Configuring Azure Firewall for Advanced Network Protection

08/08/2024

This technical and educational article aims to guide security analysts, IT administrators, and systems engineers in configuring and using Azure Firewall for advanced network protection. Azure Firewall is a managed, cloud-based network security service that provides Layer 4 and Layer 7 threat protection for Azure network resources, enabling centralization of network control and implementation of consistent security policies across cloud environments [1].

Introduction

In an ever-growing cloud landscape, network security is a fundamental pillar for protecting applications and data. Azure Firewall provides a robust solution for inspecting and controlling network traffic, acting as a central point of enforcement for security policies. It goes beyond basic Network Security Groups (NSGs) by providing advanced features such as Fully Qualified Domain Name (FQDN)-based traffic filtering, threat intelligence, Intrusion Detection and Prevention System (IDPS), and TLS inspection, making it essential for secure network architectures in Azure, especially in Hub-and-Spoke models [2].

This practical guide covers deploying Azure Firewall, configuring network and application rules, enabling threat intelligence and IDPS, integrating with other Azure services, and best practices for network governance. Step-by-step instructions and example Azure CLI commands are provided so that the reader can implement and validate an effective network protection strategy, reducing the attack surface and strengthening the cyber resilience of their Azure infrastructure.

Why is Azure Firewall crucial for Advanced Network Protection?

  • Advanced Traffic Filtering: Allows you to filter network traffic based on IP addresses, ports, protocols, FQDNs and URLs, offering granular control.
  • Threat Intelligence: Automatically blocks traffic to and from known malicious domains and IP addresses based on Microsoft threat intelligence feeds.
  • IDPS (Intrusion Detection and Prevention System): Detects and blocks attacks in real time using signatures, including vulnerability exploits and malware.
  • TLS Inspection: Decrypts outgoing TLS/SSL traffic to inspect hidden threats and enforce security policies, re-encrypting it before sending it to the destination.
  • Centralized Deployment: Can be deployed in a hub virtual network to protect multiple spoke virtual networks, simplifying management and policy enforcement.
  • High Availability and Scalability: It is a fully managed service, with integrated high availability and automatic scalability to handle traffic spikes.
  • Azure Ecosystem Integration: Seamlessly integrates with Azure Monitor, Azure Sentinel, and Azure Firewall Manager for centralized monitoring, analysis, and management.

Prerequisites

To configure Azure Firewall for advanced network protection, you will need the following items:

  1. Active Azure Subscription: An Azure subscription to create and manage resources.
  2. Administrative Access: An account with the role of Owner or Contributor in the Azure subscription, or in the resource group where the Firewall and VNets will be deployed.
  3. Azure Virtual Networks (VNets): At least one VNet to deploy Azure Firewall and ideally a Hub-and-Spoke architecture for demonstration.
  4. Optional: Virtual Machines (VMs): VMs deployed in spoke VNets to test firewall rules.
  5. Azure CLI or Azure PowerShell: Installed and configured command-line tools to interact with Azure.

Step by Step: Configuring Azure Firewall for Advanced Protection

Let's deploy an Azure Firewall and configure its main features.

1. Preparing the Hub-and-Spoke Architecture

A Hub-and-Spoke architecture is a common network topology in Azure, where the hub VNet contains shared services (such as Azure Firewall) and the spoke VNets contain the workloads. Traffic between the spokes and to the internet is routed through the hub.

  1. Create Resource Group: Create a resource group for all resources. The same resource group name (RG-Firewall-Artigos) is used in every later command.

```bash
az group create --name RG-Firewall-Artigos --location eastus
```

  2. Create VNet Hub: Create a VNet for the hub with a dedicated subnet for Azure Firewall (the subnet must be named AzureFirewallSubnet).

```bash
az network vnet create --name VNet-Hub --resource-group RG-Firewall-Artigos --address-prefix 10.0.0.0/16 --location eastus
az network vnet subnet create --name AzureFirewallSubnet --vnet-name VNet-Hub --resource-group RG-Firewall-Artigos --address-prefix 10.0.1.0/24
```

  3. Create VNet Spoke: Create a VNet for the spoke with a subnet for the VMs.

```bash
az network vnet create --name VNet-Spoke --resource-group RG-Firewall-Artigos --address-prefix 10.1.0.0/16 --location eastus
az network vnet subnet create --name WorkloadSubnet --vnet-name VNet-Spoke --resource-group RG-Firewall-Artigos --address-prefix 10.1.1.0/24
```

  4. Configure VNet Peering: Connect the hub VNet and the spoke VNet via peering (one peering in each direction).

```bash
az network vnet peering create --name HubToSpoke --resource-group RG-Firewall-Artigos --vnet-name VNet-Hub --remote-vnet VNet-Spoke --allow-vnet-access
az network vnet peering create --name SpokeToHub --resource-group RG-Firewall-Artigos --vnet-name VNet-Spoke --remote-vnet VNet-Hub --allow-vnet-access
```

2. Deploying Azure Firewall

  1. Create Azure Firewall: Deploy the Azure Firewall on the AzureFirewallSubnet of the hub VNet.

```bash
# The az network firewall commands are provided by the azure-firewall CLI extension
az extension add --name azure-firewall
# --sku selects the deployment type (AZFW_VNet for a VNet firewall); --tier selects Standard or Premium
az network firewall create --name AzureFirewall-01 --resource-group RG-Firewall-Artigos --location eastus --sku AZFW_VNet --tier Standard
az network firewall ip-config create --firewall-name AzureFirewall-01 --name AzureFirewall-IP --resource-group RG-Firewall-Artigos --vnet-name VNet-Hub --public-ip-address az-firewall-pip
```

    • Note: The az network firewall ip-config create command will automatically create a Public IP for the Firewall if you provide a name (e.g. az-firewall-pip).
  2. Get Firewall Private IP: Note down the Azure Firewall private IP as it will be used for routing.

```bash
# The JMESPath expression is quoted so the shell does not treat the brackets as a glob
az network firewall show --name AzureFirewall-01 --resource-group RG-Firewall-Artigos --query "ipConfigurations[0].privateIpAddress" -o tsv
```

3. Configuring Routing for Azure Firewall

For spoke VNet traffic to pass through Azure Firewall, we need to create a Route Table and associate it with the spoke subnet.

  1. Create Route Table: Create a route table.

```bash
az network route-table create --name FirewallRouteTable --resource-group RG-Firewall-Artigos --location eastus
```

  2. Add Default Route: Add a default route (0.0.0.0/0) that directs all traffic to the Azure Firewall private IP.

```bash
# Read the firewall private IP obtained in the previous step into a variable
FIREWALL_PRIVATE_IP=$(az network firewall show --name AzureFirewall-01 --resource-group RG-Firewall-Artigos --query "ipConfigurations[0].privateIpAddress" -o tsv)
az network route-table route create --name DefaultRouteToFirewall --resource-group RG-Firewall-Artigos --route-table-name FirewallRouteTable --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance --next-hop-ip-address "$FIREWALL_PRIVATE_IP"
```

  3. Associate Route Table to Spoke Subnet: Associate the route table to the WorkloadSubnet of VNet-Spoke.

```bash
az network vnet subnet update --name WorkloadSubnet --vnet-name VNet-Spoke --resource-group RG-Firewall-Artigos --route-table FirewallRouteTable
```

4. Configuring Azure Firewall Rules

Azure Firewall uses collections of rules to control traffic. There are three types of rules: Network Rules, Application Rules and NAT Rules.

4.1. Network Rules

Control Layer 3 and Layer 4 traffic (IP, ports, protocols).

  1. Allow Outbound Traffic for DNS: Essential for name resolution.

```bash
az network firewall network-rule create --firewall-name AzureFirewall-01 --collection-name "Allow-DNS" --name "Allow-DNS-Outbound" --resource-group RG-Firewall-Artigos --priority 100 --action Allow --source-addresses "*" --destination-addresses "*" --protocols UDP --destination-ports 53
```

  2. Allow Outgoing Traffic to a Specific IP: Example: allow access to a patch server.

```bash
az network firewall network-rule create --firewall-name AzureFirewall-01 --collection-name "Allow-Patch-Server" --name "Allow-Patch-Server-Outbound" --resource-group RG-Firewall-Artigos --priority 110 --action Allow --source-addresses "10.1.1.0/24" --destination-addresses "20.1.2.3" --protocols TCP --destination-ports 443
```

4.2. Application Rules

Control Layer 7 traffic (HTTP/HTTPS) based on FQDNs.

  1. Allow Access to Microsoft Sites: Example: allow access to learn.microsoft.com.

```bash
az network firewall application-rule create --firewall-name AzureFirewall-01 --collection-name "Allow-Microsoft-Sites" --name "Allow-Learn-Microsoft" --resource-group RG-Firewall-Artigos --priority 100 --action Allow --source-addresses "10.1.1.0/24" --protocols Http=80 Https=443 --target-fqdns "learn.microsoft.com"
```

    • Tip: FQDN tags are groups of FQDNs pre-defined by Microsoft for common services (for example WindowsUpdate). A rule uses either --target-fqdns or --fqdn-tags, not both, so put FQDN tags in a rule of their own.
  2. Block Access to Malicious Websites: By default, Azure Firewall blocks everything that is not explicitly allowed. However, you can create explicit deny rules for specific FQDNs.

```bash
az network firewall application-rule create --firewall-name AzureFirewall-01 --collection-name "Block-Malicious-Sites" --name "Block-Bad-Site" --resource-group RG-Firewall-Artigos --priority 200 --action Deny --source-addresses "10.1.1.0/24" --protocols Https=443 --target-fqdns "badsite.com"
```

4.3. NAT (Network Address Translation) rules

Allow you to direct incoming traffic to internal resources (DNAT - Destination NAT).

  1. Allow External RDP Access to a VM (with caution!): Example: Allow RDP to a VM from a specific public IP.

```bash
# Create a VM on the WorkloadSubnet to test. The VM is created synchronously (no --no-wait)
# so that its private IP exists when it is read below. The password is the guide's sample value;
# --generate-ssh-keys is the safer choice for a real deployment.
az vm create --name TestVM --resource-group RG-Firewall-Artigos --image Ubuntu2204 --size Standard_B1s --vnet-name VNet-Spoke --subnet WorkloadSubnet --admin-username azureuser --admin-password "P@ssw0rd12345!"

# Get the VM's private IP (-d / --show-details is what exposes the privateIps field)
VM_PRIVATE_IP=$(az vm show --name TestVM --resource-group RG-Firewall-Artigos -d --query privateIps -o tsv)

# Get the Firewall public IP
FIREWALL_PUBLIC_IP=$(az network public-ip show --name az-firewall-pip --resource-group RG-Firewall-Artigos --query ipAddress -o tsv)

# Create the DNAT rule
az network firewall nat-rule create --firewall-name AzureFirewall-01 --collection-name "Allow-RDP-Inbound" --name "RDP-to-TestVM" --resource-group RG-Firewall-Artigos --priority 100 --action Dnat --source-addresses "YOUR_PUBLIC_IP" --destination-addresses "$FIREWALL_PUBLIC_IP" --protocols TCP --destination-ports 3389 --translated-address "$VM_PRIVATE_IP" --translated-port 3389
```

    • WARNING: Replace YOUR_PUBLIC_IP with your real public IP address to restrict access. Do not use "*" in production for DNAT rules.
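To make the interaction of the three rule types concrete, here is an added Python model (not code from the article or from Azure) of the evaluation order Azure Firewall applies: DNAT rules first, then network rules, then application rules, with lower collection priority evaluated first within each type and an implicit deny for unmatched traffic. It encodes the rule set from this section; the addresses 203.0.113.10 and 198.51.100.20 are constructed stand-ins for YOUR_PUBLIC_IP and the firewall public IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Evaluation order across rule types: DNAT first, then network, then application.
ORDER = {"nat": 0, "network": 1, "application": 2}

@dataclass(frozen=True)
class Rule:
    kind: str           # "nat", "network" or "application"
    collection: str     # rule collection name
    priority: int       # collection priority; lower is evaluated first within a kind
    action: str         # "Dnat", "Allow" or "Deny"
    sources: tuple      # source prefixes, "*" means any
    protocols: tuple    # TCP/UDP for nat and network rules, Http/Https for application rules
    ports: tuple        # destination ports
    dest_ips: tuple = ()  # nat/network rules: destination prefixes
    fqdns: tuple = ()     # application rules: target FQDNs

def in_prefixes(addr, prefixes):
    return any(p == "*" or ip_address(addr) in ip_network(p, strict=False) for p in prefixes)

def matches(rule, flow):
    # Application rules look at the L7 protocol and FQDN; nat/network rules at L4 protocol and IP.
    proto = flow.get("app") if rule.kind == "application" else flow["proto"]
    if proto not in rule.protocols or flow["dport"] not in rule.ports:
        return False
    if not in_prefixes(flow["src"], rule.sources):
        return False
    if rule.kind == "application":
        return flow.get("fqdn") in rule.fqdns
    return in_prefixes(flow["dst"], rule.dest_ips)

def evaluate(rules, flow):
    """Return (action, collection) of the first matching rule; unmatched traffic is implicitly denied."""
    for rule in sorted(rules, key=lambda r: (ORDER[r.kind], r.priority)):
        if matches(rule, flow):
            return rule.action, rule.collection
    return "Deny", "implicit-deny"

# The rule set from section 4. 203.0.113.10 stands in for YOUR_PUBLIC_IP and 198.51.100.20
# for $FIREWALL_PUBLIC_IP (constructed documentation addresses, not real ones).
RULES = [
    Rule("nat", "Allow-RDP-Inbound", 100, "Dnat", ("203.0.113.10",), ("TCP",), (3389,), ("198.51.100.20",)),
    Rule("network", "Allow-DNS", 100, "Allow", ("*",), ("UDP",), (53,), ("*",)),
    Rule("network", "Allow-Patch-Server", 110, "Allow", ("10.1.1.0/24",), ("TCP",), (443,), ("20.1.2.3",)),
    Rule("application", "Allow-Microsoft-Sites", 100, "Allow", ("10.1.1.0/24",), ("Http", "Https"), (80, 443),
         fqdns=("learn.microsoft.com",)),
    Rule("application", "Block-Malicious-Sites", 200, "Deny", ("10.1.1.0/24",), ("Https",), (443,),
         fqdns=("badsite.com",)),
]
```

A flow that a network rule allows or denies never reaches the application rules, which is why a broad TCP/443 network rule would silently bypass the FQDN deny list.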

5. Configuring Azure Firewall Premium (IDPS and TLS Inspection)

For advanced protection features like IDPS and TLS Inspection, you need Azure Firewall Premium.

  1. Upgrade Firewall SKU (if necessary): If you have created a Standard Firewall, you can upgrade it to Premium.

```bash
# The SKU tier is set with --tier (the --sku flag selects AZFW_VNet or AZFW_Hub, not the tier)
az network firewall update --name AzureFirewall-01 --resource-group RG-Firewall-Artigos --tier Premium
```

  2. Configure TLS Inspection: For TLS inspection, you need an SSL/TLS certificate issued by a corporate or public CA, stored in Azure Key Vault.

    • Prerequisite: Certificate in Azure Key Vault (see previous article on Azure Key Vault for details).
    • Create a Firewall Policy and associate it with the Firewall. IDPS and TLS inspection are Premium policy settings, so the policy is created with the Premium SKU. A firewall that already carries classic rules (as created in section 4) cannot have a policy attached until those rules are migrated into the policy.

```bash
az network firewall policy create --name FirewallPolicy-01 --resource-group RG-Firewall-Artigos --location eastus --sku Premium
az network firewall policy update --name FirewallPolicy-01 --resource-group RG-Firewall-Artigos --threat-intel-mode Alert
az network firewall update --name AzureFirewall-01 --resource-group RG-Firewall-Artigos --firewall-policy FirewallPolicy-01
```

    • In the Azure portal, navigate to Firewall Policy -> Settings -> TLS Inspection.
    • Enable TLS inspection and select the root certificate from your Key Vault.
  3. Configure IDPS: IDPS is enabled and configured through the Firewall Policy.

    • In the Azure portal, navigate to Firewall Policy -> Settings -> IDPS.
    • You can configure the IDPS mode (Alert, or Alert and Deny) and create custom IDPS signature rules.

6. Enabling Threat Intelligence

Azure Firewall threat intelligence can be configured to Alert or Alert and Deny traffic to/from known malicious IP addresses and FQDNs.

  1. In the Azure portal, navigate to your Azure Firewall (AzureFirewall-01).
  2. In the left navigation pane, select Threat Intelligence.
  3. Set the Mode to Alert and Deny.

Validation and Testing

Validating your Azure Firewall configuration is crucial to ensure security policies are being applied correctly.

1. Testing Network Rules

  1. DNS Connectivity Test: From a VM on WorkloadSubnet, try to resolve a domain name. This should work if the DNS rule is configured.

```bash
nslookup google.com
```

    • Expected Result: DNS resolution successful.
  2. Port Blocking Test: Try to reach an external IP on a port that no network rule allows (TCP 80 to 8.8.8.8 is not covered by the rules above).

```bash
nc -vz 8.8.8.8 80
```

    • Expected Result: Connection refused or timeout.

2. Testing Application Rules

  1. FQDN Access Allowed Test: From a VM on WorkloadSubnet, try to access learn.microsoft.com via browser.

    • Expected Result: Access successful.
  2. FQDN Blocking Test: Try accessing badsite.com (if you have configured the deny rule for it).

    • Expected Result: Access blocked by the firewall, with an error message in the browser.

3. Testing NAT Rules (DNAT)

  1. From a computer outside of Azure (with the public IP you specified in the DNAT rule), try to connect via RDP/SSH to the Azure Firewall public IP on port 3389/22.
    • Expected Result: Successful connection to internal VM.

4. Checking Azure Firewall Logs

Azure Firewall logs are essential for monitoring traffic and validating rules.

  1. In the Azure portal, navigate to your Azure Firewall (AzureFirewall-01).
  2. In the left navigation pane, select Logs.
  3. You can use Log Analytics to query Firewall logs. Look for AzureFirewallNetworkRule and AzureFirewallApplicationRule events to see which rules were triggered and whether traffic was allowed or denied.
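As an added example (not from the article), the parser below works through constructed msg_s entries in the shape written by the AzureFirewallNetworkRule and AzureFirewallApplicationRule categories, using the rule names from section 4, and summarises denied flows per category, rule collection and destination. The log lines are made up for this example; in Log Analytics the same fields come from the Category and msg_s columns of the AzureDiagnostics table.

```python
import re
from collections import Counter

# Constructed sample entries (category, msg_s). The values are invented for this example;
# the two network-rule lines show a rule match and the "no rule matched" implicit deny.
SAMPLE_LOGS = [
    ("AzureFirewallNetworkRule", "UDP request from 10.1.1.4:50231 to 8.8.8.8:53. Action: Allow. Rule Collection: Allow-DNS. Rule: Allow-DNS-Outbound"),
    ("AzureFirewallNetworkRule", "TCP request from 10.1.1.4:41002 to 8.8.8.8:80. Action: Deny. No rule matched. Proceeding with default action"),
    ("AzureFirewallApplicationRule", "HTTPS request from 10.1.1.4:41010 to learn.microsoft.com:443. Action: Allow. Rule Collection: Allow-Microsoft-Sites. Rule: Allow-Learn-Microsoft"),
    ("AzureFirewallApplicationRule", "HTTPS request from 10.1.1.4:41011 to badsite.com:443. Action: Deny. Rule Collection: Block-Malicious-Sites. Rule: Block-Bad-Site"),
    ("AzureFirewallApplicationRule", "HTTPS request from 10.1.1.9:41012 to badsite.com:443. Action: Deny. Rule Collection: Block-Malicious-Sites. Rule: Block-Bad-Site"),
]

# "<proto> request from <src>:<sport> to <dst>:<dport>. Action: <action>[. Rule Collection: <c>. Rule: <r>]"
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"
)

def parse(category, msg):
    """Return the parsed fields of one msg_s value, or None if it is not a rule log line."""
    m = MSG_RE.match(msg)
    if not m:
        return None
    fields = m.groupdict()
    fields["category"] = category
    # Lines denied by the implicit default action carry no collection or rule name
    fields["collection"] = fields["collection"] or "default (no rule matched)"
    return fields

def deny_summary(entries):
    """Count denied flows per (category, rule collection, destination)."""
    counts = Counter()
    for category, msg in entries:
        fields = parse(category, msg)
        if fields and fields["action"] == "Deny":
            counts[(fields["category"], fields["collection"], fields["dst"])] += 1
    return counts
```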

5. Testing Threat Intelligence and IDPS (Premium)

  1. Threat Intelligence: Try accessing an IP or FQDN known to be malicious (use a secure malware testing site such as test.malware.testing.com or a threat intelligence testing IP). The Firewall must block access.
  2. IDPS: Try to simulate an attack that would be detected by IDPS (e.g. use a vulnerability testing tool to attempt a SQL injection on a web application on the spoke VM, if applicable). The Firewall must generate an alert and/or block traffic.

Security Tips and Best Practices

  • Hub-and-Spoke Model: Whenever possible, use the Hub-and-Spoke model with Azure Firewall in the hub to centralize network control and simplify policy management.
  • Principle of Least Privilege: Create firewall rules with the least privilege possible, allowing only essential traffic. Block all traffic by default and explicitly allow whatever is necessary.
  • Rule Prioritization: Understand the rule processing order (NAT > Network > Application) and priority within each collection to avoid conflicts and ensure that the desired rules are applied.
  • Threat Intelligence Enabled: Keep threat intelligence enabled in Alert and Deny mode for automatic protection against known malicious sources.
  • Azure Firewall Premium: For environments that require advanced protection, use the Premium SKU to take advantage of features such as IDPS and TLS Inspection.
  • TLS Inspection: Implement TLS inspection for outbound traffic to detect threats hidden in encrypted sessions, but plan carefully for certificate management.
  • Monitoring and Auditing: Integrate Azure Firewall logs with Azure Monitor and Azure Sentinel for continuous monitoring, security analysis, and incident response.
  • Azure Firewall Manager: For environments with multiple Firewalls and complex policies, use Azure Firewall Manager for centralized, hierarchical policy management.
  • Documentation: Maintain clear documentation of your firewall rules and the rationale for each.

Common Troubleshooting

  • Traffic Blocked Unexpectedly: Check Azure Firewall logs in Log Analytics. They indicate which rule (network, application, or threat intelligence) blocked the traffic. Adjust the rule as needed.
  • Slow Connectivity: If your traffic is slow, check Firewall CPU usage in Azure Monitor. The Firewall may be reaching its performance limits. Consider scaling the SKU or optimizing the rules.
  • NAT rules not working: Check that the public IP and destination and translated ports are correct. Make sure the source IP in the NAT rule is correct (if restricted). Check the target VM for NSGs that might be blocking traffic.
  • TLS Inspection Issues: Make sure the root certificate is correctly configured in Key Vault and Firewall Policy. Verify that clients trust the root CA used for TLS inspection.
  • IDPS does not detect attacks: Check that IDPS is in Alert and Deny mode and that relevant signatures are enabled. Make sure the traffic is actually passing through the Firewall.
  • Incorrect Routing: Check the route table associated with your VM's subnet. Make sure the default route (0.0.0.0/0) points to the Azure Firewall private IP.

Conclusion

Azure Firewall is a powerful and essential tool for establishing a robust network security posture in Azure. By implementing advanced traffic filtering, threat intelligence, IDPS, and TLS inspection, organizations can protect their workloads against a wide range of cyber threats. Adopting a Hub-and-Spoke model with Azure Firewall at the center, along with applying best practices and continuous monitoring, ensures that network traffic is effectively inspected and controlled. With this practical guide, security professionals will be well-equipped to configure and manage Azure Firewall, strengthening the network security and resilience of their Azure environments against the latest threats.


References:

[1] Microsoft Learn. What is Azure Firewall? Available at: https://learn.microsoft.com/pt-br/azure/firewall/overview
[2] Microsoft Learn. Azure Firewall architectural overview. Available at: https://learn.microsoft.com/pt-br/azure/firewall/firewall-architecture
[3] Microsoft Learn. Azure Firewall Premium Features. Available at: https://learn.microsoft.com/pt-br/azure/firewall/premium-features
[4] Microsoft Learn. Filtering based on Azure Firewall threat intelligence. Available at: https://learn.microsoft.com/pt-br/azure/firewall/threat-intel