Deploy Azure Firewall with Azure virtual WAN (Manual)

In the past blog I showed you how to deploy Azure Virtual WAN with a HUB (Deploy Azure Virtual WAN with Virtual HUB (Manual) | 2 Azure). Today we will continue the journey with the deployment of the Azure Firewall.

image 26


  • Azure Virtual WAN with a HUB
  • No existing VPN Site to Site connections on the HUB you want to provision the Firewall to.

STEP 1: Deploy Azure Firewall policy

From the Azure Portal go to Firewall Policies

image 13

Click on Create

image 14

Now give your new policy a name. Select a resource group and select a Region. Make sure to select the same region as your HUB. Last select the pricing tier. (More information about pricing: Pricing – Azure Firewall | Microsoft Azure)

image 15

On the next page select your DNS Settings. You may leave this default, but if you want to customize DNS or if you are using Domain Controllers in Azure you might want to configure custom DNS servers.

image 16

When you did select Premium Firewall you can enable TLS inspection. With the Standard edition you cannot select the option. You can always upgrade the firewall tier and enable it later on.

image 17

On the Rules tab we are going to create a default deny all rule to make sure that you will only allow authorized traffic.

image 18

Now create the Deny rule collection with a Deny priority for everything with the lowest priority. This way you can create allow rules with a higher priority when deployed.

image 20

IDPS is a network intrusion detection and prevention system (IDPS) allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it. Again you need the Premium tier to enable this feature.

image 21

Threat intelligence can be enabled for your firewall to alert and block traffic to/from known malicious IP addresses and domains. I recommend to change the setting from the default Alert Only to Alert and Deny when deploying the firewall to a new HUB.

image 22

Now verify and deploy your new Firewall Policy

image 23

STEP 2: Deploy Firewall

From your Virtual WANs go to your HUB. On the left side go to Azure Firewall and Firewall manager. Now check the box left to your HUB and click on Manage security, and then on Deploy a firewall with an existing policy

image 24

Now select the Azure Firewall tier, make sure to use the same tier as your Firewall Policy. Choose a number of Public IP addresses. These can be used for in and outgoing NAT. When using outgoing NAT you cannot select which public IP is used. The IP can change between the available IP addresses. Last select the create firewall policy from Step 1.

image 25

The result should look like this:

image 28

Possible errors:

When you deploy the firewall, you might get the following error:

The resource write operation failed to complete successfully, because it reached terminal provisioning state ‘Failed’. (Code: ResourceDeploymentFailure)

  • -An error occurred. (Code: InternalServerError)

I received this error when I tried to connect the Firewall when there where VPN Site to Site tunnels present. After deleting the tunnels the deployment succeeded.

image 29

Read more:

Azure Firewall Premium Features:

Add a Comment

Your email address will not be published. Required fields are marked *