File: articles/firewall-manager/secure-cloud-network.md
Lines changed: 31 additions & 27 deletions
Columns: original file line number, diff line number, diff line change
@@ -5,7 +5,7 @@ services: firewall-manager
5
5
author: vhorne
6
6
ms.service: firewall-manager
7
7
ms.topic: tutorial
8
-
ms.date: 01/12/2023
8
+
ms.date: 03/05/2024
9
9
ms.author: victorh
10
10
---
11
11
@@ -44,29 +44,30 @@ First, create spoke virtual networks where you can place your servers.
44
44
45
45
### Create two spoke virtual networks and subnets
46
46
47
-
The two virtual networks will each have a workload server in them and will be protected by the firewall.
47
+
The two virtual networks each have a workload server in them and are protected by the firewall.
48
48
49
49
1. From the Azure portal home page, select **Create a resource**.
50
-
2. Search for **Virtual network**, and select **Create**.
50
+
2. Search for **Virtual network**, select it, and select **Create**.
51
51
3. For **Subscription**, select your subscription.
52
52
4. For **Resource group**, select **Create new**, and type **fw-manager-rg** for the name and select **OK**.
53
-
5. For **Name**, type **Spoke-01**.
53
+
5. For **Virtual network name**, type **Spoke-01**.
54
54
6. For **Region**, select **East US**.
55
-
7. Select **Next: IP Addresses**.
56
-
8. For **Address space**, accept the default **10.0.0.0/16**.
57
-
9. Select **Add subnet**.
58
-
10. For **Subnet name**, type **Workload-01-SN**.
59
-
11. For **Subnet address range**, type **10.0.1.0/24**.
60
-
12. Select **Add**.
61
-
13. Select **Review + create**.
62
-
14. Select **Create**.
55
+
7. Select **Next**.
56
+
1. On the **Security** page, select **Next**.
57
+
1. Under **Add IPv4 address space**, accept the default **10.0.0.0/16**.
58
+
1. Under **Subnets**, select **default**.
59
+
1. For **Name**, type **Workload-01-SN**.
60
+
1. For **Starting address**, type **10.0.1.0/24**.
61
+
1. Select **Save**.
62
+
1. Select **Review + create**.
63
+
1. Select **Create**.
63
64
64
65
Repeat this procedure to create another similar virtual network in the **fw-manager-rg** resource group:
65
66
66
67
Name: **Spoke-02**<br>
67
68
Address space: **10.1.0.0/16**<br>
68
69
Subnet name: **Workload-02-SN**<br>
69
-
Subnet address range: **10.1.1.0/24**
70
+
Starting address: **10.1.1.0/24**
70
71
71
72
### Create the secured virtual hub
72
73
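Review bot: the step numbering in the spoke procedure mixes explicit numbers with the auto-numbered form: the steps run `5.`, `6.`, `7. Select **Next**.` and then continue as `1. On the **Security** page, select **Next**.`; use `1.` for every step (or explicit numbers for all) so the rendered list stays consistent and later insertions do not force renumbering. The summary block's change from 'Subnet address range' to 'Starting address' matches the new subnet step, and the spoke address spaces **10.0.0.0/16** and **10.1.0.0/16** stay non-overlapping, which the hub connections created later in the article require.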
@@ -101,7 +102,9 @@ Create your secured virtual hub using Firewall Manager.
101
102
102
103
:::image type="content" source="./media/secure-cloud-network/3-azure-firewall-parameters-with-zones.png" alt-text="Screenshot of configuring Azure Firewall parameters." lightbox="./media/secure-cloud-network/3-azure-firewall-parameters-with-zones.png":::
103
104
104
-
16. Select the **Firewall Policy** to apply at the new Azure Firewall instance. Select **Default Deny Policy**, you'll refine your settings later in this article.
105
+
106
+
16. Type **1** in the **Specify number of Public IP addressees** text box.
107
+
16. Under **Firewall Policy** ensure the **Default Deny Policy** is selected. You refine your settings later in this article.
105
108
17. Select **Next: Security Partner Provider**.
106
109
107
110
:::image type="content" source="./media/secure-cloud-network/4-trusted-security-partner.png" alt-text="Screenshot of configuring Trusted Partners parameters." lightbox="./media/secure-cloud-network/4-trusted-security-partner.png":::
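Review bot: the added step has a typo and a duplicated step number: `16. Type **1** in the **Specify number of Public IP addressees** text box.` should read 'addresses', and it is followed by a second `16.` for the firewall policy step, so renumber the policy step to 17 and the following `17. Select **Next: Security Partner Provider**.` to 18 (or switch the list to `1.` throughout). Also add a comma after **Firewall Policy** in 'Under **Firewall Policy** ensure the **Default Deny Policy** is selected'. Keeping Default Deny Policy as the starting point is the right baseline: nothing passes until the allow rules added later in the article exist.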
@@ -114,13 +117,13 @@ Create your secured virtual hub using Firewall Manager.
114
117
> [!NOTE]
115
118
> It may take up to 30 minutes to create a secured virtual hub.
116
119
117
-
You can get the firewall public IP address after the deployment completes.
120
+
You can find the firewall public IP address after the deployment completes.
118
121
119
122
1. Open **Firewall Manager**.
120
123
2. Select **Virtual hubs**.
121
124
3. Select **hub-01**.
122
-
4. Under**Azure Firewall**, select **Public IP configuration**.
123
-
5. Note the public IP address to use later.
125
+
1. Select**AzureFirewall_Hub-01**.
126
+
1. Note the public IP address to use later.
124
127
125
128
### Connect the hub and spoke virtual networks
126
129
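Review bot: the added step is missing a space after 'Select': `1. Select**AzureFirewall_Hub-01**.` should be `1. Select **AzureFirewall_Hub-01**.` (the removed line `4. Under**Azure Firewall**, select **Public IP configuration**.` had the same defect, so this is the chance to fix it rather than carry it forward). The list also switches from `3. Select **hub-01**.` to `1.` for the remaining steps; pick one form for the whole list.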
@@ -137,7 +140,7 @@ Now you can peer the hub and spoke virtual networks.
137
140
6. For **Resource group**, select **fw-manager-rg**.
138
141
7. For **Virtual network**, select **Spoke-01**.
139
142
8. Select **Create**.
140
-
9. Repeat to connect the **Spoke-02** virtual network: connection name - **hub-spoke-02**
143
+
9. Repeat to connect the **Spoke-02** virtual network: connection name - **hub-spoke-02**.
141
144
142
145
## Deploy the servers
143
146
@@ -174,7 +177,7 @@ After the servers are deployed, select a server resource, and in **Networking**
174
177
175
178
## Create a firewall policy and secure your hub
176
179
177
-
A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You'll create your firewall policy and then secure your hub.
180
+
A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You create your firewall policy and then secure your hub.
178
181
179
182
1. From Firewall Manager, select **Azure Firewall policies**.
180
183
@@ -204,7 +207,7 @@ A firewall policy defines collections of rules to direct traffic on one or more
204
207
11. For **Rule collection type**, select **Application**.
205
208
12. For **Priority**, type **100**.
206
209
13. Ensure **Rule collection action** is **Allow**.
207
-
14. For the rule **Name** type **Allow-msft**.
210
+
14. For the rule **Name**, type **Allow-msft**.
208
211
15. For the **Source type**, select **IP address**.
209
212
16. For **Source**, type **\***.
210
213
17. For **Protocol**, type **http,https**.
@@ -214,16 +217,15 @@ A firewall policy defines collections of rules to direct traffic on one or more
214
217
215
218
21. Add a **DNAT rule** so you can connect a remote desktop to the **Srv-Workload-01** virtual machine.
216
219
217
-
1. Select **Add/Rule collection**.
220
+
1. Select **Add a rule collection**.
218
221
2. For **Name**, type **dnat-rdp**.
219
222
3. For **Rule collection type**, select **DNAT**.
220
223
4. For **Priority**, type **100**.
221
-
5. For the rule **Name** type **Allow-rdp**.
224
+
5. For the rule **Name**, type **Allow-rdp**.
222
225
6. For the **Source type**, select **IP address**.
223
226
7. For **Source**, type **\***.
224
227
8. For **Protocol**, select **TCP**.
225
228
9. For **Destination Ports**, type **3389**.
226
-
10. For **Destination Type**, select **IP Address**.
227
229
11. For **Destination**, type the firewall public IP address that you noted previously.
228
230
1. For **Translated type**, select **IP Address**.
229
231
1. For **Translated address**, type the private IP address for **Srv-Workload-01** that you noted previously.
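Review bot: removing `10. For **Destination Type**, select **IP Address**.` leaves a gap in the explicit numbering: `9. For **Destination Ports**, type **3389**.` is now followed directly by `11. For **Destination**, type the firewall public IP address that you noted previously.`, and the last two steps then use `1.`; renumber the remaining steps or use `1.` throughout. Since the rule keeps **Source** as `*` for TCP 3389 on the firewall public IP, consider adding a sentence advising readers to narrow the source to their own client address once the test is done, so the tutorial does not leave RDP reachable from any address.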
@@ -289,17 +291,19 @@ Now you must ensure that network traffic gets routed through your firewall.
289
291
9. Select **OK** on the **Warning** dialog.
290
292
291
293
:::image type="content" source="./media/secure-cloud-network/9a-firewall-warning.png" alt-text="Screenshot of Secure Connections." lightbox="./media/secure-cloud-network/9a-firewall-warning.png":::
294
+
9. Select **OK** on the **Migrate to use inter-hub** dialog.
292
295
293
296
> [!NOTE]
294
297
> It takes a few minutes to update the route tables.
295
298
299
+
296
300
8. Verify that the two connections show Azure Firewall secures both Internet and private traffic.
297
301
298
302
:::image type="content" source="./media/secure-cloud-network/9b-secured-connections.png" alt-text="Screenshot of Secure Connections final status." lightbox="./media/secure-cloud-network/9b-secured-connections.png":::
299
303
300
304
## Test the firewall
301
305
302
-
To test the firewall rules, you'll connect a remote desktop using the firewall public IP address, which is NATed to **Srv-Workload-01**. From there you'll use a browser to test the application rule and connect a remote desktop to **Srv-Workload-02** to test the network rule.
306
+
To test the firewall rules, connect a remote desktop using the firewall public IP address, which is NATed to **Srv-Workload-01**. From there, use a browser to test the application rule and connect a remote desktop to **Srv-Workload-02** to test the network rule.
303
307
304
308
### Test the application rule
305
309
@@ -314,9 +318,9 @@ Now, test the firewall rules to confirm that it works as expected.
314
318
315
319
4. Browse to `https://www.google.com`.
316
320
317
-
You should be blocked by the firewall.
321
+
The firewall should block this.
318
322
319
-
So now you've verified that the firewall application rule is working:
323
+
So now you verified that the firewall application rule is working:
320
324
321
325
* You can browse to the one allowed FQDN, but not to any others.
322
326
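Review bot: `So now you verified that the firewall application rule is working:` drops the contraction but leaves the tense awkward; 'You have now verified that the firewall application rule is working:' reads better, and the same rewording applies to the matching line in the network-rule hunk below. `The firewall should block this.` is fine as the replacement for the passive sentence.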
@@ -328,7 +332,7 @@ Now test the network rule.
328
332
329
333
A remote desktop should connect to Srv-Workload-02.
330
334
331
-
So now you've verified that the firewall network rule is working:
335
+
So now you verified that the firewall network rule is working:
332
336
* You can connect a remote desktop to a server located in another virtual network.