Introduction
Virtual Network Connectivity
Azure Front Door Service
Network Security Groups
Azure Firewall
Application Security Groups
Remote Access Management
Security Baselines
Conclusion
This course covers how to implement Azure network security. Through a combination of both theory and practical demonstrations, you will learn how to create and configure a range of Azure services designed to keep your network secure.
This includes topics such as virtual network connectivity, the Azure Front Door Service, NSG configuration, Azure firewall configuration, and application security groups. The course then moves on to the configuration of remote access management via just-in-time access and tools that are used to configure baselines.
We’d love to get your feedback on this course, so please give it a rating when you’re finished. If you have any queries or suggestions, please contact us at support@cloudacademy.com.
Learning Objectives
- Understand how to implement Azure network security
- Learn about the various Azure services and methodologies available to secure your network
Intended Audience
This course is intended for IT professionals who are interested in earning Azure certification and for those who work with Microsoft Azure on a daily basis.
Prerequisites
To get the most from this course, you should have at least a basic understanding of Azure network resources such as virtual networks, Azure firewalls, and network security groups.
Hello, everyone, and welcome back. In this lesson here, we're going to create and configure Azure firewall. To prepare for this demonstration, I've already set up a virtual network and a few subnets that we're going to use. This vNet-FirewallDemo virtual network is the virtual network we're going to work with. Within this virtual network, I've created two subnets. I did this to simulate a production environment.
The first subnet is called subnet-workloads. The second subnet is called subnet-jump. In the workloads subnet, I have a VM called PROD01, this PROD01 can simulate an app server or a file server or whatever the case might be. Now I've configured PROD01 without a public IP and I've configured the public inbound ports for it to none.
In my jump subnet, I also have a VM running, this VM is called JUMP01. And it's going to serve as my jump box to access my PROD01 in the workloads subnet. The address range for the subnet-workloads subnet is 10.0.2.0/24. The address range for subnet-jump is 10.0.3.0/24.
So with our lab environment explained here, let's get into the deployment of Azure firewall.
To start our configuration, we need to create a subnet with a specific name. We need to create a subnet called AzureFirewallSubnet within our virtual network here, this subnet will house our firewall.
So we'll go ahead and create my subnet and I'm not going to do a play-by-play here because I assume you already know how to do this. What I'm going to do here is give this a range of 10.0.1.0/26. And this is because Microsoft recommends a size of /26 for the firewall subnet.
Okay, so we have our firewall subnet here with our range of 10.0.1.0/26. With our firewall subnet created, we can deploy our firewall into the vNet-FirewallDemo virtual network. To do this, I'm going to click Create a Resource from my portal page here and I'm just going to search for firewall and then we'll select it from the list. We'll go ahead and create.
Now, from this Create page, I'm going to configure my new firewall that we're deploying here. I need to make sure that I'm deploying into my intended subscription and into the resource group I intend. So we'll go ahead and select our DemoRG. I'm going to call my firewall simply MyFirewall. And then I'll set my region to the same as my other resources, which is Central U.S., and I'm not worried about high availability here. So I'll leave the availability zone set to none for this exercise here.
Now, in this, choose a virtual network here. What I need to do is either create a new virtual network for this firewall or use an existing one. So we're going to use an existing one. We'll select our vNet-FirewallDemo and then what I need to do is specify a public IP address. Now, I can either create a new one or select an existing one. So bear with me here while I create a new one. Just going to call it PublicIP-FW.
Now, I should point out here that the SKU section here for my public IP needs to be standard and it needs to be static. And we can see here that these are already set for us. So we'll okay this and now what I'll do is click Review and Create here to create the firewall. And then we'll go ahead and create it. And this deployment can take a few minutes to finish. So we'll let this run and then we'll come back and do our configuration.
So with the deployment complete, I can click on Go to Resource here to see my firewall details. Now I need to note the private IP here, because I'm going to use this later on when I create my default route. Now my default route is going to send all traffic from the workload subnet through the firewall. To create my default route, what I'm going to do is browse to All Services here. And then what I'm going to do is browse to Networking and then I'm going to choose Route tables. And then I can either click Create Route Table or Add and we're going to create a new route table and we'll call it MyRouteTable.
We're going to deploy into my lab subscription and into my demo resource group. Location again will be Central U.S. Now, if we planned to associate this route table with a subnet in a virtual network that's connected to an on-prem network through a VPN gateway, disabling propagation would cause our on-prem routes to not propagate to the network interfaces in our subnet. We're going to leave propagation enabled here. And then with all my choices made, I can click Create.
Now once it's been deployed, and it takes a few moments, I can refresh here and see my new route table. Let's go ahead and refresh here. And we can see my route table's now showing up. So now what I need to do is associate my table with my virtual network. So I'll click my route table here, and then select subnets. We can see there are currently no subnets associated with the route table, so we'll click Associate here. And then from here, I will select my vNet-FirewallDemo virtual network. Now the subnet that I choose here is going to be my workload subnet. Then we'll Okay it.
Next, I need to click on Routes, and then click Add. This is where I'm going to define my actual route that sends all traffic through the firewall. I'm going to call my route DefaultRoute. For address prefix, I need to type 0.0.0.0/0, since I'm sending all traffic through this route. The next hop type here should be set to virtual appliance. And this is because my next hop is Azure firewall. Now you might be saying to yourself, I thought Azure firewall was a service, it is but for this exercise, it's seen as a virtual appliance.
Now for the next hop address, I need to provide the private IP address for my firewall. Remember, we noted this earlier. At this point, I can click Okay. And this adds my route to my route table.
So now that we have our default route configured, what we're going to do is create an application rule that allows outbound access to www.cloudacademy.com. Essentially, what we're doing is locking everything down to just cloudacademy.com. To do this, we're going to browse to our firewall. Let's go back out, to home, go to our firewall here. And then what we're going to do is go to Rules under Settings here. And since we're setting up an application rule, we'll choose the Application Rule Collection tab. And then under the Application Rule Collection tab we'll click Add Application Rule Collection.
We're going to call our collection here, MyAppCollection. And what we'll do here, is give it a priority of 200. Since we want to allow traffic, we're going to select Allow here for our action. And now under rules, we want to target FQDNs. So what we'll do is we'll provide a name for our new rule, and we'll call it AllowCloudAcademy.
For source addresses, we need to specify what network is allowed to reach Cloud Academy. So for this exercise, we're going to allow the workload subnet, the 10.0.2.0/24. And for protocols, we'll allow HTTP and HTTPS. And then of course, for the target FQDNs, we're going to target www.cloudacademy.com. And then what I'll do, is I'll add my rule here.
Okay, so now I've shown you how to create a route table, a default route, and an application rule. Now what I'm going to do is show you how to create a network rule. The network rule we're going to create allows outbound access to two different IP addresses on port 53, which is DNS. Because we're going to need DNS to resolve the cloudacademy.com domain name.
To create our network rule, we need to select the Network Rule Collection tab. Now from here, we'll choose the option to add a network rule collection and we'll call this NetworkCollection. Again, we'll set our priority to 200 and we're going to allow our traffic. At this point, we need to define our rule under IP addresses in the Rule section here. For our name, we're going to call it AllowDNS. We'll choose UDP for the protocol since DNS is UDP traffic. For the source address here, we're going to set the source to our workload subnet which is 10.0.2.0/24. And then we're going to specify Google's public DNS servers of 8.8.8.8 and 8.8.8.4 for our destinations and then we can use a comma here. And for destination ports here, we'll use Port 53, because that's what DNS operates over. Then we'll go ahead and click Add.
So what we just did was create a rule that allows DNS traffic through our firewall, but only to Google's public DNS servers. And we'll let this rule appear here, and then we'll move on to the next step. Okay, so now our new rule is in place. So to test things out, we need to configure the primary and secondary DNS servers that our virtual machine is going to use. Now, just to be clear, this isn't an Azure firewall requirement, we're just doing this because it's a test environment and we're testing things out here in a demo.
So what I'm going to do is browse to the network interface for our PROD01 virtual machine. So let's go back here into this network interface; the PROD01739 network interface here is the NIC for PROD01. So we'll select our NIC here. And what we're going to do is change the DNS servers to custom and specify Google's servers here. And we'll save it.
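The same build-out as the portal walkthrough above, written as an Az PowerShell script. This is an added example, not code from the course; it assumes DemoRG, vNet-FirewallDemo, subnet-workloads (10.0.2.0/24), the PROD01739 NIC and the Central US region already exist as described in the lesson, and it uses Google Public DNS at 8.8.8.8 and 8.8.4.4.

```powershell
# Added example (not the course's own code). Assumes the lab resources from the
# lesson already exist: DemoRG, vNet-FirewallDemo, subnet-workloads, NIC PROD01739.
$rg  = 'DemoRG'
$loc = 'centralus'

# 1. The firewall subnet must be named exactly AzureFirewallSubnet; /26 is the recommended size.
$vnet = Get-AzVirtualNetwork -Name 'vNet-FirewallDemo' -ResourceGroupName $rg
Add-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -VirtualNetwork $vnet -AddressPrefix '10.0.1.0/26' | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 2. The firewall's public IP must be Standard SKU and Static.
$pip = New-AzPublicIpAddress -Name 'PublicIP-FW' -ResourceGroupName $rg -Location $loc -Sku Standard -AllocationMethod Static

# 3. Deploy the firewall and record its private IP; that is the next hop for the default route.
$fw = New-AzFirewall -Name 'MyFirewall' -ResourceGroupName $rg -Location $loc -VirtualNetworkName $vnet.Name -PublicIpName $pip.Name
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 4. Route table with 0.0.0.0/0 -> VirtualAppliance (the firewall), associated with subnet-workloads.
#    BGP route propagation is left enabled, as in the lesson.
$route = New-AzRouteConfig -Name 'DefaultRoute' -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'MyRouteTable' -ResourceGroupName $rg -Location $loc -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'subnet-workloads' -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Out-Null
$vnet = $vnet | Set-AzVirtualNetwork

# 5. Application rule: only www.cloudacademy.com over HTTP/HTTPS, only from the workload subnet.
$appRule = New-AzFirewallApplicationRule -Name 'AllowCloudAcademy' -SourceAddress '10.0.2.0/24' -TargetFqdn 'www.cloudacademy.com' -Protocol 'http:80','https:443'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'MyAppCollection' -Priority 200 -ActionType Allow -Rule $appRule

# 6. Network rule: UDP/53 from the workload subnet to Google Public DNS only, so the FQDN can resolve.
$netRule = New-AzFirewallNetworkRule -Name 'AllowDNS' -Protocol UDP -SourceAddress '10.0.2.0/24' -DestinationAddress '8.8.8.8','8.8.4.4' -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'NetworkCollection' -Priority 200 -ActionType Allow -Rule $netRule

# 7. Attach both collections and push the configuration. Traffic matching no rule is denied.
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# 8. Test-lab step from the lesson (not a firewall requirement): point PROD01's NIC at the same resolvers.
$nic = Get-AzNetworkInterface -Name 'PROD01739' -ResourceGroupName $rg
$nic.DnsSettings.DnsServers.Clear()
$nic.DnsSettings.DnsServers.Add('8.8.8.8')
$nic.DnsSettings.DnsServers.Add('8.8.4.4')
$nic | Set-AzNetworkInterface | Out-Null
```

After this runs, browsing from PROD01 to www.cloudacademy.com succeeds while any other FQDN is denied with "no rule matched", which is the same result the lesson verifies from the jump box.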
Now once this updates, what I'll do is I'll go out to my PROD01 VM here and we'll start him up. We'll let this VM come up and then what we'll do is we'll test our rules to make sure everything's working the way it's supposed to.
So our PROD01 is running, but we can see we have no public IP address here. So we can't RDP to it directly and this was by design. So what we're going to do is go out to our JUMP01 box here that I deployed. He is in the process of starting up, and we're going to connect to our JUMP01. And then from there, jump over to PROD01. So we'll go ahead and connect here, now that it's running. And I'm just connecting off-screen here. And I'll drag this into my live screen.
Now I'll minimize this and remember, we're going to connect to PROD01 and that's 10.0.2.4. All right, so JUMP01 is up here. Let's launch our RDP console here or RDP client, I should say. And these are some slower lab machines so bear with me here. So the first test we're going to do here is see if we can actually RDP to our PROD server from JUMP. And it does appear that it's going to let me so now that I'm on my PROD01 VM, I can launch a browser here and try to browse to cloudacademy.com. What we'll do here is we'll minimize and open Chrome here. And what we'll do is we'll browse to www.cloudacademy.com. And you can see we've actually hit the page.
Now, the reason we have a mess here with no styling is because our firewall is blocking all traffic to everything but cloudacademy.com. So a lot of the styling is coming from an outside site or like a CDN. Now, if I try to go to, for example, microsoft.com, I can't even get to the site and it tells me that the request is denied because there's no rule matched. So we can see that I was allowed to hit Cloud Academy but wasn't allowed to hit microsoft.com, I'm blocked by the firewall. This confirms that my firewall rules are working. It confirms that I can only browse to the allowed FQDN and it confirms that DNS access to Google's DNS servers is working as well. Otherwise, I wouldn't have been able to resolve the names. So with that, you now know how to create a route table, a default route, application rules, and network rules. You now know how to create and configure an Azure firewall.
Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.
In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.
In his spare time, Tom enjoys camping, fishing, and playing poker.