Configure secure access to your workloads using Azure networking
Izuabueke Davidson Anujulu @izuabueke

Publish Date: Jun 17

Introduction

Networking is the process of connecting computers and other devices so they can communicate, share data, and access resources such as the internet, printers, or files. In this article we will see how to build this on Azure in a secure way.

Create and configure virtual networks

Virtual networks
A Virtual Network (VNet) is a software-defined network in the cloud that allows Azure resources (such as virtual machines, databases, and apps) to communicate securely with each other, with the internet, and with on-premises networks.

Key Features of a Virtual Network

Isolation: Each VNet is private and isolated from others.
Subnets: Divide the VNet into smaller sections for organization and security.
Communication: Resources in the same VNet can communicate directly with each other.
Internet Access: Public IP or NAT Gateway lets resources access the internet.
On-Premises Connection: Connect to your physical network using VPN or ExpressRoute.
Security: Use firewalls and Network Security Groups (NSGs) to control traffic.

Steps on creating hub and spoke virtual networks and subnets

a. First, sign in to the Azure portal: https://portal.azure.com

b. In the Azure portal, search for and select Virtual networks.
c. Select + Create and configure the app-vnet virtual network. This virtual network requires two subnets, frontend and backend. Use the following properties and values.
On the Basics tab: Resource group = RG1, Virtual network name = app-vnet, Region = East US
On the IP addresses tab: IPv4 address space = 10.1.0.0/16. Then, under Subnets, click Edit, enter the frontend subnet details and save:
Subnet name = frontend, Subnet address range = 10.1.0.0/24
After that, click Add a subnet at the top left, enter the backend subnet details and save:
Subnet name = backend, Subnet address range = 10.1.1.0/24
Note: Leave all other settings as their defaults. When finished, select Review + create and then Create.

d. Create the hub-vnet virtual network. This virtual network holds the firewall subnet. Use the following properties and values.
On the Basics tab: Resource group = RG1, Name = hub-vnet, Region = East US
On the IP addresses tab: IPv4 address space = 10.0.0.0/16
Then, under Subnets, click Edit. For Subnet purpose choose Azure Firewall; the subnet name changes to AzureFirewallSubnet automatically. Make sure the starting address is 10.0.0.0/26, save it, then select Review + create and Create.
Subnet name = AzureFirewallSubnet, Subnet address range = 10.0.0.0/26

e. Once the deployments are complete, search for and select Virtual networks.

f. Verify that both virtual networks and their subnets were deployed.

Configure a peering relationship between the virtual networks

Peering allows secure, private communication between VNets, even across subscriptions or regions.
To peer app-vnet and hub-vnet, follow the steps below.

a. Search for and select the app-vnet virtual network.

b. In the Settings blade, select Peerings.

c. Select + Add to add a peering between the two virtual networks, using the properties and values below.
Remote peering link name = app-vnet-to-hub
Virtual network = hub-vnet
Local virtual network peering link name = hub-to-app-vnet

Note: Leave all other settings as their defaults. Select Add to create the virtual network peering.

d. Once the deployment completes, verify that the peering status is Connected.
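The two virtual networks and the peering from the steps above can also be built from Azure Cloud Shell with the Az PowerShell module. This is an added example, not code from the original post or the lab; it assumes you are already signed in and that the resource group RG1 exists.

```powershell
# Added example: create app-vnet, hub-vnet and the peering with the Az PowerShell module.
# Assumes an authenticated session (Connect-AzAccount) and an existing resource group RG1.
$rg       = "RG1"
$location = "eastus"   # East US in the portal

# app-vnet: 10.1.0.0/16 with the frontend and backend subnets
$frontend = New-AzVirtualNetworkSubnetConfig -Name "frontend" -AddressPrefix "10.1.0.0/24"
$backend  = New-AzVirtualNetworkSubnetConfig -Name "backend"  -AddressPrefix "10.1.1.0/24"
$appVnet  = New-AzVirtualNetwork -Name "app-vnet" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.1.0.0/16" -Subnet $frontend, $backend

# hub-vnet: 10.0.0.0/16 with the firewall subnet. Azure requires the subnet to be named
# AzureFirewallSubnet and to be at least a /26.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.0.0/26"
$hubVnet  = New-AzVirtualNetwork -Name "hub-vnet" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet

# Peering must exist on both sides before the status changes from Initiated to Connected.
# The address spaces must not overlap (10.1.0.0/16 vs 10.0.0.0/16 here) or the request fails.
Add-AzVirtualNetworkPeering -Name "app-vnet-to-hub" -VirtualNetwork $appVnet `
    -RemoteVirtualNetworkId $hubVnet.Id | Out-Null
Add-AzVirtualNetworkPeering -Name "hub-to-app-vnet" -VirtualNetwork $hubVnet `
    -RemoteVirtualNetworkId $appVnet.Id | Out-Null

# Verify: each side should report PeeringState = Connected
foreach ($vnetName in "app-vnet", "hub-vnet") {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $vnetName |
        Select-Object Name, PeeringState
}
```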

Create and configure network security groups.

We will need two virtual machines, VM1 and VM2. To create them, open Azure Cloud Shell, paste the following commands and press Enter:

```powershell
$RGName = "RG1"

# Deploys VM1 and VM2 from the lab's ARM template into the resource group named above
New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateUri "https://raw.githubusercontent.com/MicrosoftLearning/Configure-secure-access-to-workloads-with-Azure-virtual-networking-services/main/Instructions/Labs/azuredeploy.json"
```

Note: if your resource group is not named RG1, use the correct resource group name.

In the portal, search for and select Virtual machines. Verify that both vm1 and vm2 are Running.

Create an application security group

a. In the portal, search for and select Application security groups.

b. Select + Create and configure the application security group using the following properties and values.
Subscription = your subscription, Resource group = RG1, Name = app-frontend-asg, Region = East US

c. Select Review + create and then select Create.

Note: You are creating the application security group in the same region as the existing virtual network.

Associate the application security group with the network interface of the VM

a. In the Azure portal, search for and select VM1.

b. In the Networking blade, select Application security groups and then select Add application security groups.

c. Select app-frontend-asg and then select Add.

Create and associate the network security group

a. In the portal, search for and select Network security groups.

b. Select + Create and configure the network security group using the following properties and values.
Subscription = your subscription, Resource group = RG1, Name = app-vnet-nsg, Region = East US

c. Select Review + create and then select Create.

Associate the NSG with the app-vnet backend subnet

a. Select Go to resource or navigate to the app-vnet-nsg resource.

b. In the Settings blade, select Subnets.

c. Select + Associate.

d. Select app-vnet (RG1) and then the backend subnet. Select OK.

Create network security group rules

a. In the search box at the top of the portal, enter Network security groups. Select Network security groups in the search results.

b. Select app-vnet-nsg from the list of network security groups.

c. In the Settings blade, select Inbound security rules.

d. Select + Add and configure an inbound security rule using the following properties and values.
Source = Any, Source port ranges = *
Destination = Application security group,
Destination application security group = app-frontend-asg,
Service = SSH, Action = Allow, Priority = 100,
Name = AllowSSH
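The application security group, the NSG, the AllowSSH rule and the backend subnet association from the steps above, as an added Az PowerShell example (not the post's own code). It assumes RG1, app-vnet and VM1 with a single NIC already exist and that you are signed in.

```powershell
# Added example: ASG + NSG + AllowSSH rule + backend-subnet association with Az PowerShell.
# Assumes RG1, app-vnet and VM1 (one NIC) already exist and you are signed in.
$rg       = "RG1"
$location = "eastus"

# 1. Application security group that VM1's NIC will be a member of
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $rg -Name "app-frontend-asg" -Location $location

# 2. Put VM1's network interface into the ASG
$vm  = Get-AzVM -ResourceGroupName $rg -Name "VM1"
$nic = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg)
$nic | Set-AzNetworkInterface | Out-Null

# 3. Inbound rule: SSH (TCP/22) to ASG members, priority 100. Source "*" is what the
#    walkthrough uses; in production narrow it to an admin IP range or use Azure Bastion.
$allowSsh = New-AzNetworkSecurityRuleConfig -Name "AllowSSH" -Direction Inbound -Access Allow `
    -Priority 100 -Protocol Tcp -SourceAddressPrefix "*" -SourcePortRange "*" `
    -DestinationApplicationSecurityGroupId $asg.Id -DestinationPortRange 22

# 4. NSG holding the rule
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "app-vnet-nsg" `
    -Location $location -SecurityRules $allowSsh

# 5. Associate the NSG with the backend subnet. The rule is only evaluated for traffic
#    entering a subnet (or NIC) the NSG is attached to; an ASG member in another subnet
#    is not affected by it.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "app-vnet"
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "backend" `
    -AddressPrefix "10.1.1.0/24" -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify: AllowSSH is evaluated before the default rules (lower priority number wins)
(Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name "app-vnet-nsg").SecurityRules |
    Select-Object Name, Priority, Direction, Access, DestinationPortRange
```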

Create and configure Azure Firewall

Azure Firewall is a cloud-native network security service provided and managed by Microsoft Azure. It filters and monitors inbound and outbound network traffic based on security rules.

Create an Azure Firewall subnet in the existing virtual network

a. In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.

b. Select app-vnet.

c. Select Subnets.

d. Select + Subnet.

e. Enter the following information and select Save.
Name = AzureFirewallSubnet, Address range = 10.1.63.0/26
Note: Leave all other settings as their defaults.

Create an Azure Firewall

a. In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.

b. Select + Create.

c. Create the firewall using the values below. For any property that is not specified, use the default value.
Resource group = RG1, Name = app-vnet-firewall,
Firewall SKU = Standard,
Firewall management = Use a Firewall Policy to manage this firewall,
Firewall policy = Add new, Policy name = fw-policy,
Region = East US, Policy tier = Standard,
Choose a virtual network = Use existing,
Virtual network = app-vnet (RG1),
Public IP address = Add new: fwpip

d. Select Review + create and then select Create.

Update the firewall policy
In the portal, search for and select Firewall policies, then select fw-policy.

Add an application rule
a. In the fw-policy firewall policy, open the Rules blade, select Application rules and then Add a rule collection.

b. Configure the application rule collection and then select Add, using the following properties and values.
Name = app-vnet-fw-rule-collection,
Rule collection type = Application, Priority = 200,
Rule collection action = Allow,
Rule collection group = DefaultApplicationRuleCollectionGroup,
Rule name = AllowAzurePipelines, Source type = IP address,
Source = 10.1.0.0/23, Protocol = https,
Destination type = FQDN,
Destination = dev.azure.com, azure.microsoft.com

Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines, that is, the Azure DevOps service (dev.azure.com) and the Azure website (azure.microsoft.com).

Add a network rule
a. In the fw-policy firewall policy, open the Rules blade, select Network rules and then Add a rule collection.

b. Configure the network rule collection and then select Add, using the following properties and values.
Name = app-vnet-fw-nrc-dns,
Rule collection type = Network, Priority = 200,
Rule collection action = Allow,
Rule collection group = DefaultNetworkRuleCollectionGroup,
Rule = AllowDns, Source = 10.1.0.0/23,
Protocol = UDP, Destination ports = 53,
Destination addresses = 1.1.1.1, 1.0.0.1
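Both rule collections above (the application rule and the network rule), as an added Az PowerShell example that is not the post's own code. It assumes fw-policy already exists in RG1 and that the two rule collection groups have not yet been created in it; if the portal has already created them, update them with Set-AzFirewallPolicyRuleCollectionGroup instead of New-.

```powershell
# Added example: add the application and network rule collections to fw-policy.
# Assumes fw-policy exists in RG1 and the rule collection groups are not yet present.
$rg     = "RG1"
$policy = Get-AzFirewallPolicy -ResourceGroupName $rg -Name "fw-policy"

# Application rule: HTTPS from the app-vnet subnets to the two Azure DevOps FQDNs.
# 10.1.0.0/23 covers both frontend (10.1.0.0/24) and backend (10.1.1.0/24).
$appRule = New-AzFirewallPolicyApplicationRule -Name "AllowAzurePipelines" `
    -SourceAddress "10.1.0.0/23" -Protocol "https:443" `
    -TargetFqdn "dev.azure.com", "azure.microsoft.com"
$appCollection = New-AzFirewallPolicyFilterRuleCollection -Name "app-vnet-fw-rule-collection" `
    -Priority 200 -ActionType Allow -Rule $appRule

# Network rule: DNS (UDP/53) from the same subnets to the two resolvers only
$dnsRule = New-AzFirewallPolicyNetworkRule -Name "AllowDns" -Protocol UDP `
    -SourceAddress "10.1.0.0/23" -DestinationAddress "1.1.1.1", "1.0.0.1" -DestinationPort 53
$netCollection = New-AzFirewallPolicyFilterRuleCollection -Name "app-vnet-fw-nrc-dns" `
    -Priority 200 -ActionType Allow -Rule $dnsRule

# Rule collection groups with the names and priorities the portal uses for its defaults
# (network group 200, application group 300). Azure Firewall evaluates network rules
# before application rules, so DNS resolution is allowed before the FQDN rule is checked.
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultNetworkRuleCollectionGroup" -Priority 200 `
    -RuleCollection $netCollection -FirewallPolicyObject $policy | Out-Null
New-AzFirewallPolicyRuleCollectionGroup -Name "DefaultApplicationRuleCollectionGroup" -Priority 300 `
    -RuleCollection $appCollection -FirewallPolicyObject $policy | Out-Null

# Verify: each group should now contain exactly one rule collection
foreach ($group in "DefaultNetworkRuleCollectionGroup", "DefaultApplicationRuleCollectionGroup") {
    (Get-AzFirewallPolicyRuleCollectionGroup -Name $group -AzureFirewallPolicy $policy).Properties.RuleCollection |
        Select-Object Name, Priority
}
```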

Verify the firewall and firewall policy status
a. In the portal, search for and select Firewall.

b. View app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.

c. In the portal, search for and select Firewall policies.

d. View fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.

Configure network routing

Create a route table
Record the private IP address of app-vnet-firewall

a. In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.

b. Select app-vnet-firewall.

c. Select Overview and record the Private IP address.

Add the route table

a. In the search box, enter Route tables. When Route tables appears in the search results, select it.

b. On the Route tables page, select + Create and create the route table using the properties and values below.
Resource group = RG1, Region = East US,
Name = app-vnet-firewall-rt

c. Select Review + create and then select Create.

d. Wait for the route table to deploy, then select Go to resource.

Associate the route table with the subnets
a. In the portal, continue working with the route table: select app-vnet-firewall-rt.

b. In the Settings blade, select Subnets and then + Associate.

c. Configure an association to the frontend subnet, then select OK, using the properties and values below.
Virtual network = app-vnet (RG1), Subnet = frontend

d. Configure an association to the backend subnet, then select OK, using the properties and values below.
Virtual network = app-vnet (RG1), Subnet = backend

Create a route in the route table
a. In the portal, continue working with the route table: select app-vnet-firewall-rt.

b. In the Settings blade, select Routes and then + Add.

c. Configure the route, then select Add, using the properties and values below.
Route name = outbound-firewall,
Destination type = IP addresses,
Destination IP addresses/CIDR range = 0.0.0.0/0,
Next hop type = Virtual appliance,
Next hop address = private IP address of the firewall
Note: The next hop address is the private IP address of app-vnet-firewall that you recorded earlier.
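The route table, the default route and the two subnet associations above, as an added Az PowerShell example (not the post's own code). It assumes app-vnet-firewall is already deployed and that VM1 is running in app-vnet so that its effective routes can be read back.

```powershell
# Added example: route all egress from the app-vnet subnets through the firewall.
# Assumes RG1, app-vnet, app-vnet-firewall and a running VM1 already exist.
$rg       = "RG1"
$location = "eastus"

# The firewall's private IP is the next hop; read it instead of copying it by hand
$fw          = Get-AzFirewall -ResourceGroupName $rg -Name "app-vnet-firewall"
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 0.0.0.0/0 -> virtual appliance. This overrides the system default route to the Internet.
$route = New-AzRouteConfig -Name "outbound-firewall" -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name "app-vnet-firewall-rt" `
    -Location $location -Route $route

# Associate with frontend and backend by setting the subnet property directly, which keeps
# the NSG already attached to backend. Do not associate it with AzureFirewallSubnet, or the
# firewall's own outbound traffic would be routed back to itself.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "app-vnet"
foreach ($subnet in ($vnet.Subnets | Where-Object { $_.Name -in "frontend", "backend" })) {
    $subnet.RouteTable = $rt
}
$vnet | Set-AzVirtualNetwork | Out-Null

# Verify on VM1's NIC: the 0.0.0.0/0 route should now be Source = User with next hop
# VirtualAppliance = firewall IP, while the system Internet route shows State = Invalid.
$vm      = Get-AzVM -ResourceGroupName $rg -Name "VM1"
$nicName = ($vm.NetworkProfile.NetworkInterfaces[0].Id -split "/")[-1]
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName $nicName |
    Where-Object { $_.AddressPrefix -contains "0.0.0.0/0" } |
    Select-Object Source, State, NextHopType, NextHopIpAddress
```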

Create DNS zones and configure DNS settings

Create a private DNS zone
a. In the Azure portal, search for and select Private DNS zones.

b. Select + Create and configure the DNS zone using the following properties and values.
Resource group = RG1, Name = private.contoso.com,
Region = East US

c. Select Review + create and then select Create.

d. Wait for the DNS zone to deploy, and then select Go to resource.
Create a virtual network link to your private DNS zone
a. In the portal, continue working on the private.contoso.com DNS zone.

b. In the DNS Management blade, select Virtual network links.

c. Select + Add and configure the virtual network link using the following properties and values.
Link name = app-vnet-link, Virtual network = app-vnet,
Enable auto registration = Enabled

d. Select Create and wait for the deployment to finish. If necessary, refresh the page.
Create a DNS record set
a. In the portal, continue working on the private.contoso.com DNS zone.

b. In the DNS Management blade, select + Recordsets.

c. Notice that two A records have been created automatically, one for each of the virtual machines.

d. Select + Add and configure a record set using the following properties and values. When finished, select Add.
Name = backend, Type = A, TTL = 1, IP address = 10.1.1.5
Note: This record set implies there is a virtual machine in app-vnet with a private IP address of 10.1.1.5.
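The private zone, the auto-registration link and the manual A record from the steps above, as an added Az PowerShell example (not the post's own code). It assumes RG1 and app-vnet already exist and that you are signed in.

```powershell
# Added example: private DNS zone, auto-registration link and a manual A record.
# Assumes RG1 and app-vnet already exist and you are signed in.
$rg = "RG1"

# Private DNS zones are global resources, so there is no -Location parameter
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name "private.contoso.com"

# Link app-vnet with auto-registration: every VM NIC in the VNet gets an A record named
# after the VM's hostname, created and removed together with the VM.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name "app-vnet"
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name "app-vnet-link" -VirtualNetworkId $vnet.Id -EnableRegistration | Out-Null

# Manual record: backend.private.contoso.com -> 10.1.1.5 with the walkthrough's TTL of 1 second
$backendIp = New-AzPrivateDnsRecordConfig -Ipv4Address "10.1.1.5"
New-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone.Name -Name "backend" `
    -RecordType A -Ttl 1 -PrivateDnsRecords $backendIp | Out-Null

# Verify: the auto-registered VM records plus the manual backend record
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone.Name -RecordType A |
    Select-Object Name, Ttl, @{ Name = "IPv4"; Expression = { $_.Records.Ipv4Address -join ", " } }
```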

Thanks for reading to the end; I hope you learned something.
Feel free to comment, like and share with your friends.
