start firewall cli article

vhorne · vhorne · commit 3ca1570bce40 · 2019-05-09T06:34:16.000-07:00
diff --git a/articles/firewall/deploy-cli.md b/articles/firewall/deploy-cli.md
@@ -0,0 +1,299 @@
+---
+title: 'Deploy and configure Azure Firewall using Azure CLI'
+description: In this article, you learn how to deploy and configure Azure Firewall using the Azure CLI. 
+services: firewall
+author: vhorne
+ms.service: firewall
+ms.date: 5/9/2019
+ms.author: victorh
+#Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
+---
+
+# Deploy and configure Azure Firewall using Azure CLI
+
+Controlling outbound network access is an important part of an overall network security plan. For example, you may want to limit access to web sites. Or, you may want to limit the outbound IP addresses and ports that can be accessed.
+
+One way you can control outbound network access from an Azure subnet is with Azure Firewall. With Azure Firewall, you can configure:
+
+* Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.
+* Network rules that define source address, protocol, destination port, and destination address.
+
+Network traffic is subjected to the configured firewall rules when you route your network traffic to the firewall as the subnet default gateway.
+
+For this article, you create a simplified single VNet with three subnets for easy deployment. For production deployments, a [hub and spoke model](https://docs.microsoft.com/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
+
+* **AzureFirewallSubnet** - the firewall is in this subnet.
+* **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
+* **Jump-SN** - The "jump" server is in this subnet. The jump server has a public IP address that you can connect to using Remote Desktop. From there, you can then connect to (using another Remote Desktop) the workload server.
+
+![Tutorial network infrastructure](media/tutorial-firewall-rules-portal/Tutorial_network.png)
+
+In this article, you learn how to:
+
+> [!div class="checklist"]
+> * Set up a test network environment
+> * Deploy a firewall
+> * Create a default route
+> * Configure an application rule to allow access to www.google.com
+> * Configure a network rule to allow access to external DNS servers
+> * Test the firewall
+
+If you prefer, you can complete this procedure using the [Azure portal](tutorial-firewall-deploy-portal.md) or [Azure PowerShell](deploy-ps.md).
+
+If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
+
+[!INCLUDE [cloud-shell-try-it.md](../../includes/cloud-shell-try-it.md)]
+
+## Prerequisites
+
+### Azure CLI
+
+If you choose to install and use the CLI locally, run Azure CLI version 2.0.4 or later. To find the version, run **az --version**. For information about installing or upgrading, see [Install Azure CLI]( /cli/azure/install-azure-cli).
+
+## Set up the network
+
+First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and test servers.
+
+### Create a resource group
+
+The resource group contains all the resources for the deployment.
+
+```azurecli-interactive
+az group create --name Test-FW-RG --location eastus
+```
+
+### Create a VNet
+
+This virtual network has three subnets.
+
+> [!NOTE]
+> The minimum size of the AzureFirewallSubnet subnet is /26.
+
+```azurecli-interactive
+az network vnet create \
+  --name Test-FW-VN \
+  --resource-group Test-FW-RG \
+  --location eastus \
+  --address-prefix 10.0.0.0/16 \
+  --subnet-name AzureFirewallSubnet \
+  --subnet-prefix 10.0.1.0/24
+az network vnet subnet create \
+  --name Workload-SN \
+  --resource-group Test-FW-RG \
+  --vnet-name Test-FW-VN   \
+  --address-prefix 10.0.2.0/24
+az network vnet subnet create \
+  --name Jump-SN \
+  --resource-group Test-FW-RG \
+  --vnet-name Test-FW-VN   \
+  --address-prefix 10.0.3.0/24
+```
+
+### Create virtual machines
+
+Now create the jump and workload virtual machines, and place them in the appropriate subnets.
+When prompted, type a password for the virtual machine.
+
+Create the Srv-Jump virtual machine.
+
+```azurecli-interactive
+az vm create \
+    --resource-group Test-FW-RG \
+    --name Srv-Jump \
+    --location eastus \
+    --image win2016datacenter \
+    --vnet-name Test-FW-VN \
+    --subnet Jump-SN \
+    --admin-username azureadmin
+az vm open-port --port 3389 --resource-group Test-FW-RG --name Srv-Jump
+```
+
+Create a workload virtual machine with no public IP address.
+When prompted, type a password for the virtual machine.
+
+```azurecli-interactive
+az vm create \
+    --resource-group Test-FW-RG \
+    --name Srv-Work \
+    --location eastus \
+    --image win2016datacenter \
+    --vnet-name Test-FW-VN \
+    --subnet Workload-SN \
+    --public-ip-address "" \
+    --admin-username azureadmin
+```
+
+## Deploy the firewall
+
+Now deploy the firewall into the virtual network.
+
+```azurecli-interactive
+az network firewall create \
+    --name Test-FW01 \
+    --resource-group Test-FW-RG \
+    --location eastus
+az network public-ip create \
+    --name fw-pip \
+    --resource-group Test-FW-RG \
+    --location eastus \
+    --allocation-method static \
+    --sku standard
+az network firewall ip-config create \
+    --firewall-name Test-FW01 \
+    --name FW-config \
+    --public-ip-address fw-pip \
+    --resource-group Test-FW-RG \
+    --vnet-name Test-FW-VN
+az network firewall update \
+    --name Test-FW01 \
+    --resource-group Test-FW-RG \
+az network public-ip show \
+    --name fw-pip \
+    --resource-group Test-FW-RG
+fwpipaddr="$(az network public-ip list -g Test-FW-RG --query "[?name=='fw-pip'].ipAddress" --output tsv)"
+```
+
+Note the private IP address. You'll use it later when you create the default route.
