the created firewall. Go to "All services" and select "Route tables".
Add a route table, provide the required information and create the route table.
Associate the "Workload_Subnet" so that its traffic is routed through the firewall.
Select the correct vnet and subnet.
Add a route to the route table.
The next configuration is quite important. Provide an appropriate name, the address prefix 0.0.0.0/0, "Next hop type" as "Virtual appliance" and the "Private IP address" of the appliance (the firewall's private IP).
Specify The DNS Servers Manually
I'm going to allow DNS resolution only from Google servers (220.127.116.11 and 18.104.22.168). To add the DNS servers to the interface of the Virtual Machine (running in the "Workload_Subnet"), go to the Virtual Machine and click on its network interface.
Update the DNS servers, save the settings and reboot the Virtual Machine to apply the changes.
With the firewall configuration in place you might not be able to access the Virtual Machine in the "Workload_Subnet" directly; use the Virtual Machine in the "Public_Access_Subnet" instead.
RDP into the Workload Virtual Machine and check the DNS configuration and the access to facebook.com. It will not allow you to access facebook.
Configure Rules In Azure Firewall
The public DNS servers have been added manually to the vnet, and allowing them in the firewall is also required for DNS resolution to work.
Go to the firewall, select "Rules", select "Network rule collection" and click "Add network rule collection".
Add a name, priority and action (Allow/Deny) for the collection; then add a rule named "AllowDNS" with protocol UDP, the source address as my "Worker_Subnet" subnet, the destination addresses as the Google DNS servers separated by commas, and port 53.
Let's move on to the "Application rule" to allow the exact FQDN; you can also use FQDN tags in application rules. Add a name for the rule, the source subnet whose traffic is going out, the protocols (comma separated) and the target FQDN www.facebook.com, then save the rule.
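The whole procedure above (route table, DNS servers on the VM's NIC, network rule for DNS, application rule for the FQDN) as one Az PowerShell script. This is an added example, not part of the original post: the resource group, region, vnet, firewall and NIC names and the 10.0.2.0/24 workload prefix are assumptions, the firewall itself is assumed to be already deployed into "AzureFirewallSubnet", and the DNS server addresses are the ones given in the post.

```powershell
# Added example (not from the original post): Az PowerShell equivalent of the
# portal steps. Names, address prefixes and the subscription context are
# assumptions; replace them with your own values (Connect-AzAccount first).
$rg             = "fw-demo-rg"        # assumed resource group
$loc            = "westeurope"        # assumed region (firewall and vnet must share it)
$vnetName       = "fw-demo-vnet"      # assumed vnet name
$fwName         = "fw-demo"           # assumed firewall, already deployed into "AzureFirewallSubnet"
$workloadSubnet = "Workload_Subnet"   # subnet name used in the post
$workloadPrefix = "10.0.2.0/24"       # assumed address range of Workload_Subnet
$workloadNic    = "workload-vm-nic"   # assumed NIC name of the Workload VM
$dnsServers     = @("220.127.116.11", "18.104.22.168")  # DNS servers as listed in the post

# 1. The firewall's private IP is the next hop for the default route.
$fw          = Get-AzFirewall -ResourceGroupName $rg -Name $fwName
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 2. Route table: send everything (0.0.0.0/0) from Workload_Subnet to the firewall.
$defaultRoute = New-AzRouteConfig -Name "DefaultViaFirewall" `
    -AddressPrefix "0.0.0.0/0" -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "Workload_RT" -ResourceGroupName $rg -Location $loc -Route $defaultRoute

# 3. Associate the route table with Workload_Subnet (the cmdlet requires the prefix again).
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $workloadSubnet `
    -AddressPrefix $workloadPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 4. Pin the Workload VM's NIC to the chosen DNS servers (reboot the VM afterwards, as in the post).
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $workloadNic
$nic.DnsSettings.DnsServers.Clear()
foreach ($ip in $dnsServers) { $nic.DnsSettings.DnsServers.Add($ip) }
$nic | Set-AzNetworkInterface | Out-Null

# 5. Network rule: DNS is UDP/53, which application rules cannot match, so it needs a network rule.
$dnsRule = New-AzFirewallNetworkRule -Name "AllowDNS" -Protocol UDP `
    -SourceAddress $workloadPrefix -DestinationAddress $dnsServers -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "Workload-NetRules" -Priority 200 `
    -Rule $dnsRule -ActionType Allow

# 6. Application rule: allow only the exact FQDN over HTTP/HTTPS; anything else stays denied by default.
$fbRule  = New-AzFirewallApplicationRule -Name "AllowFacebook" -SourceAddress $workloadPrefix `
    -Protocol "http:80", "https:443" -TargetFqdn "www.facebook.com"
$appColl = New-AzFirewallApplicationRuleCollection -Name "Workload-AppRules" -Priority 200 `
    -Rule $fbRule -ActionType Allow

# 7. Attach both collections and push the change (Set-AzFirewall can take several minutes).
$fw.NetworkRuleCollections.Add($netColl)
$fw.ApplicationRuleCollections.Add($appColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Two checks are worth running from the Workload VM afterwards: Resolve-DnsName www.facebook.com must answer (proves the network rule and the NIC DNS setting), and a browser or Invoke-WebRequest to https://www.facebook.com must load while any other FQDN is blocked (proves the application rule). Azure Firewall evaluates network rule collections before application rule collections, and a collection's action applies to every rule in it, so keep Allow and Deny rules in separate collections with distinct priorities.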
Now, try to access facebook.com from the Virtual Machine in the "Worker_Subnet". You can see the webpage. I'm really sorry my Internet Explorer does not load the Facebook page properly, but my rules are working perfectly.