Commit 6c9a79f

Merge pull request #224967 from asudbring/ddos-firewall
Added article for Azure Firewall with DDoS protection standard
2 parents add14d8 + 589df63 commit 6c9a79f

2 files changed

+308
-0
lines changed

articles/firewall/toc.yml

Lines changed: 2 additions & 0 deletions
@@ -36,6 +36,8 @@ items:
3636
href: tutorial-hybrid-portal-policy.md
3737
- name: Filter inbound traffic with DNAT
3838
href: tutorial-firewall-dnat-policy.md
39+
- name: Deploy firewall with DDoS protection
40+
href: tutorial-protect-firewall.md
3941

4042
- name: Samples
4143
items:
Lines changed: 306 additions & 0 deletions
@@ -0,0 +1,306 @@
1+
---
2+
title: 'Tutorial: Deploy a firewall with Azure DDoS Protection Standard'
3+
description: In this tutorial, you learn how to deploy and configure Azure Firewall and policy rules using the Azure portal with Azure DDoS protection.
4+
services: firewall
5+
author: asudbring
6+
ms.service: firewall
7+
ms.topic: tutorial
8+
ms.date: 01/24/2022
9+
ms.author: allensu
10+
ms.custom: template-tutorial
11+
#Customer intent: As an administrator new to this service, I want to control outbound network access from resources located in an Azure subnet.
12+
---
13+
14+
# Tutorial: Deploy a firewall with Azure DDoS Protection Standard
15+
16+
This article helps you create an Azure Firewall with a DDoS protected virtual network. Azure DDoS Protection Standard enables enhanced DDoS mitigation capabilities such as adaptive tuning, attack alert notifications, and monitoring to protect your firewall from large scale DDoS attacks.
17+
18+
> [!IMPORTANT]
19+
> Azure DDoS Protection incurs a cost when you use the Standard SKU. Overages charges only apply if more than 100 public IPs are protected in the tenant. Ensure you delete the resources in this tutorial if you aren't using the resources in the future. For information about pricing, see [Azure DDoS Protection Pricing]( https://azure.microsoft.com/pricing/details/ddos-protection/). For more information about Azure DDoS protection, see [What is Azure DDoS Protection?](../ddos-protection/ddos-protection-overview.md).
20+
21+
For this tutorial, you create a simplified single VNet with two subnets for easy deployment. Azure DDoS Protection Standard is enabled for the virtual network.
22+
23+
* **AzureFirewallSubnet** - the firewall is in this subnet.
24+
* **Workload-SN** - the workload server is in this subnet. This subnet's network traffic goes through the firewall.
25+
26+
![Tutorial network infrastructure](media/tutorial-firewall-deploy-portal/tutorial-network.png)
27+
28+
For production deployments, a [hub and spoke model](/azure/architecture/reference-architectures/hybrid-networking/hub-spoke) is recommended, where the firewall is in its own VNet. The workload servers are in peered VNets in the same region with one or more subnets.
29+
30+
In this tutorial, you learn how to:
31+
32+
> [!div class="checklist"]
33+
> * Set up a test network environment
34+
> * Deploy a firewall and firewall policy
35+
> * Create a default route
36+
> * Configure an application rule to allow access to www.google.com
37+
> * Configure a network rule to allow access to external DNS servers
38+
> * Configure a NAT rule to allow a remote desktop to the test server
39+
> * Test the firewall
40+
41+
If you prefer, you can complete this procedure using [Azure PowerShell](deploy-ps-policy.md).
42+
43+
## Prerequisites
44+
45+
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
46+
47+
## Set up the network
48+
49+
First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and a test server.
50+
51+
### Create a resource group
52+
53+
The resource group contains all the resources for the tutorial.
54+
55+
1. Sign in to the Azure portal at [https://portal.azure.com](https://portal.azure.com).
56+
1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page, then select **Add**. Enter or select the following values:
57+
58+
| Setting | Value |
59+
| -------- | ------ |
60+
| Subscription | Select your Azure subscription. |
61+
| Resource group | Enter *Test-FW-RG*. |
62+
| Region | Select a region. All other resources that you create must be in the same region. |
63+
64+
1. Select **Review + create**.
65+
1. Select **Create**.
66+
67+
### Create a DDoS protection plan
68+
69+
1. In the search box at the top of the portal, enter **DDoS protection**. Select **DDoS protection plans** in the search results and then select **+ Create**.
70+
71+
1. In the **Basics** tab of **Create a DDoS protection plan** page, enter or select the following information:
72+
73+
| Setting | Value |
74+
|--|--|
75+
| **Project details** | |
76+
| Subscription | Select your Azure subscription. |
77+
| Resource group | Select **Test-FW-RG**. |
78+
| **Instance details** | |
79+
| Name | Enter **myDDoSProtectionPlan**. |
80+
| Region | Select the region. |
81+
82+
1. Select **Review + create** and then select **Create** to deploy the DDoS protection plan.
83+
84+
### Create a VNet
85+
86+
This VNet will have two subnets.
87+
88+
> [!NOTE]
89+
> The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).
90+
91+
1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
92+
1. Select **Networking**.
93+
1. Search for **Virtual network** and select it.
94+
1. Select **Create**, then enter or select the following values:
95+
96+
| Setting | Value |
97+
| -------- | ------ |
98+
| Subscription | Select your Azure subscription. |
99+
| Resource group | Select **Test-FW-RG**. |
100+
| Name | Enter *Test-FW-VN*. |
101+
| Region | Select the same location that you used previously. |
102+
103+
1. Select **Next: IP addresses**.
104+
1. For **IPv4 Address space**, accept the default **10.1.0.0/16**.
105+
1. Under **Subnet**, select **default**.
106+
1. For **Subnet name** change the name to **AzureFirewallSubnet**. The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.
107+
1. For **Address range**, type **10.1.1.0/26**.
108+
1. Select **Save**.
109+
110+
Next, create a subnet for the workload server.
111+
112+
1. Select **Add subnet**.
113+
1. For **Subnet name**, type **Workload-SN**.
114+
1. For **Subnet address range**, type **10.1.2.0/24**.
115+
1. Select **Add**.
116+
1. Select **Next: Security**.
117+
1. In **DDoS Protection Standard** select **Enable**.
118+
1. Select **myDDoSProtectionPlan** in **DDoS protection plan**.
119+
1. Select **Review + create**.
120+
1. Select **Create**.
121+
122+
### Create a virtual machine
123+
124+
Now create the workload virtual machine, and place it in the **Workload-SN** subnet.
125+
126+
1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
127+
1. Select **Windows Server 2019 Datacenter**.
128+
1. Enter or select these values for the virtual machine:
129+
130+
| Setting | Value |
131+
| ------- | ----- |
132+
| Subscription | Select your Azure subscription. |
133+
| Resource group | Select **Test-FW-RG**. |
134+
| Virtual machine name | Enter *Srv-Work*.|
135+
| Region | Select the same location that you used previously. |
136+
| Username | Enter a username. |
137+
| Password | Enter a password. |
138+
139+
1. Under **Inbound port rules**, **Public inbound ports**, select **None**.
140+
1. Accept the other defaults and select **Next: Disks**.
141+
1. Accept the disk defaults and select **Next: Networking**.
142+
1. Make sure that **Test-FW-VN** is selected for the virtual network and the subnet is **Workload-SN**.
143+
1. For **Public IP**, select **None**.
144+
1. Accept the other defaults and select **Next: Management**.
145+
1. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.
146+
1. Review the settings on the summary page, and then select **Create**.
147+
1. After the deployment completes, select the **Srv-Work** resource and note the private IP address for later use.
148+
149+
## Deploy the firewall and policy
150+
151+
Deploy the firewall into the VNet.
152+
153+
1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
154+
2. Type **firewall** in the search box and press **Enter**.
155+
3. Select **Firewall** and then select **Create**.
156+
4. On the **Create a Firewall** page, use the following table to configure the firewall:
157+
158+
| Setting | Value |
159+
| ------- | ----- |
160+
| Subscription | Select your Azure subscription. |
161+
| Resource group | Select **Test-FW-RG**. |
162+
| Name | Enter *Test-FW01*. |
163+
| Region | Select the same location that you used previously. |
164+
| Firewall management | Select **Use a Firewall Policy to manage this firewall**. |
165+
| Firewall policy | Select **Add new**, and enter *fw-test-pol*. <br> Select the same region that you used previously.
166+
| Choose a virtual network | Select **Use existing**, and then select **Test-FW-VN**. |
167+
| Public IP address | Select **Add new**, and enter *fw-pip* for the **Name**. |
168+
169+
5. Accept the other default values, then select **Review + create**.
170+
6. Review the summary, and then select **Create** to create the firewall.
171+
172+
This will take a few minutes to deploy.
173+
7. After deployment completes, go to the **Test-FW-RG** resource group, and select the **Test-FW01** firewall.
174+
8. Note the firewall private and public IP addresses. You'll use these addresses later.
175+
176+
## Create a default route
177+
178+
For the **Workload-SN** subnet, configure the outbound default route to go through the firewall.
179+
180+
1. On the Azure portal menu, select **All services** or search for and select *All services* from any page.
181+
1. Under **Networking**, select **Route tables**.
182+
1. Select **Create**, then enter or select the following values:
183+
184+
| Setting | Value |
185+
| ------- | ----- |
186+
| Subscription | Select your Azure subscription. |
187+
| Resource group | Select **Test-FW-RG**. |
188+
| Region | Select the same location that you used previously. |
189+
| Name | Enter *Firewall-route*. |
190+
191+
1. Select **Review + create**.
192+
1. Select **Create**.
193+
194+
After deployment completes, select **Go to resource**.
195+
196+
1. On the **Firewall-route** page, select **Subnets** and then select **Associate**.
197+
1. Select **Virtual network** > **Test-FW-VN**.
198+
1. For **Subnet**, select **Workload-SN**. Make sure that you select only the **Workload-SN** subnet for this route, otherwise your firewall won't work correctly.
199+
1. Select **OK**.
200+
1. Select **Routes** and then select **Add**.
201+
1. For **Route name**, enter *fw-dg*.
202+
1. For **Address prefix**, enter *0.0.0.0/0*.
203+
1. For **Next hop type**, select **Virtual appliance**.
204+
Azure Firewall is actually a managed service, but virtual appliance works in this situation.
205+
1. For **Next hop address**, enter the private IP address for the firewall that you noted previously.
206+
1. Select **OK**.
207+
208+
## Configure an application rule
209+
210+
This is the application rule that allows outbound access to `www.google.com`.
211+
212+
1. Open the **Test-FW-RG** resource group, and select the **fw-test-pol** firewall policy.
213+
1. Select **Application rules**.
214+
1. Select **Add a rule collection**.
215+
1. For **Name**, enter *App-Coll01*.
216+
1. For **Priority**, enter *200*.
217+
1. For **Rule collection action**, select **Allow**.
218+
1. Under **Rules**, for **Name**, enter *Allow-Google*.
219+
1. For **Source type**, select **IP address**.
220+
1. For **Source**, enter *10.0.2.0/24*.
221+
1. For **Protocol:port**, enter *http, https*.
222+
1. For **Destination Type**, select **FQDN**.
223+
1. For **Destination**, enter *`www.google.com`*
224+
1. Select **Add**.
225+
226+
Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see [Infrastructure FQDNs](infrastructure-fqdns.md).
227+
228+
## Configure a network rule
229+
230+
This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).
231+
232+
1. Select **Network rules**.
233+
2. Select **Add a rule collection**.
234+
3. For **Name**, enter *Net-Coll01*.
235+
4. For **Priority**, enter *200*.
236+
5. For **Rule collection action**, select **Allow**.
237+
1. For **Rule collection group**, select **DefaultNetworkRuleCollectionGroup**.
238+
1. Under **Rules**, for **Name**, enter *Allow-DNS*.
239+
1. For **Source type**, select **IP Address**.
240+
1. For **Source**, enter *10.0.2.0/24*.
241+
1. For **Protocol**, select **UDP**.
242+
1. For **Destination Ports**, enter *53*.
243+
1. For **Destination type** select **IP address**.
244+
1. For **Destination**, enter *209.244.0.3,209.244.0.4*.<br>These are public DNS servers operated by CenturyLink.
245+
2. Select **Add**.
246+
247+
## Configure a DNAT rule
248+
249+
This rule allows you to connect a remote desktop to the **Srv-Work** virtual machine through the firewall.
250+
251+
1. Select the **DNAT rules**.
252+
2. Select **Add a rule collection**.
253+
3. For **Name**, enter *rdp*.
254+
1. For **Priority**, enter *200*.
255+
1. For **Rule collection group**, select **DefaultDnatRuleCollectionGroup**.
256+
1. Under **Rules**, for **Name**, enter *rdp-nat*.
257+
1. For **Source type**, select **IP address**.
258+
1. For **Source**, enter *\**.
259+
1. For **Protocol**, select **TCP**.
260+
1. For **Destination Ports**, enter *3389*.
261+
1. For **Destination Type**, select **IP Address**.
262+
1. For **Destination**, enter the firewall public IP address.
263+
1. For **Translated address**, enter the **Srv-work** private IP address.
264+
1. For **Translated port**, enter *3389*.
265+
1. Select **Add**.
266+
267+
268+
### Change the primary and secondary DNS address for the **Srv-Work** network interface
269+
270+
For testing purposes in this tutorial, configure the server's primary and secondary DNS addresses. This isn't a general Azure Firewall requirement.
271+
272+
1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Select the **Test-FW-RG** resource group.
273+
2. Select the network interface for the **Srv-Work** virtual machine.
274+
3. Under **Settings**, select **DNS servers**.
275+
4. Under **DNS servers**, select **Custom**.
276+
5. Enter *209.244.0.3* in the **Add DNS server** text box, and *209.244.0.4* in the next text box.
277+
6. Select **Save**.
278+
7. Restart the **Srv-Work** virtual machine.
279+
280+
## Test the firewall
281+
282+
Now, test the firewall to confirm that it works as expected.
283+
284+
1. Connect a remote desktop to firewall public IP address and sign in to the **Srv-Work** virtual machine.
285+
3. Open Internet Explorer and browse to `https://www.google.com`.
286+
4. Select **OK** > **Close** on the Internet Explorer security alerts.
287+
288+
You should see the Google home page.
289+
290+
5. Browse to `https://www.microsoft.com`.
291+
292+
You should be blocked by the firewall.
293+
294+
So now you've verified that the firewall rules are working:
295+
296+
* You can browse to the one allowed FQDN, but not to any others.
297+
* You can resolve DNS names using the configured external DNS server.
298+
299+
## Clean up resources
300+
301+
You can keep your firewall resources for the next tutorial, or if no longer needed, delete the **Test-FW-RG** resource group to delete all firewall-related resources.
302+
303+
## Next steps
304+
305+
> [!div class="nextstepaction"]
306+
> [Deploy and configure Azure Firewall Premium](premium-deploy.md)
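Review bot: The application rule and the network rule both use the source prefix `10.0.2.0/24` ("For **Source**, enter *10.0.2.0/24*."), but the **Workload-SN** subnet created earlier in this file is `10.1.2.0/24` inside the `10.1.0.0/16` address space, so neither rule matches traffic from **Srv-Work** and the "Test the firewall" steps would end in a block rather than the expected Google home page; change both sources to *10.1.2.0/24*. Smaller points in the same file: the DNAT rule takes **Source** `*`, which publishes RDP on the firewall's public IP to every internet address, so the tutorial should at least tell the reader to narrow the source to their own public IP for the test and to remove the rule in "Clean up resources"; the application rule section omits the **Rule collection group** step that the network and DNAT sections include (the matching default group is **DefaultApplicationRuleCollectionGroup**); the "Test the firewall" list is numbered 1, 3, 4, 5 and should run 1 to 5; given the article's purpose, the test section could add a step confirming that **DDoS Protection Standard** shows as **Enabled** on **Test-FW-VN**; and "Overages charges" in the IMPORTANT callout should read "Overage charges".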
