Challenge 2: Firewalling Traffic


Introduction

In this challenge you will be fine-tuning your routing design to send VM traffic through the firewall.

Description

In this challenge you should deploy an Azure Firewall to the hub VNet, so that you have the topology described here:

[Figure: hub and spoke basic topology]

You need to make sure that the firewall is inspecting all Internet traffic from the Virtual Machines, as well as traffic going from Azure to onprem.

Additionally, you should install a web server on each Azure VM (hub-vm, spoke1-vm and spoke2-vm), and make sure that the web servers are reachable from the public Internet.

Success Criteria

  1. The spoke VMs can reach each other.
  2. The Azure Firewall should inspect traffic from any VM in the hub or the spokes going to the public Internet or to onprem.
  3. The Azure Firewall should inspect traffic from any on-premises client going to the hub or any spokes.
  4. The solution should be independent of network administrators adding, changing or removing prefixes in the on-premises network in the future.
  5. A web server should be installed on each VM, and it should be reachable from the public Internet.
  6. The participants should be able to show Azure Firewall logs, to demonstrate that traffic traverses the firewall.
  7. The participants should be able to identify the client source IP as seen by each web server and explain it.
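
Criteria 2 and 4 hinge on how Azure picks an effective route: longest prefix match first, then on a tie a user-defined route beats a BGP-learned route, which beats a system route. The script below is an added model of that selection for a spoke subnet (not code from the hack); the firewall IP, VNet prefixes and BGP-learned on-prem prefixes are constructed. It shows why a 0.0.0.0/0 UDR alone lets on-prem-bound traffic bypass the firewall as soon as the gateway learns a prefix, and why disabling gateway route propagation on the spoke route table keeps the design independent of prefixes added on-prem later.

```python
import ipaddress

# Azure effective-route selection: longest prefix wins; on an exact prefix tie
# a UDR beats a BGP route, which beats a system route.
PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}

FIREWALL_IP = "10.0.1.4"  # constructed: Azure Firewall private IP in the hub

# Constructed routes of the spoke1 subnet. Spoke1 VNet 10.1.0.0/16, hub 10.0.0.0/16.
# Route tuple: (prefix, next_hop_type, next_hop_ip, source)
SYSTEM = [
    ("10.1.0.0/16", "VnetLocal", None, "System"),
    ("10.0.0.0/16", "VNetPeering", None, "System"),
    ("0.0.0.0/0", "Internet", None, "System"),
]
UDR = [("0.0.0.0/0", "VirtualAppliance", FIREWALL_IP, "UDR")]
# Prefixes the hub VPN/ExpressRoute gateway learned from on-prem over BGP.
# 172.16.0.0/12 stands for a prefix the on-prem admins add after the UDRs were written.
BGP = [
    ("192.168.0.0/16", "VirtualNetworkGateway", None, "BGP"),
    ("172.16.0.0/12", "VirtualNetworkGateway", None, "BGP"),
]


def effective_routes(propagate_gateway_routes):
    """Effective routes of the spoke1 subnet. propagate_gateway_routes=False models
    the route table setting 'Propagate gateway routes: No', which withholds BGP routes."""
    return SYSTEM + UDR + (BGP if propagate_gateway_routes else [])


def next_hop(dest_ip, routes):
    """Return (next_hop_type, next_hop_ip) that Azure would use for dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, hop_type, hop_ip, source in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net:
            key = (net.prefixlen, -PRIORITY[source])  # longer prefix, then UDR > BGP > System
            if best is None or key > best[0]:
                best = (key, hop_type, hop_ip)
    return best[1:] if best else None


def goes_via_firewall(dest_ip, routes):
    return next_hop(dest_ip, routes) == ("VirtualAppliance", FIREWALL_IP)


if __name__ == "__main__":
    for propagate in (True, False):
        routes = effective_routes(propagate)
        for dest in ("8.8.8.8", "192.168.1.10", "172.16.5.5", "10.2.0.4"):
            print(f"propagate={propagate!s:5} {dest:>13} -> {next_hop(dest, routes)}")
```

The return direction (criterion 3) is not modelled here: on-prem-to-spoke traffic still needs a route table on the hub GatewaySubnet that points the spoke prefixes at the firewall.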

Advanced Challenges (Optional)

If you want to dive even deeper in the technology: