What is Azure Firewall
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Some features include:
- High availability
- Cloud scalability
- Application FQDN filtering rules
- Network traffic filtering rules
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.
Steps to Deploy and configure Azure Firewall using the Azure portal:
In the tutorial, we will create a simplified single VNet with three subnets for easy deployment. For production deployments, a hub and spoke model is recommended. The firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
- AzureFirewallSubnet – the firewall is in this subnet.
- Workload-SN – the workload server is in this subnet. This subnet’s network traffic goes through the firewall.
- Jump-SN – The “jump” server is in this subnet. The jump server has a public IP address that you can connect to using Remote Desktop. From there, you can then connect to (using another Remote Desktop) the workload server.

In this tutorial, we will learn how to:
- Set up a test network environment
- Deploy a firewall
- Create a default route
- Configure an application rule to allow access to www.cloudsguy.com
- Configure a network rule to allow access to external DNS servers
- Test the firewall
If you prefer, you can complete this tutorial using Azure PowerShell.
If you don’t have an Azure subscription, create a free account before you begin.
Set up the network
First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and test servers.
Create a resource group
The resource group contains all the resources for the tutorial.
- Sign in to the Azure portal at https://portal.azure.com.
- On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Add.
- For Resource group name, enter Test-FW-RG.
- For Subscription, select your subscription.
- For Resource group location, select a location. All other resources that you create must be in the same location.
- Select Create.
Create a VNet
This VNet will contain three subnets.
- On the Azure portal menu or from the Home page, select Create a resource.
- Select Networking > Virtual network.
- For Name, type Test-FW-VN.
- For Address space, type 10.0.0.0/16.
- For Subscription, select your subscription.
- For Resource group, select Test-FW-RG.
- For Location, select the same location that you used previously.
- Under Subnet, for Name type AzureFirewallSubnet. The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.
- For Address range, type 10.0.1.0/26.
- Accept the other default settings, and then select Create.
Create additional subnets
Next, create subnets for the jump server, and a subnet for the workload servers.
- On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Test-FW-RG.
- Select the Test-FW-VN virtual network.
- Select Subnets > +Subnet.
- For Name, type Workload-SN.
- For Address range, type 10.0.2.0/24.
- Select OK.
Create another subnet named Jump-SN, address range 10.0.3.0/24.
Create virtual machines
Now create the jump and workload virtual machines, and place them in the appropriate subnets.
- On the Azure portal menu or from the Home page, select Create a resource.
- Select Compute and then select Windows Server 2016 Datacenter in the Featured list.
- Enter these values for the virtual machine:
TABLE 1 Setting Value Resource group Test-FW-RG Virtual machine name Srv-Jump Region Same as previous Administrator user name azureuser Password Azure123456! - Under Inbound port rules, for Public inbound ports, select Allow selected ports.
- For Select inbound ports, select RDP (3389).
- Accept the other defaults and select Next: Disks.
- Accept the disk defaults and select Next: Networking.
- Make sure that Test-FW-VN is selected for the virtual network and the subnet is Jump-SN.
- For Public IP, accept the default new public ip address name (Srv-Jump-ip).
- Accept the other defaults and select Next: Management.
- Select Off to disable boot diagnostics. Accept the other defaults and select Review + create.
- Review the settings on the summary page, and then select Create.
Use the information in the following table to configure another virtual machine named Srv-Work. The rest of the configuration is the same as the Srv-Jump virtual machine.
Setting | Value |
---|---|
Subnet | Workload-SN |
Public IP | None |
Public inbound ports | None |
Deploy the firewall
Deploy the firewall into the VNet.
- On the Azure portal menu or from the Home page, select Create a resource.
- Type firewall in the search box and press Enter.
- Select Firewall and then select Create.
