Securing cloud-hosted resources means controlling which traffic can reach them and which traffic they can send out. On Azure, the managed service for this is Azure Firewall, a stateful network firewall that filters and logs traffic to and from the resources in your virtual networks.

This post outlines the key steps to configure Azure Firewall so that you can reach an Azure VM over SSH without giving the VM a public IP address or exposing its SSH port to the Internet, while the subnet’s outbound traffic is routed through the firewall as well.

Prerequisites

To follow the steps below, you need the following prerequisites:

  • An active Azure Subscription
  • An Azure VNet with three subnets
    • Subnet1 (default)
    • AzureFirewallSubnet
    • AzureFirewallManagementSubnet
  • A route table
  • An Azure VM

In this scenario, a DNAT (Destination Network Address Translation) rule on the firewall forwards traffic that arrives at the firewall’s public IP to the Azure VM’s private IP address. The example below uses the SSH port (22); the same kind of rule works for RDP (3389).

To avoid any confusion between the terms SNAT and DNAT: SNAT (Source Network Address Translation) rewrites the source IP of outbound traffic, so that traffic leaving through the firewall appears to come from the firewall’s public IP. DNAT (Destination Network Address Translation) rewrites the destination IP (and port) of inbound traffic, so that traffic sent to the firewall’s public IP is delivered to an internal address.

This kind of setup is common in hub-and-spoke architectures, where all outgoing traffic passes through a central firewall for inspection and control.

Route table configuration

Navigate to your Route Table resource in Azure.

Route Configuration

Use the following settings:

Setting                                   Value
Destination type                          IP addresses
Destination IP addresses/CIDR ranges      0.0.0.0/0
Next hop type                             Virtual appliance
Next hop address                          Azure Firewall private IP


The prefix 0.0.0.0/0 matches every destination, so this route captures all traffic leaving the subnet that is not matched by a more specific route. The next hop type Virtual appliance hands that traffic to a Network Virtual Appliance (NVA), which here is Azure Firewall, and the next-hop address is the firewall’s private IP address (found on the firewall’s overview page). Associate this route table only with workload subnets such as Subnet1: never with AzureFirewallSubnet or AzureFirewallManagementSubnet, because a default route pointing at the firewall from the firewall’s own subnet would send its traffic back into itself.


Associate Route Table with Subnet

Once you have created the route, follow these steps:
  1. Open the Route Table and select Subnets.
  2. Click the + Associate button.
  3. Choose your target Virtual Network.
  4. Select the subnet you want to use, such as the default subnet.
  5. Click Save to apply your changes.
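The route table and subnet association above, done with the Azure CLI instead of the Portal. This is an added example and not the post’s own code; the resource group, region, VNet, firewall and route table names are assumed placeholders. By default the script only prints the az commands (DRY_RUN=1); set DRY_RUN=0 to run them. It also refuses to associate the route table with the firewall’s own subnets, which is the mistake the route section warns about.

```shell
#!/usr/bin/env bash
# Added example (not from the post): create the 0.0.0.0/0 route to Azure Firewall
# and associate it with a workload subnet, using the Azure CLI.
# RG, LOCATION, VNET, FW, RT and SPOKE_SUBNET are assumed placeholder names.
set -euo pipefail

RG="${RG:-rg-fw-demo}"                 # resource group (assumed)
LOCATION="${LOCATION:-eastus}"         # region (assumed)
VNET="${VNET:-vnet-hub}"               # VNet with Subnet1, AzureFirewallSubnet, AzureFirewallManagementSubnet
FW="${FW:-fw-hub}"                     # Azure Firewall resource name (assumed)
RT="${RT:-rt-default-to-fw}"           # route table name (assumed)
SPOKE_SUBNET="${SPOKE_SUBNET:-default}" # the workload subnet that gets the route table
FW_PRIVATE_IP="${FW_PRIVATE_IP:-}"     # leave empty to read it from the firewall
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the az commands only, 0 = run them

az_run() {
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# The default route must never be attached to the firewall's own subnets: a 0.0.0.0/0
# route on AzureFirewallSubnet pointing at the firewall would loop its traffic back into it.
subnet_may_use_route() {
  case "$1" in
    AzureFirewallSubnet|AzureFirewallManagementSubnet) return 1 ;;
    *) return 0 ;;
  esac
}

# Next-hop address for the route: the firewall's private IP from its IP configuration.
firewall_private_ip() {
  if [ -n "$FW_PRIVATE_IP" ]; then echo "$FW_PRIVATE_IP"; return 0; fi
  if [ "$DRY_RUN" = "1" ]; then echo "<firewall-private-ip>"; return 0; fi
  az network firewall ip-config list -g "$RG" -f "$FW" --query "[0].privateIpAddress" -o tsv
}

# Route table with one user-defined route: all destinations -> virtual appliance (the firewall).
create_default_route() {
  local fw_ip="$1"
  az_run network route-table create -g "$RG" -n "$RT" -l "$LOCATION"
  az_run network route-table route create -g "$RG" --route-table-name "$RT" -n default-to-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_ip"
}

# Associate the route table with a workload subnet only.
associate_route_table() {
  local subnet="$1"
  subnet_may_use_route "$subnet" || { echo "refusing to associate $RT with $subnet" >&2; return 1; }
  az_run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$subnet" --route-table "$RT"
}

main() {
  local fw_ip
  fw_ip="$(firewall_private_ip)"
  create_default_route "$fw_ip"
  associate_route_table "$SPOKE_SUBNET"
}
main
```

After applying it, the effective routes of the VM’s network interface (Networking > Effective routes in the Portal, or `az network nic show-effective-route-table`) should show 0.0.0.0/0 with next hop VirtualAppliance and the firewall’s private IP; that is the quickest way to confirm the association took effect.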

Configure NAT Rule for SSH Access

To allow inbound SSH to a VM behind the firewall, configure a DNAT rule in a NAT rule collection. The rule needs: protocol TCP; destination address set to the firewall’s public IP; destination port 63900; translated address 10.0.0.4 (the VM’s private IP); translated port 22; and a source restricted to the address ranges your administrators connect from. Do not leave the source as *, because that exposes the translated port to the whole Internet and the non-standard public port adds no real protection.

When someone connects to FirewallPublicIP on port 63900, the firewall rewrites the destination to 10.0.0.4 on port 22 and forwards the packet inside the network. The VM itself has no public IP, so port 22 is never reachable directly from the Internet; only the firewall’s public IP is. Two things must still be in place for the connection to succeed: the network security group on the VM’s subnet must allow inbound TCP/22 from the AzureFirewallSubnet range (the firewall SNATs the DNAT’d connection to its own private IP), and the subnet must use the route table from the previous section so that the VM’s replies go back through the firewall rather than straight to the Internet.

Validate SSH Connectivity

The Connect option in the Azure Portal may report an error for this VM, because it does not know about the DNAT mapping and tries to reach the VM directly. Instead, connect with an SSH client from one of the source addresses allowed by the rule, using the firewall’s public IP and port 63900 (for example, ssh -p 63900 user@FirewallPublicIP). A successful login confirms the route table, the DNAT rule and the NSG are all consistent, and a connection attempt to port 22 on the firewall’s public IP should time out, since no rule translates it.
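The DNAT rule and the validation, as an added Azure CLI example that is not the post’s own code. 10.0.0.4, port 22 and port 63900 are the post’s values; the resource group, firewall name, firewall public IP, admin source range and admin user name are assumed placeholders. The script refuses to create a rule with an unrestricted source, prints the az command in its default dry-run mode (set DRY_RUN=0 to apply), and when applied runs the positive check (SSH through the firewall on 63900) and the negative check (port 22 on the firewall’s public IP must not answer).

```shell
#!/usr/bin/env bash
# Added example (not from the post): SSH DNAT rule on Azure Firewall via the Azure CLI,
# plus the checks an admin runs afterwards.
# RG, FW, FW_PUBLIC_IP, ADMIN_SOURCE and ADMIN_USER are assumed placeholders.
set -euo pipefail

RG="${RG:-rg-fw-demo}"                           # resource group (assumed)
FW="${FW:-fw-hub}"                               # Azure Firewall resource name (assumed)
FW_PUBLIC_IP="${FW_PUBLIC_IP:-203.0.113.10}"     # constructed placeholder in a documentation range
VM_PRIVATE_IP="${VM_PRIVATE_IP:-10.0.0.4}"       # the post's VM private IP
PUBLIC_PORT="${PUBLIC_PORT:-63900}"              # the post's public port
ADMIN_SOURCE="${ADMIN_SOURCE:-198.51.100.0/24}"  # constructed placeholder for the admin network
ADMIN_USER="${ADMIN_USER:-azureuser}"            # assumed VM login name
DRY_RUN="${DRY_RUN:-1}"                          # 1 = print the az command only, 0 = run it

az_run() {
  if [ "$DRY_RUN" = "1" ]; then echo "az $*"; else az "$@"; fi
}

# A DNAT rule whose source is '*' (or any-address) exposes the translated port to the
# whole Internet; the non-standard public port is obscurity, not access control.
source_is_restricted() {
  case "$1" in
    ""|"*"|"0.0.0.0/0"|"Internet") return 1 ;;
    *) return 0 ;;
  esac
}

# Classic (non-policy) NAT rule; creating the first rule also creates the collection.
create_ssh_dnat_rule() {
  local src="$1"
  source_is_restricted "$src" || { echo "refusing DNAT rule with unrestricted source '$src'" >&2; return 1; }
  az_run network firewall nat-rule create -g "$RG" --firewall-name "$FW" \
    --collection-name ssh-inbound --name ssh-to-vm --priority 100 --action Dnat \
    --protocols TCP --source-addresses "$src" \
    --destination-addresses "$FW_PUBLIC_IP" --destination-ports "$PUBLIC_PORT" \
    --translated-address "$VM_PRIVATE_IP" --translated-port 22
}

# Positive check: SSH to the firewall's public IP on the DNAT port from an allowed source.
check_ssh_via_firewall() {
  ssh -p "$PUBLIC_PORT" -o ConnectTimeout=5 -o BatchMode=yes "$ADMIN_USER@$FW_PUBLIC_IP" true
}

# Negative check: no rule translates port 22 on the firewall's public IP, so a TCP
# connection to it must not be accepted.
check_port22_closed() {
  if timeout 5 bash -c "exec 3<>/dev/tcp/$FW_PUBLIC_IP/22" 2>/dev/null; then
    echo "port 22 on $FW_PUBLIC_IP answered; review the NAT rule collection" >&2
    return 1
  fi
  return 0
}

main() {
  create_ssh_dnat_rule "$ADMIN_SOURCE"
  if [ "$DRY_RUN" != "1" ]; then
    check_ssh_via_firewall
    check_port22_closed
  fi
}
main
```

If the SSH check fails while the rule looks right, check the two usual causes in order: the NSG on the VM’s subnet not allowing TCP/22 from the AzureFirewallSubnet range, and the subnet not being associated with the route table, which makes the VM’s replies bypass the firewall.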
