
Task 05 - Deploy and configure Azure Firewall

Introduction

Tailspin Toys is migrating their on-premises SQL Server database to Azure SQL Managed Instance. In this task, you will implement an Azure Firewall to protect network traffic.

Description

In this task, you will implement an Azure Firewall to protect network traffic.

The key tasks are as follows:

  1. Test network traffic from the Virtual Machine to the Internet. You should have access to bing.com.
  2. Deploy Azure Firewall.
  3. Configure rules to block access to bing.com.
  4. Test network traffic from the Virtual Machine to the Internet. Access to bing.com is now blocked.

Success Criteria

  • Azure Firewall is deployed and works as expected.

Solution

  1. In the Azure Portal, navigate to your lab resource group and select the tailspin<uniqueid>-onprem-sql-vm virtual machine from the list of resources.

    The Virtual machine pane for the Simulated on-premises SQL Server VM is shown in the Azure Portal.

  2. On the VM blade, select Bastion under Connect in the left menu, and on the Bastion blade, enter the following username and password, ensure Open in a new browser window is checked, then select Connect.

    • Username: demouser
    • Password: demo!pass123

    The Bastion pane of the tailspin-onprem-sql-vm Virtual machine is shown with the Username and Password fields entered and highlighted.

  3. On the VM, launch a web browser and navigate to https://www.bing.com. The Bing web page should load successfully in the browser on the VM.

  4. In a separate browser tab on your local machine, open the Azure portal, navigate to your lab resource group, and select the tailspin<uniqueid>-hub-vnet virtual network resource.

  5. On the Hub VNet blade, expand Settings in the left menu, select Subnets and then create a new subnet by selecting the + Subnet button on the toolbar.

    A Virtual Network pane is shown, with the Subnets section selected and the add subnet option highlighted.

  6. On the Add a subnet pane, enter the following values, then select Add.

    • Subnet purpose: Select Azure Firewall.
    • IPv4 Starting address: 10.1.100.0/24

    The Add a subnet pane is shown, with the values entered for the Azure Firewall subnet.

  7. In the Search resources, services, and docs text box at the top of the Azure portal, search for Firewalls, and select Firewalls under Services.

  8. On the Firewalls page, create a new firewall by selecting + Create on the toolbar.

  9. On the Create Firewall Basics tab, enter the following values, then select Add new on the Firewall policy section.

    • Resource group: Select your lab resource group.
    • Name: hub-fw
    • Region: Select the same region where your other resources in your resource group are located. IMPORTANT: If you choose a different region this will not work.
    • Firewall SKU: Standard
    • Firewall management: Use a Firewall Policy to manage this firewall

    The Basics tab of the Create a Firewall is displayed with values entered.

  10. On the Create a new Firewall Policy popup, enter the following values, then select OK.

    • Name: hub-fw-pol
    • Region: Select the same region where your other resources in your resource group are located. IMPORTANT: If you choose a different region this will not work.

    The Create a new Firewall Policy popup is shown, with the values entered.

  11. On the Basics tab, enter the following values, then select Add new on the Public IP address section.

    • Choose a virtual network: Use existing
    • Virtual network: tailspin-hub-vnet

    The Basics tab of the Create a Firewall is displayed with further values entered.

  12. On the Add a public IP popup, enter the following values, then select OK.

    • Name: hub-fw-pip

    The Add a public IP popup is shown, with the values entered.

  13. On the Basics tab, ensure that the Enable Firewall Management NIC option is not checked.

    The Basics tab of the Create a Firewall is displayed with another value entered.

    IMPORTANT: Unchecking this option may result in your public IP address settings being cleared. If that happens, repeat the previous step to add a public IP named hub-fw-pip.

  14. Review the values entered, then select Next : Tags >.

    The Basics tab of the Create a Firewall is displayed with the full set of values entered.

  15. On the Tags tab, select Next : Review + create >.

    The Tags tab of the Create a Firewall is displayed with the values entered.

  16. Once the validation passes, select Create.

    The validation tab of the Create a Firewall is displayed.

  17. Wait for the deployment to complete, then select Go to resource to navigate to the hub-fw Firewall resource in the Azure portal.

  18. On the hub-fw blade, copy the Private IP address that was assigned to the firewall. This is located in the Essentials section of the Overview blade.

    The Hub-fw overview page is shown with the Private IP highlighted.

  19. Next, in the Search resources, services, and docs text box at the top of the Azure portal, search for Route tables, and select the Route tables service.

  20. On the Route tables blade, create a new route table by selecting + Create on the toolbar.

    The Route tables list with the Create option highlighted.

  21. On the Create Route table pane, enter the following values.

    • Resource group: Select your lab resource group.
    • Region: Select the same region as your resource group and other lab resources.
    • Name: firewall-rt

    The Create Route table pane is shown, with the values entered.

  22. Select Review + create, then select Create.

  23. On the Route tables blade, click Refresh and, in the list of route tables, select firewall-rt.

    The Route tables list with the Firewall-route entry highlighted.

  24. On the firewall-rt blade, expand Settings in the left menu, then select Subnets.

    The Firewall-route Route table pane with the Subnets sub-section highlighted.

  25. On the firewall-rt Subnets blade, select + Associate on the toolbar.

    The Firewall-route Route table Subnets pane with the Associate option highlighted.

  26. On the Associate subnet pane, enter the following values, then select OK.

    • Virtual network: Select the tailspin<uniqueid>-onprem-vnet
    • Subnet: default

  27. On the firewall-rt blade, expand Settings in the left menu, then select Routes.

    The Firewall-route Route table pane with the Routes sub-section highlighted.

  28. On the firewall-rt Routes blade, select + Add.

    The Firewall-route Route table Routes pane with the Associate option highlighted.

  29. On the Add route pane, enter the following values, then select Add.

    • Route name: FW-DG
    • Destination type: IP Addresses
    • Destination IP addresses/CIDR ranges: 0.0.0.0/0
    • Next hop type: Virtual appliance
    • Next hop address: Paste the private IP address of the firewall that you copied from the Essentials section of your Azure Firewall. For example: 10.1.100.4.

    The Add route pane is shown, with the values entered.

    Note: Azure Firewall is a managed service rather than a network virtual appliance, but Virtual appliance is the next hop type that sends traffic to it.

  30. Return to your Bastion session for the tailspin<uniqueid>-onprem-sql-vm.

  31. Using Microsoft Edge, navigate to https://www.bing.com (or refresh the page if your browser is still open from the previous step). You should no longer be able to access Microsoft Bing.

  32. In the Azure portal, navigate back to the hub-fw firewall.

  33. On the hub-fw blade, in the Firewall policy section, select hub-fw-pol.

    The hub-fw overview page is shown with the Firewall policy highlighted.

  34. On the hub-fw-pol Firewall Policy blade, expand Rules in the left menu, then select Application rules.

    The hub-fw-pol Firewall Policy pane with the Application rules sub-section highlighted.

  35. On the hub-fw-pol Application rules blade, select + Add a rule collection from the toolbar.

    The hub-fw-pol Firewall Policy pane with the Add a rule collection option highlighted.

  36. On the Add a rule collection pane, enter the following values.

    • Name: App-Coll01
    • Rule collection type: Select Application
    • Priority: 200
    • Action: Allow
    • Rule collection group: DefaultApplicationRuleCollectionGroup

    The Add a rule collection pane is shown, with the values entered.

  37. Within the Rules section, create a new entry with the following values.

    • Name: AllowBing
    • Source type: IP Address
    • Source: 10.0.0.0/24
    • Protocol: http:80,https:443
    • Destination Type: FQDN
    • Destination: www.bing.com

  38. Select Add.

  39. Wait until you get a notification in the Azure portal that the rule collection has been added successfully, and the rule collection group appears on the Application rules blade. This may take several minutes.

  40. Return to your Bastion session for the tailspin<uniqueid>-onprem-sql-vm, and once again attempt to navigate to https://www.bing.com using Microsoft Edge. You should be able to access Microsoft Bing.
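The portal steps above expressed as a Bicep template, added here as an example and not part of the lab or the Tailspin project: the route table from steps 21 to 29 and the application rule collection from steps 34 to 38. It assumes the hub-fw-pol policy already exists, that firewall-rt is still associated with the onprem-vnet default subnet as in step 26, and that 300 is the priority the portal gives the default application rule collection group.

```bicep
// Added example, not part of the lab: Bicep equivalent of steps 21-29 and 34-38.
// Assumed: hub-fw-pol already exists and fwPrivateIp is the address copied in step 18.
param location string = resourceGroup().location
param fwPrivateIp string
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' existing = { name: 'hub-fw-pol' }
// Steps 21-29: 0.0.0.0/0 via the firewall's private IP; Azure Firewall is a managed
// service, but VirtualAppliance is still the next hop type used to reach it.
resource routeTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'firewall-rt'
  location: location
  properties: {
    routes: [
      {
        name: 'FW-DG'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: fwPrivateIp
        }
      }
    ]
  }
}
// Steps 34-38: the firewall denies by default, so only www.bing.com on 80/443 from
// 10.0.0.0/24 gets out. A deployment replaces the whole group, so list every collection here.
resource appRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultApplicationRuleCollectionGroup'
  properties: {
    priority: 300   // assumed: the priority the portal gives this default group
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'App-Coll01'
        priority: 200
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'AllowBing'
            sourceAddresses: [ '10.0.0.0/24' ]
            protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]
            targetFqdns: [ 'www.bing.com' ]
          }
        ]
      }
    ]
  }
}
```

Because the default route sends all subnet egress to the firewall and the policy has no other allow rules, every destination except www.bing.com stays blocked, which is the behaviour steps 31 and 40 verify from the VM.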