articles/firewall/tutorial-hybrid-ps.md
Lines changed: 43 additions & 52 deletions
@@ -1,13 +1,13 @@
1
1
---
2
-
title: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
2
+
title: 'Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell'
3
3
description: In this tutorial, you learn how to deploy and configure Azure Firewall using the Azure portal.
4
4
services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: tutorial
8
8
ms.date: 10/27/2018
9
9
ms.author: victorh
10
-
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall in a hybrid network so that I can control access from an on-premise network to an Azure VNet.
10
+
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall in a hybrid network so that I can control access from an on-premises network to an Azure virtual network.
11
11
---
12
12
# Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
13
13
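Review bot: the description at line 3 still says the tutorial uses the Azure portal, while the new title at line 2 says Azure PowerShell; update the description to match, for example "In this tutorial, you learn how to deploy and configure Azure Firewall in a hybrid network using Azure PowerShell." Since the page content changes, ms.date at line 8 (10/27/2018) should also be bumped to the date of this revision.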
@@ -20,14 +20,14 @@ In this tutorial, you learn how to:
20
20
> * Create the virtual machines
21
21
> * Test the firewall
22
22
23
-
For this tutorial, you create three VNets:
24
-
-**VNet-Hub** - the firewall is in this VNet.
25
-
-**VNet-Spoke** - the spoke VNet represents the workload located on Azure.
26
-
-**VNet-Onprem** - The OnPrem VNet represents an on-premise network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located VNet is used to represent an on-premise network.
23
+
For this tutorial, you create three virtual networks:
24
+
-**VNet-Hub** - the firewall is in this virtual network.
25
+
-**VNet-Spoke** - the spoke virtual network represents the workload located on Azure.
26
+
-**VNet-Onprem** - The on-premises virtual network represents an on-premises network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located virtual network is used to represent an on-premises network.
27
27
28
28

29
29
30
-
## Key requirements
30
+
## Prerequisites
31
31
32
32
There are three key requirements for this scenario to work correctly:
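Review bot: the three network entries at lines 24-26 still begin with `-**VNet-Hub**` with no space after the hyphen, so Markdown will not render them as a bulleted list; change to `- **VNet-Hub** - the firewall is in this virtual network.` and do the same for the other two. In the VNet-Onprem entry, "Express Route" should be the product name "ExpressRoute" (the spelling this same change uses at line 301), and "The on-premises virtual network represents an on-premises network" reads redundantly now that "OnPrem" is gone; "VNet-Onprem represents the on-premises network" says the same thing more clearly. The heading at line 30 becomes "Prerequisites" but line 32 still opens with "There are three key requirements"; align the two.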
Request a public IP address to be allocated to the VPN gateway you will create for your VNet. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your VPN gateway.
112
+
Request a public IP address to be allocated to the VPN gateway you will create for your virtual network. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your VPN gateway.
Request a public IP address to be allocated to the gateway you will create for the VNet. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway.
151
+
Request a public IP address to be allocated to the gateway you will create for the virtual network. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway.
The hub and OnPrem VNets are connected via VPN gateways.
196
+
The hub and on-premises virtual networks are connected via VPN gateways.
197
197
198
-
### Create a VPN gateway for the hub VNet
198
+
### Create a VPN gateway for the hub virtual network
199
199
200
200
Create the VPN gateway configuration. The VPN gateway configuration defines the subnet and the public IP address to use.
201
201
@@ -206,15 +206,15 @@ Create the VPN gateway configuration. The VPN gateway configuration defines the
206
206
-Subnet $subnet1 -PublicIpAddress $gwpip1
207
207
```
208
208
209
-
Now create the VPN gateway for the hub VNet. VNet-to-VNet configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
209
+
Now create the VPN gateway for the hub virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
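Review bot: "Network-to-network configurations" at line 209 replaces "VNet-to-VNet", which is the name of the Azure VPN Gateway connection type that actually requires a RouteBased VpnType; with the product term gone, readers can no longer search the VPN Gateway documentation for it. Suggest "VNet-to-VNet (virtual network-to-virtual network) connections require a RouteBased VpnType." The same substitution is made at line 228 and should be handled the same way.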
Now create the VPN gateway for the OnPrem VNet. VNet-to-VNet configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
228
+
Now create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
In this step, you create the connection from the hub VNet to the OnPrem VNet. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
249
+
In this step, you create the connection from the hub virtual network to the on-premises virtual network. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
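Review bot: line 249 tells readers they can use their own values for the shared key but gives no guidance on choosing one; because the shared key is what the two gateways use to authenticate the tunnel to each other (the text itself says it must match on both connections), add a sentence recommending a long random value rather than the value shown in the examples, and that it not be left in scripts that are checked in. "a short while" is also vague next to the 45-minute estimate given for gateway creation; give a rough time if one is known.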
Create the OnPrem to hub VNet connection. This step is similar to the previous one, except you create the connection from Vnet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.
256
+
Create the on-premises to hub virtual network connection. This step is similar to the previous one, except you create the connection from VNet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.
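Review bot: line 256 writes "VNet-hub" while the network is introduced as "VNet-Hub" at line 24; use one spelling throughout. "Create the on-premises to hub virtual network connection" is hard to parse; "Create the connection from the on-premises virtual network to the hub" is clearer and matches the wording of line 249.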
@@ -278,9 +278,9 @@ After the cmdlet finishes, view the values. In the following example, the connec
278
278
"egressBytesTransferred": 4142431
279
279
```
280
280
281
-
## Peer the hub and spoke VNets
281
+
## Peer the hub and spoke virtual networks
282
282
283
-
Now peer the spoke and hub VNets.
283
+
Now peer the hub and spoke virtual networks.
284
284
285
285
```azurepowershell
286
286
# Peer hub to spoke
@@ -298,7 +298,7 @@ Next, create a couple routes:
298
298
- A default route from the spoke subnet through the firewall IP address
299
299
300
300
> [!NOTE]
301
-
> Azure Firewall learns your on-premise networks using BGP. This may include a default route, which will route Internet traffic back through your on-premise network. If instead you want Internet traffic to be sent directly from the firewall to the Internet, add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premise destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
301
+
> Azure Firewall learns your on-premises networks using BGP. This may include a default route, which will route Internet traffic back through your on-premises network. If instead you want Internet traffic to be sent directly from the firewall to the Internet, add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premises destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
302
302
303
303
```azurepowershell
304
304
#Create a route table
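Review bot: the note at line 301 should spell out the security consequence of the user-defined 0.0.0.0/0 route it recommends: once Internet-bound traffic leaves directly from the firewall instead of being forced-tunneled through the on-premises network, the Azure Firewall network and application rules become the only egress control for that traffic, so readers should confirm those rules are what they want before adding the route. Minor: "on-premises destined traffic" should be hyphenated as "on-premises-destined traffic", and Microsoft style prefers "might" for possibility ("This might include a default route").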
@@ -359,11 +359,11 @@ Set-AzureRmVirtualNetwork
359
359
360
360
## Create virtual machines
361
361
362
-
Now create the spoke workload and OnPrem virtual machines, and place them in the appropriate subnets.
362
+
Now create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.
363
363
364
364
### Create the workload virtual machine
365
365
366
-
Create a virtual machine in the spoke VNet, running IIS, with no public IP address, and allows pings in.
366
+
Create a virtual machine in the spoke virtual network, running IIS, with no public IP address, and allows pings in.
367
367
When prompted, type a user name and password for the virtual machine.
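Review bot: line 366 is not parallel as rewritten: "Create a virtual machine in the spoke virtual network, running IIS, with no public IP address, and allows pings in." Suggest "Create a virtual machine in the spoke virtual network that runs IIS, has no public IP address, and allows inbound pings."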
This is a simple virtual machine that you can connect to using Remote Desktop to the public IP address. From there, you can then connect to the OnPrem server through the firewall. When prompted, type a user name and password for the virtual machine.
416
+
This is a simple virtual machine that you can connect to using Remote Desktop to the public IP address. From there, you can then connect to the on-premises server through the firewall. When prompted, type a user name and password for the virtual machine.
417
417
418
418
```azurepowershell
419
419
New-AzureRmVm `
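Review bot: line 416 describes VM-Onprem as reachable over Remote Desktop at its public IP address but says nothing about limiting that exposure; since this VM exists only to run the tests in this tutorial, add that the network security group on its subnet or NIC should restrict RDP (TCP 3389) to the tester's source address, and point to the cleanup step so the VM and its public IP are removed when the tests are done.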
@@ -434,23 +434,23 @@ First, get and note the private IP address for **VM-spoke-01** virtual machine.
434
434
$NIC.IpConfigurations.privateipaddress
435
435
```
436
436
437
-
1.From the Azure portal, connect to the **VM-Onprem** virtual machine.
437
+
From the Azure portal, connect to the **VM-Onprem** virtual machine.
438
438
<!---2. Open a Windows PowerShell command prompt on **VM-Onprem**, and ping the private IP for **VM-spoke-01**.
439
439
440
440
You should get a reply.--->
441
-
2.Open a web browser on **VM-Onprem**, and browse to http://\<VM-spoke-01 private IP\>
441
+
Open a web browser on **VM-Onprem**, and browse to http://\<VM-spoke-01 private IP\>.
442
442
443
-
You should see the Internet Information Services default page.
443
+
You should see the Internet Information Services default page.
444
444
445
-
3.From **VM-Onprem**, open a remote desktop to **VM-spoke-01** at the private IP address.
445
+
From **VM-Onprem**, open a remote desktop to **VM-spoke-01** at the private IP address.
446
446
447
-
Your connection should succeed, and you should be able to sign in using your chosen username and password.
447
+
Your connection should succeed, and you should be able to sign in using your chosen username and password.
448
448
449
449
So now you have verified that the firewall rules are working:
450
450
451
451
<!---- You can ping the server on the spoke VNet.--->
452
-
- You can browse web server on the spoke VNet.
453
-
- You can connect to the server on the spoke VNet using RDP.
452
+
- You can browse web server on the spoke virtual network.
453
+
- You can connect to the server on the spoke virtual network using RDP.
454
454
455
455
Next, change the firewall network rule collection action to **Deny** to verify that the firewall rules work as expected. Run the following script to change the rule collection action to **Deny**.
456
456
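Review bot: the step numbers are dropped at lines 437, 441 and 445, but the commented-out ping step at line 438 still reads "2. Open a Windows PowerShell command prompt", so if that comment is ever restored the numbering will be inconsistent; either drop its number as well or keep a numbered list for all steps. At line 452 "You can browse web server" is missing "the". Line 455 says to change the action to **Deny** "to verify that the firewall rules work as expected" but never states the expected result; add that the browse and RDP attempts from VM-Onprem should now fail, so readers know what success looks like.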
@@ -469,15 +469,6 @@ You can keep your firewall resources for the next tutorial, or if no longer need