- On the Create a Firewall page, use the following table to configure the firewall:
TABLE 3 Setting Value Subscription <your subscription> Resource group Test-FW-RG Name Test-FW01 Location Select the same location that you used previously Choose a virtual network Use existing: Test-FW-VN Public IP address Add new. The Public IP address must be the Standard SKU type. - Select Review + create.
- Review the summary, and then select Create to create the firewall.
This will take a few minutes to deploy.
- After deployment completes, go to the Test-FW-RG resource group, and select the Test-FW01 firewall.
- Note the private IP address. You’ll use it later when you create the default route.
Create a default route
For the Workload-SN subnet, configure the outbound default route to go through the firewall.
- On the Azure portal menu, select All services or search for and select All services from any page.
- Under Networking, select Route tables.
- Select Add.
- For Name, type Firewall-route.
- For Subscription, select your subscription.
- For Resource group, select Test-FW-RG.
- For Location, select the same location that you used previously.
- Select Create.
- Select Refresh, and then select the Firewall-route route table.
- Select Subnets and then select Associate.
- Select Virtual network > Test-FW-VN.
- For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route, otherwise your firewall won’t work correctly.
- Select OK.
- Select Routes and then select Add.
- For Route name, type fw-dg.
- For Address prefix, type 0.0.0.0/0.
- For Next hop type, select Virtual appliance.
Azure Firewall is actually a managed service, but virtual appliance works in this situation.
- For Next hop address, type the private IP address for the firewall that you noted previously.
- Select OK.
Configure an application rule
This is the application rule that allows outbound access to www.cloudsguy.com.
- Open the Test-FW-RG, and select the Test-FW01 firewall.
- On the Test-FW01 page, under Settings, select Rules.
- Select the Application rule collection tab.
- Select Add application rule collection.
- For Name, type App-Coll01.
- For Priority, type 200.
- For Action, select Allow.
- Under Rules, Target FQDNs, for Name, type Allow-Google.
- For Source type, select IP address.
- For Source, type 10.0.2.0/24.
- For Protocol:port, type http, https.
- For Target FQDNS, type www.cloudsguy.com
- Select Add.
Configure a network rule
This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).
- Select the Network rule collection tab.
- Select Add network rule collection.
- For Name, type Net-Coll01.
- For Priority, type 200.
- For Action, select Allow.
- Under Rules, IP addresses, for Name, type Allow-DNS.
- For Protocol, select UDP.
- For Source type, select IP address.
- For Source, type 10.0.2.0/24.
- For Destination address, type 209.244.0.3,209.244.0.4
These are public DNS servers operated by CenturyLink.
- For Destination Ports, type 53.
- Select Add.
Change the primary and secondary DNS address for the Srv-Work network interface
For testing purposes in this tutorial, configure the server’s primary and secondary DNS addresses. This isn’t a general Azure Firewall requirement.
- On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the Test-FW-RG resource group.
- Select the network interface for the Srv-Work virtual machine.
- Under Settings, select DNS servers.
- Under DNS servers, select Custom.
- Type 209.244.0.3 in the Add DNS server text box, and 209.244.0.4 in the next text box.
- Select Save.
- Restart the Srv-Work virtual machine.
Test the firewall
Now, test the firewall to confirm that it works as expected.
- From the Azure portal, review the network settings for the Srv-Work virtual machine and note the private IP address.
- Connect a remote desktop to Srv-Jump virtual machine, and sign in. From there, open a remote desktop connection to the Srv-Work private IP address.
- Open Internet Explorer and browse to https://www.cloudsguy.com.
- Select OK > Close on the Internet Explorer security alerts.
You should see the Google home page.
- Browse to https://www.microsoft.com.
You should be blocked by the firewall.
So now you’ve verified that the firewall rules are working:
- You can browse to the one allowed FQDN, but not to any others.
- You can resolve DNS names using the configured external DNS server.
Clean up resources
You can keep your firewall resources for the next tutorial, or if no longer needed, delete the Test-FW-RG resource group to delete all firewall-related resources.