Microsoft AZ-700: Exercise – Deploy and Configure Azure Firewall Using the Azure Portal

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 7: Exercise – Deploy and Configure Azure Firewall Using the Azure Portal

Tasks (taken from MS Learn; items without “Task” in front of them are personal additions)

  • Task 1: Create a virtual network and subnets.
    • Search and Choose Virtual Networks in Azure Portal
    • Click Create
      • Choose a resource group from the dropdown or click create new (create new in this example)
      • Enter a unique name in the dialog box and click OK
      • Enter a unique name under Instance Details
      • Select a region from the dropdown
      • Click Next : IP Addresses >
      • Select the check box for the default subnet and click its link
        • In right panel enter a unique subnet name
        • Enter an appropriate Subnet address range
        • Click Save
      • Click Add subnet for later use
        • Repeat above settings as appropriate
        • Click Add
      • Click Review + create
      • Once Validation has passed click Create
  • Task 2: Create a virtual machine.
    • Open PowerShell in Cloud Shell (Shell button next to the portal search bar)
    • Upload Template and Parameters files
    • View and specify subscription
      • “az account show --output table”
      • “az account set --subscription "NAME from output above"”
    • Set resource group variable
      • “$RGName = "Test-FW-RG"”
    • Return to Azure Portal to verify VM created
    • Select new VM and note IP Address
  • Task 3: Deploy the firewall and firewall policy.
    • Deploy template
      • “New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json”
    • In Azure Portal Search and Click Firewalls
    • Select Create
      • Choose Resource group from dropdown
      • Enter Instance Name
      • Choose region from dropdown
      • Choose FW SKU (Standard in this example)
      • Choose Add New under Firewall Policy
        • Enter Unique Policy Name in dialog
        • Choose Region from dropdown
        • Select OK
      • Under Choose a virtual network toggle to Use existing
      • Choose VNet under dropdown
      • Choose Add new under Public IP address
        • Enter Unique Name in dialog
        • Click OK
      • Click Review + Create
      • Once validation passed click Create
      • When complete click Go to resource
      • On overview page copy Firewall private IP
      • In left panel click Public IP configuration under Settings
      • Note public IP address
  • Task 4: Create a default route.
    • Search and click Route Tables in Azure Portal
    • Click Create
      • Choose Resource group from dropdown
      • Choose Region from dropdown
      • Enter unique name
      • Click Review + create
      • Once validation complete click Create
      • Once complete click Go to resource
      • Under settings select Subnets
      • Click Associate
        • Verify Virtual network and Subnet are as expected
        • Select OK
      • Under settings choose Routes
      • Click Add
        • Enter a unique route name
        • In Address prefix destination dropdown choose IP Address
        • Enter Destination IP addresses/CIDR ranges
        • In Next hop type dropdown choose Virtual Appliance
        • Enter Next Hop address
        • Select Add
  • Task 5: Configure an application rule.
    • In Azure Portal navigate to FW policy created earlier
    • Click Application rules
    • Select Add a rule collection
      • Enter Unique name
      • Enter a priority (200 in this example)
      • Enter a name in the Name box
      • Enter Source IP (CIDR)
      • Enter Protocol (http,https)
      • Enter Destination (www.google.com)
      • Click Add
  • Task 6: Configure a network rule.
    • Choose Network Rules under settings
    • Choose Add a rule collection
      • Enter a unique name for collection
      • Enter priority value (200)
      • Choose Rule Collection Group from dropdown
      • Enter unique name for rule under Name box
      • Enter Source (CIDR)
      • Choose Protocol from dropdown
      • Enter Destination Port(s)
      • Enter Destination
      • Click Add
  • Task 7: Configure a Destination NAT (DNAT) rule.
    • Choose DNAT rules under settings
    • Select Add a rule collection
      • Enter unique name for rule collection
      • Enter priority value (200)
      • Choose Rule collection group from dropdown
      • Enter unique name for rule
      • Enter Source IP as wildcard (*)
      • Choose protocol from dropdown
      • Enter Destination Port
      • Enter Destination IP
      • Enter IP addr in Translated address or FQDN box
      • Enter Translated Port
      • Click Add
  • Task 8: Change the primary and secondary DNS address for the server’s network interface.
    • Navigate to created VM earlier in Azure Portal
    • Click Networking under settings
    • Click the Network Interface for the VM
    • Click DNS servers under settings
      • Toggle to Custom
      • Add Primary and Secondary DNS Server
      • Click Save
    • Restart VM
      • Overview
      • Restart
      • Yes
  • Task 9: Test the firewall.
    • Launch Remote Desktop Connection
    • Enter FW Public IP:3389
    • Connect
    • Connect
    • Enter Credentials for VM and click OK
    • Open Internet Explorer and Browse to Google
    • In dialog select OK
    • Browse to microsoft.com – blocked due to FW
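The firewall-side steps of Tasks 4 to 7, as an added Az PowerShell example for Cloud Shell (not from the MS Learn exercise or this post); every resource name, address prefix and group priority below is an assumption, and the angle-bracket values are placeholders for addresses noted in earlier tasks:

```powershell
# Added example, not part of the post: Tasks 4-7 with the Az module instead of the portal.
$RGName      = "Test-FW-RG"             # from the post
$Location    = "eastus"                 # assumption
$VNetName    = "Test-FW-VN"             # assumption: VNet created in Task 1
$WorkSubnet  = "Workload-SN"            # assumption: subnet that holds the VM
$WorkPrefix  = "10.0.2.0/24"            # assumption: that subnet's address range
$PolicyName  = "fw-test-pol"            # assumption: policy created in Task 3
$FwPrivateIp = "<firewall private IP>"  # copied from the firewall Overview page (Task 3)
$FwPublicIp  = "<firewall public IP>"   # from Public IP configuration (Task 3)
$VmPrivateIp = "<VM private IP>"        # noted in Task 2

# Task 4: default route (0.0.0.0/0) via the firewall, associated with the workload subnet
$rt = New-AzRouteTable -Name "Firewall-route" -ResourceGroupName $RGName -Location $Location
Add-AzRouteConfig -RouteTable $rt -Name "fw-dg" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $FwPrivateIp | Set-AzRouteTable | Out-Null
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RGName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $WorkSubnet `
    -AddressPrefix $WorkPrefix -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# Task 5: application rule; only www.google.com is allowed, all other web traffic is denied
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-Google" -SourceAddress $WorkPrefix `
    -TargetFqdn "www.google.com" -Protocol "http:80","https:443"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "App-Coll01" -Priority 200 `
    -Rule $appRule -ActionType Allow

# Task 6: network rule letting the VM reach the DNS servers set in Task 8 (UDP 53)
$netRule = New-AzFirewallPolicyNetworkRule -Name "Allow-DNS" -SourceAddress $WorkPrefix `
    -DestinationAddress "<primary DNS>","<secondary DNS>" -DestinationPort 53 -Protocol UDP
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "Net-Coll01" -Priority 200 `
    -Rule $netRule -ActionType Allow

# Task 7: DNAT rule publishing RDP on the firewall public IP. "*" matches the lab steps;
# outside a lab, narrow SourceAddress to the management range that needs RDP.
$natRule = New-AzFirewallPolicyNatRule -Name "rdp-nat" -SourceAddress "*" -Protocol TCP `
    -DestinationAddress $FwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $VmPrivateIp -TranslatedPort 3389
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "NAT-Coll01" -Priority 200 `
    -Rule $natRule -ActionType Dnat

# Attach the collections to the policy; group priorities must be unique within a policy
$policy = Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $RGName
New-AzFirewallPolicyRuleCollectionGroup -Name "DnatRCG" -Priority 100 `
    -RuleCollection $natColl -FirewallPolicyObject $policy | Out-Null
New-AzFirewallPolicyRuleCollectionGroup -Name "NetworkRCG" -Priority 200 `
    -RuleCollection $netColl -FirewallPolicyObject $policy | Out-Null
New-AzFirewallPolicyRuleCollectionGroup -Name "AppRCG" -Priority 300 `
    -RuleCollection $appColl -FirewallPolicyObject $policy | Out-Null
```

Azure Firewall evaluates DNAT, then network, then application rules, which is why the three groups are given ascending priorities in that order; the Task 9 result (google.com allowed, microsoft.com blocked) follows from the single Allow rule in the application collection.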
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-deploy-and-configure-azure-firewall-using-the-azure-portal/