+
+## Create a default route
+
+Create a table, with BGP route propagation disabled
+
+```azurecli-interactive
+az network route-table create \
+    --name Firewall-rt-table \
+    --resource-group Test-FW-RG \
+    --location eastus \
+    --disable-bgp-route-propagation true
+```
+
+Create the route.
+
+```azurecli-interactive
+az network route-table route create \
+  --resource-group Test-FW-RG \
+  --name DG-Route \
+  --route-table-name Firewall-rt-table \
+  --address-prefix 0.0.0.0/0 \
+  --next-hop-type VirtualAppliance \
+  --next-hop-ip-address $fwpipaddr
+```
+
+Associate the route table to the subnet
+
+```azurecli-interactive
+az network vnet subnet update \
+    -n Workload-SN \
+    -g Test-FW-RG \
+    --vnet-name Test-FW-VN \
+    --address-prefixes 10.0.2.0/24 \
+    --route-table Firewall-rt-table
+```
+
+## Configure an application rule
+
+The application rule allows outbound access to www.google.com.
+
+```azurecli-interactive
+az network firewall application-rule create \
+   --collection-name App-Coll01 \
+   --firewall-name Test-FW01 \
+   --name Allow-Google \
+   --protocols Http=80 Https=443 \
+   --resource-group Test-FW-RG \
+   --target-fqdns www.google.com \
+   --source-addresses 10.0.2.0/24 \
+   --priority 200 \
+   --action Allow
+```
+
+Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see [Infrastructure FQDNs](infrastructure-fqdns.md).
+
+## Configure a network rule
+
+The network rule allows outbound access to two IP addresses at port 53 (DNS).
+
+```azurecli-interactive
+az network firewall network-rule create \
+   --collection-name RCNet01 \
+   --destination-addresses 209.244.0.3 209.244.0.4 \
+   --destination-ports 53 \
+   --firewall-name Test-FW01 \
+   --name Allow-DNS \
+   --protocols UDP \
+   --resource-group Test-FW-RG \
+   --source-addresses 10.0.2.0/24 \
+   --action Allow
+```
+
+```azurepowershell
+$NetRule1 = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress 10.0.2.0/24 `
+   -DestinationAddress 209.244.0.3,209.244.0.4 -DestinationPort 53
+
+$NetRuleCollection = New-AzFirewallNetworkRuleCollection -Name RCNet01 -Priority 200 `
+   -Rule $NetRule1 -ActionType "Allow"
+
+$Azfw.NetworkRuleCollections = $NetRuleCollection
+
+Set-AzFirewall -AzureFirewall $Azfw
+```
+
+### Change the primary and secondary DNS address for the **Srv-Work** network interface
+
+For testing purposes in this procedure, configure the server's primary and secondary DNS addresses. This isn't a general Azure Firewall requirement.
+
+```azurepowershell
+$NIC.DnsSettings.DnsServers.Add("209.244.0.3")
+$NIC.DnsSettings.DnsServers.Add("209.244.0.4")
+$NIC | Set-AzNetworkInterface
+```
+
+## Test the firewall
+
+Now, test the firewall to confirm that it works as expected.
+
+1. Note the private IP address for the **Srv-Work** virtual machine:
+
+   ```
+   $NIC.IpConfigurations.PrivateIpAddress
+   ```
+
+1. Connect a remote desktop to **Srv-Jump** virtual machine, and sign in. From there, open a remote desktop connection to the **Srv-Work** private IP address and sign in.
+
+3. On **SRV-Work**, open a PowerShell window and run the following commands:
+
+   ```
+   nslookup www.google.com
+   nslookup www.microsoft.com
+   ```
+
+   Both commands should return answers, showing that your DNS queries are getting through the firewall.
+
+1. Run the following commands:
+
+   ```
+   Invoke-WebRequest -Uri https://www.google.com
+   Invoke-WebRequest -Uri https://www.google.com
+
+   Invoke-WebRequest -Uri https://www.microsoft.com
+   Invoke-WebRequest -Uri https://www.microsoft.com
+   ```
+
+   The www.google.com requests should succeed, and the www.microsoft.com requests should fail. This demonstrates that your firewall rules are operating as expected.
+
+So now you've verified that the firewall rules are working:
+
+* You can resolve DNS names using the configured external DNS server.
+* You can browse to the one allowed FQDN, but not to any others.
+
+## Clean up resources
+
+You can keep your firewall resources for the next tutorial, or if no longer needed, delete the **Test-FW-RG** resource group to delete all firewall-related resources:
+
+```azurepowershell
+Remove-AzResourceGroup -Name Test-FW-RG
+```
+
+## Next steps
+
+* [Tutorial: Monitor Azure Firewall logs](./tutorial-diagnostics.md)
