What is Azure Firewall Basic and How to Deploy it

Captions
In this video we review Azure Basic Firewall. Hello everyone, I'm Travis and this is Ciraltos. Azure recently announced the general availability of the Basic firewall SKU. In this video we review the Azure Basic Firewall and then deploy it in a demo. If you like these videos, or just this one for that matter, I would appreciate it if you'd subscribe; it helps the channel a lot. I also have courses on Azure Virtual Desktop, Windows 365 and hybrid identities with Azure AD at udemy.com; links are below. And a shout out to my channel members, your support is appreciated.

Until now Azure firewalls were quite an investment, worth it especially for large organizations that want a native, highly available firewall solution with central management in Azure, but for small and medium-sized organizations the price could be a barrier. That changes with the Basic SKU of Azure Firewall. The Basic firewall offers layer 3 and layer 7 filtering and alerts on malicious traffic with Microsoft threat intelligence. It's cloud native and supports availability zones in regions where they're supported, and multiple firewalls can be managed with Azure Firewall Manager.

The Azure firewall uses rules to control traffic in and out of the firewall. These rules are grouped into rule collections. The rule collections and the rules in the collections are processed in order, specifying an allow or deny action based on the rule condition. The default for all firewall traffic, including access to Azure services, is to deny. There are three types of rules: DNAT, network and application. DNAT provides the ability to allow inbound traffic through the firewall, hosting a website for example. It uses an inbound translation rule to direct traffic from the internet to a resource behind the firewall. The network rule uses layer 3 and 4 information to allow or deny inbound, outbound or east-to-west traffic. These rules are based on IP address, port and protocols. Finally, application rules are layer 7 rules that allow or deny inbound, outbound or east-to-west traffic using fully qualified domain names, URLs and web protocols. The rule groups are processed in this order by default: DNAT, then network and lastly application. When a rule is matched the action is taken and the processing stops. Also, the Azure Basic firewall uses SNAT for outbound access, so all public traffic comes from the firewall's public IP address. The Standard and Premium SKUs work the same, only with some additional features.

Let's look at the features and what makes Basic, well, basic. Throughput depends on a few variables such as the number and type of connections, but total bandwidth is 250 megabits per second for the Basic SKU and 3 gigabits per second for Standard and Premium. Standard will scale up to 30 gigabits per second and Premium will scale to 100 gigabits per second. On the screen is a chart that outlines the difference between the three SKUs. It's worth pointing out a couple of the features not available with a Basic firewall. First, the web categories are not available on Basic. A web category is a list of websites on specific topics that Microsoft manages. Administrators can use these categories to create deny or allow rules for web traffic. For example, a rule could allow finance, news and government websites but block gambling, alcohol and tobacco sites. Web categories are not available with Basic, so our options are to block web traffic, allow all web traffic, or manually define sites to allow or block. Another option is to use a solution such as Defender. Next, threat intelligence-based filtering only provides an alert action that requires user intervention to respond to those alerts. If those or any other missing features are required for the deployment, a Standard or Premium SKU is a better option.

Let's review the requirements next. We need at least three subnets on a VNet to deploy and use the firewall. We need the AzureFirewallSubnet; the subnet has to have that exact name and be a /26 or larger subnet. The firewall service may need extra addresses as it scales out. Also required for the Basic firewall is a subnet with the name AzureFirewallManagementSubnet, that's /26 or larger. The Basic firewall splits management and firewall traffic because of the limited bandwidth; management and logging tasks won't interfere with internet traffic. For the demo coming up, the environment has those subnets in a VNet and also a workload subnet for the client we test with. We need to configure a route table and default route that directs outbound internet traffic through the firewall. The route table is then applied to the workload subnet; don't apply it to the firewall or management subnet. After that we need to configure traffic rules. We'll walk through that with examples that allow outbound web and DNS traffic and allow inbound traffic with a DNAT rule. Let's jump into the Azure portal to get started.

Here we are in the portal and we'll start with the VNet. We have three subnets for testing. If you're not sure why we have three subnets, rewind a bit. Notice one of them is named AzureFirewallManagementSubnet; that name is a requirement to deploy a Basic firewall. It's the same case for AzureFirewallSubnet. We need to have two subnets with those names to deploy a Basic Azure firewall. The entire /24 block isn't required, but this is a demo environment so I don't have to worry about saving IPs. Let's create a new resource and search for firewall. We'll select Firewall and Create. Make sure your subscription and resource group are selected; the firewall has to be in the same resource group as the VNet. Give the firewall a name, basic FW for this example. Select the region; it has to be the same as the VNet we're attaching it to, West US 3 for this example. Select one or more availability zones to deploy it to. Availability zones may not be supported in every region; I'll select all. We can scroll down and set the firewall SKU to Basic, that's because we're deploying a Basic firewall. For firewall policy let's add a new one. Give it a name, basic FW policy for this example, set the region the same as the firewall and the VNet, and we only have one option for the policy tier for a Basic firewall, and that's the Basic tier. We'll click OK. You could add a virtual network when you deploy the firewall, but I'm going to use an existing one. We'll select the virtual network, basic FW VNet for this example. We'll give it a new public IP address and that will be FW-pip. We also need to give it a management public IP address; we'll add new and we'll call this FW management pip. Click OK. Let's move on to tags; we can enter tag values, I'll mark that for my lab. Go next to Review and create, and Create. This may take a few minutes, so I'll pause here and come back once it's done.

The firewall is finished. Before we move on we need some IP addresses. Go to the resource and make note of the private IP address; we'll need that shortly. Also go into public IP configuration and make a note of the public IP address; we'll also need that coming up shortly. Once you have those IP addresses recorded, we can create a default route to direct internet traffic to the firewall. This is required for Azure firewalls as well as any network virtual appliance, or NVA, such as a third-party firewall. Go to Create a resource, search for route tables and add a route table. We'll create that: select your subscription and set it to the same resource group as the VNet, select a region, and that also should be the same region as the VNet, and give it a name, FW route for this example. You can add tags as needed and then go to Review and create, and once validation passes click Create. That will create our route table; we'll give it a minute to finish. Next we have to associate the route table to the workload subnet; that's the subnet our test VM is in. In larger environments we'll have to attach the route table to any subnet that has clients that need to access the internet through the firewall, but don't apply the routing table to the AzureFirewallSubnet or AzureFirewallManagementSubnet, just the workload subnet. Let's go to the resource, go to Subnets, select Associate, make sure our VNet is set and select the workload subnet, so that's the subnet our clients are on, and OK. Next go to Routes and we're going to add a route. Give it a name; this one will be FW-DR. We'll select the destination IP address and add 0.0.0.0/0, that's the default route. In next hop select Virtual appliance and add the private internal IP address for the Azure firewall; that's the private IP address we made a note of earlier. Click Add. This tells the VNet to send any traffic that it doesn't have a route for to the firewall.

Now we can start creating our firewall rules. We'll start with an application rule. Let's go to the firewall. Here we are in the firewall; open our firewall policy, basic FW policy for this example. From here go to Application rules. Rules are grouped into collections; let's start by creating a new collection called app col01. Make sure the type is Application and give it a priority, 500 for this example. Rule collections are processed in order; it's a good idea to leave space in front of the rule collection in case we need to add a rule before this in the order processed. Leave the action set to Allow and go down to Name. This is where the Basic firewall becomes, well, basic. By default the firewall blocks all traffic, inbound and outbound. With the Basic firewall we have to specify the sites we want to allow our users to access. I don't think anyone keeps a detailed list of all the sites users visit. We can add FQDN tags; that allows access to Azure services. This is helpful if we want to block all traffic to the internet but allow our clients to access Azure services. With AVD, for example, the session host could still access the AVD service, although it's called Windows Virtual Desktop here, but it's the same thing. The Standard and Premium firewalls offer web categories, so we can allow traffic to known good sites based on the category, like news or productivity or shopping, but that's not an option with the Basic firewall. For this example we're going to add a rule that allows all outbound web traffic. Is that a good idea? Maybe, maybe not, but unless you're locking down all internet access with some exceptions, this option will allow our users to access the internet without having to add each site manually. We'll change this back to FQDN and give it a name, all web out. The source type is IP address, and under Source we can add a single IP address or a subnet; we could also add the asterisk for all. For this example I'm going to be a little bit more restrictive and add the VNet address space; that's 10.1.0.0/16 for this environment. That way any client on the VNet will be able to access the internet. For protocol we'll add HTTP and HTTPS; you don't have to add the port, just separate them with a comma. Leave the destination as FQDN and set the destination to any, or just an asterisk. We'll add the rule. One other thing: we can't order rules or add a rule ahead of another. The rules we add to a collection are processed in order, so plan ahead and start with the most specific rule first.

Let's move on to the network rule next. The network rule is a layer 3 port and protocol rule. We'll add an outbound DNS rule for this example. Let's add a rule collection and give it a name, net col01 for this example. Leave the rule collection type as Network and set the priority to 500. We'll leave the action at Allow and set the collection group to DefaultNetworkRuleCollectionGroup. Now we'll create the rule. Give it a name, DNS out. We'll set the source type as IP address and add the VNet address space to the scope. For protocol we'll set it to UDP, and the destination port is 53 for DNS. Leave the destination as IP address; I'll just use an asterisk to allow all outbound DNS queries. If you have specific public DNS servers you can add them instead. Click Add; that creates the DNS network rule.

Next we'll create a DNAT rule. This is optional, and what I'm going to show you is probably not recommended. I'm going to allow RDP, port 3389, in. If you want to see a lot of failed login attempts, leave port 3389 open to the internet. For this demo it's fine though. A better option to connect to an Azure VM behind a firewall is Azure Bastion, but that wouldn't make for a good demo. We'll add an RDP rule so we can log into the VM and test outbound access. Go to DNAT rules and add a new rule collection. Give it a name; we'll call it dnat col01. The collection type is DNAT and the priority is 500. Set the rule collection group to DefaultDnatRuleCollectionGroup. We'll add the rule; we'll call it RDP in. We'll select the source address and use the wildcard asterisk, but you could add a known public IP address if you want to limit which public IP address can log into this VM. For protocol we'll select TCP and the port is 3389. Let's scroll over. The destination type is IP address, and set the destination IP address to the public IP address of the firewall; remember we made a note of that earlier. This is a translation rule, so it will translate the destination public IP address to an internal private IP address. The private IP address we want that to translate to is the VM we're trying to log into, and for my example that's 10.1.2.4, the internal private IP address of the VM we're going to log into, and we'll translate that to the same port, 3389. Once that's ready we can hit Add, and that adds the rule.

Now we have rule collections for each rule type: there's the rule that allows outbound web, there's the rule that allows outbound DNS and there's the rule that allows inbound RDP. The rules can take a minute to finish applying; I'll pause here and come back once the inbound rule has applied. OK, the rule collection is finished applying. Now that we have the basic configuration in place we can test. Let's start by connecting to the computer behind the firewall with RDP. We'll open up the RDP client and go to the public IP address of the firewall. We get a login screen, that's a good sign, and it looks like we can log in, and we are going to the public IP address of the firewall, that's good. Now let's open up a web browser. OK, from the web browser we're going to open up a site that will tell us what our public IP address is; that site is ipchicken.com. That's our client's public IP address, and that matches the firewall's public IP address. That's good; that means our rules are working. That is how to configure the Azure Basic firewall. As you may have noticed, the Basic firewall is just that, basic. It's a better-than-nothing option at an affordable price, a good option for small and medium-sized companies that need a firewall without some of the advanced functionality. I hope this helps you better understand the Basic firewall. Thanks for watching.
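The rule processing the video walks through (DNAT first, then network, then application; collections by priority, rules in order, the first match stops, everything else denied), modelled as an added Python example that is not part of the video and not Microsoft code. The VNet range 10.1.0.0/16, the VM address 10.1.2.4 and the three collections are the demo's values; the firewall public IP 203.0.113.10 and the test flows are constructed.

```python
"""Added model (not Microsoft code) of Azure Firewall rule evaluation as the video describes
it: DNAT, then network, then application; collections by priority; first match stops; default deny."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

VNET, VM = "10.1.0.0/16", "10.1.2.4"     # demo values from the video
FW_PUBLIC = "203.0.113.10"               # constructed firewall public IP

# src/dst are CIDRs or "*" (dst is an FQDN or "*" in application rules); ports are
# destination ports with 80/443 standing for HTTP/HTTPS; translate is DNAT only.
Rule = namedtuple("Rule", "name src proto ports dst translate", defaults=[None])
Collection = namedtuple("Collection", "name kind priority action rules")

def _ip_ok(pattern, ip):
    return pattern == "*" or ip_address(ip) in ip_network(pattern)

def _fqdn_ok(pattern, fqdn):
    if pattern.startswith("*."):                  # wildcard covers subdomains only
        return fqdn.endswith(pattern[1:])
    return pattern in ("*", fqdn)

def evaluate(policy, flow):
    """flow: dict(src, dst, proto, port[, fqdn]) -> (action, rule name, translation)."""
    for kind in ("dnat", "network", "application"):            # fixed type order
        for col in sorted((c for c in policy if c.kind == kind), key=lambda c: c.priority):
            for r in col.rules:
                if (r.proto != flow["proto"] or flow["port"] not in r.ports
                        or not _ip_ok(r.src, flow["src"])):
                    continue
                if kind == "application":                      # layer 7: match the FQDN
                    if not flow.get("fqdn") or not _fqdn_ok(r.dst, flow["fqdn"]):
                        continue
                elif not _ip_ok(r.dst, flow["dst"]):
                    continue
                return (col.action, r.name, r.translate)       # first match stops
    return ("deny", "default", None)

# The three collections built in the demo, all at priority 500.
POLICY = [
    Collection("dnat col01", "dnat", 500, "dnat",
               [Rule("RDP in", "*", "tcp", {3389}, FW_PUBLIC, (VM, 3389))]),
    Collection("net col01", "network", 500, "allow",
               [Rule("DNS out", VNET, "udp", {53}, "*")]),
    Collection("app col01", "application", 500, "allow",
               [Rule("all web out", VNET, "tcp", {80, 443}, "*")]),
]

if __name__ == "__main__":   # constructed flows: inbound RDP hits the DNAT rule, SMTP has no rule
    print(evaluate(POLICY, {"src": "198.51.100.7", "dst": FW_PUBLIC, "proto": "tcp", "port": 3389}))
    print(evaluate(POLICY, {"src": VM, "dst": "192.0.2.10", "proto": "tcp", "port": 25}))
```

A source outside 10.1.0.0/16 or a port with no rule falls through to the default deny, which is the behaviour the video points out when it says the firewall blocks everything not explicitly allowed.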
Info
Channel: Travis Roberts
Views: 12,832
Keywords: Azure Firewall, Firewall, Basic firewall, firewall basic, Network Address Translation, Source Network Address Translation, IP, zonal, Azure, Microsoft, Azure Networking, network, outbound connection, Azure internet, VM, Virtual Machine, Private IP, Public IP, Static IP, training, Azure training, free Azure, tutorial, azure networking tutorial
Id: nhWvye214No
Length: 17min 43sec (1063 seconds)
Published: Sun Mar 26 2023