Any organization must ensure that its Azure resources, such as virtual machines, remain secure. One of the building blocks Microsoft provides for this is the Azure Firewall service.

Useful terms

  • Azure Firewall

Azure Firewall is a managed, cloud-based network security service that you can use to protect the resources in your Azure VNet.

  • Azure Firewall Policy DNAT

Using DNAT, you can redirect traffic from a specific port or IP address on the public-facing side of the firewall to internal resources.

  • Azure Route Table

Using an Azure Route Table, network traffic can be controlled and directed within a virtual network.

Case

Consider a scenario in which you have an Azure VM with SQL Server installed and want to reroute inbound traffic through the Azure Firewall service, so that nobody can log in using the Azure VM's public IP and only the Azure Firewall public IP is permitted.

Prerequisites

  • An active Azure subscription
  • Azure VNet
  • Azure Firewall (Basic SKU)
  • Azure Route Table
  • Azure VM


VNet configuration

Create a new virtual network with one subnet, “DBSrv-SubNet”. The second subnet (AzureFirewallSubnet, with a /26 CIDR prefix) is created automatically when the Azure Firewall service is deployed.

Azure Firewall configuration

Add a new Azure Firewall and, under Rules (classic) – NAT rule collection, configure a rule that forwards RDP connections made to the public IP of the Azure Firewall to the private IP of the VM.


Route table configuration

Add a new route to the Azure route table that sends traffic from DBSrv-SubNet to the private IP address of the Azure Firewall (next hop type: Virtual appliance).


Network Security Group configuration

Add a new inbound security rule for the RDP port that allows connections only from the Azure Firewall.
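The four steps above (VNet, Azure Firewall with a classic DNAT rule, route table, NSG) as an Azure CLI script. This is an added example, not the original post's code or a Microsoft sample: the resource names, address ranges, region, VM private IP and admin source range are all assumptions, the script assumes the SQL Server VM already exists in DBSrv-SubNet, and it relies on the azure-firewall CLI extension being installed. One caveat worth knowing when writing the NSG rule: traffic that the firewall DNATs to the VM arrives with the firewall's private IP as its source address, so that is the address the inbound RDP rule allows; the preflight functions at the top run without touching Azure and catch a too-small AzureFirewallSubnet or an NSG rule that would admit "any" source.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Azure CLI version of the VNet / Firewall DNAT /
# route table / NSG steps. Every name, address range and the region below is an assumption.
# Requires the az CLI with the azure-firewall extension (az extension add --name azure-firewall).
set -eu

RG="rg-dbsrv"                       # assumed resource group
LOC="westeurope"                    # assumed region
VNET="vnet-dbsrv"
VNET_PREFIX="10.10.0.0/16"
FW_SUBNET_PREFIX="10.10.0.0/26"     # AzureFirewallSubnet: /26 or larger is required
MGMT_SUBNET_PREFIX="10.10.0.64/26"  # AzureFirewallManagementSubnet: required by the Basic SKU
DB_SUBNET="DBSrv-SubNet"
DB_SUBNET_PREFIX="10.10.1.0/24"
VM_PRIVATE_IP="10.10.1.4"           # assumed private IP of the existing SQL Server VM
ADMIN_SOURCE="203.0.113.10/32"      # constructed admin source range allowed to hit the DNAT rule
FW="fw-dbsrv"; RT="rt-dbsrv"; NSG="nsg-dbsrv"

# Preflight: AzureFirewallSubnet needs a prefix length of 26 or less (/26, /25, ...).
check_firewall_subnet_prefix() {
  case "$1" in */*) ;; *) return 1 ;; esac
  [ "${1##*/}" -le 26 ]
}

# Preflight: an NSG source of "any" would defeat the point of the rule.
nsg_source_is_restricted() {
  case "$1" in
    "*"|Internet|Any|0.0.0.0/0) return 1 ;;
    *) return 0 ;;
  esac
}

deploy() {
  check_firewall_subnet_prefix "$FW_SUBNET_PREFIX" || { echo "AzureFirewallSubnet must be /26 or larger" >&2; return 1; }

  # Step 1: VNet with the DB subnet, plus the two subnets the Basic SKU firewall needs.
  az group create --name "$RG" --location "$LOC" --output none
  az network vnet create --resource-group "$RG" --name "$VNET" --address-prefix "$VNET_PREFIX" \
    --subnet-name "$DB_SUBNET" --subnet-prefix "$DB_SUBNET_PREFIX" --output none
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureFirewallSubnet --address-prefix "$FW_SUBNET_PREFIX" --output none
  az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureFirewallManagementSubnet --address-prefix "$MGMT_SUBNET_PREFIX" --output none

  # Step 2: Basic SKU firewall with a data-plane and a management public IP, then the classic
  # NAT rule: RDP to the firewall public IP is DNATed to the VM's private IP.
  az network public-ip create --resource-group "$RG" --name "${FW}-pip" --sku Standard --allocation-method Static --output none
  az network public-ip create --resource-group "$RG" --name "${FW}-mgmt-pip" --sku Standard --allocation-method Static --output none
  az network firewall create --resource-group "$RG" --name "$FW" --sku AZFW_VNet --tier Basic \
    --vnet-name "$VNET" --conf-name fw-ipconfig --public-ip "${FW}-pip" \
    --m-conf-name fw-mgmt-ipconfig --m-public-ip "${FW}-mgmt-pip" --output none
  FW_PUBLIC_IP="$(az network public-ip show --resource-group "$RG" --name "${FW}-pip" --query ipAddress -o tsv)"
  FW_PRIVATE_IP="$(az network firewall ip-config list --resource-group "$RG" --firewall-name "$FW" \
    --query "[?name=='fw-ipconfig'].privateIpAddress" -o tsv)"
  az network firewall nat-rule create --resource-group "$RG" --firewall-name "$FW" \
    --collection-name rdp-dnat --name rdp-to-dbsrv --priority 100 --action Dnat \
    --protocols TCP --source-addresses "$ADMIN_SOURCE" --destination-addresses "$FW_PUBLIC_IP" \
    --destination-ports 3389 --translated-address "$VM_PRIVATE_IP" --translated-port 3389 --output none

  # Step 3: default route for the DB subnet with the firewall's private IP as the virtual appliance
  # next hop (0.0.0.0/0 is an assumption; it keeps the return path symmetric through the firewall).
  az network route-table create --resource-group "$RG" --name "$RT" --output none
  az network route-table route create --resource-group "$RG" --route-table-name "$RT" --name default-via-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIVATE_IP" --output none

  # Step 4: NSG admitting RDP only from the firewall. DNATed connections reach the VM with the
  # firewall's private IP as source, so that is the address to allow; everything else on 3389 is denied.
  nsg_source_is_restricted "$FW_PRIVATE_IP" || return 1
  az network nsg create --resource-group "$RG" --name "$NSG" --output none
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name allow-rdp-from-firewall \
    --priority 100 --direction Inbound --access Allow --protocol Tcp \
    --source-address-prefixes "$FW_PRIVATE_IP" --destination-port-ranges 3389 --output none
  az network nsg rule create --resource-group "$RG" --nsg-name "$NSG" --name deny-rdp-from-anywhere \
    --priority 200 --direction Inbound --access Deny --protocol Tcp \
    --source-address-prefixes "*" --destination-port-ranges 3389 --output none
  az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" --name "$DB_SUBNET" \
    --route-table "$RT" --network-security-group "$NSG" --output none
}

# Deploy only when asked explicitly, so the preflight functions can be used on their own.
if [ "${1:-}" = "deploy" ]; then deploy; fi
```

Run it as `./fw-dnat.sh deploy` after `az login`; without the argument it only defines the functions. The explicit deny at priority 200 is defence in depth: the subnet NSG's built-in rules already allow VNet-internal traffic and deny the rest, so the two rules spell out the intended policy rather than relying on the defaults.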

Test the configuration

Refer to the video below to see how the above configuration will work.


Useful links
