Azure Firewall Deep Dive

Captions
Hey everyone, in this video I want to explore Azure Firewall, a deep dive into Azure Firewall, both the standard features and the new premium features. I'm gonna do lots of demos along the way. As always, if this is useful, a like, subscribe, comment and share really is appreciated, and hit that bell icon to get notified of new content.

So, Azure Firewall. This is a fully managed, cloud-native firewall appliance. It's designed to protect my virtual network-based resources. Now, it is stateful, so it's understanding, hey, this flow went out, we're expecting this return traffic. It can support availability zones, so I can actually have them distributed for higher resilience, and it's going to auto-scale based on the actual amount of traffic it's handling. So its big focus really is the inspection of the traffic going in and out of my virtual network, but also east-west within my virtual network and between kind of peered virtual networks. Now, with that said, it can be used to actually offer services out to the internet. I'll show this, but really there are better solutions if I'm trying to offer kind of HTTP/HTTPS, those kind of layer 7 things, to something else. We have, for example, Azure App Gateway; that App Gateway with the Web Application Firewall is really just a richer solution when I want to offer services out that are kind of layer 7.
Could I do it with Azure Firewall? Absolutely, and I'll kind of show some of those DNAT rules and where we might use Azure Firewall, but if it's kind of that layer 7, I'm probably going to want to use App Gateway instead. Another important factor to remember when I talk about all of this is traffic is denied by default, so I actually have to go and open this up to allow traffic to flow via the Azure Firewall.

Now, I mentioned already there's kind of two SKUs. So we have kind of the Standard SKU, so that's really where we previously, before, just had Azure Firewall; that's now Azure Firewall Standard. And then we now have this Premium SKU as well, which builds on top of Standard. All of the features in Standard are there in Premium as well, but then it uses kind of more powerful virtual machines to power the actual Azure Firewall, and it adds additional layers of functionality. One thing to bear in mind, it's kind of interesting, especially if you're using this in a demo environment: it is actually possible to kind of stop and start Azure Firewall, either one of these. Now there's kind of PowerShell to do this; I'll have the link in the description below for the video, but if we actually jump over super quick, it's in the FAQ, and it actually shows us the PowerShell to both deallocate and allocate the Azure Firewall. Now, you do have to be super careful with this because, obviously, realize what I'm going to end up doing, I'm going to draw this out, is Azure Firewall will kind of be between all of my different traffic flows, so if I shut it down nothing's going to flow anymore. So while yes, I can stop it and stop paying for it, realize if you do stop it nothing's gonna flow. In the lab environment that might be fine.

Now, when I talk about the pricing, it's really built around two factors. So I can think about, well, I pay kind of this deployment, per deployment hour, and you can see here there's this Standard. This is not updated actually, this pricing calculator; Premium is GA now. This Premium
I think is kind of half the price of what it actually is, so it's showing me, hey, it's a 50% discount right now, but it has gone GA, they just need to update this. I think this will be $1.75 per deployment hour, and then you pay for the data processed. So for every gigabyte processed it's kind of one and a half pennies, essentially. And the reason we get that is because, again, it's gonna auto-scale, so as we think about, hey, more traffic's going through, it's going to auto-scale the actual number of instances to make sure it can actually match the amount of traffic going through. So from a pricing perspective, hey, yes, I'm going to pay for kind of this base configuration, and I pay for the traffic that's actually processed.

So what I want to quickly do is talk about the setup I have, to try and frame how we're actually going to use the Azure Firewall. And my setup is pretty common, except I'm actually spanning regions. Now, typically what you would do for Azure Firewall is I would have a deployment per region, just for performance's sake; I don't really want the latency addition of my traffic going to another region and maybe coming back, so I'm probably going to have a deployment per region. Now if it's small, hey, I may absolutely use an Azure Firewall in another region. But in my deployment right here, I can really think about, I have this kind of hub virtual network. So I have kind of this hub VNet, and mine is this 10.0.0.0/16, so kind of we're focusing on that 10.0 part there. And then what I have is two spoke virtual networks. So I kind of have this spoke over here, which is actually kind of East US, so this is a 10.1.0.0/16,
and then I have another spoke over here which is 10.3.0.0/16. So I have these basically three virtual networks that are in play in this configuration, and in each of these I've kind of got an infrastructure subnet. That's something that's important, because that's where we're going to deal with kind of some of the routing that we're going to apply. And then the way this actually deploys is, well, Azure Firewall is going to get deployed into that hub. Now these are peered, which means traffic can kind of flow between these, but remember, peering is not transitive, so these cannot talk to each other; they don't have a direct peer, and ordinarily there's nothing in here that would facilitate these being able to communicate with each other.

Now, for my Azure Firewall, it deploys into its own subnet. So I can think about drawing kind of its own subnet in here, and that's actually going to be my Azure, so it has a set name, AzureFirewallSubnet, and this needs to be a /26. That gives it enough room to grow as it kind of builds out based on what's happening. I can only have one Azure Firewall per virtual network, but again, multiple virtual networks can share that as a firewall, and I'm going to show that. Now, one point: if you're doing this kind of peering configuration and you want the peers to be able to talk to each other via this, make sure in your peering configuration you allow forwarded traffic, i.e. traffic not originating from the virtual network, because otherwise it won't route. So what do I mean by that? If we quickly jump over, because I wasted about two hours on this, I forgot I changed this setting when I originally set this up. So here I need to go and select the spoke virtual networks. So if I quickly just jump over, and on each of the spokes, so like for example East US, go to the peerings, and this is a peering from, I've got the spoke to the hub. I need to make sure I'm allowing traffic forwarded from the remote virtual network, so it's forwarded from that hub, from possibly other virtual networks. So here
it's saying, hey, allow forwarded traffic from SCUS, which is the hub. I'm not originating from that hub, I'm a different peer into this, so I must have that setting. So that's kind of an important point, or again, various things won't work. You also want to make sure in your configuration that if you have network security groups, they're not conflicting, because those will apply as well. So I'm going to set up rules in my Azure Firewall; if I've got network security groups applying as well, well, if they're blocking traffic but the firewall allows it, it still won't go. Likewise, if I have virtual machines that have a firewall inside the OS, they need to allow that traffic as well. It's very much a cumulative effect.

So Azure Firewall itself is actually built around virtual machine scale sets. So when I deploy the Azure Firewall, what it's actually doing is it's deploying kind of this virtual machine scale set, and that's what actually gives me kind of this auto-scale. So because it's built on VMSS, based on the workload that's happening, it can scale the number of instances accordingly. Now, initially, in terms of the throughput, I think it's built around kind of 2.5 to 3 gigabits per second; that can actually grow to 30 gigabits per second. So that's where the auto-scale can grow, and at 60% utilization of its current number of instances it will do those auto-scales to make sure it can kind of keep up with the utilization. Obviously that takes a few minutes to actually happen. And the way it's actually surfaced is, well, it's using the Azure Load Balancer. So you think about, well, now we don't see any of this, this is kind of hidden from us, but absolutely there's kind of an Azure Load Balancer there. And the important thing we need to know: this has kind of this internal firewall IP, an IP address from the virtual network I've deployed it to, and this is what I need to know time and time again. I need to tell things, hey, go to this IP address over here.

Now, additionally, it's going to have a public IP address as well, and that's what it's actually going to use for kind of NAT configuration. So if I think about, okay, there's also going to be a public IP. Now I'm saying public IP; it can actually be multiple, it can actually be up to 250. So I can really add a lot of public IPs to this, but I can think about, obviously, it's a separate load balancer, but it's all going through these mechanisms, and that's how I'm actually going to go and communicate with it. Now, these instances themselves have a single NIC most of the time. If I do kind of forced tunneling, then it actually deploys a second NIC; I'll actually have a second subnet which it uses for its management traffic, because it still has to be able to get to the control plane to actually function. So if I actually do forced tunneling, I do it at deployment time; there'll be a second subnet as well for the firewall management. So that's kind of a key point. And the reason that single NIC is important, if you watch my highly available NVA talk, it's all about getting that symmetric routing, which is super important for a stateful firewall.

Now, I'm going to show my demos through the portal. I can use ARM templates, I can use PowerShell, I can use the Azure CLI; there's a whole bunch of these that I can do, it's just the portal is more intuitive, it makes it easier for me to actually show it. So I can think about, hey, we have these different mechanisms here. So when I deploy this thing, it's actually a very simple deployment. I have to pre-create this AzureFirewallSubnet, so I create that subnet in my virtual network. I don't want any network security groups on that subnet; it needs to be a /26 minimum size to make sure it can grow. Now, one interesting point: when I deploy the Azure Firewall, I have to deploy it to the same resource group that the virtual network is in. It's just one of those things, it has to be in the same resource group. So I deploy this, and I can show you mine super quickly, just so we can
see what this looks like. So if I looked at my virtual network, we can see in my subnets, hey, I created at the bottom here this AzureFirewallSubnet, a /26, and the only actual kind of connected device thing I would see on that, if I look, is I can actually see the firewall. So that's that internal IP address within that AzureFirewallSubnet. Now if I go and look at my firewall itself, there's actually very little on the firewall. So I can see here, well, I'm a Premium SKU, I've kind of got this configured, it shows me the subnet it's deployed to, I can see its public IP and I can see its firewall private IP. So it's showing me the most kind of important information I need, and then really everything else is set via this kind of firewall policy that we see down here. I actually don't really do anything else at the firewall level other than, and I'll talk about this, hey, I can add additional public IPs, and I want to make sure I set up my diagnostic settings so I'm sending the various logs. Let's go back to that; let's actually edit my settings. I want to make sure I'm setting my logs for my application rules, my network rules, my proxy and my metrics to a Log Analytics workspace. That's going to actually enable me to go and query, see what the traffic is, from Log Analytics, and there's a whole bunch of different kind of queries built in. So make sure you go and turn on those diagnostic settings; it's going to be super, super useful. But that's really it for the firewall, and everything I'm actually going to do is via my policy, and we will actually come back to that.

So this is great, I've deployed the thing. It's not configured yet, I have to go and do the policy, but one important thing to realize is this only works if traffic flows via it. Now, this does not work with something like Route Server today; Route Server is based on BGP, and this does not support BGP today. So I have to go and tell my other subnets, hey, I want you to send your traffic to this IP, that internal IP of the
firewall, as your next hop. Now, the way I've configured it in my environment, I created two route tables. Remember, we use a route table to do user-defined routing. So I can think about, on here I created a route table, and remember a route table is this user-defined routing, and for this subnet, I'm actually going to apply it to this subnet, I want everything, internet-bound, anything, to go to the Azure Firewall. So for that one my route is 0.0.0.0/0, and what am I sending it to? Well, it's a network virtual appliance, so I want my next hop to be of type network virtual appliance, and the IP address would be that IP address of that firewall. So I'm going to put in the IP address of that internal firewall, and then that route table gets applied to the subnet. Now, for my other subnet on this other virtual network, I don't want all traffic to go via the firewall; I only want traffic to go via the firewall if it's trying to get to this IP space. So I create a different route table, create another one, so again it's user-defined routing, and this time it's, hey, if you're trying to get to 10.3, I want you to go to a network virtual appliance, and it's that internal firewall IP, and then I apply it to that subnet. So now what essentially is going to happen is, hey, if I have a machine here and it's trying to talk to anything that basically starts with 10.3, it's going to go via that firewall. So if it's trying to get over here, it knows essentially to go up to that IP, to one of the back-end set members, and essentially we'll go that way. For this subnet, it's just told, hey, everything; so for this one, everything will just always go to that IP address, and it will decide where it goes next. So this is kind of sending all traffic; this is only sending it if it's 10.3 as the destination. So that's how this is configured. So these are route tables to tell it, hey, I want to override the defaults that it learns through peering or whatever gateways; when you're trying to get to here, I actually want you to
take this path, this is my next hop. So if I go and look at this quickly, if in my environment I look at my route tables, you just create these. So for my West Central US, this is where I want everything, so if I look at my routes I just added a default route of 0.0.0.0/0; it's going to a virtual appliance, and the next hop is that 10.0.12.4. Remember, 10.0.12.4 is the internal IP of our firewall, 10.0.12.4. If I look at my other route table, for East US, well, for this one I only want the traffic to go via the firewall if it's trying to get to that other spoke, 10.3.0.0/16: hey, next hop 10.0.12.4. So that's really all it's doing, and once you've applied those, you actually link it to subnets. So that route table links to my East US infra subnet, and then that other route table links to my infra subnet on West Central US. So I've got that override of the routing actually put in place right there. So that is doing all of that configuration to actually make that work. I can actually go and look at this to make sure those routes are actually in action. So if I was to go and look at one of the virtual machines that are actually on one of those virtual networks, so if we actually jump over to our virtual network for a second, or actually look at the VM. So if I look at the virtual machine, and I'll pick just that East US one, we can actually scroll down, and if we look at the networking I can look at its network interface. So I'm actually looking here, this network interface adapter, and if we look at that, if we scroll down, we can look at its effective routes. So I'm looking at this here, and what I'll see is I'll see that route injected in that it's actually getting because of that user-defined route. So we look at all the routes; most of these are built in, but we can see this one added here, this user route, for virtual appliance. So now I can see, okay, yeah, look at that, there's this, hey, if it's going to 10.3.0.0/16 my next hop is 10.0.12.4, that Azure Firewall. So that's the setup. So all of this is
really just about making sure we have the various things deployed, ready to actually do stuff. Okay, so what can I do? Well, the first thing it does is it does provide the routing. So I talked about, normally different spokes can't communicate; the peering relationship is not transitive. I would actually have to create like a mesh, or put an appliance in the hub. Well, you saw I've set up that routing, so for West Central everything goes via the Azure Firewall, for East US anything going to 10.3 goes via the Azure Firewall, and between these two subnets it's going to be symmetric; it's taking the same path in both directions. That's super important, or again, traffic won't flow. My NSGs, although I have NSGs on these subnets, they don't block traffic within the known IP space of either virtual network, so that's not going to be a problem. And so it enables this communication. Now, it only enables the communication that I enable via rules, and I'm going to show you that in a second, but for now I have a rule in place to enable things like ICMP so they can ping. So a super, super simple demo is, if I jump over really quickly, so this is my virtual machine in West Central US, and I'm going to try and ping a VM in that East US. So I'm just going to ping 10.1.0.10, so that's going via that Azure Firewall. Hold on, let me try this one more time; wrong, wrong IP address. There we go, so we can actually see there it's working, so that's going through the Azure Firewall. Now, you notice the latency is quite big. The reason the latency is quite big is, remember what I have configured this as is my virtual networks: this is in West Central, this is in East US, that is in South Central, and again, normally you would deploy the Azure Firewall kind of per region. But even now it's not a huge pain, but just realize that's why you're seeing the latency you're seeing. It's not the Azure Firewall adding that big latency, it's because these are actually going across regions. So make sure you've got that peering
configuration to allow from the remote, non-originating VNet. But now, hey, it's enabling that kind of routing between those different spokes. So that's one thing it's doing, but then what we really care about is it is a firewall. So the whole point of a firewall is, well, I restrict the traffic I'm allowing. Now, before I actually get to the firewall part of the configuration, I do want to kind of stress this concept we have; we have this concept called IP Groups, and as the name suggests, an IP Group lets me just add IP ranges to this IP Group. And what that lets me do is, I'm essentially defining these IP Groups and then I can use them in all of the different types of rules I'm going to show you. So rather than having to define the IP addresses multiple times in all these different rules, I go and create this IP Group. I create lots of different IP Groups with the sets of IP ranges that belong to that group, and then it makes it much easier; I'm essentially managing the IP Groups, and I'm going to use them in all of the rules. So if I was to jump over again for a second, you just go and search for IP Groups, and see, I've created two. One is home base, so that's kind of IP addresses that are for the locations I use, and the reason that's useful is that in my rules I can say, hey, only if the traffic is coming from what is my public-facing IP. And I create another one for the main US kind of VNet IP space, so in here I just add the IP addresses that I want to be able to kind of talk to each other and use actually through this Azure Firewall configuration. So that's my goal of having this.

So once we've got that concept, so we understand, okay, IP Groups, great, I now have to configure my Azure Firewall. So we've deployed this Azure Firewall, we have this nice Azure Firewall deployed, I have to tell it its whole configuration. So we have this AZ Firewall. Now, originally with Azure Firewall, there were two different ways I could actually do that configuration: there are kind of these classic rules where I
actually define the rules on the firewall itself, or there are these new firewall policies. The firewall policy is its own object, and the great thing about a policy is, hey, I'm going to create this policy, and that policy I can apply to n number of firewalls. So I could think about, yes, I create this policy once, like this one policy, and I can have multiple policies, different configurations, but I can apply it to n Azure Firewalls. So I could have, hey, I've got another Azure Firewall up here; I could apply that same policy to that one as well. So it simplifies all of my configuration. Now, Azure Firewall Standard, it can use either one. Now, I still recommend you would use the policy, but if we jump over for a second, and if we were going to create a brand new firewall, what you'll notice is it gives me the option of, hey, if I'm Standard here, do you want to use firewall policy or use firewall rules to manage this? If I change it to Premium, I don't have that option; I can only use firewall policy if I'm using Premium. So that's kind of this key point, and that's the direction going forward.

Now, one thing I would say is, with the actual firewall policies there's a billing implication for it. If I have a policy and I link it to more than one Azure Firewall, then it becomes this billable object. If I create a policy and it's only linked to zero or one, I don't pay for it. So there is a pricing implication of policies. If I go and look at the pricing page, we can actually see it spells this out. So it becomes this Azure Firewall Manager policy, it's $100 per policy per region, but that pricing only kicks in if it's more than one. So notice it spells this out: no Azure Firewall Manager policy charges will be done for policies that are associated to a single firewall. And it even has a little picture here telling you when you would pay for it, so child policy 2 is only applied to a single firewall, there is no charge for that one, but these other policies that are applied to multiple, hey, you're going
to pay those $100 per policy per region where it's actually used. So just be aware there is a billing implication of the policies, but if it's only used by one firewall, there's no pricing for that. Now, I am going to focus on the policy; again, I'm focused on Premium, that's my deployment, and so with that I have to use firewall policies.

Okay, so what is this policy? So the policy is actually made up of a number of logical components. Those logical components are really there to help me organize the different rules I'm going to create. Now, there are three different types of rule: there's a DNAT rule, there is a network rule, and there is an application rule. I'm going to go into each of them. Now, at the top level of the policy, I can have one or more rule collection groups, and again, I can have another one, so I can have another rule collection group, etc. Within the rule collection group I have rule collections. Now, the rule collection is of a specific type, so that is going to be DNAT, network or application, and then it's made up of rules of that particular type. Then I could have a different rule collection, again of a certain type. The rule collection group can have a mixture of types; it's not set to any particular type. Then all of that could then repeat in the next one. So if we quickly go and look, just so you can see this, so remember this is not part of the firewall, this is part of the firewall policy. So if I go and look at my firewall policies, here's my policy, we can see, hey, I have my rule collections. Now, the first thing is actually you can have a parent policy. So I might have a core set of rules that I want to apply everywhere, so what I can do is I can create that policy, and then child policies can specify that parent policy, whose settings they will inherit. They will be processed first, so they will take kind of preference over policies I create in this child policy. Note that parent policy is therefore being used when I apply this child policy, i.e. I will pay for that parent policy with
whatever regions I'm actually using it in. Then I have my rule collections. As you can see here, I've got three different rule collection groups. These are actually built in, so it has a default network, application and DNAT one; again, those can contain anything. If I add a new rule collection group, it just wants a name. Now notice it wants a priority as well. So the whole point here is, as I'm creating these, for rule collection groups and rule collections I actually give them a priority, and that priority is between a hundred and, is it sixty-five thousand? So you have a big range. The lower the number, the higher the priority, so obviously 100 is kind of the highest. You probably won't use that, because then I've got no flexibility in the future; maybe I'd start at a thousand or something. So that has a priority, this has a priority, this has a priority, this new one would have a priority, etc. The rules themselves do not have priorities; they just get used as part of the priority of their parent object. And so the way that is used is, hey, the rule collection group with the highest priority, i.e. the lowest number, is processed first. Within that first rule collection group, the rule collection with the highest priority is processed, then the next rule collection in terms of priority, and so on. Once they're all processed, then it goes to the next rule collection group. Now, there is an exception to this in terms of the actual rule types, which I'm going to get to in a second, but for now think of those priorities as, hey, if I have these groups, that's how I can determine which group is actually applied first. So that's kind of the key point around those objects. So if we jump back again, so a rule collection group is just a name and a certain priority, whereas a rule collection, well, this actually has a type, so I can only add rules of the type of the rule collection; once again I add a priority, and then I can add individual rules actually to it. So that's kind of those fundamentals about those organizational
structures. So I'm going to create a policy, I create rule collection groups if I don't want to use the default ones, then the rule collections, and I create rules within there. Now, I talked about there were kind of the three rule types, so each of those is of one of three. So if I talk about the rule types, and this is actually important in terms of the processing, because the first rule type to get processed is DNAT. So regardless of the actual priorities in here, DNAT rules get processed first. Now, whichever one is the highest-priority DNAT rule gets processed; we'll process all of the DNAT rules first. So all of the DNAT rules will get processed in this order, so the highest rule collection group, then the highest rule collection, all of the DNAT rules. Once all of the DNAT rules are processed, then, and only after they're all processed, will it then go and process the network rules. So once again it goes and pulls out all of the network rules in the order of the rule collection group, then of the rule collections, and applies all of them. Lastly, only after they're processed will it then go and apply the application rules, again in the order of the rule collection group and the rule collections. That's important, because if I go and create a whole bunch of application rules with a granular, hey, this fully qualified domain name, this category, etc., then I add some network rule that says allow everything, my application rules will never get used, because the traffic is just allowed in because of the network rule. So just be aware those things are actually applying. And that's going to kick in also before these network and application rules: threat intelligence, so that feature, would run first. So if my threat intelligence detects and blocks a set of traffic, these won't get called; they can't override the threat intelligence. So when I think about the functionality, if I go and look at my firewall, notice I have this option for threat intelligence. Now, I can run this in different modes. So threat intelligence is based on known
malicious IP addresses and their domains. It's powered by the Intelligent Security Graph that's part of Microsoft security, and what I basically do is I say, hey, look, what is my mode? So where's my threat intelligence mode; I've got it to alert and deny, so it'll actually block that traffic if it's high confidence. Now, I could just say alert only, or I could disable that check, but this is going to run before those network or application rules. Now, I can override this in terms of the threat intelligence policy; I could say, hey, do not filter traffic to these IP addresses, these ranges, these subnets or these particular fully qualified domain names. So I do have that option for the various configurations.

Let's actually go back and think about these various types of rules and where we're actually using this. Let's think about my NAT rules first. So my NAT rule is all based around, hey, these public IP addresses, and when I think about that NAT, what's actually happening is that public IP can really do two different things. So one of them is, hey, I've got things coming in, so that is DNAT. I am coming into one of my public IPs, and I then want to map that to something on the back end; maybe I'm mapping it to RDP on a certain virtual machine. So for the DNAT rule, what we're actually having over here is, my configuration is built around, well, where is that request coming from? So I think, okay, well, what is my source kind of IP, where am I coming from? So it could be an IP or it could be an IP Group; remember, for all of these things, I can use IP Groups. And then what I'm going to map is, hey, which public IP of the firewall is it talking to, and port, and then I want to map it to, what am I going to map it to, a certain private IP and port. So it's just mapping it through. So if I was to go and look at my rules over here, and these are very simple, if I go and look at my DNAT rules, I've got two kind of configured here. I only have one public IP, and if I go and look at the rule, it's a rule name. So my source type
is from an IP Group, but again, that also could have been an IP address. So mine is home base, so if the traffic is coming from the IP addresses in that IP Group, i.e. my home, where I work from, public IP addresses, I'm trying to go to this destination IP, so that IP address is the public IP address of my Azure Firewall. If my Azure Firewall had multiple public IP addresses, I could distinguish on which one, so I could have different rules depending on which public IP address I was actually going to. It's TCP, I'm using, hey, 13389, and I want to translate it, notice it could be an IP address or fully qualified domain name, to this IP address on my internal network, to 3389, i.e. RDP. I have a second rule which is basically exactly the same, same public IP address of the Azure Firewall, slightly different port, and that's mapped to a different IP address on my private network. So it lets me get to different virtual machines within my environment by going to different ports when I RDP to it. So really all DNAT is doing is that very simple, hey, you're coming into this IP address, I'll send you to that one. So that's really the whole point of that. So that's DNAT: hey, stuff coming in, go to here.

Now, the other big important thing that obviously it's doing is, hey, I'm trying to actually go outbound to the internet. So that's SNAT, source network address translation. So here it's using those public IPs and some of the ports to establish the connections actually going outbound. Now, it does not SNAT the traffic if it's going to an RFC 1918 address block, those internally reserved ones. I can change that configuration, so as part of my Azure Firewall policy, if I go and actually look at private IP ranges, notice by default it's going to perform SNAT for all IP address ranges except RFC 1918. But if I wanted to, I could override that; I could say, hey, I want to do it for specific IP address ranges by unselecting that, and I could specify, hey, don't SNAT, maybe I use a different IP range internally, so I want to not SNAT for those
as well. So I do have configuration over that SNAT behavior. Now obviously one of the challenges with SNAT is it uses up a port for every unique connection. I can actually go to my monitoring: if I go and look at the Azure Firewall itself and look at its metrics, it does give me a metric of SNAT port utilization, and you can see I'm basically doing nothing; I have a single machine really doing anything to the internet with this, so I'm really not struggling. But realize if you have a lot of machines using this it's going to be using those ports. Now I can add multiple public IPs if I'm getting to that SNAT exhaustion; I can keep adding more public IPs, up to 250. That's why we can add multiple ones, to handle SNAT scale and also for DNAT, so I can have more incoming directions. If you are very large scale, another option would actually be deploying NAT Gateway. NAT Gateway is that service designed to SNAT the traffic going outbound, and it's just more efficient with the public IPs, so if I do have this very large scale SNAT requirement you could consider deploying NAT Gateway, link that NAT Gateway to the Azure Firewall subnet, and then it will use that for the NAT without any other configuration; that would just work. So realize there is an option there as well.

Okay, so that's DNAT, those kinds of rules we have there. The next type are the network rules. Remember I had to have the network rule to enable these to be able to ping, because the default is to just deny it. Now a network rule is always going to seem very familiar, because the network rule is really just based around the standard five-tuple, so any time you do a lot of configuration of network security groups it uses the same kind of thing. It's really based around hey, where is it coming from, so I have this source IP and port, we have this protocol, and then we have this destination. Now again I'm writing IP, but it can be an IP group; the destination can be
an IP group, but there are also some other special things I can do here. I could also do a fully qualified domain name; I can also do a service tag. Now realize this is really just network layer 4: if I use a fully qualified domain name it's really just resolving that to an IP address, so if I have different fully qualified domain names for the same IP it's not going to do anything special based on that. Service tags, remember, are what we use in network security groups; I have a service tag that represents a certain Azure service and all those public-facing IP addresses, maybe it's global, maybe it's for a certain region. So this is a fairly standard set of configuration. If we jump over and look, so I can jump back, look at my policy, look at my network rules, I created two. The first one you've got here is called ping, and let's just look at the rule. We can see hey, it's a name, my source is an IP group, and that's my main VNet IP space; that was those three different CIDR ranges of 10.0, 10.1 and 10.3, /16.
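As an added illustration of the DNAT, SNAT and network-rule behaviour described above (example code written for this page, not from the video or from Microsoft), here is a small Python model of how the rule collections are evaluated: DNAT collections first, then network collections, each in ascending priority order, first match wins, and Deny when nothing matches. The IP group names, the firewall public IP, the VM addresses and the rule names are all constructed; the `snat_needed` helper reproduces the default RFC 1918 exclusion and the policy's "private IP ranges" override. The model generalizes slightly beyond the video by including a Deny network collection that outranks a broader Allow, which is the priority point the video mentions.

```python
# Toy model of Azure Firewall rule processing: DNAT rule collections, then network rule
# collections, then application rules, each by ascending priority, first match wins,
# and Deny as the default action. Illustrative only, not Azure Firewall's implementation.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed IP groups standing in for the "HomeBase" and main-VNet groups in the video.
IP_GROUPS = {
    "HomeBase": ["203.0.113.10/32"],   # documentation range, stands in for the home public IP
    "MainVNetIPSpace": ["10.0.0.0/16", "10.1.0.0/16", "10.3.0.0/16"],
}
FW_PUBLIC_IP = "198.51.100.5"          # constructed firewall public IP

# Default SNAT exclusion is RFC 1918; the policy's "private IP ranges" setting overrides it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def private_ranges(*cidrs):
    """Build the list a custom 'private IP ranges' setting would hold."""
    return [ipaddress.ip_network(c) for c in cidrs]


def _expand(ref: str):
    """An IP group name or a literal address/CIDR -> list of ip_network objects."""
    return [ipaddress.ip_network(c, strict=False) for c in IP_GROUPS.get(ref, [ref])]


def _contains(refs, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for ref in refs for net in _expand(ref))


@dataclass
class Rule:
    name: str
    protocols: tuple                    # e.g. ("TCP",) or ("ICMP",)
    sources: list                       # IP group names or CIDRs
    destinations: list                  # IP group names or CIDRs
    ports: tuple = ("*",)               # destination ports, "*" means any
    translated: Optional[tuple] = None  # (address, port) for DNAT rules only

    def matches(self, proto, src, dst, port) -> bool:
        return (proto in self.protocols
                and _contains(self.sources, src)
                and _contains(self.destinations, dst)
                and ("*" in self.ports or port in self.ports))


@dataclass
class RuleCollection:
    name: str
    kind: str       # "dnat", "network" or "application"
    priority: int   # lower number is evaluated first, within its kind
    action: str     # "Dnat", "Allow" or "Deny"
    rules: list = field(default_factory=list)


KIND_ORDER = {"dnat": 0, "network": 1, "application": 2}


def evaluate_flow(collections, proto, src, dst, port):
    """Return (action, collection, rule, translated) for the first matching rule."""
    for rc in sorted(collections, key=lambda c: (KIND_ORDER[c.kind], c.priority)):
        for rule in rc.rules:
            if rule.matches(proto, src, dst, port):
                return rc.action, rc.name, rule.name, rule.translated
    return "Deny", None, None, None     # nothing matched: default action


def snat_needed(dst: str, private_ranges=RFC1918) -> bool:
    """Outbound traffic is SNATed unless the destination is in a configured private range."""
    ip = ipaddress.ip_address(dst)
    return not any(ip in net for net in private_ranges)


# A constructed policy modelled on the one shown in the video.
POLICY = [
    RuleCollection("inbound-rdp", "dnat", 100, "Dnat", [
        Rule("rdp-vm1", ("TCP",), ["HomeBase"], [FW_PUBLIC_IP], (13389,), ("10.0.0.4", 3389)),
        Rule("rdp-vm2", ("TCP",), ["HomeBase"], [FW_PUBLIC_IP], (13390,), ("10.1.0.4", 3389)),
    ]),
    # A Deny collection with a lower priority number beats the broader Allow below it.
    RuleCollection("protect-mgmt", "network", 100, "Deny", [
        Rule("no-rdp-to-mgmt", ("TCP",), ["MainVNetIPSpace"], ["10.3.0.0/24"], (3389,)),
    ]),
    RuleCollection("basic-allow", "network", 200, "Allow", [
        Rule("ping", ("ICMP",), ["MainVNetIPSpace"], ["MainVNetIPSpace"]),
        Rule("rdp", ("TCP",), ["MainVNetIPSpace"], ["MainVNetIPSpace"], (3389,)),
    ]),
]

if __name__ == "__main__":
    print(evaluate_flow(POLICY, "TCP", "203.0.113.10", FW_PUBLIC_IP, 13389))
    print(evaluate_flow(POLICY, "ICMP", "10.0.0.4", "10.1.0.8", 0))
    print(evaluate_flow(POLICY, "TCP", "10.0.0.4", "10.3.0.9", 3389))
    print(snat_needed("13.84.211.61"), snat_needed("10.1.0.8"))
```

The point to take from running it: the same RDP flow between two VNet ranges is allowed or denied purely by the priority numbers of the two network collections, and a flow no rule mentions at all comes back as Deny, so every allow has to be written explicitly.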
So basically any of my known IP spaces, and you can see my options are IP address or IP group; for the destination it's going to an IP address, an IP group, a fully qualified domain name or a service tag. So mine is hey, it's basically coming from or going to my known space, the protocol is ICMP, any port, allow it. So this is me adding those allows; again it's denied by default, so I'm going in and adding where I actually want to allow these things. So that was that one, and then I added another one which was the same sets of IPs but 3389. But if I was to add another rule, notice in my destinations if I picked service tag here I would see all those different service tags for the different resource types and services in Azure, and then I'll see, for App Service, the different regional ones, so I can control those different types of service based on the regions. So we have those capabilities as well just in there. And that's network rules; again nothing particularly exciting about those, it's really just built off of those five-tuples, but we have to go and add them. Now you can also see these again if I just look at my rule collections; if I just selected one of those, so hey, let's just go and look at my basic rule collection again, it's showing them just in here, so it's very easy to go and see those. And that is for the rule collection: you do have an action, so these are all allows. I could add a rule collection as well where maybe I've added a bunch of allows but I have some more specific ones that I don't want to allow, so I could go and add a deny as well, making sure I get the priorities right so those take effect.

So the last one are application rules. The application ones actually understand a higher level; hey, we're doing these for example at layer 7, we're accessing URLs for example. So this is actually fully qualified domain name for my HTTP, HTTPS, SQL, and I don't have to do TLS inspection to be able to use the fully qualified domain name. What
it's actually going to use is that server name indication. So the way this works is once again my source, hey, IP, that source IP, IP group, as my configuration, and then hey, where is it going to. So here I can specify a fully qualified domain name; if it's Premium, but only Premium, I could also specify a URL, so that's a Premium-only feature. And just to be super clear, what's the difference? So a fully qualified domain name could be www.savilltech.com; that is the fully qualified domain name. The difference with the URL is there's https:// and then it could be /page/something, so that's a URL. So really the big difference with the URL is now I can make different decisions based on actually what I'm accessing at that site. If I'm just doing fully qualified domain name all I know is the name; server name indication even with TLS will tell me what the fully qualified domain name was, but I can't distinguish on the different types of content I'm accessing at that site, whereas with URL filtering I can actually look at the entire URL, and with Premium (it's a Premium feature) even if it's encrypted, if I've got TLS inspection, I can still distinguish based on those. I'm going to show that; that's a really cool feature. So that's the difference: the fully qualified domain name is in the URL, but the URL has extra stuff as well. So my application rule can be a fully qualified domain name, a URL; we also have these FQDN tags. FQDN tags are created by Microsoft; they're for some of the well-known names for Microsoft services like Windows Update. If we go and look at the documentation for a second we can see I can't add to these, but it shows the current tags, so there's Windows Update, Windows Diagnostics, and you can see these ones are included, so I could add these as part of my rules. And then finally what we get as well is we can actually have categories, so we have this idea of this web category. Now Premium adds to this, so there's a basic functionality
and then Premium, because Premium can work off the URL, also adds the URL part to the web category as well if you are Premium, so it does build on that. So this is where, hey, there's this feed of information saying hey, this site is a news site, this is a search site, this is a gambling site, and then I can make my decisions based on those instead. And again with Premium, even if it's HTTPS, i.e. a TLS encrypted connection, it can still see the URL, so we can still categorize based on the full URL and use that. So these are actually very, very cool. Now I don't have to do any special configuration on the clients for the application filtering; this is not a proxy that I configure in the browser or anything. Remember my next hop is set to the NVA, so all of my traffic goes here, so when I'm accessing a website it's going to this Azure Firewall anyway; I don't have to do something in my browser to say hey, go via this service, all of my traffic is going via that service anyway. In fact we can see that. Remember the Azure Firewall has a public IP, so if I jump over for a second to my Azure Firewall, it has this public IP and I can see it's 13.84.211.61. Now if I jump over to my virtual machine and go to whatismyip.com, hopefully this works, there we go, my public IP is 13.84.211.61. Well, that should look very familiar: 13.84.211.61. So all of my traffic is being SNATed by that Azure Firewall; I can actually see that is happening. So then I can obviously have those application rules; my traffic is flowing via it. So if I go back and look at my policy I now have my application rules; remember these are processed last, and I have a number of different rules in here. So if we look at this one first, this rule is based on URL; you can see here my dropdown, I've got fully qualified domain name, tags, categories and URL, so this one is only allowing this particular URL, and I am using TLS inspection, so even if it's an
encrypted connection I'm only going to be able to access that particular site. This rule, hey, I'm using FQDN tags, and these are built in: I'm allowing Windows Diagnostics and Windows Update. This rule is based on web categories, and I've enabled, what have I enabled here, I know it's general, and search engines and computers & technology and entertainment, but I'm not allowing for example news. That's kind of important; remember that I don't allow news, don't want anyone to know, ignore those things. So those are the rules I have in place. Now again I'm mixing Premium functionality in here, because when I'm looking at that TLS inspection, I'm using the URL, that's a Premium feature; I could not do URL if this was just a Standard rule. But I have these in place and I'm going to demo all these in a second, actually seeing how this works, how it works with the TLS inspection, really making sure all of those things are actually working, because again that's a feature of Premium, so I'm going to focus on that in a second. But that's the basic construct of what we have.

Now you might notice here we have this DNS option. Well, firstly I could make it use a different set of DNS servers for the Azure Firewall; it doesn't have to use the Azure-provided DNS, I could point it to other DNS servers. But I can also then enable it to be a DNS proxy. Now you might wonder why would I want Azure Firewall to be a DNS proxy. Well, realize some of those rules are based on fully qualified domain names, so I can use the FQDNs as part of those rules. Well, that fully qualified domain name maps to an IP address which Azure Firewall resolves, so it's going to resolve to a certain IP, but if I have a client using a different DNS service and it resolves that same fully qualified domain name to a different IP address, the rule is not going to apply the same way. I don't want inconsistencies between my DNS, so by turning on that DNS proxy I can make sure the clients are going to get
resolved the same way as Azure Firewall, to make sure I get a consistent resolution, to make sure I get a consistent rule application. It also might be useful if maybe I had clients outside of Azure that can't directly point to the Azure private DNS zones; well, the Azure Firewall can, because it's in Azure, so I could point other things to the Azure Firewall's proxy DNS so they could then access Azure private DNS zones. So all of that configuration was all via this policy; I have those different rule types, I've configured them.

It's probably worth talking about Firewall Manager just very quickly. Firewall Manager is all about giving me this central point for the management of my firewall environment. Those policies, remember I don't pay for them if it's only linked to one Azure Firewall, but I can go and actually see the overall configuration of my environment. So if I go and look at Firewall Manager, firstly it's giving me how you should go and create Azure Firewall policies and then add them to virtual hubs or virtual networks. For a virtual hub you're really thinking about things like Azure Virtual WAN, so I can secure that using Azure Firewall. So I look at my virtual hubs; I've got Route Server, so it's going to see that as that kind of hub, and it's saying hey, you don't have a firewall deployed here. If I look at my virtual networks it sees all the virtual networks and it's smart enough to say hey, look, this virtual network at the bottom, yes, you have Azure Firewall; these others, hey, you don't have a firewall but you're peered to a network that does, i.e. hey, you're in a good position from that configuration. So essentially I can quickly go and see hey, I've got my environment, I could go ahead and create a new secured virtual network from this menu, I can see all of my different policies that I have and actually drill down and edit them directly from here. So Firewall Manager is really about giving me that central point for the configuration, but again
remember as soon as I apply a policy to more than one firewall then I start paying for it.

Okay, so now I want to get to the fun part. That was basic functionality, and it's cool, it's functionality I need; let's talk about Premium. So what does Premium do? It is the same code base as Standard; I talked about this already, it's built on top of Standard. It is a more powerful VM SKU, so those VMs, I think with Standard it's a D-type, maybe a Dv2; this moves to an Fsv2 series for the Premium SKU. Again it only works with firewall policy; I cannot use classic rules. And there are a whole bunch of different features. Now I can move from Standard to Premium; basically, if you think about it, most of the configuration is in the policy, so I don't have to worry about all of the rules as such, but there are things like the public IP addresses, maybe UDRs. So what I would do is I would export the configuration of my Standard, create my Premium, and then bring that configuration in.

So let's talk about the features. Remember there were some limitations: TLS encryption is always painful for something that's trying to be in the middle. So if I am here trying to talk to something over here, I can't see TLS traffic, because remember the whole point of TLS. If we think about what it's doing: I have some server, this is something I'm talking to, and then I have my client. The way TLS works is that server has a certificate. Now the whole point of that certificate, let's say this is Bing, so this is www.bing.com, and it has a private part of that and there's a public part; obviously the public part everyone knows about. So what happens is when a client wants to talk to a server it resolves the DNS name to an IP address, it establishes a TCP connection, and then it establishes a TLS session. So it establishes this TLS, and it basically works by hey, this public certificate, this is asymmetric encryption, which is not very good for bulk amounts of traffic, but it uses this to actually establish an
encrypted session where it can share a session key, which is a symmetric key. So it uses this to securely create this symmetric key and share it, and it's doing this because hey, I know your public key, so I can send you some information so we arrive at the same symmetric key that we'll then use for that session. So it's all based around this public key, and only after it establishes that TLS session does it actually start to send things like URLs. So I cannot even see the URL, that path that gets sent; I can't see that, we don't send that until we have the TLS, and then we send the request over the TLS connection. So if I have this TLS, if I try and put Azure Firewall in the middle and say hey, I want you to look at all the traffic, how can it do that? I have no way of looking inside that encrypted connection; I don't know what the symmetric key is; I cannot look inside that. So what we have to do is, Azure Firewall Premium can actually do TLS inspection. So we have this TLS inspection, and the way it works is it becomes a man in the middle. But to be able to work it has to be able to see the traffic, and again we've already established it can't in this normal natural order of things. So what we do instead is this gets in the middle of all of the communication, which it already is: remember we have that user-defined route, all of the traffic flows via the Azure Firewall, and I don't have anything special, the UDR, it goes via this, and so it's in the middle of the communication; it sits in the middle even of that initial communication path. What we're going to do is the Azure Firewall is going to act as the gateway, this man in the middle. What actually happens is when we establish this TLS session, using these different certificates, it's going to get in the middle of that whole process. Now to make that work, think about this is all PKI, public key infrastructure. Now probably for your company you have some kind of enterprise PKI; that enterprise PKI has a root signing cert, like this root CA,
which is on the client. You have a whole list of trusted roots; there's a whole bunch like VeriSign, and there's some Microsoft ones in there, a whole bunch of them; your enterprise root CA is probably in that trusted list as well. You have that there already. What we need to do is we need to give the ability for Azure Firewall to generate certificates that the client will trust, and you'll see why in a second. So what we're going to do is I want a subordinate certificate authority certificate to be created, so the enterprise is going to issue a subordinate CA certificate. Now in Azure we have Azure Key Vault; this is this secure place for keys and secrets and certificates, so we have Azure Key Vault and we're going to store that in there. So we create the subordinate CA, we're going to store that in the Azure Key Vault; remember that's made up of this public and private part. The Azure Firewall is now going to be given permission to use it, and this is via a user-assigned managed identity. So we're going to give the Azure Firewall this user-assigned managed identity, and we're going to give that managed identity the permission to operate on that certificate we're bringing in there. So now it can actually generate certificates for any name, because it was issued by that enterprise root that I trust; when this creates a certificate chain for the certs it generates, my client will trust that certificate because I trust the root. It's like me saying hey, you trust me, and I say Tim is trustworthy, so then things Tim tells you, you trust; it's that kind of chain of trust. So now what happens is when my client tries to access bing.com, two sessions get established. So the Azure Firewall, using the bing.com public cert, it's like okay, I'll establish a TLS session and that symmetric session key with you. It will then generate its own certificate for www.bing.com, so there's the public part there, and then obviously it has the private part, accessed via the Key Vault, so there's another TLS session here, and
it used this public key to establish it. So now what does that mean? The traffic is encrypted, but Azure Firewall can decrypt it, look at it, and then encrypt it again to go to the destination. I can now actually look inside of that. There's a whole bunch of different configuration; the documentation is great, it goes through it step by step, but to really just summarize, if I look at my policy you can see I've got TLS inspection, and what you can see here is it's using a certain managed identity. So I created the managed identity and I assigned it to this Azure Firewall policy. I have that certificate which I stored in my particular Key Vault, and I gave that managed identity permission to that certificate. Now again that certificate, for a second, is generated from my PKI, so if I go and look super quick, I have my enterprise CA; you just go and request a certificate, advanced certificate request, and my type would be this subordinate certification authority. Make sure you do at least 4096 for your key length; it's an important part. And if you're having problems with this, make sure you have permission to enroll, so if I look at my certificate authority templates, make sure when you actually look at the properties... it didn't work for me to be part of the group, I had to actually add myself directly to have the permissions. So I'd actually go and give myself the permission to enroll, write and read; so if I look at me I can see hey, read, write, enroll. So you have to actually go and create the subordinate cert; once you go and request and create that, you then export it out from the browser with the private key. You can actually go and look at my content; you can see I created a number of different certificates, but there was my 4096 one. You just export that out and then bring it into Key Vault, so then that's there, and I can see all the different issued certificates I have. Now the key point is on the client, that's the important part; remember it has to trust it, so
if I look at the certificates snap-in on my client, my local machine, you have this trusted root certification authorities, and it's part of my domain, so you can see here my enterprise signing cert is trusted by it, along with GlobalSign and DigiCert and all the others. It trusts any certificate issued as part of my chain. So let's prove the point. If I go to bing.com, actually making sure I'm doing HTTPS, which it will default to anyway, but let's just play this out, bing.com, okay, it's encrypted, you'd expect that. Let's click the little padlock icon for a second. So interesting, right? That's kind of weird that this cert authority has identified the site. If I view the cert, it was issued by Azure Firewall, remember it's in the middle. If I look at my certification path, yep, so there's my enterprise root CA, which issued a subordinate for Azure Firewall Manager CA; then Azure Firewall Manager CA created a cert for bing.com. So because my client trusts that, it can issue the cert and I can get to it. So this is probably the most amount of setup you actually have to do for any of the different functionalities, but once you've done that I am now looking inside even TLS encrypted traffic; that's the super powerful part. Now within certain rules, like my application rules, my IDPS, I can say hey, do TLS inspection, so even for various types of traffic go and look inside it. Now this is going to work for traffic east-west, so east-west is between things in our Azure virtual network; it's going to work for things going outbound, out of the firewall out to the internet. For inbound from the internet it can do it if it partners with App Gateway, so you would deploy App Gateway, and then remember App Gateway sits in its own subnet, so the traffic from App Gateway then just looks like east-west. App Gateway can then actually do that decryption and forward it on unencrypted, or App Gateway could even re-encrypt it, but it will be a cert I know, so I could do that
TLS inspection as well. So for inbound inspection we'd need to partner with App Gateway to actually enable me to do that, but once I've got that I can now look inside all of that encrypted traffic, and I'll show that in some of the configurations.

Now the first thing beyond that: so let's say we've got this set up, and again that's the most setup you're going to have to do for Azure Firewall, to get that part working, but once you do, hey, I can now check a box and say look inside the traffic, and you saw hey, my Bing access or anything else is now using certs from my Azure Firewall. So now my Azure Firewall can look at all of the traffic; it can look at URLs, it can look at the content, the headers, everything. So that gets me onto the next feature of Azure Firewall Premium: that is the intrusion detection and prevention system, IDPS. This works for plain text and encrypted text, and it's based on signatures, and there's a daily feed; I think it's about 35,000 of these different signatures today, and if the traffic matches it can alert you, or alert and block. So if I go and look at my IDPS, hey, my mode: disabled, alert, or alert and deny. I could override it, so I could actually add signature rules: for a certain ID I could say hey, disable it, do not check this one, or I want to do something different from the others. Or I could say hey, for a certain name, I actually want to bypass this, so do not filter any traffic to any of these particular ranges that I'm configuring here. So I can override if I need to. But that IDPS, obviously it's stateless; this is not looking for any kind of ongoing communications. It has a signature base that matches based on the payload of the packet or the header of the packet, like SolarWinds for example; SolarWinds had a specific signature that could have been blocked, and if I'm sending headers that have the malicious part I can block that. So the IDPS, there's a whole set of functionality there, again plain and encrypted. The next
feature of Premium is actually URL filtering. So Standard, remember, could do fully qualified domain names, and it could do that because even though I have that encrypted connection, as part of that initial client hello it can send this server name indication, SNI, this extra bit of info, so at least I know what name you are actually talking to, so I could do rules on that. But Premium adds the full URL; I can actually make decisions on that full URL even if it's HTTPS, because I can do that decryption. It can support wildcards, and it's something I can actually do as part of the application rule. So let's see one of these. What I have over here, if I look at my application rules, I'm going to have this ironbrit events rule. If we look at the rule, what I've configured here is it's a URL, so we can see that right here: I'm only allowing the ironbrit.com Ironman events completed URL, and I want to do TLS inspection, so it's https 443. So I'm very specific here; it's not just the site, it's actually only a specific part of the URL. So if I jump over to my client and type in that URL, https, it works. Fantastic. Okay, if I try and go to the main site it doesn't work, because I have no rule; it's understanding the URL, it's not just a fully qualified domain name. Even though it's encrypted it can actually go and see the full URL, because it's sitting in the middle, and it's saying action deny, there is no rule. And again if we went and looked at the cert we'd see hey, it was actually issued by that Azure Firewall; that's how it can actually go and see the URL that is sent over the encrypted TLS. So that's very powerful, that I can do that URL filtering just as part of that. Now I could even go and look at the logs. Now it takes a couple of minutes for logs to get to the firewall; if I go and look at my firewall for a second, remember I've got the diagnostic settings turned on, so if I look at my logs there are a number built in, but what I have pre-ready here is I'm looking at my Azure
Firewall application rule log type, I'm looking for whether it contains ironbrit, and if I run this it's showing me a bunch of different entries, and here are the ones we can see just running right now, these two; I think it's just coming in right now. But we look at it, we can actually see all the detail, so we can see this HTTP request coming from a certain IP, the ironbrit URL, the Ironman events completed, and if we keep scrolling, action allow; it actually shows us hey, look, here's the actual policy, everything. I can see all of that just working. If we keep going, again it takes a couple of minutes to see, this one is probably part of that same one, oh, so here's the deny, perfect. This one, hey, the URL is just ironbrit: deny, no rule matched, proceeding with default action. So here you can see the actual URL filtering happening; it's understanding that and actually blocking it. So that's part of that feature; that's using yes, the TLS inspection, but also the Premium feature of URL filtering.

So the next part is web categories. Now again, for the web categories it's a constant feed that gets updated daily, but this understands the URL as well with Premium, and again it can actually look inside that TLS encrypted session. So let's take a look at the web categories one. Here I'm going to jump over, look at the Premium, that's right, the policy again, and we can see my application rule; I've got these allowed sites, and we can see my web categories I've got selected, and I turned on some of them. So I've got computers, entertainment, not news, search engines I'm allowing, and I've got this TLS, turned it off accidentally, and I've got that TLS inspection turned on as well. So let's see that in action. What I would expect is on my little site over here, if I go to google.com that works, it's a search site; if I go to cnn.com, no, no, it won't let me do that; what about if I go to Google News? It won't let me go to it, so it's using the TLS inspection, then it's using the URL as part of the
categorization, so it's not just the name; the categorization feature uses the URL as well. So when I try to go to Google News it's denying it, because there's no rule allowing that through; my rule only allows search, it does not allow news sites. So I can now see hey, that web categorization is actually treating that super differently. And I mean, just while I'm here, I showed you some of the logging already, but there are a whole bunch of different monitoring capabilities. If I go and look at the logs, there are different queries available to me for the firewall, so there's firewall audit, firewall blocked requests, there are firewall logs, application rule log data, DNS proxy data, network rule log data, threat intelligence rule log data; there's a whole bunch of these just built in for you. You can run these and it will show me the detail; well, I'm actually in the wrong query, but they're all built in, available for you, that I can leverage. Let me jump back out for a second, let me jump over here; so again if we look at the different queries, I have those firewall logs, let's just look at application rule logs, so I can get all of the detail about all the different things it's talking to. So huge amounts of data available to me. Again there are metrics as well that we have available to us: firewall health state, data processed, again not doing very much in my environment, but we have these pieces of information available to us. I'm still probably not doing anything on SNAT, yep, zero percent essentially on my tiny configuration, but we do have all this information so we can troubleshoot and actually go and see what is actually happening in the environment.

So that was it; that was my deep dive into the Azure Firewall. I really hope that was useful. Again, huge amounts of functionality, very simple deployment: route tables tell it to send the traffic to the Azure Firewall; obviously this can be from any kind of connected network that could use this.
Really the bulk of the power now is through the policies. We want to use those; have to use it for Premium, want to use it for Standard, based on these rule collection groups and rule collections. But remember within those it's DNAT rules first, then network rules, and then application rules, based on the priorities within each of those categories. I have a lot of configurations I can use based on does it make sense at layer 4 or layer 7. Premium, the big deal here is that TLS inspection: some setup initially, making sure you've got the right certificates in place, but once I have it I can now use that for URL filtering even if it's TLS encrypted; I have that intrusion detection and prevention capability; I have the web categories that can be based on the URL even if it's TLS encrypted as well. So it really adds a whole bunch of functionality to that. So with that, good luck in all your Azure Firewall endeavors, and until next time, take care.
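To tie together the application-rule points made above (FQDN targets matched from SNI, URL targets and URL-aware web categories that only see the path when TLS inspection terminates the session, and the ironbrit / google / cnn demo), here is an added Python model of that matching logic. It is example code written for this page, not the video's configuration and not Microsoft's implementation: the category feed, the `*.bing.com` FQDN rule, the source CIDR and the `news` path entry are all constructed, URL targets are treated as prefix matches (an assumption), and protocols and ports are not modelled. It goes beyond the video in one way: it also evaluates plain HTTP, where the path is visible without inspection.

```python
# Toy model of Azure Firewall Premium application-rule matching: FQDN (from SNI), URL and
# web-category targets, and why URL/category matching of HTTPS needs TLS inspection.
# Illustrative only, not Microsoft's implementation; feed, sites and rules are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the daily web-category feed, keyed by host or host/path prefix.
# The longest matching key wins, so a path can be categorized differently from its host.
CATEGORY_FEED = {
    "www.google.com": "Search Engines",
    "www.google.com/news": "News",
    "www.cnn.com": "News",
    "www.ironbrit.com": "Sports",
}


def categorize(target: str) -> Optional[str]:
    """Category of 'host' or 'host/path' by longest-prefix match against the feed."""
    best_key, best_cat = None, None
    for key, cat in CATEGORY_FEED.items():
        if target == key or target.startswith(key + "/"):
            if best_key is None or len(key) > len(best_key):
                best_key, best_cat = key, cat
    return best_cat


@dataclass
class AppRule:
    name: str
    sources: list                                      # source CIDRs
    target_fqdns: list = field(default_factory=list)   # exact name or "*.example.com"
    target_urls: list = field(default_factory=list)    # host/path prefixes (Premium)
    web_categories: list = field(default_factory=list)
    terminate_tls: bool = False                        # the rule's TLS inspection toggle


@dataclass
class Request:
    src: str
    url: str   # the full URL the client asked for

    @property
    def https(self) -> bool:
        return urlsplit(self.url).scheme == "https"

    @property
    def host(self) -> str:
        # Always visible to the firewall: SNI in the ClientHello, or the HTTP Host header.
        return urlsplit(self.url).hostname

    @property
    def path(self) -> str:
        return urlsplit(self.url).path or "/"


def fqdn_matches(host: str, pattern: str) -> bool:
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern


def evaluate_app(rules, req: Request, tls_inspection_enabled: bool):
    """First matching Allow rule wins; with nothing matched the default action is Deny."""
    src_ip = ipaddress.ip_address(req.src)
    for rule in rules:
        if not any(src_ip in ipaddress.ip_network(c) for c in rule.sources):
            continue
        # The path of an HTTPS request is only visible when the firewall terminates TLS.
        path_visible = (not req.https) or (tls_inspection_enabled and rule.terminate_tls)
        target = req.host + (req.path if path_visible else "")
        if any(fqdn_matches(req.host, p) for p in rule.target_fqdns):
            return "Allow", rule.name
        if path_visible and any(target.startswith(u) for u in rule.target_urls):
            return "Allow", rule.name
        if categorize(target) in rule.web_categories:
            return "Allow", rule.name
    return "Deny", None


# Constructed rules modelled on the three application rules shown in the video.
RULES = [
    AppRule("bing", ["10.0.0.0/16"], target_fqdns=["*.bing.com"]),
    AppRule("ironbrit-events", ["10.0.0.0/16"],
            target_urls=["www.ironbrit.com/ironman-events/completed"], terminate_tls=True),
    AppRule("allowed-categories", ["10.0.0.0/16"],
            web_categories=["Search Engines", "Computers & Technology", "Entertainment"],
            terminate_tls=True),
]

if __name__ == "__main__":
    for url in ("https://www.ironbrit.com/ironman-events/completed", "https://www.ironbrit.com/",
                "https://www.google.com/", "https://www.cnn.com/", "https://www.google.com/news"):
        print(url, evaluate_app(RULES, Request("10.0.0.4", url), True))
```

Running it with `tls_inspection_enabled=False` is the useful comparison: the same `/news` request is then allowed, because without termination the firewall only has the SNI name and categorizes the whole host as a search engine, and the URL rule cannot match encrypted traffic at all.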
Info
Channel: John Savill's Technical Training
Views: 13,642
Rating: 4.9920793 out of 5
Keywords: azure, azure cloud, microsoft azure, microsoft, cloud, Azure firewall, firewall, idps, tls inspection, filtering, network, virtual network, security
Id: JiUerkqyW0g
Channel Id: undefined
Length: 84min 35sec (5075 seconds)
Published: Tue Jul 27 2021