Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 7: Exercise – Deploy and Configure Azure Firewall Using the Azure Portal
Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)
- Task 1: Create a virtual network and subnets.
- Search and Choose Virtual Networks in Azure Portal
- Click Create
- Choose a resource group from the dropdown or click create new (create new in this example)
- Enter a unique name in the dialog box and click OK
- Enter a unique name under Instance Details
- Select a region from the dropdown
- Click Next : IP Addresses >
- Select (check box) and the link to the default subnet
- In right panel enter a unique subnet name
- Enter an appropriate Subnet address range
- Click Save
- Click Add subnet for later use
- Repeat above settings as appropriate
- Click Add
- Click Review + create
- Once Validation has passed click Create
- Task 2: Create a virtual machine.
- Open PowerShell in cloudshell (Shell button next to portal search bar)
- Upload Template and Parameters files
- View and specify subscription
- “az account show –output table”
- “az account set –subscription “NAME from output above””
- Set resource group variable
- “$RGName = Test-FW-RG”
- Return to Azure Portal to verify VM created
- Select new VM and note IP Address
- Task 3: Deploy the firewall and firewall policy.
- Deploy template
- “New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json”
- In Azure Portal Search and Click Firewalls
- Select Create
- Choose Resource group from dropdown
- Enter Instance Name
- Choose region from dropdown
- Choose FW SKU (Standard in this example)
- Choose Add New under Firewall Policy
- Enter Unique Policy Name in dialog
- Choose Region from dropdown
- Select OK
- Under Choose a virtual network toggle to Use existing
- Choose VNet under dropdown
- Choose Add new under Public IP address
- Enter Unique Name in dialog
- Click OK
- Click Review + Create
- Once validation passed click Create
- When complete click Go to resource
- On overview page copy Firewall private IP
- In left panel click Public IP configuration under Settings
- Note public IP address
- Deploy template
- Task 4: Create a default route.
- Search and click Route Tables in Azure Portal
- Click Create
- Choose Resource group from dropdown
- Choose Region from dropdown
- Enter unique name
- Click Review + create
- Once validation complete click Create
- Once complete click Go to resource
- Under settings select Subnets
- Click Associate
- Verify Virtual network and Subnet are as expected
- Select OK
- Under settings choose Routes
- Click Add
- Enter a unique route name
- In Address prefix destination dropdown choose IP Address
- Enter Destination IP addresses/CIDR ranges
- In Next hop type dropdown choose Virtual Appliance
- Enter Next Hop address
- Select Add
- Task 5: Configure an application rule.
- In Azure Portal navigate to FW policy created earlier
- Click Application rules
- Select Add a rule collection
- Enter Unique name
- Enter a priority (200 in this example)
- Enter a name in the Name box
- Enter Source IP (CIDR)
- Enter Protocol (http,https)
- Enter Destination (www.google.com)
- Click Add
- Task 6: Configure a network rule.
- Choose Network Rules under settings
- Choose Add a rule collection
- Enter a unique name for collection
- Enter priority value (200)
- Choose Rule Collection Group from dropdown
- Enter unique name for rule under Name box
- Enter Source (CIDR)
- Choose Protocol from dropdown
- Enter Destination Port(s)
- Enter Destination
- Click Add
- Task 7: Configure a Destination NAT (DNAT) rule.
- Choose DNAT rules under settings
- Select Add a rule collection
- Enter unique name for rule collection
- Enter priority value (200)
- Choose Rule collection group from dropdown
- Enter unique name for rule
- Enter Source IP as wildcare (*)
- Choose protocol from dropdown
- Enter Destination Port
- Enter Destination IP
- Enter IP addr in Translated address or FQDN box
- Enter Translated Port
- Click Add
- Task 8: Change the primary and secondary DNS address for the server’s network interface.
- Navigate to created VM earlier in Azure Portal
- Click Networking under settings
- Click the Network Interface for the VM
- Click DNS servers under settings
- Toggle to Custom
- Add Primary and Secondary DNS Server
- Click Save
- Restart VM
- Overview
- Restart
- Yes
- Task 9: Test the firewall.
- Launch Remote Desktop Connection
- Enter FW Public IP:3389
- Connect
- Connect
- Enter Credentials for VM and click OK
- Open Internet Explorer and Browse to Google
- In dialog select OK
- Browse to microsoft.com – blocked due to FW