Any organization must ensure that its Azure resources, such as virtual machines, remain secure. Microsoft provides one building block for this through the Azure Firewall offering.
Useful terms
- Azure Firewall
Using Azure Firewall, you can protect your Azure VNet resources using a managed, cloud-based network security service.
- Azure Firewall Policy DNAT
Using DNAT, you can redirect traffic from a specific port or IP address on the public-facing side of the firewall to internal resources.
- Azure Route Table
Using an Azure Route Table, network traffic can be controlled and directed within a virtual network.
Case
Consider a scenario in which you have an Azure VM with SQL Server installed and want all inbound traffic to reach it through the Azure Firewall service, so that no one is permitted to log in via the Azure VM public IP; only connections coming from the Azure Firewall public IP are allowed.
Prerequisites
- An active Azure subscription
- Azure VNet
- Azure Firewall (Basic SKU)
- Azure Route Table
- Azure VM
VNet configuration
Create a new virtual network with one subnet, “DBSrv-SubNet”. The second subnet, AzureFirewallSubnet (with a /26 CIDR prefix), is created automatically when the Azure Firewall service is deployed.
Azure Firewall configuration
Add a new Azure Firewall and create a NAT rule in a Rules (classic) NAT rule collection, so that RDP traffic arriving at the public IP of the Azure Firewall is translated to the private IP of the VM.
Route table configuration
Add a new route to the Azure Route Table that sends traffic from DBSrv-SubNet to the private IP address of the Azure Firewall (next hop type: Virtual appliance), and associate the table with DBSrv-SubNet.
Network Security Group configuration
Add a new inbound security rule for the RDP port that allows connections only from the Azure Firewall.
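The four configuration steps above, scripted with the Azure CLI as an added example (not part of the original post). Resource names, address ranges, the resource group and the pre-existing VM name are assumptions; by default the script only prints the commands (DRY_RUN=1).

```shell
#!/usr/bin/env bash
# Added example: RDP to a VM only through Azure Firewall DNAT, built with the Azure CLI.
# All names and address ranges below are assumed values, not the post's own.
set -eu
RG=${RG:-rg-dbsrv-demo}; LOC=${LOC:-westeurope}; VM=${VM:-vm-dbsrv}   # VM assumed to exist
VNET=vnet-dbsrv; DB_SUBNET=DBSrv-SubNet; DB_PREFIX=10.10.1.0/24
FW_SUBNET=AzureFirewallSubnet; FW_PREFIX=10.10.0.0/26
FW=fw-dbsrv; FW_PIP=pip-fw-dbsrv; RT=rt-dbsrv; NSG=nsg-dbsrv

# run: print the az command (DRY_RUN=1, default) or execute it (DRY_RUN=0).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "az $*"; else az "$@"; fi; }
# lookup: same, but for queries whose output feeds later commands; dry run yields a placeholder.
lookup() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "az $*" >&2; echo PLACEHOLDER; else az "$@"; fi; }
# Azure rejects an AzureFirewallSubnet smaller than /26, so validate the prefix length first.
fw_prefix_ok() { case "$1" in */[0-9]|*/1[0-9]|*/2[0-6]) return 0;; *) return 1;; esac; }

deploy() {
  fw_prefix_ok "$FW_PREFIX" || { echo "AzureFirewallSubnet must be /26 or larger" >&2; return 1; }
  # 1. VNet: unlike the portal, the CLI does not create AzureFirewallSubnet for you.
  run network vnet create -g "$RG" -n "$VNET" -l "$LOC" --address-prefixes 10.10.0.0/16 \
      --subnet-name "$DB_SUBNET" --subnet-prefixes "$DB_PREFIX"
  run network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$FW_SUBNET" --address-prefixes "$FW_PREFIX"
  # 2. Firewall with a public IP, then a classic NAT rule: firewall-public-IP:3389 -> VM-private-IP:3389.
  run network public-ip create -g "$RG" -n "$FW_PIP" --sku Standard --allocation-method Static
  run network firewall create -g "$RG" -n "$FW" -l "$LOC" --vnet-name "$VNET" --conf-name fw-ipconfig --public-ip "$FW_PIP"
  FW_PUB=$(lookup network public-ip show -g "$RG" -n "$FW_PIP" --query ipAddress -o tsv)
  FW_PRIV=$(lookup network firewall ip-config list -g "$RG" -f "$FW" --query "[0].privateIpAddress" -o tsv)
  VM_PRIV=$(lookup vm show -d -g "$RG" -n "$VM" --query privateIps -o tsv)
  run network firewall nat-rule create -g "$RG" -f "$FW" --collection-name rdp-dnat -n rdp-to-dbsrv \
      --priority 100 --action Dnat --protocols TCP --source-addresses '*' \
      --destination-addresses "$FW_PUB" --destination-ports 3389 --translated-address "$VM_PRIV" --translated-port 3389
  # 3. Route table: DBSrv-SubNet's traffic goes to the firewall private IP (virtual appliance).
  run network route-table create -g "$RG" -n "$RT" -l "$LOC"
  run network route-table route create -g "$RG" --route-table-name "$RT" -n to-firewall \
      --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FW_PRIV"
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$DB_SUBNET" --route-table "$RT"
  # 4. NSG: RDP only from the firewall. DNAT'd sessions reach the VM from the firewall's private IP,
  #    so AzureFirewallSubnet is the allowed source; the default DenyAllInBound rule blocks the rest.
  run network nsg create -g "$RG" -n "$NSG" -l "$LOC"
  run network nsg rule create -g "$RG" --nsg-name "$NSG" -n Allow-RDP-From-Firewall --priority 100 \
      --direction Inbound --access Allow --protocol Tcp --source-address-prefixes "$FW_PREFIX" \
      --destination-port-ranges 3389
  run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$DB_SUBNET" --network-security-group "$NSG"
}
deploy
```

Run with DRY_RUN=0 after `az login` to apply it; the VM named in VM must already sit in DBSrv-SubNet.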
Test the configuration
Refer to the video below to see how the above configuration will work.
Useful links
- https://learn.microsoft.com/en-us/azure/cloud-adoption-framework/ready/azure-best-practices/plan-for-inbound-and-outbound-internet-connectivity
- https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat-policy
- https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-dnat
- https://cloudopszone.com/exploring-azure-firewall-policies/