Introduction
As cloud applications scale, simple subnet-level filtering isn't enough to defend against sophisticated attack vectors. This project demonstrates how to implement a centralized network security strategy in Microsoft Azure by deploying Azure Firewall to protect corporate workloads (app-vnet). Moving beyond basic port restrictions, this guide covers how to design and enforce Firewall Policies,including Layer 7 Application Rules to securely lock down egress traffic to Azure DevOps pipelines (dev.azure.com) and Network Rules to safeguard core infrastructure traffic like DNS resolution.
Scenario
Your organization requires centralized network security for the application virtual network. As the application usage increases, more granular application-level filtering and advanced threat protection will be needed. Also, it is expected the application will need continuous updates from Azure DevOps pipelines. You identify these requirements.
- Azure Firewall is required for additional security in the app-vnet.
- A firewall policy should be configured to help manage access to the application.
- A firewall policy application rule is required. This rule will allow the application access to Azure DevOps so the application code can be updated.
- A firewall policy network rule is required. This rule will allow DNS resolution.
Skilling tasks
- Create an Azure Firewall.
- Create and configure a firewall policy
- Create an application rule collection.
- Create a network rule collection.
Create Azure Firewall subnet in our existing virtual network
1.In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.
2.Select app-vnet.
3.Select Subnets.
4.Select + Subnet.
5.Enter the following information and select Add.
| Property | Value |
|---|---|
| Name | AzureFirewallSubnet |
| Address range | 10.1.63.0/26 |
Note: Leave all other settings as default.
Create an Azure Firewall
1.In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
2.Select + Create.
3.Create a firewall by using the values in the following table. For any property that is not specified, use the default value.
Note: Azure Firewall can take a few minutes to deploy.
| Property | Value |
|---|---|
| Resource group | RG1 |
| Name | app-vnet-firewall |
| Firewall SKU | Standard |
| Firewall management | Use a Firewall Policy to manage this firewall |
| Firewall policy | select Add new |
| Policy name | fw-policy |
| Region | East US |
| Policy Tier | Standard |
| Choose a virtual network | Use existing |
| Virtual network | app-vnet (RG1) |
| Public IP address | Add new: fwpip |
| Enable Firewall Management NIC | uncheck the box |
4.Select Review + create and then select Create.
Update the Firewall Policy
1.In the portal, search for and select Firewall Policies.
2.Select fw-policy.
Add an application rule
1.In the Rules blade, select Application rules and then Add a rule collection.
2.Configure the application rule collection and then select Add.
| Property | Value |
|---|---|
| Name | app-vnet-fw-rule-collection |
| Rule collection type | Application |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultApplicationRuleCollectionGroup |
| Name | AllowAzurePipelines |
| Source type | IP address |
| Source | 10.1.0.0/23 |
| Protocol | https |
| Destination type | FQDN |
| Destination | dev.azure.com, azure.microsoft.com |
Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.
Add a network rule
1.In the Rules blade, select Network rules and then Add a rule collection.
2.Configure the network rule and then select Add.
| Property | Value |
|---|---|
| Name | app-vnet-fw-nrc-dns |
| Rule collection type | Network |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultNetworkRuleCollectionGroup |
| Rule | AllowDns |
| Source | 10.1.0.0/23 |
| Protocol | UDP |
| Destination ports | 53 |
| Destination addresses | 1.1.1.1, 1.0.0.1 |
Verify the firewall and firewall policy status
1.In the portal search for and select Firewall.
2.View the app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.
3.In the portal serach for and select Firewall policies.
4.View the fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.
Summary
This project demonstrates the implementation of a centralized network security perimeter within Microsoft Azure using Azure Firewall and Firewall Policies. By shifting from decentralized security rules to a unified firewall model, this architecture enforces granular Layer 4 (network) and Layer 7 (application) filtering to protect cloud workloads from malicious egress traffic while enabling secure CI/CD automation.