Deploy Azure Firewall with Azure virtual WAN (Manual)
In the past blog I showed you how to deploy Azure Virtual WAN with a HUB (Deploy Azure Virtual WAN with Virtual HUB (Manual) | 2 Azure). Today we will continue the journey with the deployment of the Azure Firewall.
Prerequisites:
- Azure Virtual WAN with a HUB
- No existing VPN Site to Site connections on the HUB you want to provision the Firewall to.
STEP 1: Deploy Azure Firewall policy
From the Azure Portal go to Firewall Policies
Click on Create
Now give your new policy a name. Select a resource group and select a Region. Make sure to select the same region as your HUB. Last select the pricing tier. (More information about pricing: Pricing – Azure Firewall | Microsoft Azure)
On the next page select your DNS Settings. You may leave this default, but if you want to customize DNS or if you are using Domain Controllers in Azure you might want to configure custom DNS servers.
When you did select Premium Firewall you can enable TLS inspection. With the Standard edition you cannot select the option. You can always upgrade the firewall tier and enable it later on.
On the Rules tab we are going to create a default deny all rule to make sure that you will only allow authorized traffic.
Now create the Deny rule collection with a Deny priority for everything with the lowest priority. This way you can create allow rules with a higher priority when deployed.
IDPS is a network intrusion detection and prevention system (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. Again you need the Premium tier to enable this feature.
Threat intelligence can be enabled for your firewall to alert and block traffic to/from known malicious IP addresses and domains. I recommend to change the setting from the default Alert Only to Alert and Deny when deploying the firewall to a new HUB.
Now verify and deploy your new Firewall Policy
STEP 2: Deploy Firewall
From your Virtual WANs go to your HUB. On the left side go to Azure Firewall and Firewall manager. Now check the box left to your HUB and click on Manage security, and then on Deploy a firewall with an existing policy
Now select the Azure Firewall tier, make sure to use the same tier as your Firewall Policy. Choose a number of Public IP addresses. These can be used for in and outgoing NAT. When using outgoing NAT you cannot select which public IP is used. The IP can change between the available IP addresses. Last select the create firewall policy from Step 1.
The result should look like this:
Possible errors:
When you deploy the firewall, you might get the following error:
The resource write operation failed to complete successfully, because it reached terminal provisioning state ‘Failed’. (Code: ResourceDeploymentFailure)
- -An error occurred. (Code: InternalServerError)
I received this error when I tried to connect the Firewall when there where VPN Site to Site tunnels present. After deleting the tunnels the deployment succeeded.
Read more:
Azure Firewall Premium Features: https://learn.microsoft.com/en-us/azure/firewall/premium-features