Notes from MS Learn AZ-700 Module 6: Design and implement network security – Unit 9: Exercise – Secure Your Virtual Hub Using Azure Firewall Manager
Tasks (taken from MS Learn: Items without “Task” in front of them are personal additions)
- Task 1: Create two spoke virtual networks and subnets.
- Search and choose Virtual Networks in Azure Portal
- Select Create
- Create New Resource group
- Enter unique name and click OK
- Enter Unique Instance Name
- Choose Region from dropdown
- Choose Next : IP Addresses >
- Choose the hyperlink for default under subnet name
- Enter a unique subnet name
- Change Subnet address range to appropriate CIDR range
- Click Save
- Click Review + create
- Once validated click Create
- Create New Resource group
- Repeat for second Virtual Network
- Task 2: Create the secured virtual hub.
- Search and Click Firewall Manager in Azure Portal
- Click Overview tab
- Click View secured virtual hubs
- Click Create new secured virtual hub
- Select Resource Group from dropdown
- Select Region from dropdown
- Enter unique name for Secured virtual hub name
- Enter appropriate CIDR for Hub address space
- Enter Unique name for Virtual WAN Name
- Click Next : Azure Firewall >
- Click Next : Security Partner Provider >
- Click Next : Review + create >
- Once validation succeeds click Create
- Search and return to Firewall Manager under Azure Portal
- Choose Virtual Hubs in left panel
- Choose Hub-01
- Select Public IP configuration
- Note Public IP Address for later
- Task 3: Connect the hub and spoke virtual networks.
- Search for and choose Virtual WANs in Azure Portal
- Choose Vwan-01
- Select Virtual network connections in left panel
- Choose Add connection
- Enter unique Connection name
- Choose hub from dropdown
- Choose resource group from dropdown
- Choose VNet from dropdown
- Select Create
- Repeat for Spoke 2
- Task 4: Deploy the servers.
- Open PowerShell from Portal
- Upload Template and Parameters files
- Verify subscription
- (az account show --output table)
- Set subscription
- (az account set --subscription "Name from output above")
- Set resource group name variable
- ($RGName = "fw-manager-rg")
- Deploy ARM template
- (New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile filename.json -TemplateParameterFile filename.parameters.json)
- Return to portal and navigate to Virtual Machines
- Click first VM and note IP
- Repeat for second VM
- Task 5: Create a firewall policy and secure your hub.
- Search and Select Firewall Manager in portal
- Click Azure Firewall Policies in left panel
- Select Create Azure Firewall Policy
- Choose Resource group from dropdown
- Enter a unique name
- Choose Region from dropdown
- Toggle tier to Standard
- Click Next : DNS Settings >
- Click Next : TLS inspection >
- Click Next : Rules >
- Click Add a rule collection
- Enter Unique Name
- Select Application from Rule collection type dropdown.
- Enter Priority (100)
- Enter Name under Rules
- Enter source (wildcard in this case *)
- Enter http,https as protocol
- Enter *.microsoft.com as destination
- Click Add
- Repeat for a DNAT rule collection type
- Select TCP under protocol
- Set Dest Port as 3389
- Set the hub Public IP (noted in Task 2) as Destination
- Enter Translated Address or FQDN
- Enter Translated port (the port on the VM)
- Click Add
- Repeat for Network rule collection type
- Click Review + Create
- Once validated click Create
- Task 6: Associate the firewall policy.
- In portal search and click Firewall Manager
- Click Azure Firewall Policies
- Check box next to Policy-01
- Select Manage associations dropdown in menu bar
- Select Associate hubs
- Check box next to Hub-01
- Select Add
- Click Refresh
- Should be listed now
- Task 7: Route traffic to your hub.
- Select Virtual Hubs under deployments in left panel
- Choose Hub-01
- Under settings select Security configuration
- Internet traffic select Azure Firewall from dropdown
- Private traffic dropdown select Send via Azure Firewall
- Click Save
- Click OK in dialog
- Ensure for both spokes Internet Traffic and Private Traffic list "Secured by Azure Firewall"
- Task 8: Test the application rule.
- Launch Remote Desktop Connection
- Enter IP in Computer Box
- Click Connect
- Click Connect again
- Enter Creds
- Click OK
- In RDP open Internet Explorer
- Browse to Microsoft Home Page
- Click OK in dialog
- Browse to Google Home Page
- Denied due to app rule
- Task 9: Test the network rule.
- In RDP search and launch Remote Desktop Connection
- Enter Private IP of workload VM
- Click connect
- Enter Creds
- Click OK
- RDP Launches
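Added example (not part of the MS Learn exercise or my notes above, and not Azure code): a small Python model of how the policy built in Task 5 decides the flows tested in Tasks 8 and 9. Azure Firewall evaluates DNAT rule collections first, then network rule collections, then application rule collections, each group in ascending priority order, and drops anything no rule allows; a DNAT match also allows the translated traffic. The IPs, CIDRs and collection names below are constructed placeholders (the exercise uses whatever the portal assigned), and HTTP/HTTPS protocols are simplified from Azure's `http:80` / `https:443` form.

```python
"""Constructed model of Azure Firewall policy evaluation (not Azure code)."""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional

# Constructed placeholder addresses for the exercise topology.
FIREWALL_PUBLIC_IP = "203.0.113.10"  # "Note Public IP Address for later" (Task 2)
SPOKE1_VM = "10.0.0.4"               # first VM private IP (Task 4)
SPOKE2_VM = "10.1.0.4"               # workload VM private IP (Task 9)


@dataclass
class Flow:
    src: str
    dst: str        # IP for DNAT/network rules, FQDN for application rules
    port: int
    protocol: str   # "tcp", "udp", "http", "https"


@dataclass
class Rule:
    name: str
    sources: list        # IPs, CIDRs or "*"
    destinations: list   # IPs/CIDRs, or FQDN patterns for application rules
    ports: list          # strings, "*" allowed
    protocols: list
    translated: Optional[tuple] = None  # (address, port) for DNAT rules


@dataclass
class Collection:
    name: str
    kind: str       # "dnat" | "network" | "application"
    priority: int   # lower number is evaluated first
    action: str     # "allow" | "deny" | "dnat"
    rules: list


def _ip_match(addr: str, pattern: str) -> bool:
    """'*' matches anything; otherwise addr must fall inside the CIDR/IP pattern."""
    if pattern == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False  # FQDN on either side: not an IP match


def _net_match(flow: Flow, rule: Rule) -> bool:
    return (any(_ip_match(flow.src, s) for s in rule.sources)
            and any(_ip_match(flow.dst, d) for d in rule.destinations)
            and any(p == "*" or int(p) == flow.port for p in rule.ports)
            and (flow.protocol in rule.protocols or "any" in rule.protocols))


def _app_match(flow: Flow, rule: Rule) -> bool:
    # Wildcard FQDN match: "*.microsoft.com" covers www.microsoft.com but not microsoft.com.
    return (any(_ip_match(flow.src, s) for s in rule.sources)
            and flow.protocol in rule.protocols
            and any(fnmatchcase(flow.dst.lower(), d.lower()) for d in rule.destinations))


def evaluate(flow: Flow, policy: list) -> str:
    """Return the decision string for a flow: DNAT -> network -> application -> default deny."""
    by_priority = sorted(policy, key=lambda c: c.priority)
    for coll in (c for c in by_priority if c.kind == "dnat"):
        for rule in coll.rules:
            if _net_match(flow, rule):
                addr, port = rule.translated
                return f"dnat:{coll.name}/{rule.name} -> {addr}:{port} (allow)"
    for coll in (c for c in by_priority if c.kind == "network"):
        for rule in coll.rules:
            if _net_match(flow, rule):
                return f"{coll.action}:{coll.name}/{rule.name}"
    if flow.protocol in ("http", "https"):
        for coll in (c for c in by_priority if c.kind == "application"):
            for rule in coll.rules:
                if _app_match(flow, rule):
                    return f"{coll.action}:{coll.name}/{rule.name}"
    return "deny:default"


# The three rule collections from Task 5, with constructed names and CIDRs.
POLICY = [
    Collection("App-RC-01", "application", 100, "allow", [
        Rule("Allow-msft", ["*"], ["*.microsoft.com"], ["80", "443"], ["http", "https"]),
    ]),
    Collection("DNAT-RC-01", "dnat", 100, "dnat", [
        Rule("Allow-rdp", ["*"], [FIREWALL_PUBLIC_IP], ["3389"], ["tcp"],
             translated=(SPOKE1_VM, 3389)),
    ]),
    Collection("Net-RC-01", "network", 100, "allow", [
        Rule("Allow-vnet-rdp", ["10.0.0.0/16"], ["10.1.0.0/16"], ["3389"], ["tcp"]),
    ]),
]

if __name__ == "__main__":
    for f in (Flow(SPOKE1_VM, "www.microsoft.com", 443, "https"),   # Task 8: allowed
              Flow(SPOKE1_VM, "www.google.com", 443, "https"),      # Task 8: denied
              Flow("198.51.100.7", FIREWALL_PUBLIC_IP, 3389, "tcp"),  # Task 8: RDP via DNAT
              Flow(SPOKE1_VM, SPOKE2_VM, 3389, "tcp"),              # Task 9: spoke-to-spoke RDP
              Flow(SPOKE1_VM, SPOKE2_VM, 22, "tcp")):               # no rule: dropped
        print(f"{f.src} -> {f.dst}:{f.port}/{f.protocol}: {evaluate(f, POLICY)}")
```

The point worth keeping from the model: the Google request in Task 8 is not denied by a deny rule, it is dropped because no application rule allows it, and the spoke-to-spoke RDP in Task 9 succeeds only because the network rule exists (the DNAT rule only covers traffic arriving at the hub's public IP).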