Create And Configure Azure Firewall

Published: (March 13, 2026 at 09:30 PM EDT)
Source: Dev.to

Overview

Azure Firewall is a cloud‑based network security service in Microsoft Azure that protects virtual network resources by filtering and controlling traffic between Azure resources and the internet or other networks.

Scenario

Your organization needs centralized network security for the application virtual network. As usage grows, you will require:

  • Granular application‑level filtering
  • Advanced threat protection
  • Continuous updates from Azure DevOps pipelines

Identified requirements:

  • Azure Firewall for additional security in the app‑vnet.
  • A firewall policy to manage access to the application.
  • An application‑rule collection to allow the application to access Azure DevOps for code updates.
  • A network‑rule collection to allow DNS resolution.

Skills Tasks

  • Create an Azure Firewall.
  • Create and configure a firewall policy.
  • Create an application rule collection.
  • Create a network rule collection.

Step‑by‑Step Instructions

1. Create an Azure Firewall subnet in the existing virtual network

  1. In the Azure portal search box, type Virtual networks and select it.
  2. Choose app‑vnet.
  3. Open Subnets.
  4. Click + Subnet, name it (e.g., AzureFirewallSubnet), and configure.
  5. Save changes.

Note: Leave all other settings at their defaults.

2. Deploy the Azure Firewall

  1. In the portal search box, type Firewall and select it.
  2. Click + Create.
  3. Fill in the values provided in your deployment guide (resource group, name, region, virtual network, subnet, etc.).
  4. Choose Review + create, then Create.

3. Update the Firewall Policy

  1. Search for and select Firewall Policies.
  2. Open the policy named fw‑policy (or the policy you created).

4. Add an Application Rule Collection

  1. In the policy’s Rules blade, select Application rules, then Add a rule collection.
  2. Configure the collection (e.g., name AllowAzurePipelines, priority, action = Allow).
  3. Add a rule named AllowAzurePipelines that permits traffic to Azure DevOps services (e.g., dev.azure.com, *.visualstudio.com).
  4. Save the collection.

This rule enables the web application to access Azure Pipelines and the Azure DevOps service.

5. Add a Network Rule Collection

  1. In the policy’s Rules blade, select Network rules, then Add a network collection.
  2. Configure the collection (e.g., name AllowDNS, priority, action = Allow).
  3. Add a rule that permits DNS traffic (typically UDP/TCP port 53 to your DNS servers or *.azure-dns.com).
  4. Save the collection.
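
One way to check the outcome of steps 4 and 5 after deployment, as an added example that is not part of the original post: it audits a policy's rule collections for Allow rules broader than the scenario needs. The sample data is constructed (addresses and priorities are placeholders), the field names follow the ARM firewall policy rule collection schema, and treating any extra FQDN, extra port, or wildcard address as a finding is an assumption about the intended policy.

```python
"""Audit Azure Firewall policy rule collections against the lab's stated intent."""

ALLOWED_FQDNS = {"dev.azure.com", "*.visualstudio.com"}  # FQDNs named in step 4

# Constructed sample: the ruleCollections list of a firewall policy rule
# collection group. Addresses and priorities are placeholders, not page values.
SAMPLE = [
    {"name": "AllowAzurePipelines", "priority": 200, "action": {"type": "Allow"},
     "rules": [{"ruleType": "ApplicationRule", "name": "AllowAzurePipelines",
                "sourceAddresses": ["10.1.0.0/23"],
                "protocols": [{"protocolType": "Https", "port": 443}],
                "targetFqdns": ["dev.azure.com", "*.visualstudio.com"]}]},
    {"name": "AllowDNS", "priority": 300, "action": {"type": "Allow"},
     "rules": [{"ruleType": "NetworkRule", "name": "AllowDns",
                "sourceAddresses": ["10.1.0.0/23"],
                "ipProtocols": ["UDP", "TCP"],
                "destinationAddresses": ["*"],                 # deliberately too broad
                "destinationPorts": ["53", "1024-65535"]}]},   # deliberately too broad
]


def audit(collections):
    """Return (collection, rule, issue) tuples for Allow rules that exceed the intent."""
    findings = []
    for coll in collections:
        if coll.get("action", {}).get("type") != "Allow":
            continue  # Deny collections cannot widen access
        for rule in coll.get("rules", []):
            where = (coll["name"], rule["name"])
            if "*" in rule.get("sourceAddresses", []):
                findings.append((*where, "source is any address"))
            if rule["ruleType"] == "ApplicationRule":
                for fqdn in rule.get("targetFqdns", []):
                    if fqdn not in ALLOWED_FQDNS:
                        findings.append((*where, f"unexpected FQDN {fqdn}"))
                for proto in rule.get("protocols", []):
                    if proto.get("protocolType") == "Http":
                        findings.append((*where, "plain HTTP allowed"))
            elif rule["ruleType"] == "NetworkRule":
                for port in rule.get("destinationPorts", []):
                    if port != "53":
                        findings.append((*where, f"non-DNS port {port}"))
                if "*" in rule.get("destinationAddresses", []):
                    findings.append((*where, "DNS allowed to any destination"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(" / ".join(finding))
```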