Azure-Advanced-Networking

M06-Unit 9 Secure your virtual hub using Azure Firewall Manager

In this exercise, you will create two spoke virtual networks and a secured virtual hub, then connect the hub and spoke virtual networks and route traffic through your hub. Next you will deploy the workload servers, then create a firewall policy and secure your hub, and finally you will test the firewall.

Create a hub and spoke architecture

In this part of the exercise, you will create the spoke virtual networks and subnets where you will place the workload servers. Then you will create the secured virtual hub and connect the hub and spoke virtual networks.

In this exercise, you will:

  • Create two spoke virtual networks and subnets (Task 1)
  • Create the secured virtual hub (Task 2)
  • Connect the hub and spoke virtual networks (Task 3)
  • Deploy the workload servers (Task 4)
  • Create a firewall policy and associate it with the hub (Tasks 5 and 6)
  • Route traffic through the firewall (Task 7)
  • Test the application and network rules (Tasks 8 and 9)
  • Clean up resources (Task 10)

Estimated time: 60 minutes

Task 1: Create two spoke virtual networks and subnets

In this task, you will create the two spoke virtual networks each containing a subnet that will host your workload servers.

  1. On the Azure portal home page, in the search box, type virtual network and select Virtual Network when it appears.
  2. Select Create.

Important Note:

If the CREATE VIRTUAL NETWORK tab order is "Basics | Security | IP Addresses | Tags | Review + Create", use the Option 1 instructions.

If the CREATE VIRTUAL NETWORK tab order is "Basics | IP Addresses | Security | Tags | Review + Create", scroll down and use the Option 2 instructions.

Option 1 instructions

  1. On the Create virtual network pane, on the Basics tab, use the information in the following table to create the VNet:

    Setting                 Value
    Resource group          Create new: fw-manager-rg
    Virtual network name    Spoke-01
    Region                  East US

  2. Click Next.

  3. On the Security tab, click Next.

  4. On the IP addresses tab, in the Address space section, check that the address space is set to 10.0.0.0/16.

Note: If the address space is different, delete it and re-create a 10.0.0.0/16 address space.

  5. In the Address space section, under Subnets, select default.

  6. On the Edit subnet blade, use the information in the following table to edit the current subnet (leave the other settings at their default values):

    Setting             Value
    Name                Workload-01-SN
    Starting address    10.0.1.0
    Subnet size         /24 (256 addresses)

  7. Click Save.

  8. Click Review + create. Wait for validation to pass, then click Create to submit your deployment.

Repeat the Option 1 steps above to create another similar virtual network and subnet, but using the following information:

    Setting                   Value
    Resource group            Select: fw-manager-rg
    Virtual network name      Spoke-02
    Region                    East US
    Address space             Edit the default address space using the following settings.
      Starting address        10.1.0.0
      Address space size      /16 (65536 addresses)
    Subnet details
      Subnet template         Default
      Name                    Workload-02-SN
      Starting address        10.1.1.0
      Subnet size             /24 (256 addresses)

Save the subnet, then select Review + create, then Create.

If you carried out the Option 1 instructions, go to Task 2.

Option 2 instructions

  1. In Resource group, select Create new, and enter fw-manager-rg as the name and select OK.

  2. In Name, enter Spoke-01.

  3. In Region, select East US (the region used for every resource in this exercise).

  4. Select Next: IP Addresses.

  5. In IPv4 address space, enter 10.0.0.0/16.

  6. Delete any other address spaces listed here, such as 10.1.0.0/16.

  7. Under Subnet name, select the word default.

  8. In the Edit subnet dialog box, change the name to Workload-01-SN.

  9. Change the Subnet address range to 10.0.1.0/24.

  10. Select Save.

  11. Select Review + create.

  12. Select Create.

Repeat steps 1 to 12 above to create another similar virtual network and subnet, using the Spoke-02 values from the table at the end of the Option 1 instructions: resource group fw-manager-rg, name Spoke-02, IPv4 address space 10.1.0.0/16, and subnet Workload-02-SN with address range 10.1.1.0/24.

Task 2: Create the secured virtual hub

In this task you will create your secured virtual hub using Firewall Manager.

  1. From the Azure portal home page, select More services.

  2. In the search box, type firewall manager and select Firewall Manager when it appears.

  3. On the Firewall Manager Overview page, select View secured virtual hubs.

  4. On the Virtual hubs page, select Create new secured virtual hub.

  5. For Resource group, select fw-manager-rg.

  6. For Region, select East US.

  7. For the Secured virtual hub name, enter Hub-01.

  8. For Hub address space, enter 10.2.0.0/16.

  9. Choose New vWAN.

  10. In Virtual WAN Name, enter Vwan-01.

  11. For Type, Leave the default Standard.

  12. Select Next: Azure Firewall. Leave the default settings on this tab, so that an Azure Firewall is deployed into the hub.

    Create new secured virtual hub - Basics tab

  13. Select Next: Security Partner Provider.

  14. Select Next: Review + create, and wait for validation to complete.

  15. Select Create.

    Note: This can take up to 30 minutes to deploy.

    Create new secured virtual hub - Review + create tab

  16. When the deployment completes, from the Azure portal home page, select More services.

  17. In the search box, type firewall manager and select Firewall Manager when it appears.

  18. On the Firewall Manager page, select Virtual hubs.

  19. Select Hub-01.

  20. Select Public IP configuration.

  21. Note down the public IP address (e.g., 51.143.226.18), which you will use later.

Task 3: Connect the hub and spoke virtual networks

In this task you will connect the hub and spoke virtual networks. A Virtual WAN virtual network connection is implemented as a peering between each spoke VNet and the hub, so this is commonly referred to as peering.

  1. From the Azure portal home page, select Resource groups.

  2. Select the fw-manager-rg resource group, then select the Vwan-01 virtual WAN.

  3. Under Connectivity, select Virtual network connections.

  4. Select Add connection.

  5. For Connection name, enter hub-spoke-01.

  6. For Hubs, select Hub-01.

  7. For Resource group, select fw-manager-rg.

  8. For Virtual network, select Spoke-01.

  9. Select Create.

    Add hub and spoke connection to virtual WAN - Spoke 1

  10. Repeat steps 4 to 9 above to create another similar connection but using the connection name of hub-spoke-02 to connect the Spoke-02 virtual network.

Add hub and spoke connection to virtual WAN - Spoke 2

Wait for deployments to complete before doing the next Task.
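The hub-and-spoke build from Tasks 1 to 3 can also be scripted. The following is an added example, not part of the original lab, written for the Az PowerShell module in Cloud Shell. Resource names and address ranges match the lab; the firewall name AzFW-Hub-01 is an assumption (the portal names the hub firewall for you), and the script creates Policy-01 empty up front because a hub firewall is managed through a Firewall Policy, which also completes the association that Task 6 does in the portal.

```powershell
# Added example (not part of the lab): Tasks 1 to 3 as an Az PowerShell script.
# Run in Cloud Shell (PowerShell) with the Az.Network module.
$rg  = "fw-manager-rg"
$loc = "East US"

New-AzResourceGroup -Name $rg -Location $loc -Force | Out-Null

# Task 1: two spoke VNets, each with one workload subnet
$spokes = @(
    @{ Name = "Spoke-01"; Prefix = "10.0.0.0/16"; Subnet = "Workload-01-SN"; SubnetPrefix = "10.0.1.0/24" },
    @{ Name = "Spoke-02"; Prefix = "10.1.0.0/16"; Subnet = "Workload-02-SN"; SubnetPrefix = "10.1.1.0/24" }
)
$vnets = foreach ($s in $spokes) {
    $subnet = New-AzVirtualNetworkSubnetConfig -Name $s.Subnet -AddressPrefix $s.SubnetPrefix
    New-AzVirtualNetwork -Name $s.Name -ResourceGroupName $rg -Location $loc `
        -AddressPrefix $s.Prefix -Subnet $subnet
}

# Task 2: Standard Virtual WAN, a hub with its own /16, and an Azure Firewall in the hub.
$vwan = New-AzVirtualWan -Name "Vwan-01" -ResourceGroupName $rg -Location $loc -VirtualWANType "Standard"
$hub  = New-AzVirtualHub -Name "Hub-01" -ResourceGroupName $rg -Location $loc `
        -VirtualWan $vwan -AddressPrefix "10.2.0.0/16"

# Hub firewalls use Firewall Policy (not classic rules); an empty Policy-01 is created now
# and the rule collections from Task 5 are added to it later.
$policy = New-AzFirewallPolicy -Name "Policy-01" -ResourceGroupName $rg -Location $loc

# One public IP on the hub firewall (SKU AZFW_Hub); it is the DNAT target in Task 5.
$hubIp = New-AzFirewallHubIpAddress -PublicIP (New-AzFirewallHubPublicIpAddress -Count 1)
$fw = New-AzFirewall -Name "AzFW-Hub-01" -ResourceGroupName $rg -Location $loc `   # name is an assumption
        -VirtualHubId $hub.Id -SkuName "AZFW_Hub" -SkuTier "Standard" `
        -HubIPAddress $hubIp -FirewallPolicyId $policy.Id

# Task 3: connect each spoke to the hub (hub-spoke-01, hub-spoke-02)
$i = 1
foreach ($v in $vnets) {
    New-AzVirtualHubVnetConnection -ResourceGroupName $rg -ParentResourceName $hub.Name `
        -Name ("hub-spoke-{0:D2}" -f $i) -RemoteVirtualNetwork $v | Out-Null
    $i++
}

# The firewall's public IP, needed for the DNAT rule (Task 5) and the RDP test (Task 8).
# Property path as returned by Get-AzFirewall for a hub firewall; confirm it against the
# portal's Public IP configuration page if it differs in your module version.
$fwPublicIp = $fw.HubIPAddresses.PublicIPs.Addresses[0].Address
"Firewall public IP: $fwPublicIp"
```

The hub deployment is the slow part (the portal note of up to 30 minutes applies here too); New-AzVirtualHub and New-AzFirewall block until their resources are provisioned.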

Task 4: Deploy the servers

  1. On the Azure portal, open the PowerShell session within the Cloud Shell pane.

  2. In the toolbar of the Cloud Shell pane, select the Upload/Download files icon, in the drop-down menu, select Upload and upload the following files FirewallManager.json and FirewallManager.parameters.json into the Cloud Shell home directory one by one from the source folder F:\Allfiles\Exercises\M06.

  3. Deploy the ARM template to create the two workload VMs needed for this exercise:

    # Resource group that holds the spoke VNets; the template places one VM in each workload subnet
    $RGName = "fw-manager-rg"

    New-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile FirewallManager.json -TemplateParameterFile FirewallManager.parameters.json

  4. When prompted for adminpassword, enter Pa55w.rd1234?? (where ?? = your initials). This is a lab-only credential for servers that will shortly be reachable over RDP from the internet through the firewall's DNAT rule; do not reuse it anywhere else.

  5. When the deployment is complete, go to the Azure portal home page, and then select Virtual Machines.

  6. On the Overview page of Srv-workload-01, in the right-hand pane, under the Networking section, note down the Private IP address (e.g., 10.0.1.4).

  7. On the Overview page of Srv-workload-02, in the right-hand pane, under the Networking section, note down the Private IP address (e.g., 10.1.1.4).

Task 5: Create a firewall policy and secure your hub

In this task you will first create your firewall policy, then secure your hub. The firewall policy defines collections of rules (application, network and DNAT) that Azure Firewall uses to filter traffic on one or more secured virtual hubs.

  1. From the Azure portal home page, select Firewall Manager.
    • If the Firewall Manager icon does not appear on the homepage, then select More services. Then in the search box, type firewall manager and select Firewall Manager when it appears.
  2. From Firewall Manager, under the Security heading in the menu, select Azure Firewall Policies.

  3. Select Create Azure Firewall Policy.

  4. On Resource group, select fw-manager-rg.

  5. Under Policy details, for the Name, enter Policy-01.

  6. On Region select East US.

  7. On Policy tier, select Standard.

  8. Select Next : DNS Settings.

  9. Select Next : TLS Inspection.

  10. Select Next : Rules.

  11. On the Rules tab, select Add a rule collection.

  12. On the Add a rule collection page, in Name, enter App-RC-01.

  13. For Rule collection type, select Application.

  14. For Priority, enter 100.

  15. Ensure Rule collection action is Allow.

  16. Under Rules, in Name type Allow-msft.

  17. For the Source type, select IP Address.

  18. For Source, enter *.

  19. For Protocol, enter http,https.

  20. Ensure Destination type is FQDN.

  21. For Destination, enter *.microsoft.com.

  22. Select Add.

    Add application rule collection to firewall policy

  23. To add a DNAT rule so you can connect a remote desktop to the Srv-workload-01 VM, select Add a rule collection. For this lab the rule accepts RDP from any source (*); in a production deployment you would restrict Source to the public IP ranges your administrators connect from.

  24. For Name, enter dnat-rdp.

  25. For Rule collection type, select DNAT.

  26. For Priority, enter 100.

  27. Under Rules, in Name enter Allow-rdp.

  28. For the Source type, select IP Address.

  29. For Source, enter *.

  30. For Protocol, select TCP.

  31. For Destination Ports, enter 3389.

  32. For Destination Type, select IP Address.

  33. For Destination, enter the firewall virtual hub public IP address that you noted down earlier (e.g., 51.143.226.18).

  34. For Translated address, enter the private IP address for Srv-workload-01 that you noted down earlier (e.g., 10.0.1.4).

  35. For Translated port, enter 3389.

  36. Select Add.

  37. To add a Network rule so you can connect a remote desktop from Srv-workload-01 to the Srv-workload-02 VM, select Add a rule collection. As with the DNAT rule, the lab uses * as the source; in production you would scope it to the Workload-01-SN subnet (10.0.1.0/24).

  38. For Name, enter vnet-rdp.

  39. For Rule collection type, select Network.

  40. For Priority, enter 100.

  41. For Rule collection action, select Allow.

  42. Under Rules, in Name enter Allow-vnet.

  43. For the Source type, select IP Address.

  44. For Source, enter *.

  45. For Protocol, select TCP.

  46. For Destination Ports, enter 3389.

  47. For Destination Type, select IP Address.

  48. For Destination, enter the private IP address for Srv-workload-02 that you noted down earlier (e.g., 10.1.1.4).

  49. Select Add.

    List rule collections in the firewall policy

  50. You should now have 3 rule collections listed.

  51. Select Review + create: Wait for validation to complete.

  52. Select Create.

Task 6: Associate the firewall policy

In this task you will associate the firewall policy with the virtual hub.

  1. From the Azure portal home page, select Firewall Manager.
    • If the Firewall Manager icon does not appear on the homepage, then select More services. Then in the search box, type firewall manager and select Firewall Manager when it appears.
  2. On Firewall Manager, under Security, select Azure Firewall Policies.

  3. Select the checkbox for Policy-01.

  4. Select Manage associations > Associate hubs.

  5. Select the checkbox for Hub-01.

  6. Select Add.

  7. Wait for the deployment to complete.

  8. When the policy has been attached, select Refresh. The association should be displayed.

Show associated firewall policy on hub

Task 7: Route traffic to your hub

In this task you will ensure that network traffic gets routed through your firewall.

  1. On Firewall Manager, select Virtual hubs.

  2. Select Hub-01.

  3. Under Settings, select Security configuration.

  4. On Internet traffic, select Azure Firewall.

  5. On Private traffic, select Send via Azure Firewall.

  6. Select Save.

  7. Select OK on the warning message.

Once the configuration has completed (this can take up to 10 minutes), check that under INTERNET TRAFFIC and PRIVATE TRAFFIC both hub-spoke connections show Secured by Azure Firewall.
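The policy from Task 5 and the hub security configuration from Task 7, written as an Az PowerShell script. This is an added example, not part of the original lab, and is an alternative to the portal steps rather than a repeat of them: it assumes the hub and its firewall from Task 2 exist and that Policy-01 is (or, via Task 6, will be) the policy associated with that firewall, and it creates Policy-01 only if it does not exist yet; if you already added the three rule collections in the portal, skip the rule section. Two deliberate tightenings versus the lab values are marked in the comments: the DNAT rule's Source is an administrator CIDR instead of *, and the network rule's Source is the Workload-01 subnet instead of *. The rule collection group names, the $adminCidr placeholder, and the use of routing intent for the Task 7 step are my assumptions.

```powershell
# Added example (not part of the lab): Task 5 and Task 7 as an Az PowerShell script.
$rg  = "fw-manager-rg"
$loc = "East US"
$srv01Ip   = "10.0.1.4"          # Srv-workload-01 private IP noted in Task 4 (replace with yours)
$srv02Ip   = "10.1.1.4"          # Srv-workload-02 private IP noted in Task 4 (replace with yours)
$adminCidr = "203.0.113.7/32"    # ASSUMPTION: your client's public IP (RFC 5737 placeholder); lab uses "*"

$hub = Get-AzVirtualHub -ResourceGroupName $rg -Name "Hub-01"
$fw  = Get-AzFirewall -ResourceGroupName $rg | Where-Object { $_.VirtualHub.Id -eq $hub.Id }
$fwPublicIp = $fw.HubIPAddresses.PublicIPs.Addresses[0].Address   # the value noted in Task 2 step 21

$policy = Get-AzFirewallPolicy -Name "Policy-01" -ResourceGroupName $rg -ErrorAction SilentlyContinue
if (-not $policy) {
    $policy = New-AzFirewallPolicy -Name "Policy-01" -ResourceGroupName $rg -Location $loc
}

# App-RC-01: allow HTTP/HTTPS only to *.microsoft.com. Without TLS inspection the HTTPS
# match is on the TLS SNI, so everything else (Task 8's google.com test) is dropped.
$appRule = New-AzFirewallPolicyApplicationRule -Name "Allow-msft" -SourceAddress "*" `
    -Protocol "http:80", "https:443" -TargetFqdn "*.microsoft.com"
$appRc = New-AzFirewallPolicyFilterRuleCollection -Name "App-RC-01" -Priority 100 `
    -ActionType Allow -Rule $appRule

# dnat-rdp: publish RDP on the firewall public IP to Srv-workload-01.
# Tightened: Source is $adminCidr rather than the lab's "*".
$natRule = New-AzFirewallPolicyNatRule -Name "Allow-rdp" -Protocol "TCP" -SourceAddress $adminCidr `
    -DestinationAddress $fwPublicIp -DestinationPort "3389" `
    -TranslatedAddress $srv01Ip -TranslatedPort "3389"
$natRc = New-AzFirewallPolicyNatRuleCollection -Name "dnat-rdp" -Priority 100 `
    -ActionType Dnat -Rule $natRule

# vnet-rdp: RDP from Spoke-01 to Srv-workload-02 across the hub.
# Tightened: Source is the Workload-01-SN subnet rather than the lab's "*".
$netRule = New-AzFirewallPolicyNetworkRule -Name "Allow-vnet" -Protocol "TCP" `
    -SourceAddress "10.0.1.0/24" -DestinationAddress $srv02Ip -DestinationPort "3389"
$netRc = New-AzFirewallPolicyFilterRuleCollection -Name "vnet-rdp" -Priority 100 `
    -ActionType Allow -Rule $netRule

# Azure Firewall evaluates DNAT, then network, then application rule collections regardless
# of priority numbers; one group per type (names are my own) keeps that order visible and
# lets the three collections keep the lab's shared priority of 100.
$groups = @(
    @{ Name = "DnatRuleCollectionGroup";        Priority = 100; Collection = $natRc },
    @{ Name = "NetworkRuleCollectionGroup";     Priority = 200; Collection = $netRc },
    @{ Name = "ApplicationRuleCollectionGroup"; Priority = 300; Collection = $appRc }
)
foreach ($g in $groups) {
    New-AzFirewallPolicyRuleCollectionGroup -Name $g.Name -Priority $g.Priority `
        -RuleCollection $g.Collection -FirewallPolicyObject $policy | Out-Null
}

# Task 7 equivalent (ASSUMPTION: the hub uses routing intent, as the Security configuration
# page does): send Internet-bound and private (RFC 1918) traffic via the hub firewall.
$private = New-AzRoutingPolicy -Name "PrivateTraffic" -Destination @("PrivateTraffic") -NextHop $fw.Id
$public  = New-AzRoutingPolicy -Name "PublicTraffic"  -Destination @("Internet")       -NextHop $fw.Id
New-AzRoutingIntent -ResourceGroupName $rg -VirtualHubName $hub.Name -Name "hubRoutingIntent" `
    -RoutingPolicy @($private, $public) | Out-Null
```

After the routing intent is applied, the Security configuration page should show Secured by Azure Firewall for both connections, exactly as described above; if you kept the lab's * sources instead of the tightened ones, the Task 8 and Task 9 tests behave identically.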

Task 8: Test the application rule

In this part of the exercise, you will connect a remote desktop to the firewall public IP address, which is NATed to Srv-Workload-01. You will then use a web browser to test the application rule and connect a remote desktop to Srv-Workload-02 to test the network rule.

In this task you will test the application rule to confirm that it works as expected.

  1. Open Remote Desktop Connection on your PC.

  2. On the Computer box, enter the firewall’s public IP address (e.g., 51.143.226.18).

  3. Select Show Options.

  4. On the Username box, enter TestUser.

  5. Select Connect.

    RDP connection to srv-workload-01

  6. On the Enter your credentials dialog box, log into the Srv-workload-01 server virtual machine, by using the password you created during the VM deployment.

  7. Select OK.

  8. (If it appears), Select Yes on the Network blade.

  9. Open Internet Explorer and select Ok in the Set up Internet Explorer 11 dialog box.

  10. Browse to https://www.microsoft.com.

  11. On the Security Alert dialog box, select OK.

  12. Select Close on the Internet Explorer security alerts that may pop-up.

  13. You should see the Microsoft home page.

    RDP session browsing microsoft.com

  14. Browse to https://www.google.com.

  15. On the Security Alert dialog box, select OK.

  16. The request should be blocked by the firewall. Because TLS inspection is not enabled in Policy-01, Azure Firewall matches HTTPS requests against the FQDN in the TLS Server Name Indication (SNI) and drops connections that no rule allows, so the browser shows a connection error rather than a block page.

    RDP session browser blocked on google.com

  17. You have verified that you can connect to the one allowed FQDN but are blocked from all others.

Task 9: Test the network rule

In this task you will test the network rule to confirm that it works as expected.

  1. While still logged in to the Srv-workload-01 RDP session, from this remote computer, open Remote Desktop Connection.

  2. On the Computer box, enter the private IP address of Srv-workload-02 (e.g., 10.1.1.4).

  3. On the Enter your credentials dialog box, log in to the Srv-workload-02 server by using the username TestUser, and the password you provided during the deployment.

  4. Select OK.

  5. (If it appears), Select Yes on the Network blade.

    RDP session from srv-workload-01 to another RDP session on srv-workload-02

  6. So, now you have verified that the firewall network rule is working, as you have connected a remote desktop from one server to another server located in another virtual network.

  7. Close both RDP sessions to disconnect them.
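Tasks 8 and 9 verify the three rules by hand through a browser and a second RDP client. The following is an added example, not part of the original lab, that runs the same checks from a PowerShell prompt inside the RDP session on Srv-workload-01 and compares what is observed with what Policy-01 should produce. It adds one check the lab does not make: a port that no network rule allows (TCP 445 to Srv-workload-02) must be blocked, which confirms that spoke-to-spoke traffic really is going through the firewall rather than being peered directly. The Srv-workload-02 address 10.1.1.4 is the value from Task 4; replace it with yours.

```powershell
# Added example (not part of the lab): run on Srv-workload-01 to check the firewall rules.
function Test-FirewallFqdn {
    param([string]$Url, [int]$TimeoutSec = 10)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        [pscustomobject]@{ Target = $Url; Result = "allowed"; Detail = "HTTP $($r.StatusCode)" }
    } catch {
        # Without TLS inspection the firewall decides on the TLS SNI and drops denied
        # connections, so a deny surfaces as a transport error, not as an HTTP status.
        [pscustomobject]@{ Target = $Url; Result = "blocked"; Detail = $_.Exception.Message }
    }
}

function Test-FirewallPort {
    param([string]$Address, [int]$Port)
    # A denied flow is dropped by Azure Firewall, so the TCP test times out rather than being refused.
    $t = Test-NetConnection -ComputerName $Address -Port $Port -WarningAction SilentlyContinue
    $result = if ($t.TcpTestSucceeded) { "allowed" } else { "blocked" }
    [pscustomobject]@{ Target = "${Address}:$Port"; Result = $result; Detail = "TcpTestSucceeded=$($t.TcpTestSucceeded)" }
}

$srv02 = "10.1.1.4"   # Srv-workload-02 private IP noted in Task 4

# Expected outcomes follow directly from the three rule collections in Policy-01.
$checks = @(
    @{ Test = { Test-FirewallFqdn "https://www.microsoft.com" }; Expect = "allowed"; Rule = "App-RC-01 / Allow-msft" },
    @{ Test = { Test-FirewallFqdn "https://www.google.com" };    Expect = "blocked"; Rule = "no application rule matches" },
    @{ Test = { Test-FirewallPort $srv02 3389 };                 Expect = "allowed"; Rule = "vnet-rdp / Allow-vnet" },
    @{ Test = { Test-FirewallPort $srv02 445 };                  Expect = "blocked"; Rule = "no network rule for TCP 445" }
)

$results = foreach ($c in $checks) {
    $r = & $c.Test
    [pscustomobject]@{
        Target   = $r.Target
        Expected = $c.Expect
        Observed = $r.Result
        Pass     = ($r.Result -eq $c.Expect)
        Rule     = $c.Rule
        Detail   = $r.Detail
    }
}

$results | Format-Table Target, Expected, Observed, Pass, Rule -AutoSize
if ($results.Pass -contains $false) { Write-Warning "At least one check did not match Policy-01; review Tasks 5 to 7." }
```

A failed microsoft.com check usually means the security configuration in Task 7 has not finished applying; an unexpectedly allowed 445 check means spoke-to-spoke traffic is not yet flowing through the firewall.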

Task 10: Clean up resources

Note: Remember to remove any newly created Azure resources that you no longer use. Removing unused resources ensures you will not see unexpected charges.

  1. On the Azure portal, open the PowerShell session within the Cloud Shell pane.

  2. Delete the resource group you created in this exercise by running the following command:

    Remove-AzResourceGroup -Name 'fw-manager-rg' -Force -AsJob


    Note: The command executes asynchronously (as determined by the -AsJob parameter), so while you will be able to run another PowerShell command immediately afterwards within the same PowerShell session, it will take a few minutes before the resource group is actually removed.