@@ -1,33 +1,45 @@
1
1
---
2
-
title: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
2
+
title: 'Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell'
3
3
description: In this tutorial, you learn how to deploy and configure Azure Firewall using the Azure portal.
4
4
services: firewall
5
5
author: vhorne
6
6
ms.service: firewall
7
7
ms.topic: tutorial
8
8
ms.date: 10/27/2018
9
9
ms.author: victorh
10
-
#Customer intent: As an administrator, I want to deploy and configure Azure Firewall in a hybrid network so that I can control access from an on-premise network to an Azure VNet.
10
+
#Customer intent: As an administrator, I want to control network access from an on-premises network to an Azure virtual network.
11
11
---
12
12
# Tutorial: Deploy and configure Azure Firewall in a hybrid network using Azure PowerShell
13
13
14
+
When you connect your on-premises network to an Azure virtual network to create a hybrid network, the ability to control access to your Azure network resources is an important part of an overall security plan.
15
+
16
+
You can use Azure Firewall to control network access in a hybrid network using rules that define allowed and denied network traffic.
17
+
18
+
For this tutorial, you create three virtual networks:
19
+
20
+
-**VNet-Hub** - the firewall is in this virtual network.
21
+
-**VNet-Spoke** - the spoke virtual network represents the workload located on Azure.
22
+
-**VNet-Onprem** - The on-premises virtual network represents an on-premises network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located virtual network is used to represent an on-premises network.
23
+
24
+

25
+
14
26
In this tutorial, you learn how to:
15
27
16
28
> [!div class="checklist"]
17
-
> * Set up the network environment
29
+
> * Declare the variables
30
+
> * Create the firewall hub virtual network
31
+
> * Create the spoke virtual network
32
+
> * Create the on-premises virtual network
18
33
> * Configure and deploy the firewall
34
+
> * Create and connect the VPN gateways
35
+
> * Peer the hub and spoke virtual networks
19
36
> * Create the routes
20
37
> * Create the virtual machines
21
38
> * Test the firewall
22
39
23
-
For this tutorial, you create three VNets:
24
-
-**VNet-Hub** - the firewall is in this VNet.
25
-
-**VNet-Spoke** - the spoke VNet represents the workload located on Azure.
26
-
-**VNet-Onprem** - The OnPrem VNet represents an on-premise network. In an actual deployment, it can be connected by either a VPN or Express Route connection. For simplicity, this tutorial uses a VPN gateway connection, and an Azure-located VNet is used to represent an on-premise network.
27
-
28
-

40
+
## Prerequisites
29
41
30
-
## Key requirements
42
+
This tutorial requires that you run PowerShell locally. You must have Azure PowerShell module version 6.12.0 or later installed. Run `Get-Module -ListAvailable AzureRM` to find the version. If you need to upgrade, see [Install Azure PowerShell module](https://docs.microsoft.com/powershell/azure/install-azurerm-ps). After you verify the PowerShell version, run `Login-AzureRmAccount` to create a connection with Azure.
31
43
32
44
There are three key requirements for this scenario to work correctly:
33
45
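Review bot: the unchanged `description:` front-matter line still says the tutorial uses the Azure portal while the new title and body are about Azure PowerShell; update it to match, e.g. `description: In this tutorial, you learn how to deploy and configure Azure Firewall using Azure PowerShell.` In the new Prerequisites paragraph, prefer `Connect-AzureRmAccount` over `Login-AzureRmAccount` (the latter is a compatibility alias), and write the product name as `ExpressRoute` rather than `Express Route` in the **VNet-Onprem** bullet.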
@@ -40,11 +52,9 @@ See the [Create Routes](#create-routes) section in this tutorial to see how thes
40
52
41
53
If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free/?WT.mc_id=A261C142F) before you begin.
The following example declares the variables using the values for this tutorial. In most cases, you should replace the values with your own. However, you can use these variables if you are running through the steps to become familiar with this type of configuration. Modify the variables if needed, then copy and paste them into your PowerShell console.
57
+
The following example declares the variables using the values for this tutorial. In some cases, you might need to replace some values with your ownto work in your subscription. Modify the variables if needed, then copy and paste them into your PowerShell console.
Request a public IP address to be allocated to the VPN gateway you will create for your VNet. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your VPN gateway.
121
+
Request a public IP address to be allocated to the VPN gateway you will create for your virtual network. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your VPN gateway.
Request a public IP address to be allocated to the gateway you will create for the VNet. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway.
160
+
Request a public IP address to be allocated to the gateway you will create for the virtual network. Notice that the *AllocationMethod* is **Dynamic**. You cannot specify the IP address that you want to use. It's dynamically allocated to your gateway.
The hub and OnPrem VNets are connected via VPN gateways.
205
+
The hub and on-premises virtual networks are connected via VPN gateways.
197
206
198
-
### Create a VPN gateway for the hub VNet
207
+
### Create a VPN gateway for the hub virtual network
199
208
200
209
Create the VPN gateway configuration. The VPN gateway configuration defines the subnet and the public IP address to use.
201
210
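Review bot: typo in the rewritten variables paragraph: `your ownto work in your subscription` should read `your own to work in your subscription`. The new wording "you might need to replace some values" should also say which values are subscription-specific so readers know what to check before pasting the block into the console; the removed sentence at least told them the tutorial values could be used as-is for a walkthrough.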
@@ -206,15 +215,15 @@ Create the VPN gateway configuration. The VPN gateway configuration defines the
206
215
-Subnet $subnet1 -PublicIpAddress $gwpip1
207
216
```
208
217
209
-
Now create the VPN gateway for the hub VNet. VNet-to-VNet configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
218
+
Now create the VPN gateway for the hub virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
Now create the VPN gateway for the OnPrem VNet. VNet-to-VNet configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
237
+
Now create the VPN gateway for the on-premises virtual network. Network-to-network configurations require a RouteBased VpnType. Creating a VPN gateway can often take 45 minutes or more, depending on the selected VPN gateway SKU.
In this step, you create the connection from the hub VNet to the OnPrem VNet. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
258
+
In this step, you create the connection from the hub virtual network to the on-premises virtual network. You'll see a shared key referenced in the examples. You can use your own values for the shared key. The important thing is that the shared key must match for both connections. Creating a connection can take a short while to complete.
Create the OnPrem to hub VNet connection. This step is similar to the previous one, except you create the connection from Vnet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.
265
+
Create the on-premises to hub virtual network connection. This step is similar to the previous one, except you create the connection from VNet-Onprem to VNet-hub. Make sure the shared keys match. The connection will be established after a few minutes.
- A route from the hub gateway subnet to the spoke subnet through the firewall IP address
298
307
- A default route from the spoke subnet through the firewall IP address
299
308
300
309
> [!NOTE]
301
-
> Azure Firewall learns your on-premise networks using BGP. This may include a default route, which will route Internet traffic back through your on-premise network. If instead you want Internet traffic to be sent directly from the firewall to the Internet, add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premise destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
310
+
> Azure Firewall learns your on-premises networks using BGP. This may include a default route, which routes Internet traffic back through your on-premises network. In a production deployment, you might want Internet traffic to be sent directly from the firewall to the Internet. You could add a user-defined default route (0.0.0.0/0) on the AzureFirewallSubnet with next hop type **Internet**. Your on-premises destined traffic is still forced-tunneled through the VPN/ExpressRoute gateway using the more specific routes learned from BGP.
302
311
303
312
```azurepowershell
304
313
#Create a route table
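Review bot: the connection paragraph says `You can use your own values for the shared key` but never states that the shared key is a secret; add that it should be a long random value generated per deployment rather than the sample value from the tutorial, since anyone holding the pre-shared key can authenticate to the IPsec tunnel. In the BGP note, replacing "If instead you want Internet traffic to be sent directly from the firewall..." with "In a production deployment, you might want..." loses the condition; keep the conditional so readers understand the 0.0.0.0/0 user-defined route with next hop **Internet** is needed only when they do not want Internet-bound traffic forced-tunneled back on-premises.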
@@ -359,11 +368,11 @@ Set-AzureRmVirtualNetwork
359
368
360
369
## Create virtual machines
361
370
362
-
Now create the spoke workload and OnPrem virtual machines, and place them in the appropriate subnets.
371
+
Now create the spoke workload and on-premises virtual machines, and place them in the appropriate subnets.
363
372
364
373
### Create the workload virtual machine
365
374
366
-
Create a virtual machine in the spoke VNet, running IIS, with no public IP address, and allows pings in.
375
+
Create a virtual machine in the spoke virtual network, running IIS, with no public IP address, and allows pings in.
367
376
When prompted, type a user name and password for the virtual machine.
This is a simple virtual machine that you can connect to using Remote Desktop to the public IP address. From there, you can then connect to the OnPrem server through the firewall. When prompted, type a user name and password for the virtual machine.
425
+
This is a simple virtual machine that you use to connect using Remote Desktop to the public IP address. From there, you then connect to the on-premises server through the firewall. When prompted, type a user name and password for the virtual machine.
417
426
418
427
```azurepowershell
419
428
New-AzureRmVm `
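Review bot: grammar in the workload VM sentence: `running IIS, with no public IP address, and allows pings in` should read `that runs IIS, has no public IP address, and allows pings in`. The on-premises VM paragraph describes connecting over Remote Desktop to a public IP address; since that VM is Internet-exposed, state that this is a test-only configuration and recommend restricting inbound RDP to the reader's own source IP address (for example with a network security group rule) rather than leaving it open to any source.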
@@ -428,29 +437,29 @@ New-AzureRmVm `
428
437
429
438
## Test the firewall
430
439
431
-
First, get and note the private IP address for **VM-spoke-01** virtual machine.
440
+
First, get and then note the private IP address for **VM-spoke-01** virtual machine.
432
441
433
442
```azurepowershell
434
443
$NIC.IpConfigurations.privateipaddress
435
444
```
436
445
437
-
1.From the Azure portal, connect to the **VM-Onprem** virtual machine.
446
+
From the Azure portal, connect to the **VM-Onprem** virtual machine.
438
447
<!---2. Open a Windows PowerShell command prompt on **VM-Onprem**, and ping the private IP for **VM-spoke-01**.
439
448
440
449
You should get a reply.--->
441
-
2.Open a web browser on **VM-Onprem**, and browse to http://\<VM-spoke-01 private IP\>
450
+
Open a web browser on **VM-Onprem**, and browse to http://\<VM-spoke-01 private IP\>.
442
451
443
-
You should see the Internet Information Services default page.
452
+
You should see the Internet Information Services default page.
444
453
445
-
3.From **VM-Onprem**, open a remote desktop to **VM-spoke-01** at the private IP address.
454
+
From **VM-Onprem**, open a remote desktop to **VM-spoke-01** at the private IP address.
446
455
447
-
Your connection should succeed, and you should be able to sign in using your chosen username and password.
456
+
Your connection should succeed, and you should be able to sign in using your chosen username and password.
448
457
449
458
So now you have verified that the firewall rules are working:
450
459
451
460
<!---- You can ping the server on the spoke VNet.--->
452
-
- You can browse web server on the spoke VNet.
453
-
- You can connect to the server on the spoke VNet using RDP.
461
+
- You can browse web server on the spoke virtual network.
462
+
- You can connect to the server on the spoke virtual network using RDP.
454
463
455
464
Next, change the firewall network rule collection action to **Deny** to verify that the firewall rules work as expected. Run the following script to change the rule collection action to **Deny**.
456
465
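Review bot: dropping the `1.`/`2.`/`3.` prefixes turns an ordered test procedure into loose paragraphs; the original defect was only the missing space after the period (`1.From` should be `1. From`), so restore the numbered list instead. The `$NIC.IpConfigurations.privateipaddress` snippet assumes `$NIC` was captured in an earlier step; add a sentence pointing to that step or retrieve the interface here with `Get-AzureRmNetworkInterface`. Minor: `You can browse web server on the spoke virtual network` should read `You can browse the web server on the spoke virtual network`.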
@@ -469,15 +478,6 @@ You can keep your firewall resources for the next tutorial, or if no longer need