
Azure Firewall for centralized security - Commands & Configuration

Introduction
When you have many apps and services in Azure, you need a way to protect them all from bad traffic. Azure Firewall helps by acting like a security guard that watches and controls all the network traffic in one place. It is a good fit in situations like these:

  • When you want to control internet access for all your Azure resources from one place.
  • When you need to block harmful traffic before it reaches your apps or servers.
  • When you want to log and monitor all network traffic for security audits.
  • When you have multiple virtual networks and want a single firewall to protect them.
  • When you want to create rules that allow or deny traffic based on IP addresses, ports, or protocols.
Config File - azure-firewall-template.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "firewallName": {
      "type": "string",
      "defaultValue": "myAzureFirewall"
    },
    "firewallPublicIpName": {
      "type": "string",
      "defaultValue": "myFirewallPublicIP"
    },
    "location": {
      "type": "string",
      "defaultValue": "eastus"
    },
    "virtualNetworkName": {
      "type": "string",
      "defaultValue": "myFirewallVNet"
    },
    "subnetName": {
      "type": "string",
      "defaultValue": "AzureFirewallSubnet"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2021-05-01",
      "name": "[parameters('firewallPublicIpName')]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAllocationMethod": "Static"
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2021-05-01",
      "name": "[parameters('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "10.0.0.0/16"
          ]
        },
        "subnets": [
          {
            "name": "[parameters('subnetName')]",
            "properties": {
              "addressPrefix": "10.0.1.0/26"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2021-05-01",
      "name": "[parameters('firewallName')]",
      "location": "[parameters('location')]",
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPAddresses', parameters('firewallPublicIpName'))]",
        "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
      ],
      "properties": {
        "sku": {
          "name": "AZFW_VNet",
          "tier": "Standard"
        },
        "ipConfigurations": [
          {
            "name": "azureFirewallIpConfig",
            "properties": {
              "subnet": {
                "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('subnetName'))]"
              },
              "publicIPAddress": {
                "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('firewallPublicIpName'))]"
              }
            }
          }
        ],
        "threatIntelMode": "Alert"
      }
    }
  ]
}

This template creates three main things:

  • Public IP Address: A static, Standard SKU public IP that the firewall uses to communicate with the internet.
  • Virtual Network: A private network in Azure (10.0.0.0/16) with a special /26 subnet named AzureFirewallSubnet where the firewall lives.
  • Azure Firewall: The firewall resource itself, connected to the subnet and public IP. Its threatIntelMode is set to Alert, so traffic matching Microsoft's threat-intelligence feed is logged but not blocked; use Deny if you want it blocked as well.

Each section has parameters to customize names and location. The firewall uses the Standard tier (SKU name AZFW_VNet), which covers the network rules and threat-intelligence filtering used in this pattern.

Commands

The az network firewall commands used below come from the azure-firewall CLI extension; if they are not recognized, install it once with az extension add --name azure-firewall.

Create a resource group to hold all firewall resources in the East US region.

az group create --name myResourceGroup --location eastus

Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup",
  "location": "eastus",
  "managedBy": null,
  "name": "myResourceGroup",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": {},
  "type": "Microsoft.Resources/resourceGroups"
}

--location - Specifies the Azure region where resources will be created
Deploy the Azure Firewall and its supporting resources using the ARM template.

az deployment group create --name azureFirewallDeployment --resource-group myResourceGroup --template-file azure-firewall-template.json

Expected Output
{
  "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Resources/deployments/azureFirewallDeployment",
  "name": "azureFirewallDeployment",
  "properties": {
    "provisioningState": "Succeeded",
    "outputs": {}
  }
}

--name - Names the deployment (the name shown in the output); if omitted, the CLI uses the template file name instead
--resource-group - Specifies the resource group to deploy into
--template-file - Points to the ARM template file to deploy
Check the details of the deployed Azure Firewall to confirm it is created and running.

az network firewall show --name myAzureFirewall --resource-group myResourceGroup

Expected Output
{
  "name": "myAzureFirewall",
  "location": "eastus",
  "provisioningState": "Succeeded",
  "sku": {
    "name": "AZFW_VNet",
    "tier": "Standard"
  },
  "ipConfigurations": [
    {
      "name": "azureFirewallIpConfig",
      "properties": {
        "privateIPAddress": "10.0.1.4",
        "publicIPAddress": {
          "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/publicIPAddresses/myFirewallPublicIP"
        }
      }
    }
  ]
}
Create a network rule to allow HTTP traffic through the firewall from any source to any destination on port 80. The '*' source and destination make this a deliberately permissive rule for the walkthrough; in a real deployment, limit --source-addresses to the address ranges that actually need to reach port 80 so the firewall remains a meaningful control.

az network firewall network-rule create --firewall-name myAzureFirewall --resource-group myResourceGroup --collection-name AllowWeb --name AllowHTTP --protocols TCP --source-addresses '*' --destination-addresses '*' --destination-ports 80 --action Allow --priority 100

Expected Output
No output (command runs silently)

--firewall-name - Specifies which firewall to add the rule to
--collection-name - Groups rules for easier management; --action and --priority apply to the collection, which is created here if it does not exist yet
--priority - Determines the order rule collections are processed; lower numbers run first
List the network rules in the AllowWeb collection to verify the new rule is active.

az network firewall network-rule list --firewall-name myAzureFirewall --resource-group myResourceGroup --collection-name AllowWeb

Expected Output
[
  {
    "name": "AllowHTTP",
    "protocols": [
      "TCP"
    ],
    "sourceAddresses": [
      "*"
    ],
    "destinationAddresses": [
      "*"
    ],
    "destinationPorts": [
      "80"
    ],
    "action": "Allow",
    "priority": 100
  }
]

--collection-name - Required by the list command; rules are always listed per collection
Key Concept

If you remember nothing else from this pattern, remember: Azure Firewall acts as a central gatekeeper controlling and protecting all your network traffic in Azure.

Common Mistakes

  • Not creating the subnet named 'AzureFirewallSubnet' in the virtual network. Azure Firewall requires this exact subnet name to deploy correctly; otherwise, deployment fails. Always create a subnet named 'AzureFirewallSubnet' with at least /26 address space before deploying the firewall.
  • Using a Basic SKU public IP instead of Standard SKU for the firewall's public IP. Azure Firewall requires a Standard SKU public IP for proper functionality and availability. Specify 'Standard' SKU when creating the public IP address for the firewall.
  • Not setting any network rules after deploying the firewall. Without rules, the firewall blocks all traffic by default, causing connectivity issues. Create appropriate network rules to allow desired traffic through the firewall.
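A pre-flight check that catches the template-side mistakes just listed (subnet name and size, public IP SKU) plus a threat-intelligence mode of Off, before az deployment group create is run. This is an added example, not code from the page: the sample template below is constructed with the mistakes deliberately introduced, and the threat-intelligence check assumes you want Alert or Deny rather than Off.

```python
import ipaddress
import json

# Constructed sample (not the page's file): a cut-down copy of the template
# with three mistakes introduced: a /27 subnet, a Basic SKU IP, threat intel off.
BAD_TEMPLATE = json.loads("""{
  "parameters": {"subnetName": {"type": "string", "defaultValue": "AzureFirewallSubnet"},
                 "pipName": {"type": "string", "defaultValue": "myFirewallPublicIP"}},
  "resources": [
    {"type": "Microsoft.Network/publicIPAddresses", "name": "[parameters('pipName')]",
     "sku": {"name": "Basic"}, "properties": {"publicIPAllocationMethod": "Static"}},
    {"type": "Microsoft.Network/virtualNetworks", "name": "myFirewallVNet", "properties":
     {"subnets": [{"name": "[parameters('subnetName')]",
                   "properties": {"addressPrefix": "10.0.1.0/27"}}]}},
    {"type": "Microsoft.Network/azureFirewalls", "name": "myAzureFirewall", "properties":
     {"sku": {"name": "AZFW_VNet", "tier": "Standard"}, "threatIntelMode": "Off"}}
  ]
}""")

def resolve(template, value):
    """Resolve the plain "[parameters('x')]" expressions this template uses."""
    if isinstance(value, str) and value.startswith("[parameters('") and value.endswith("')]"):
        name = value[len("[parameters('"):-len("')]")]
        return template.get("parameters", {}).get(name, {}).get("defaultValue", value)
    return value

def check_firewall_template(template):
    """Return the problems found; an empty list means the template passes."""
    problems, subnet_found = [], False
    for res in template.get("resources", []):
        kind, props = res["type"], res.get("properties", {})
        if kind == "Microsoft.Network/virtualNetworks":
            for sn in props.get("subnets", []):
                if resolve(template, sn["name"]) != "AzureFirewallSubnet":
                    continue
                subnet_found = True
                net = ipaddress.ip_network(sn["properties"]["addressPrefix"])
                if net.prefixlen > 26:  # smaller than /26 is rejected at deployment
                    problems.append(f"AzureFirewallSubnet is /{net.prefixlen}; needs /26 or larger")
        elif kind == "Microsoft.Network/publicIPAddresses":
            if res.get("sku", {}).get("name") != "Standard":
                problems.append(f"public IP {resolve(template, res['name'])} must be Standard SKU")
        elif kind == "Microsoft.Network/azureFirewalls":
            if props.get("threatIntelMode", "Off") == "Off":  # assumption: Alert or Deny wanted
                problems.append(f"firewall {res['name']} has threat intelligence turned off")
    if not subnet_found:
        problems.append("no subnet named AzureFirewallSubnet in any virtual network")
    return problems
```

To check the real file, call check_firewall_template(json.load(open("azure-firewall-template.json"))) and refuse to deploy if the returned list is not empty.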
Summary

  • Create a resource group to organize Azure resources.
  • Deploy Azure Firewall with a public IP and virtual network subnet named 'AzureFirewallSubnet'.
  • Verify the firewall deployment and configure network rules to allow or block traffic.