File: articles/firewall/tutorial-hybrid-ps.md
Lines changed: 30 additions & 21 deletions
@@ -7,28 +7,40 @@ ms.service: firewall
7
7
ms.topic: tutorial
8
8
ms.date: 10/27/2018
9
9
ms.author: victorh
10
-
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall in a hybrid network so that I can control access from an on-premises network to an Azure virtual network.
10
+
#Customer intent: As an administrator, I want to control network access from an on-premises network to an Azure virtual network.
11
11
---
12
12
# Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
13
13
14
-
In this tutorial, you learn how to:
14
+
When you connect your on-premises network to an Azure virtual network to create a hybrid network, the ability to control access to your Azure network resources is an important part of an overall security plan.
15
15
16
-
> [!div class="checklist"]
17
-
> * Set up the network environment
18
-
> * Configure and deploy the firewall
19
-
> * Create the routes
20
-
> * Create the virtual machines
21
-
> * Test the firewall
16
+
You can use Azure Firewall to control network access in a hybrid network using rules that define allowed and denied network traffic.
22
17
23
18
For this tutorial, you create three virtual networks:
19
+
24
20
-**VNet-Hub** - the firewall is in this virtual network.
25
21
-**VNet-Spoke** - the spoke virtual network represents the workload located on Azure.
26
22
-**VNet-Onprem** - The on-premises virtual network represents an on-premises network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located virtual network is used to represent an on-premises network.
27
23
28
24

29
25
26
+
In this tutorial, you learn how to:
27
+
28
+
> [!div class="checklist"]
29
+
> * Declare the variables
30
+
> * Create the firewall hub virtual network
31
+
> * Create the spoke virtual network
32
+
> * Create the on-premises virtual network
33
+
> * Configure and deploy the firewall
34
+
> * Create and connect the VPN gateways
35
+
> * Peer the hub and spoke virtual networks
36
+
> * Create the routes
37
+
> * Create the virtual machines
38
+
> * Test the firewall
39
+
30
40
## Prerequisites
31
41
42
+
This tutorial requires that you run PowerShell locally. You must have Azure PowerShell module version 6.12.0 or later installed. Run `Get-Module -ListAvailable AzureRM` to find the version. If you need to upgrade, see [Install Azure PowerShell module](https://docs.microsoft.com/powershell/azure/install-azurerm-ps). After you verify the PowerShell version, run `Login-AzureRmAccount` to create a connection with Azure.
43
+
32
44
There are three key requirements for this scenario to work correctly:
33
45
34
46
- A User Defined Route on the spoke subnet that points to the Azure Firewall IP address as the default gateway. BGP route propagation must be **Disabled** on this route table.
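Review bot: The new prerequisites paragraph (line 42) tells readers to run `Login-AzureRmAccount`; in AzureRM 6.x the documented cmdlet is `Connect-AzureRmAccount` (Login- survives only as an alias), so use that name to match the linked install page. Minor: the same paragraph could state which account role the tutorial needs, since the steps create firewalls, gateways and route tables in the subscription.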
@@ -40,11 +52,9 @@ See the [Create Routes](#create-routes) section in this tutorial to see how thes
40
52
41
53
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
The following example declares the variables using the values for this tutorial. In most cases, you should replace the values with your own. However, you can use these variables if you are running through the steps to become familiar with this type of configuration. Modify the variables if needed, then copy and paste them into your PowerShell console.
57
+
The following example declares the variables using the values for this tutorial. In some cases, you might need to replace some values with your ownto work in your subscription. Modify the variables if needed, then copy and paste them into your PowerShell console.
- A route from the hub gateway subnet to the spoke subnet through the firewall IP address
298
307
- A default route from the spoke subnet through the firewall IP address
299
308
300
309
> [!NOTE]
301
-
> Azure Firewall learns your on-premises networks using BGP. This may include a default route, which will route Internet traffic back through your on-premises network. If instead you want Internet traffic to be sent directly from the firewall to the Internet, add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premises destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
310
+
> Azure Firewall learns your on-premises networks using BGP. This may include a default route, which routes Internet traffic back through your on-premises network. In a production deployment, you might want Internet traffic to be sent directly from the firewall to the Internet. You could add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premises destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
302
311
303
312
```azurepowershell
304
313
#Create a route table
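Review bot: Typo in the rewritten variables paragraph, "with your ownto work in your subscription" should read "with your own to work in your subscription". In the rewritten NOTE, "In a production deployment, you might want ... You could add a user-defined default route" no longer tells the reader whether this tutorial's Create Routes step adds that route; say explicitly whether it is part of the tutorial or a production-only change, because leaving Internet-bound spoke traffic hairpinning through the on-premises network is a deliberate routing decision the reader should make knowingly.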
@@ -413,7 +422,7 @@ Set-AzureRmVMExtension `
413
422
414
423
### Create the on-premises virtual machine
415
424
416
-
This is a simple virtual machine that you can connect to using Remote Desktop to the public IP address. From there, you can then connect to the on-premises server through the firewall. When prompted, type a user name and password for the virtual machine.
425
+
This is a simple virtual machine that you use to connect using Remote Desktop to the public IP address. From there, you then connect to the on-premises server through the firewall. When prompted, type a user name and password for the virtual machine.
417
426
418
427
```azurepowershell
419
428
New-AzureRmVm `
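Review bot: The rewritten sentence "that you use to connect using Remote Desktop to the public IP address" is awkward; suggest "that you connect to over Remote Desktop by using its public IP address". Because this VM exposes RDP on a public IP, the paragraph is also the right place to tell the reader to choose a strong password and to remove the VM when the tutorial is done.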
@@ -428,7 +437,7 @@ New-AzureRmVm `
428
437
429
438
## Test the firewall
430
439
431
-
First, get and note the private IP address for **VM-spoke-01** virtual machine.
440
+
First, get and then note the private IP address for **VM-spoke-01** virtual machine.
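Review bot: "First, get and then note the private IP address for **VM-spoke-01** virtual machine" is not clearer than the original; suggest "First, note the private IP address of the **VM-spoke-01** virtual machine" (the article "the" is missing in both versions).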