Securing Your Azure Web Application with Azure Firewall (Part 3)

Introduction:

This blog post is part 3 of a series on securing your Azure environment. In the previous parts, we created a virtual network and implemented a Network Security Group (NSG) for basic isolation. Now, we'll take things a step further and secure your web application using Azure Firewall for advanced traffic filtering. As a reminder, the images show Canada Central but if you're following along, use US East.

Setting Up the Firewall Subnet

1. Navigate to Virtual Networks in the Azure portal search bar and select your application network.

2. Under Subnets, click + Subnet.

   

3. Name the subnet AzureFirewallSubnet and use the address range 10.1.63.0/24. Leave other settings default and click Add.

   

Creating the Azure Firewall

1. Search for Firewall in the portal and click it.

2. Click + Create.

   

3. Configure the firewall settings as follows:

   • Name: Choose a descriptive name for your firewall.
   • SKU: Select the Standard Firewall SKU (adjust based on needs).
   • Management: Choose "Firewall policy to manage this firewall".
   • Firewall Policy: Click "Add new" and name the policy fw-policy.
   • Location: Select the appropriate region.
   • Tier: Choose the Standard Policy Tier.
   • Virtual Network: Select "Use existing" and choose your application virtual network.
   • Public IP Address: Click "Create new" and name the IP address fwpip.

4. Review your settings and click Create.

   

Configuring Firewall Policies

1. Search for Firewall Policies in the portal and select fw-policy.
2. Under Settings, navigate to Application Rules.

3. Click Add a Rule Collection and configure it as follows:

   • Name: Choose a clear name for the rule collection.
   • Type: Select "Application".
   • Priority: Set to 200.
   • Action: Allow
   • Rule Collection Group: DefaultApplicationRuleCollectionGroup

   

4. Under Rules create a rule named AllowAzurePipelines. Configure it to allow HTTPS traffic from the source IP range 10.1.0.0/23 to the destination FQDNs dev.azure.com and azure.microsoft.com.

   

5. Navigate to Network Rules and click + Add a rule collection.

   

6. Configure the network rule collection as follows:

   • Name: Choose a clear name for the rule collection.
   • Type: Network
   • Priority: Set to 200.
   • Action: Allow
   • Rule Collection Group: DefaultNetworkRuleCollectionGroup

7. Under Rules create a rule named AllowDns. Configure it to allow UDP traffic on ports 53 to the destination IP addresses 1.1.1.1 and 1.0.0.1, with a source IP range of 10.1.0.0/23.

8. Click Add to create the rule.

   

Verifying Deployment

1. Search for Firewall in the portal and select your application firewall. Verify the Provisioning state is "Succeeded".

   

2. Navigate to the firewall policy (fw-policy) and ensure its Provisioning state is also "Succeeded".

   

Conclusion

By following these steps, you've successfully deployed an Azure Firewall with basic rules to allow secure access for your web application. Remember to adjust the specific rules based on your application's requirements.

In the next post we'll configure routes for the Azure Firewall.