Microsoft AZ-700: Exercise – Secure Your Virtual Hub Using Azure Firewall Manager

Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 9: Exercise – Secure Your Virtual Hub Using Azure Firewall Manager

Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)

  • Task 1: Create two spoke virtual networks and subnets.
    • Search and choose Virtual Networks in Azure Portal
    • Select Create
      • Create New Resource group
        • Enter unique name and click OK
      • Enter Unique Instance Name
      • Choose Region from dropdown
      • Choose Next : IP Addresses >
      • Choose the hyperlink for default under subnet name
        • Enter a unique subnet name
        • Change Subnet address range to appropriate CIDR range
        • Click Save
      • Click Review + create
      • Once validated click Create
    • Repeat for second Virtual Network
  • Task 2: Create the secured virtual hub.
    • Search and Click Firewall Manager in Azure Portal
    • Click Overview tab
    • Click View secured virtual hubs
    • Click Create new secured virtual hub
      • Select Resource Group from dropdown
      • Select Region from dropdown
      • Enter unique name for Secured virtual hub name
      • Enter appropriate CIDR for Hub address space
      • Enter Unique name for Virtual WAN Name
      • Click Next : Azure Firewall >
      • Click Next : Security Partner Provider >
      • Click Next : Review + create >
      • Once validation succeeds click Create
      • Search and return to Firewall Manager under Azure Portal
      • Choose Virtual Hubs in left panel
      • Choose Hub-01
      • Select Public IP configuration
      • Note Public IP Address for later
  • Task 3: Connect the hub and spoke virtual networks.
    • Search for and choose Virtual WANs in Azure Portal
    • Choose Vwan-01
    • Select Virtual network connections in left panel
    • Choose Add connection
      • Enter unique Connection name
      • Choose hub from dropdown
      • Choose resource group from dropdown
      • Choose VNet from dropdown
      • Select Create
    • Repeat for Spoke 2
  • Task 4: Deploy the servers.
    • Open PowerShell from Portal
    • Upload Template and Parameters files
    • Verify subscription
      • (az account show --output table)
    • Set subscription
      • (az account set --subscription "Name from output above")
    • Set resource group name variable
      • ($RGName = "fw-manager-rg")
    • Deploy ARM template
      • (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json)
    • Return to portal and navigate to Virtual Machines
      • Click first VM and note IP
      • Repeat for second VM
  • Task 5: Create a firewall policy and secure your hub.
    • Search and Select Firewall Manager in portal
    • Click Azure Firewall Policies in left panel
    • Select Create Azure Firewall Policy
      • Choose Resource group from dropdown
      • Enter a unique name
      • Choose Region from dropdown
      • Toggle tier to Standard
      • Click Next : DNS Settings >
      • Click Next : TLS inspection >
      • Click Next : Rules >
      • Click Add a rule collection
        • Enter Unique Name
        • Select Application from Rule collection type dropdown.
        • Enter Priority (100)
        • Enter Name under Rules
        • Enter source (wildcard in this case *)
        • Enter http,https as protocol
        • Enter *.microsoft.com as destination
        • Click Add
      • Repeat for a DNAT rule collection type
        • Select TCP under protocol
        • Set Dest Port as 3389
        • Set Public Ip for DST
        • Enter Translated Address or FQDN
        • Enter DST port
        • Click Add
      • Repeat for Network rule collection type
      • Click Review + Create
      • Once validated click Create
  • Task 6: Associate the firewall policy.
    • In portal search and click Firewall Manager
    • Click Azure Firewall Policies
      • Check box next to Policy-01
      • Select Manage associations dropdown in menu bar
      • Select Associate hubs
        • Check box next to Hub-01
        • Select Add
      • Click Refresh
        • Should be listed now
  • Task 7: Route traffic to your hub.
    • Select Virtual Hubs under deployments in left panel
    • Choose Hub-01
    • Under settings select Security configuration
      • Internet traffic select Azure Firewall from dropdown
      • Private traffic dropdown select Send via Azure Firewall
    • Click Save
    • Click OK in dialog
    • Ensure for both spokes Internet Traffic and Private Traffic list “Secured by Azure Firewall”
  • Task 8: Test the application rule.
    • Launch Remote Desktop Connection
    • Enter IP in Computer Box
    • Click Connect
    • Click Connect again
    • Enter Creds
    • Click OK
    • In RDP open Internet Explorer
    • Browse to Microsoft Home Page
    • Click OK in dialog
    • Browse to Google Home Page
    • Denied due to app rule
  • Task 9: Test the network rule.
    • In RDP search and launch Remote Desktop Connection
    • Enter Private IP of workload VM
    • Click connect
    • Enter Creds
    • Click OK
    • RDP Launches
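Added example (not part of the MS Learn exercise or these notes): the Task 5 policy, with its application, DNAT and network rule collections, built with Az PowerShell in Cloud Shell, so the allow/deny behaviour tested in Tasks 8 and 9 is visible in one place. Region, rule and collection names, the spoke CIDR ranges, the placeholder IPs and the RDP scope of the network rule (taken from Task 9) are assumptions; replace them with your own values.

```powershell
# Added example, not the exercise's own code. Assumed: region, spoke ranges, placeholders.
$RGName      = "fw-manager-rg"            # resource group from Task 4
$Location    = "eastus"                   # assumed region
$PolicyName  = "Policy-01"                # policy name used in Task 6
$FwPublicIp  = "<hub-firewall-public-ip>" # placeholder: the IP noted in Task 2
$WorkloadIp  = "<workload-vm-private-ip>" # placeholder: the VM IP noted in Task 4
$Spoke1Range = "10.0.0.0/24"              # assumed Spoke-01 subnet range
$Spoke2Range = "10.1.0.0/24"              # assumed Spoke-02 subnet range

# Application rule: allow web traffic to *.microsoft.com only. Traffic that matches no
# allow rule is dropped, which is why Task 8 sees the Google home page denied.
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-msft" `
    -SourceAddress "*" -Protocol "http:80","https:443" -TargetFqdn "*.microsoft.com"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "App-RC-01" -Priority 100 `
    -Rule $appRule -ActionType Allow

# DNAT rule: RDP arriving at the hub firewall's public IP is translated to the workload VM.
# Source "*" mirrors the exercise; restrict it to your admin range outside a lab.
$natRule = New-AzFirewallPolicyNatRule -Name "rdp-nat" -Protocol TCP -SourceAddress "*" `
    -DestinationAddress $FwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $WorkloadIp -TranslatedPort 3389
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "DNAT-RC-01" -Priority 200 `
    -Rule $natRule -ActionType Dnat

# Network rule: permit RDP from Spoke-01 to Spoke-02 through the secured hub (Task 9).
$netRule = New-AzFirewallPolicyNetworkRule -Name "AllowRDP-spokes" -Protocol TCP `
    -SourceAddress $Spoke1Range -DestinationAddress $Spoke2Range -DestinationPort 3389
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "Net-RC-01" -Priority 300 `
    -Rule $netRule -ActionType Allow

# Create the Standard-tier policy, then attach all three collections in one group.
# Azure Firewall evaluates DNAT collections first, then network, then application rules.
$policy = New-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $RGName `
    -Location $Location -SkuTier Standard
New-AzFirewallPolicyRuleCollectionGroup -Name "RCG-01" -Priority 100 `
    -RuleCollection $appColl, $natColl, $netColl -FirewallPolicyObject $policy

# Confirm the policy exists before associating it with Hub-01 in Firewall Manager (Task 6).
Get-AzFirewallPolicy -Name $PolicyName -ResourceGroupName $RGName |
    Select-Object Name, ProvisioningState
```

Run it in the PowerShell Cloud Shell after Task 4; Tasks 6 and 7 (associating the policy with Hub-01 and routing traffic through it) are still done in the portal as the notes describe.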
Permanent link to this article: https://www.packetpilot.com/microsoft-az-700-exercise-secure-your-virtual-hub-using-azure-firewall-manager/