Azure Firewall

Step 1 - Logging In

Run this command to log in to the Azure account:

az login -u $username -p $password

After you log in, you should get a block of JSON with details about your sign-in.

You can view the Azure account username with this command:

echo $username

You can view the Azure account password with this command:

echo $password

Step 2 - Getting Set Up

While we could build our own firewall on a custom virtual machine, it is a better bet to use the firewall service Microsoft provides. As a platform-as-a-service (PaaS) offering, it comes with built-in high availability and scalability. It is also available in Standard and Premium tiers, with the Premium tier capturing more categories of threats. In this lab we will use the Standard tier, which applies L3–L7 security policies; you can read more about the Standard and Premium tiers here.

In this lab, we will implement a firewall and configure it to allow outbound traffic to GitHub.com. Note this lab assumes you have some comfort with creating virtual networks and user-defined routing.

The steps will entail:

  • Creating a virtual network and subnets

  • Creating a frontend and backend VM with a network interface between them

  • Declaring and configuring a firewall

  • Routing all public requests through the firewall

  • Opening up the right IP addresses for the public API

First we need a resource group. O'Reilly provides one with a name saved to the variable $resource, which was created with this command:

az group create --name $resource --location eastus

Let's also enable the Azure Firewall extension:

az extension add --name azure-firewall

Next let's create a virtual network with the az network vnet create command. This will also contain the firewall's subnet:

az network vnet create \
  --name lesson28VN \
  --subnet-name AzureFirewallSubnet \
  --address-prefix 10.0.0.0/16 \
  --subnet-prefix 10.0.1.0/26 \
  --location eastus \
  --resource-group $resource

And then let's create the subnets for the workload and jump virtual machines, giving us a total of three subnets (including the AzureFirewallSubnet created in the virtual network):

az network vnet subnet create \
  --name workloadSubnet \
  --vnet-name lesson28VN \
  --address-prefix 10.0.2.0/24 \
  --resource-group $resource
az network vnet subnet create \
  --name jumpSubnet \
  --vnet-name lesson28VN \
  --address-prefix 10.0.3.0/24 \
  --resource-group $resource
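Before running the az commands above, it helps to sanity-check the address plan offline. The script below is an added example, not part of the O'Reilly lab; it assumes the subnet names and prefixes used in this step and encodes the Azure Firewall requirement that the firewall's subnet be named AzureFirewallSubnet and sized /26 or larger.

```bash
#!/usr/bin/env bash
# Pre-flight check for the lab's address plan (added example, not lab code).
# It validates the CIDR layout before any az command runs: every subnet must
# sit inside the VNet, no two subnets may overlap, and the firewall subnet must
# be named AzureFirewallSubnet and be /26 or larger (an Azure Firewall rule).

ip_to_int() {                      # 10.0.2.0 -> 167772672
  local IFS=. ; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

cidr_first() {                     # first address of a CIDR block, as an integer
  local bits=${1#*/} mask
  mask=$(( ((1 << bits) - 1) << (32 - bits) ))
  echo $(( $(ip_to_int "${1%/*}") & mask ))
}

cidr_last() {                      # last address of a CIDR block, as an integer
  local bits=${1#*/}
  echo $(( $(cidr_first "$1") + (1 << (32 - bits)) - 1 ))
}

cidr_within() {                    # true if block $1 lies entirely inside block $2
  local a1=$(cidr_first "$1") a2=$(cidr_last "$1") b1=$(cidr_first "$2") b2=$(cidr_last "$2")
  [ $(( a1 >= b1 && a2 <= b2 )) -eq 1 ]
}

cidr_overlap() {                   # true if blocks $1 and $2 share any address
  local a1=$(cidr_first "$1") a2=$(cidr_last "$1") b1=$(cidr_first "$2") b2=$(cidr_last "$2")
  [ $(( a1 <= b2 && b1 <= a2 )) -eq 1 ]
}

# check_plan VNET_CIDR name:cidr [name:cidr ...]  -> returns 0 if sound, 1 otherwise
check_plan() {
  local vnet=$1 bad=0 fw=0 seen="" entry name prefix other
  shift
  for entry in "$@"; do
    name=${entry%%:*}; prefix=${entry#*:}
    cidr_within "$prefix" "$vnet" || { echo "FAIL: $name $prefix is outside $vnet"; bad=1; }
    if [ "$name" = AzureFirewallSubnet ]; then
      fw=1
      [ "${prefix#*/}" -le 26 ] || { echo "FAIL: $name must be /26 or larger, got /${prefix#*/}"; bad=1; }
    fi
    for other in $seen; do         # compare only against subnets already checked
      cidr_overlap "$prefix" "${other#*:}" && { echo "FAIL: $name $prefix overlaps ${other%%:*}"; bad=1; }
    done
    seen="$seen $entry"
  done
  [ "$fw" -eq 1 ] || { echo "FAIL: no subnet named AzureFirewallSubnet"; bad=1; }
  [ "$bad" -eq 0 ] && echo "OK: $vnet with $# subnet(s) is consistent"
  return $bad
}

# the plan used in this lab (constructed from the steps above)
check_plan 10.0.0.0/16 AzureFirewallSubnet:10.0.1.0/26 workloadSubnet:10.0.2.0/24 jumpSubnet:10.0.3.0/24
```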

Step 3 - Configuring the VMs

Let's create the two virtual machines, one for the jump and the other for the workload, and put them in the subnets we just created. We are going to make their username azureuser. First let's create the jump VM:

az vm create \
    --name jumpVM \
    --image UbuntuLTS \
    --location eastus \
    --resource-group $resource \
    --vnet-name lesson28VN \
    --subnet jumpSubnet \
    --admin-username azureuser \
    --generate-ssh-keys

Let's also open port 22 so we can reach the jump VM over SSH:

az vm open-port \
    --name jumpVM \
    --port 22 \
    --resource-group $resource

Let's then create a network interface (NIC) for the work VM we are about to create. First allocate a static public IP address, then attach it to a NIC in the workload subnet:

az network public-ip create \
  --name workPublicIp \
  --allocation-method Static \
  --resource-group $resource \
  --sku Standard

az network nic create \
   --name workNIC \
   --vnet-name lesson28VN \
   --subnet workloadSubnet \
   --public-ip-address workPublicIp \
   --resource-group $resource

Next, create the work VM using the NIC we just configured:

az vm create \
    --name workVM \
    --image UbuntuLTS \
    --location eastus \
    --nics workNIC \
    --resource-group $resource \
    --admin-username azureuser \
    --generate-ssh-keys