Introduction

In today’s ever-evolving digital landscape, the protection of network infrastructure has become paramount for organizations. Among the various security measures, one crucial aspect is the implementation of a robust firewall to control outgoing traffic from servers. In this blog post, we will delve into a practical solution that addresses this requirement, focusing on the implementation of Azure Firewall. This powerful tool empowers organizations to effectively manage and regulate outbound traffic.

Our primary objective is to meet the organization’s request of restricting users from accessing any websites except for “https://microsoft.com,” while also blocking outbound port 53. By adopting this approach, organizations can bolster their network security, enforce stringent access controls, and mitigate potential risks associated with unauthorized outbound traffic.

Join us as we explore the intricate implementation details and delve into the multitude of benefits this solution offers. By following our guidance, organizations can create and maintain a robust, secure network environment that safeguards critical assets and ensures uninterrupted operations.

Solution

Our solution is to create an Azure Firewall, connect it to our virtual network, and route the subnet's outbound traffic through it so that only the allowed destinations are reachable.

Create a Firewall

  1. In the search bar at the top, enter firewall.
  2. Select Firewalls in the search results dropdown.
  3. Click Create.
  4. Set the following values:
    • Resource group: Select your resource group
    • Name: FW-TAKI-01
    • Region: Select the same region as your resource group.
    • Firewall SKU: Standard
    • Firewall management: Use Firewall rules (classic) to manage this firewall
    • Choose a virtual network: Use your existing virtual network
    • Virtual network: Select your existing virtual network
    • Public IP address: Add new, name it FW-IP, and click OK
  5. Click Review + create.
  6. Click Create. Note: It may take up to 15 minutes for the deployment to complete.

Create a Route Table

  1. Click on Go to resource.
  2. Copy the Firewall private IP.
  3. In the search bar, enter route table.
  4. Select Route tables in the search results.
  5. Click Create.
  6. Set the following values:
    • Resource group: Select the existing one in the dropdown
    • Region: Select the same region as the existing resources
    • Name: routetable1
    • Propagate gateway routes: Yes
  7. Click Review + create.
  8. Click Create.
  9. Click Go to resource.
  10. Click Routes.
  11. Click Add.
  12. Set the following values:
    • Route name: route1
    • Address prefix: 0.0.0.0/0
    • Next hop type: Virtual appliance
    • Next hop address: Paste your Azure firewall’s private IP
  13. Click OK.
  14. Click Subnets.
  15. Click Associate.
  16. For Virtual network, select lab-VM-VNET.
  17. For Subnet, select default.
  18. Click OK.

Configure Rule Collections for Firewall

Note: Please use the Classic Rules, otherwise the lab will not grade correctly.

  1. In the search bar at the top, enter firewalls.
  2. Select Firewalls in the search results dropdown.
  3. Select the fw-1 firewall.
  4. In the left-hand menu under Settings, click on Rules (classic).
  5. Click Add NAT rule collection.
  6. In the section at the top, set the following values:
    • Name: natcollection
    • Priority: 200
  7. In the Rules section, set the following values:
    • name: rdp
    • Protocol: TCP
    • Source type: IP address
    • Source: * (one asterisk)
    • Destination Address: The public IP of your Azure firewall (you can get it by navigating to Resource groups > FW-1 > Public IP configuration in a new browser tab)
    • Destination Ports: 3389
    • Translated address: The private IP of your virtual machine (you can get it by navigating to Resource groups > service-VM in another browser tab)
    • Translated port: 3389
  8. Click Add.
  9. Click Network rule collection.
  10. Click Add network rule collection.
  11. In the section at the top, set the following values:
    • Name: netcollection
    • Priority: 200
    • Action: Allow
  12. In the Rules section, under IP Addresses, set the following values:
    • name: dns
    • Protocol: UDP
    • Source type: IP address
    • Source: The IPv4 of the default subnet (you can get it by navigating to Resource groups > Networking > lab-VM-VNET > Subnets in a new browser tab)
    • Destination type: IP address
    • Destination Address: 8.8.8.8, 8.8.4.4
    • Destination Ports: 53
  13. Click Add.
  14. Click Application rule collection.
  15. Click Add application rule collection.
  16. In the section at the top, set the following values:
    • Name: appcollection
    • Priority: 200
    • Action: Allow
  17. In the Rules section, under Target FQDNs, set the following values:
    • name: microsoftcom
    • Source type: IP address
    • Source: The IPv4 of the default subnet (you can get it by navigating to Resource groups > lab-VM-VNET > Subnets in a new browser tab)
    • Protocol:Port: http, https
    • Target FQDNs: www.microsoft.com
  18. Click Add.
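The three sections above (firewall, route table, rule collections) as one Az PowerShell script; this is an added example, not code from the original post. It assumes an existing resource group and VM (service-VM), a VNet lab-VM-VNET that already contains the default subnet and an AzureFirewallSubnet, and uses placeholder values for $rg and $location.

```powershell
# Added example (not part of the original post): the portal steps above as an
# Az PowerShell script. Assumes an existing resource group, a VNet lab-VM-VNET
# with a 'default' subnet plus an AzureFirewallSubnet, and a VM named service-VM.
$rg       = 'rg-lab'    # placeholder: your resource group
$location = 'eastus'    # placeholder: must match the VNet's region

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'lab-VM-VNET'
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default'
$vm     = Get-AzVM -ResourceGroupName $rg -Name 'service-VM'
$vmNic  = Get-AzNetworkInterface -ResourceId $vm.NetworkProfile.NetworkInterfaces[0].Id
$vmIp   = $vmNic.IpConfigurations[0].PrivateIpAddress

# 1. Firewall (Standard SKU, classic rules) with a new static public IP named FW-IP
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'FW-IP' -Location $location `
         -Sku Standard -AllocationMethod Static
$fw  = New-AzFirewall -ResourceGroupName $rg -Name 'FW-TAKI-01' -Location $location `
         -VirtualNetwork $vnet -PublicIpAddress $pip
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress

# 2. Route table: send 0.0.0.0/0 from the default subnet to the firewall.
#    Gateway route propagation stays enabled (the default), as in the portal steps.
$route = New-AzRouteConfig -Name 'route1' -AddressPrefix '0.0.0.0/0' `
           -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -ResourceGroupName $rg -Name 'routetable1' -Location $location -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'default' `
    -AddressPrefix $subnet.AddressPrefix -RouteTable $rt | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 3. Rule collections. DNAT rules are checked first, then network rules, then
#    application rules; traffic matched by no allow rule is dropped.
$natRule = New-AzFirewallNatRule -Name 'rdp' -Protocol TCP -SourceAddress '*' `
             -DestinationAddress $pip.IpAddress -DestinationPort 3389 `
             -TranslatedAddress $vmIp -TranslatedPort 3389
$natCol  = New-AzFirewallNatRuleCollection -Name 'natcollection' -Priority 200 -Rule $natRule
$dnsRule = New-AzFirewallNetworkRule -Name 'dns' -Protocol UDP -SourceAddress $subnet.AddressPrefix `
             -DestinationAddress '8.8.8.8','8.8.4.4' -DestinationPort 53
$netCol  = New-AzFirewallNetworkRuleCollection -Name 'netcollection' -Priority 200 `
             -Rule $dnsRule -ActionType Allow
$webRule = New-AzFirewallApplicationRule -Name 'microsoftcom' -SourceAddress $subnet.AddressPrefix `
             -TargetFqdn 'www.microsoft.com' -Protocol 'http:80','https:443'
$appCol  = New-AzFirewallApplicationRuleCollection -Name 'appcollection' -Priority 200 `
             -Rule $webRule -ActionType Allow

$fw = Get-AzFirewall -ResourceGroupName $rg -Name 'FW-TAKI-01'
$fw.NatRuleCollections.Add($natCol)
$fw.NetworkRuleCollections.Add($netCol)
$fw.ApplicationRuleCollections.Add($appCol)
Set-AzFirewall -AzureFirewall $fw | Out-Null
```

Run it from a session that has already done Connect-AzAccount; the Set-AzFirewall call at the end is what actually pushes the three collections to the deployed firewall.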

Test Connectivity

  1. Navigate to Resource groups, click on your resource group, and click on service-VM in the new browser tab.
  2. Click Networking.
  3. Click the listed network interface.
  4. Click DNS servers.
  5. Select Custom.
  6. In the box that appears, enter 8.8.8.8.
  7. In the second box that appears, enter 8.8.4.4.
  8. Click Save.
  9. In another browser tab, navigate to Firewalls > FW-1 > Public IP configuration.
  10. Copy the listed public IP address.
  11. Open a remote desktop app.
  12. Double-click on the virtual machine and log in using the service-VM credentials provided on the lab guide page.
  13. Click Continue.
  14. Minimize the Server Manager.
  15. Open Internet Explorer and click OK.
  16. Navigate to microsoft.com. You will see that you cannot browse to the site, because the application rule allows only the exact FQDN www.microsoft.com.
  17. Navigate to www.microsoft.com. You will see that you can now successfully browse to that site. (As long as you see some content using the old IE browser, that validates the firewall rule.)
  18. Open PowerShell.
  19. Test DNS: nslookup -type=TXT test.dns.google.com. dns.google. You should see a message saying, “Thanks for using Google Public DNS.”
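The connectivity test above checks only the two allowed paths; the following added example (not from the original post) runs on service-VM after the RDP login and also probes destinations the rule set should block, so a misconfigured route table or an over-broad rule shows up as an unexpected "reachable". It uses only built-in Windows cmdlets; the destination names other than www.microsoft.com and the Google resolvers are chosen here as constructed negative cases.

```powershell
# Added example (not part of the original post): allow/deny matrix run from
# service-VM. Expected results with the rule collections from this post are
# noted per row; any deviation means a route or rule is not what you think.
function Test-Http($url) {
    # Denied HTTP gets the firewall's deny response, denied HTTPS is reset:
    # both raise, so "blocked" is the catch branch.
    try { (Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15).StatusCode -eq 200 }
    catch { $false }
}
function Test-Dns($server) {
    # UDP/53 to the given resolver; only 8.8.8.8 and 8.8.4.4 are allowed by netcollection.
    try { Resolve-DnsName -Name 'test.dns.google.com' -Type TXT -Server $server -DnsOnly -ErrorAction Stop | Out-Null; $true }
    catch { $false }
}
$probes = [ordered]@{
    'https://www.microsoft.com (appcollection allows)'      = { Test-Http 'https://www.microsoft.com' }  # reachable
    'https://microsoft.com (exact FQDN mismatch)'           = { Test-Http 'https://microsoft.com' }      # blocked
    'https://www.bing.com (constructed: no rule)'           = { Test-Http 'https://www.bing.com' }       # blocked
    'DNS via 8.8.8.8 (netcollection allows)'                = { Test-Dns '8.8.8.8' }                     # reachable
    'DNS via 1.1.1.1 (constructed: no rule)'                = { Test-Dns '1.1.1.1' }                     # blocked
}
foreach ($p in $probes.GetEnumerator()) {
    $state = if (& $p.Value) { 'reachable' } else { 'blocked' }
    '{0,-52} {1}' -f $p.Key, $state
}
```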

Conclusion

To address the requirement of restricting outgoing traffic from your organization’s server using a firewall, the recommended solution is to implement an Azure Firewall and connect it to your virtual network. This solution will enable you to enforce the desired restrictions effectively.

By configuring the Azure Firewall, you can set up rules that allow access only to the specific domain, in this case, “https://microsoft.com.” All outgoing traffic to other destinations will be blocked, ensuring that users are restricted from visiting anything besides the specified domain.

Additionally, you can configure the firewall to block outbound port 53, which is typically used for DNS requests. This will prevent users from making DNS queries outside of your network, providing an additional layer of security.

Implementing an Azure Firewall provides a centralized and scalable solution for controlling outbound traffic from your server, ensuring compliance with your organization’s requirements and enhancing network security.

Please note that the actual implementation process may require additional steps and considerations, depending on your specific Azure environment and requirements. It is recommended to consult Azure documentation or seek assistance from Azure experts for a detailed implementation plan.

By Taki