Implementing Azure Firewall in an Azure Virtual Network (2024)

An Azure virtual network is quite similar to the traditional network that we already know. It allows us to perform subnetting and assign IP addresses to resources, just like a traditional network. The key difference is that in an Azure virtual network, the infrastructure needed to perform subnetting and other functions has been abstracted away, leaving us to simply provision isolated and connected networks within Azure. But of what use is creating virtual networks if we do not adequately secure them?

Azure provides a few offerings to cater to this need. One such offering is a firewall called Azure Firewall. Azure provides three Azure Firewall SKUs: Basic, Standard and Premium. If you run a small to medium scale business, the Basic SKU is perhaps just right for you. The Standard SKU provides more robust features, while the Premium SKU provides fully comprehensive features such as a signature-based intrusion detection system for very quick detection of cyber attacks.

Azure Firewall is a service provided by Azure to help protect Azure virtual network resources, data and applications from unauthorised access as well as cyber threats. It provides filtering at both the network layer and the application level. Crucially, it also integrates threat intelligence directly from Microsoft, which is updated in real time. This provides the ability to alert on and also deny traffic from identified malicious IP addresses. In addition, it has monitoring capabilities: we can integrate it with Azure Monitor to capture firewall traffic.

To implement Azure Firewall in a virtual network, we first create a virtual network, which typically comes with a default subnet. We then create a second subnet, which must be named AzureFirewallSubnet. The firewall resides in this AzureFirewallSubnet, and any traffic from the default subnet is routed (through a route table) to the firewall. It is recommended that this second subnet have a CIDR notation of “/26”. The reason for placing the firewall in a smaller subnet (i.e., /26) with a limited number of IP addresses is to allow one to isolate and control traffic to and from the firewall more effectively. This helps to reduce the attack surface and potential exposure to cyber threats.

Consequently, we can then define NAT rules, application rules and network rules in rule collections to deny traffic or block malicious IPs.

Where the Basic SKU is to be deployed, we create a third subnet, which must be named AzureFirewallManagementSubnet.

This article looks at how a small business with a decent number of customers can implement Azure Firewall in its virtual network. We look at how to use a firewall to perform network address translation (NAT). Network address translation is important for many reasons:

1. It provides a level of security by hiding the internal IP address of a device in a private network from cyber threat actors on the public internet, making it more difficult for them to access the device.

2. By allowing a firewall to share a single public IP address with multiple devices in a private network, it helps conserve the limited pool of available public IP addresses, which can be an issue in situations where IPv4 addresses are scarce.

3. It becomes easier to log and monitor effectively by tracking the translation of private IP addresses to public addresses. The logs become useful when the need for troubleshooting arises.

AZURE FIREWALL IMPLEMENTATION STEPS

1. Create a virtual network called WillyWonka-VNET and rename its default subnet to vm-SUBNET

2. Create a Windows virtual machine and place it inside vm-SUBNET

3. Add a subnet called AzureFirewallSubnet with a CIDR notation of /26

4. Add a third subnet called AzureFirewallManagementSubnet with a CIDR notation of /26

5. Create a firewall and place it inside the subnet called AzureFirewallSubnet

6. Create a route table so that traffic from vm-SUBNET is routed to the firewall

7. Create a route in the route table that routes traffic from vm-SUBNET to the private IP of the firewall

8. Associate the route table with vm-SUBNET so that the route applies to the subnet.

9. Configure firewall rules in a rule collection so that when we RDP into the public IP of the firewall, we are routed to the private IP of the Windows virtual machine

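A pre-deployment check for the layout built in steps 1 to 9, added here as an example (it is not code from the original article). The address ranges, IP addresses and the `validate` function are assumptions; the final rule, which flags RDP open to any source address, is an extra check the article does not mention.

```python
import ipaddress as ip

# Constructed sample plan: subnet names come from the article; every address
# range and IP below is an assumption made for this example.
PLAN = {
    "sku": "basic",
    "vnet": "10.0.0.0/16",
    "subnets": {"vm-SUBNET": "10.0.0.0/24",
                "AzureFirewallSubnet": "10.0.1.0/26",
                "AzureFirewallManagementSubnet": "10.0.2.0/26"},
    "route": {"subnet": "vm-SUBNET", "next_hop_type": "VirtualAppliance",
              "next_hop_ip": "10.0.1.4"},
    "dnat": {"source": "203.0.113.10", "port": 3389, "translated_ip": "10.0.0.4"},
}

def validate(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vnet = ip.ip_network(plan["vnet"])
    nets = {n: ip.ip_network(c) for n, c in plan["subnets"].items()}
    required = ["AzureFirewallSubnet"]
    if plan["sku"] == "basic":  # Basic SKU also needs the management subnet
        required.append("AzureFirewallManagementSubnet")
    for name in required:
        if name not in nets:
            findings.append(f"missing subnet {name}")
        elif nets[name].prefixlen > 26:
            findings.append(f"{name} is /{nets[name].prefixlen}, smaller than /26")
    names = sorted(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(vnet):
            findings.append(f"{a} is outside the VNet range")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} overlaps {b}")
    # The route must send vm-SUBNET traffic to the firewall's private IP.
    route, fw = plan["route"], nets.get("AzureFirewallSubnet")
    if (route["next_hop_type"] != "VirtualAppliance" or fw is None
            or ip.ip_address(route["next_hop_ip"]) not in fw):
        findings.append("route next hop is not inside AzureFirewallSubnet")
    dnat, vm = plan["dnat"], nets.get(route["subnet"])
    if vm is None or ip.ip_address(dnat["translated_ip"]) not in vm:
        findings.append("DNAT target is not inside the routed subnet")
    if dnat["source"] in ("*", "0.0.0.0/0"):  # added check, not from the article
        findings.append("DNAT rule accepts RDP from any source address")
    return findings

if __name__ == "__main__":
    print(validate(PLAN) or "plan OK")
```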

Conclusion

Azure provides Azure Firewall, a cloud-based network security service whose aim is to protect your Azure virtual network and the resources in it. It achieves this by providing users and businesses with a set of features for network security and traffic management.

Article information

Author: Ouida Strosin DO
