Firewall rule

Task Details

Creating a firewall rule will help your organization control both inbound and outbound network access, which is a critical component of a comprehensive network security strategy. Specifically, you aim to create and test the following infrastructure components:

1. A virtual network with three subnets: one for the workload, one for the jump host, and one for the firewall.

2. A virtual machine in each subnet.

3. A custom route that forces all outbound traffic from the workload subnet to pass through the firewall.

4. Firewall application rules that allow outbound traffic only to www.bing.com.

5. Firewall network rules that permit external DNS server lookups.

Architecture Diagram

Steps

1. Create a virtual network named Test-FW-VN with an address space of 10.0.0.0/16, and add four subnets: Workload-SN for the workload, Jump-SN for the jump host, AzureFirewallSubnet for the firewall, and AzureFirewallManagementSubnet for forced tunneling.

2. On the IP addresses tab, delete the existing default subnet, then create four subnets: Workload-SN for the workload, Jump-SN for the jump host, AzureFirewallSubnet for the firewall, and AzureFirewallManagementSubnet for forced tunneling.

Note: The AzureFirewallManagementSubnet (used for forced tunneling) is also required when the firewall uses the Basic SKU.

Workload-SN subnet

  • Click "Add a subnet."
  • In the panel that appears on the right, name the subnet (e.g., "Workload-SN").
  • Set the starting IP address (e.g., "10.0.2.0").
  • Click "Save."

Jump-SN subnet

  • Click "Add a subnet."
  • In the panel that appears on the right, name the subnet (e.g., "Jump-SN").
  • Set the starting IP address (e.g., "10.0.3.0").
  • Click "Save."

Note: Srv-Jump is a secure gateway VM (also called a jump box) placed in a public subnet and used to remotely access and manage other resources (such as VMs) inside a private Azure virtual network. Instead of exposing all VMs to the internet, only Srv-Jump has a public IP, which restricts and controls external access while preserving internal connectivity.

AzureFirewallSubnet subnet

  • Click "Add a subnet."
  • In the panel that appears on the right, choose Azure Firewall as the Subnet purpose.
  • Azure automatically allocates the internal IP for the Azure Firewall from the subnet's address space (e.g., "10.0.1.192").
  • Click "Save."

Note: You must create a subnet named exactly AzureFirewallSubnet (case-sensitive) with at least a /26 address space. You can assign a Public IP manually to the firewall (AzureFirewall → Public IP configuration), but the internal IP is auto-assigned.

AzureFirewallManagementSubnet subnet

  • Click "Add a subnet."
  • In the panel that appears on the right, choose Azure Firewall Management as the Subnet purpose (the subnet is named AzureFirewallManagementSubnet).
  • Azure automatically allocates the internal IP for the Azure Firewall from the subnet's address space (e.g., "10.0.1.128").
  • Click "Save."

Note: A Public IP only has to be configured and associated manually (if needed for outbound access or DNAT).

AzureFirewallManagementSubnet must be at least /26.

3. After creating the four subnets, ensure all four subnets are listed, then click "Review + Create" to deploy. Once deployment is complete, click "Go to resource", and you will see your four subnets under the Subnets tab of the virtual network.
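Before clicking "Review + Create", it is worth checking the subnet plan against the constraints in the notes above (every subnet inside the VNet, no overlaps, the two firewall subnets present with exact case-sensitive names and at least /26). The following Python is an added example, not part of the original guide; the /24 prefixes for Workload-SN and Jump-SN and the /26 prefixes for the firewall subnets are assumptions, since the guide only gives starting addresses.

```python
import ipaddress

# Planned layout from the walkthrough. The /24 and /26 prefix lengths are
# assumptions; the guide only states each subnet's starting address.
VNET = "10.0.0.0/16"
SUBNETS = {
    "Workload-SN": "10.0.2.0/24",
    "Jump-SN": "10.0.3.0/24",
    "AzureFirewallSubnet": "10.0.1.192/26",
    "AzureFirewallManagementSubnet": "10.0.1.128/26",
}
# Subnets Azure Firewall requires, with their exact (case-sensitive) names and
# the longest prefix allowed (/26 = 64 addresses).
REQUIRED = {"AzureFirewallSubnet": 26, "AzureFirewallManagementSubnet": 26}


def validate_layout(vnet: str, subnets: dict) -> list:
    """Return a list of problems; an empty list means the plan is deployable."""
    problems = []
    space = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # 1. Every subnet must be carved out of the VNet address space.
    for name, net in nets.items():
        if not net.subnet_of(space):
            problems.append(f"{name} {net} lies outside the VNet {space}")

    # 2. Subnets must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    # 3. The firewall subnets must exist under their exact names and be >= /26.
    for req, max_prefix in REQUIRED.items():
        if req not in nets:  # exact match: "azurefirewallsubnet" does not count
            problems.append(f"missing required subnet {req} (name is case-sensitive)")
        elif nets[req].prefixlen > max_prefix:
            problems.append(f"{req} is /{nets[req].prefixlen}; must be /{max_prefix} or larger")
    return problems


if __name__ == "__main__":
    for line in validate_layout(VNET, SUBNETS) or ["layout OK"]:
        print(line)
```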

4. Create two virtual machines: Srv-Work VM in the Workload subnet and Srv-Jump VM in the Jump subnet.

Srv-Work VM

5. In the Virtual Machines section, select + Create a virtual machine, then enter the following values on the Basics tab.

Resource group: Select your resource group

Instance details:

  • Virtual machine name: Enter Srv-Work
  • Region: Select (US) East US
  • Image: Select Windows Server 2022 Datacenter: Azure Edition - x64 Gen2
  • VM architecture: Select x64
  • Size: Select Standard_B2s

Administrator account:

  • Username: Enter a username
  • Password: Enter a password
  • Confirm password: Re-enter the password

Inbound port rules:

  • Public inbound ports: Select Allow selected ports
  • Select inbound ports: Select RDP (3389)

6. Click Next to proceed to the Disks tab, configure the desired disk settings, then click "Review + create".

7. On the Networking tab, assign the Srv-Work VM to the Workload-SN subnet, apply the following settings, and then click Review + Create.

8. After the Srv-Work VM is created, note the public and private IP addresses of the Srv-Work VM.

Srv-Jump VM

Note: Srv-Jump is used as a secure gateway VM to connect to other resources inside a private Azure virtual network.

9. In the Virtual Machines section, select + Create a virtual machine, then enter the following values on the Basics tab.

Resource group: Select your resource group

Instance details:

  • Virtual machine name: Enter Srv-Jump
  • Region: Select (US) East US
  • Image: Select Windows Server 2022 Datacenter: Azure Edition - x64 Gen2
  • VM architecture: Select x64
  • Size: Select Standard_B2s

Administrator account:

  • Username: Enter a username
  • Password: Enter a password
  • Confirm password: Re-enter the password

Inbound port rules:

  • Public inbound ports: Select Allow selected ports
  • Select inbound ports: Select RDP (3389)

10. Click Next to proceed to the Disks tab, configure the desired disk settings, then click "Review + create".

11. On the Networking tab, assign the Srv-Jump VM to the Jump-SN subnet, apply the following settings, and then click Review + Create.

12. After the Srv-Jump VM is created, note the public and private IP addresses of the Srv-Jump VM.

13. Deploy and test an Azure Firewall named Test-FW01.

14. On the Basics tab of the "Create a Firewall" blade, specify the following settings, then click Next twice, and finally click Review + create.

  • Name: Test-FW01
  • Firewall SKU: Basic
  • Firewall policy: Click Add new to create a new policy and name it Policy1
  • Virtual network: Select the previously created virtual network Test-FW-VN
  • Public IP address: Click Add new to create a new public IP address named Test-FW-PIP
  • Management public IP address: Click Add new to create a new management public IP address named Test-FW-PIP2

Note: A management public IP address is needed to securely enable remote administration and configuration of the Azure Firewall.

15. After the deployment is complete, click "Go to resource" and note the private and public IP addresses.
Note: You have to click on Test-FW-PIP to view the public IP.

16. Create a route table with a default route for the Workload-SN subnet that directs all outbound traffic through the firewall for enhanced security and traffic control.

17. Choose your subscription and resource group, name the route table Firewall-Route, then click Review + create, and finally click Go to resource.

18. Associate the Workload-SN subnet with the route table.
On the Firewall-Route blade, under Settings, click Subnets. Then, on the Firewall-Route | Subnets blade, click + Associate, and select your virtual network and subnet.

19. Add a new route

On the Add route blade, specify the following settings:

  • Route name: Give the route a name
  • Destination type: Select IP Addresses
  • Destination IP addresses/CIDR ranges: Enter 0.0.0.0/0
  • Next hop type: Select Virtual appliance
  • Next hop address: Enter the private IP address of your Azure Firewall

Note: We use destination IP address 0.0.0.0/0 in the route table to route all outbound traffic to the Azure Firewall’s private IP (next hop: virtual appliance), so that all internet-bound or external traffic is inspected and controlled by the firewall before leaving the subnet.

20. Configure an application rule on the Test-FW01 firewall to allow outbound access to www.bing.com.

  • Within the "Firewall policy" section, you will see the currently associated policy listed (e.g., Policy1)
  • To manage or view the details of this policy, click on the policy name

21. Add application rule collection to allow outbound access to www.bing.com from Workload-SN subnet.

In the Add a rule collection tab, enter or select the following values:

  • Name: App-Coll01
  • Rule collection type: Application
  • Priority: 200
  • Rule collection action: Allow
  • Rule collection group: DefaultApplicationRuleCollectionGroup

Rules:

  • Name: AllowBing
  • Source type: IP address
  • Source: 10.0.2.0/24
  • Protocol: HTTP, HTTPS
  • Destination type: FQDN
  • Destination: www.bing.com

Select Add

Note: The source IP should belong to the Workload-SN subnet address range.

22. Configure a network rule to allow outbound access to the IP addresses 209.244.0.3 and 209.244.0.4 on port 53 (DNS).
Note: 209.244.0.3 and 209.244.0.4 are public DNS servers.

In the Add a rule collection tab, enter or select the following values:

  • Name: NetColl01
  • Rule collection type: Network
  • Priority: 200
  • Rule collection action: Allow
  • Rule collection group: DefaultNetworkRuleCollectionGroup

Rules:

  • Name: Allow-DNS
  • Source type: IP address
  • Source: 10.0.2.0/24
  • Protocol: UDP
  • Destination ports: 53
  • Destination type: IP address
  • Destination: 209.244.0.3, 209.244.0.4

Note: When you associate a subnet with a route table that directs traffic through Azure Firewall, all traffic is denied by default unless explicitly allowed. If you need to RDP into a VM in that subnet, create the appropriate Azure Firewall rules:

Inbound from the Internet: Add a DNAT rule to map the firewall’s public IP and TCP port 3389 to the VM’s private IP.

From another subnet: Add a network rule to allow TCP 3389 from the source subnet to the VM’s private IP.
Also ensure the NSG for the subnet/NIC allows inbound RDP.
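To see how the route from step 19 and the two rule collections from steps 21 and 22 combine, here is an added Python model (not part of the original guide, and not Azure Firewall's own logic) that evaluates constructed sample flows: only Workload-SN traffic is handed to the firewall, network rules are checked before application rules, and anything unmatched falls to the implicit deny. Source addresses and the Host/SNI handling are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of steps 19-22. Only subnets associated with Firewall-Route
# hand traffic to the firewall; the firewall checks network rules first, then
# application rules, and drops everything else (implicit deny).
WORKLOAD_SN = ipaddress.ip_network("10.0.2.0/24")   # has the 0.0.0.0/0 route
DNS_SERVERS = {ipaddress.ip_address("209.244.0.3"), ipaddress.ip_address("209.244.0.4")}
NETWORK_RULES = [  # rule collection NetColl01
    {"name": "Allow-DNS", "src": WORKLOAD_SN, "proto": "UDP", "port": 53, "dst": DNS_SERVERS},
]
APP_RULES = [  # rule collection App-Coll01 (HTTP = 80, HTTPS = 443)
    {"name": "AllowBing", "src": WORKLOAD_SN, "ports": {80, 443}, "fqdns": {"www.bing.com"}},
]


@dataclass
class Flow:
    src_ip: str
    proto: str          # "TCP" or "UDP"
    dst_port: int
    dst_ip: str = ""    # matched by network rules
    fqdn: str = ""      # Host header / TLS SNI, matched by application rules


def routed_via_firewall(flow: Flow) -> bool:
    """True when the source subnet carries the default route to the firewall."""
    return ipaddress.ip_address(flow.src_ip) in WORKLOAD_SN


def evaluate(flow: Flow) -> str:
    """Return the matching rule name, 'DENY (implicit)' or 'BYPASS (no UDR)'."""
    if not routed_via_firewall(flow):
        return "BYPASS (no UDR)"          # e.g. Srv-Jump to Srv-Work RDP (step 24 note)
    src = ipaddress.ip_address(flow.src_ip)
    for r in NETWORK_RULES:
        if (src in r["src"] and flow.proto == r["proto"] and flow.dst_port == r["port"]
                and flow.dst_ip and ipaddress.ip_address(flow.dst_ip) in r["dst"]):
            return r["name"]
    for r in APP_RULES:  # application rules only see HTTP/HTTPS over TCP
        if (src in r["src"] and flow.proto == "TCP" and flow.dst_port in r["ports"]
                and flow.fqdn.lower() in r["fqdns"]):
            return r["name"]
    return "DENY (implicit)"


if __name__ == "__main__":
    for f in (Flow("10.0.2.4", "TCP", 443, fqdn="www.bing.com"),
              Flow("10.0.2.4", "TCP", 80, fqdn="www.microsoft.com"),
              Flow("10.0.2.4", "UDP", 53, dst_ip="209.244.0.3"),
              Flow("10.0.3.4", "TCP", 3389, dst_ip="10.0.2.4")):
        print(f, "->", evaluate(f))
```

The second and fourth sample flows are the cases exercised in steps 24 to 29: the www.microsoft.com request is denied, while RDP from Srv-Jump never reaches the firewall because Jump-SN has no route table.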

23. Configure the primary and secondary DNS server addresses for the virtual machine Srv-Work.

On the Network settings blade of the Srv-Work virtual machine, click on Network interface.

On the DNS servers blade of the network interface for the Srv-Work VM, add the primary and secondary public DNS servers, then click Save.

24. Test the firewall to confirm that it works as expected.
Download the RDP file and use it to connect to the Srv-Jump Azure VM via Remote Desktop. When prompted to authenticate, provide your credentials.

Note: In this demo, we RDP to Srv-Jump and then from Srv-Jump to Srv-Work. Since only the Srv-Work subnet is associated with a route table pointing to Azure Firewall, and the NSG on Srv-Work allows inbound RDP, the connection should proceed without additional firewall rules. Ensure that no conflicting routes or firewall policies are in place.

25. RDP to Srv-Jump VM

26. Within the Remote Desktop session to Srv-Jump, right-click Start, click Run, and in the Run dialog box run the following command to connect to Srv-Work.

Command: mstsc /v:Srv-Work

27. Within the Remote Desktop session on Srv-Work, open Server Manager, click Local Server, then click IE Enhanced Security Configuration.
In the Internet Explorer Enhanced Security Configuration dialog box, set both options to Off, and click OK.

Note: We need to turn off Internet Explorer Enhanced Security Configuration to browse the web more conveniently.

28. Start Internet Explorer and browse to http://www.microsoft.com/

Within the browser page, you should receive a deny message with text resembling the following:

29. Start Internet Explorer and browse to https://www.bing.com

The website should successfully display. The firewall allows you access.

Conclusion

By implementing the described firewall configuration, you have established a secure and controlled network environment. The use of subnet segmentation, virtual machines for testing, custom routing, and strict firewall rules ensures that all outbound traffic is inspected and limited to approved destinations. This setup strengthens your organization's security posture by enforcing network boundaries, reducing the attack surface, and allowing only essential, authorized communications.

Written by Kirill.A - Azure & Cybersecurity Consultant at AntusNet