Deploy And Configure An Azure Firewall Instance.
Lotanna Obianefo


Publish Date: May 20

Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. The organization mandates centralized network security for the application virtual network. With the anticipated rise in application usage, there will be a need for finer-grained application-level filtering and enhanced threat protection. Additionally, the application is expected to require ongoing updates from Azure DevOps pipelines.

Azure Firewall is essential for enhanced security within the app-vnet. A firewall policy must be established to regulate access to the application.

An application rule within the firewall policy is necessary to permit the application to connect to Azure DevOps for code updates, and a network rule in the firewall policy is required to enable DNS resolution.

Establish an Azure Firewall subnet within the existing virtual network

In the search bar located at the top of the portal, type Virtual networks. Choose Virtual networks from the search results. Select app-vnet. Navigate to Subnets. Click + Subnet. Input the specified details and click Save. Leave all other settings as default.

Name==>AzureFirewallSubnet
Address range==>10.1.63.0/26


Deploy an Azure Firewall instance
In the search bar at the top of the portal, type Firewall and select Firewall from the search results. Click + Create. Note that Firewall Manager serves as the repository for the list of firewalls within the resource.

Deploy a firewall using the values provided in the table below. For any unspecified property, retain the default value.

Resource group==>RG1
Name==>app-vnet-firewall
Firewall SKU==>Standard
Firewall management==>Use a Firewall Policy to manage this firewall
Firewall policy select==>Add new
Policy name==>fw-policy
Region==>East US
Policy Tier==>Standard
Choose a virtual network==>Use existing
Virtual network==>app-vnet (RG1)
Public IP address==>Add new: fwpip


Modify the existing Firewall Policy.

In the portal, navigate to Firewall Policies and select fw-policy.

To add an application rule:
In the Rules blade, go to Application rules and select Add a rule collection. Configure the application rule collection, then click Add to save it.

Name==>app-vnet-fw-rule-collection
Rule collection type==>Application
Priority==>200
Rule collection action==>Allow
Rule collection group==>DefaultApplicationRuleCollectionGroup
Name==>AllowAzurePipelines
Source type==>IP address
Source==>10.1.0.0/23
Protocol==>https
Destination type==>FQDN
Destination==>dev.azure.com, azure.microsoft.com

The AllowAzurePipelines rule enables the web application to connect to Azure Pipelines. It grants access to both the Azure DevOps service and the Azure website.

To add a network rule:
In the Rules blade, choose Network rules and click Add a network collection. Set up the network rule by inputting these values, then select Add to apply the changes.

Name==>app-vnet-fw-nrc-dns
Rule collection type==>Network
Priority==>200
Rule collection action==>Allow
Rule collection group==>DefaultNetworkRuleCollectionGroup
Rule==>AllowDns
Source==>10.1.0.0/23
Protocol==>UDP
Destination ports==>53
Destination addresses==>1.1.1.1, 1.0.0.1
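
To see what the two rule collections above actually permit, here is an added Python example (not part of the original article and not Azure's own code) that models the rules and evaluates a few constructed flows. It assumes network rules are checked before application rules, unmatched traffic is denied, https means port 443, and FQDN entries without a wildcard match exactly; the host address 10.1.0.4 is made up.

```python
import ipaddress

# Rule values copied from the tables above. Simplified model, not Azure's code.
NETWORK_RULES = [{
    "name": "AllowDns", "sources": ["10.1.0.0/23"], "protocol": "UDP",
    "ports": [53], "destinations": ["1.1.1.1", "1.0.0.1"],
}]
APPLICATION_RULES = [{
    "name": "AllowAzurePipelines", "sources": ["10.1.0.0/23"],
    "protocol": "https", "fqdns": ["dev.azure.com", "azure.microsoft.com"],
}]

def _in_any(ip, cidrs):
    """True if ip falls inside any of the given addresses or CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

def evaluate(src, protocol, port, dst_ip=None, fqdn=None):
    """Return (decision, rule_name) for one outbound flow."""
    # Assumption: network rules are checked before application rules.
    for r in NETWORK_RULES:
        if (dst_ip and _in_any(src, r["sources"])
                and protocol.upper() == r["protocol"]
                and port in r["ports"]
                and _in_any(dst_ip, r["destinations"])):
            return ("Allow", r["name"])
    for r in APPLICATION_RULES:
        # Assumption: "https" means port 443; FQDNs without "*" match exactly.
        if (fqdn and _in_any(src, r["sources"])
                and protocol.lower() == r["protocol"] and port == 443
                and fqdn.lower() in r["fqdns"]):
            return ("Allow", r["name"])
    return ("Deny", None)  # nothing matched: denied by default

def subnet_ok(name, prefix):
    """The firewall subnet must be named AzureFirewallSubnet and be /26 or larger."""
    return (name == "AzureFirewallSubnet"
            and ipaddress.ip_network(prefix).prefixlen <= 26)

if __name__ == "__main__":
    # Constructed sample flows; 10.1.0.4 is a made-up host inside 10.1.0.0/23.
    print(subnet_ok("AzureFirewallSubnet", "10.1.63.0/26"))
    print(evaluate("10.1.0.4", "https", 443, fqdn="dev.azure.com"))
    print(evaluate("10.1.0.4", "https", 443, fqdn="example.com"))
    print(evaluate("10.1.0.4", "UDP", 53, dst_ip="1.1.1.1"))
    print(evaluate("10.1.0.4", "TCP", 53, dst_ip="1.1.1.1"))
    print(evaluate("10.1.0.4", "UDP", 53, dst_ip="8.8.8.8"))
```

The TCP/53 and 8.8.8.8 flows are denied because AllowDns covers only UDP to 1.1.1.1 and 1.0.0.1, so workloads in the source range have to use those resolvers for lookups to pass the firewall.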


Verify the Firewall and Firewall Policy Status

In the portal, search for and select Firewall. Locate app-vnet-firewall and confirm that the Provisioning state is set to Succeeded. This process may take a few minutes.

Next, search for and select Firewall policies in the portal. Find fw-policy and ensure its Provisioning state is also Succeeded. This may take a few minutes as well.

Hence, implementing Azure Firewall for the app-vnet involves deploying a firewall, configuring a policy with application and network rules for Azure DevOps access and DNS resolution, and enabling monitoring. These measures ensure enhanced security and operational efficiency.
