In this chapter, you will learn how to secure Azure assets and public endpoints by controlling network traffic to and from Azure.
Microsoft Defender for Cloud is a security monitoring platform that unifies infrastructure monitoring and advanced threat protection, while getting you secured faster, protecting you against threats, and strengthening the security posture of your workloads.
The Microsoft Defender for Cloud Overview dashboard shows six central tiles – Secure Score, Regulatory Compliance, Workload protections, Inventory, Information protection, and Firewall Manager.
The Firewall Manager tile shows the status of networks and hubs and, while separate products, Azure Firewall and Firewall Manager are crucial network protection services that safeguard Azure assets.
Given the prominent position of Firewall Manager in Microsoft Defender for Cloud, and its importance in protecting Azure workloads, you need to know how to operate Firewall Manager and how to deploy an Azure firewall, Azure firewall policies, secured networks, and hubs.
Note
At the time of writing, Azure Firewall Premium was still in preview, so changes as regards product functionality and features, as well as Azure portal changes, are possible.
We will cover the following recipes in this chapter:
To complete the recipes in this chapter, the following are required:
The code samples can be found at https://github.com/PacktPublishing/Microsoft-Defender-for-Cloud-Cookbook.
An Azure firewall is a managed Platform-as-a-Service (PaaS) solution that protects resources residing on Azure Virtual Network. The Microsoft Defender for Cloud Overview page supports and displays the status of Firewall Manager and its supported services, firewalls, and hubs. In this recipe, you will create an Azure Firewall Standard SKU.
In these examples, you can choose your own user-defined values instead of the examples provided.
To get ready for an Azure firewall deployment and to complete the preliminary steps, perform the following steps:
Note
This subnet will host an Azure firewall instance and the subnet name must be AzureFirewallSubnet, which is a reserved subnet name.
To create a Standard tier Azure firewall, complete the following steps:
An Azure firewall is a fully stateful firewall as a service: a PaaS, cloud-based network security service that protects resources in Azure virtual networks. To create an Azure firewall, the first step is to create a virtual network containing a subnet with the reserved name AzureFirewallSubnet. An Azure firewall also requires a public IP address, created as a static, Standard SKU tier IP address. You can only associate an Azure firewall with a virtual network and a public IP address from the same Azure Region.
You can use firewall rules or a firewall policy to manage a Standard tier firewall, and a firewall policy to manage a Premium tier firewall. After you create an Azure firewall, you have to configure firewall rules or a firewall policy to control network traffic.
In this recipe, you created a Standard tier Azure firewall, and used a classic method, firewall rules, to manage the firewall.
After you have created an Azure firewall, in the Azure portal, open Microsoft Defender for Cloud. On the Overview page, observe the Firewall Manager tile that shows information pertaining to firewalls, firewall policies, Regions with firewalls, and network protection status.
In scenarios where interactivity in the Azure portal is minimized and deployments are automated and scripted, creating an Azure firewall using PowerShell is the choice of many Azure administrators. In this recipe, you will create an Azure Firewall Standard SKU using PowerShell.
Open your preferred PowerShell tool – this could be Visual Studio Code, Windows PowerShell ISE, the PowerShell console, or something else.
Sign in to your Azure account: Connect-AzAccount.
To create an Azure firewall using PowerShell, complete the following steps:
# Names for the resources created in this recipe (user-defined values)
$RGName="Firewall"
$Location="West Europe"
$VNetName="PacktPublishing"
$ProdSubnetName="Production"
$FWSubnetName="AzureFirewallSubnet"   # reserved subnet name required by Azure Firewall
$FWpipName="PacktFirewall-PIP"
$FWname="PackFirewall"
New-AzResourceGroup -Name $RGName -Location $Location
# Two subnets: one for workloads, one (AzureFirewallSubnet, at least /26) for the firewall
$ProdSubnet=New-AzVirtualNetworkSubnetConfig `
  -Name $ProdSubnetName -AddressPrefix 172.16.0.0/24
$FWSubnet=New-AzVirtualNetworkSubnetConfig `
  -Name $FWSubnetName -AddressPrefix 172.16.1.0/26
$VNet=New-AzVirtualNetwork -Name $VNetName `
  -ResourceGroupName $RGName -Location $Location `
  -AddressPrefix 172.16.0.0/16 -Subnet $ProdSubnet,$FWSubnet
# The firewall's public IP must use Static allocation and the Standard SKU
$FWpip = New-AzPublicIpAddress -Name $FWpipName `
  -ResourceGroupName $RGName -Location $Location `
  -AllocationMethod Static -Sku Standard
# Standard tier firewall placed in AzureFirewallSubnet of the virtual network above
$Azfw = New-AzFirewall -Name $FWname `
  -ResourceGroupName $RGName -Location $Location `
  -VirtualNetworkName $VFNetName -PublicIpName $FWpipName
Creating an Azure firewall using PowerShell is like creating an Azure firewall in the Azure portal. First, we defined variables containing names of the resources that will be used in later commands. Prior to creating a virtual network, we created two virtual network subnets, one of them named AzureFirewallSubnet, a requirement for deploying a firewall. Then, we created a virtual network containing two previously defined subnets and proceeded with creating a public IP address. In the last step, we created an Azure firewall using an IP address created as a public endpoint.
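The recipe notes that a freshly created firewall passes nothing until rules are configured. As an added example that is not part of the cookbook, the following PowerShell attaches a classic network rule collection to the Standard firewall created above, turns on threat-intelligence filtering, and routes the Production subnet through the firewall so the rules actually apply; it assumes the variables from the recipe ($Azfw, $FWname, $VNetName, $ProdSubnetName, $RGName, $Location) and uses constructed rule, route and route table names.

```powershell
# Added example: classic rules on the Standard firewall created in the recipe above.
# Assumes $Azfw, $FWname, $VNetName, $ProdSubnetName, $RGName and $Location are set.
# 1. Allow only DNS (UDP/53) from the Production subnet to two public resolvers;
#    anything not matched by a rule is dropped by the firewall's implicit deny.
$dnsRule = New-AzFirewallNetworkRule -Name "Allow-DNS" `
  -Protocol UDP -SourceAddress 172.16.0.0/24 `
  -DestinationAddress 8.8.8.8,8.8.4.4 -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "Net-Allow" `
  -Priority 200 -Rule $dnsRule -ActionType Allow   # lower number = evaluated first
$Azfw.AddNetworkRuleCollection($netColl)
# 2. Threat intelligence in Deny mode blocks traffic to/from known malicious IPs and domains
$Azfw.ThreatIntelMode = "Deny"
Set-AzFirewall -AzureFirewall $Azfw
# 3. Rules only matter for traffic that reaches the firewall: a user-defined route on the
#    Production subnet sends all outbound traffic to the firewall's private IP address.
$fwPrivateIp = $Azfw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name "Default-to-Firewall" -AddressPrefix 0.0.0.0/0 `
  -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name "Production-RT" -ResourceGroupName $RGName `
  -Location $Location -Route $route
$VNet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RGName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $VNet -Name $ProdSubnetName `
  -AddressPrefix 172.16.0.0/24 -RouteTable $rt | Set-AzVirtualNetwork
# 4. Verify the applied rule collections and their actions
(Get-AzFirewall -Name $FWname -ResourceGroupName $RGName).NetworkRuleCollections |
  Select-Object Name, Priority, @{n="Action";e={$_.Action.Type}}
```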
An Azure firewall policy is an Azure resource that defines application, network, and NAT rule collections, as well as additional settings such as TLS inspection, Intrusion Detection and Prevention System (IDPS), threat intelligence, and DNS settings. Azure Firewall Premium SKU uses an Azure firewall policy that allows the central management of firewalls via Azure Firewall Manager. In this recipe, you will create an Azure firewall policy, Premium tier, using the Azure portal.
Open a web browser and navigate to https://portal.azure.com.
To create an Azure firewall policy, complete the following steps:
Note
TLS 1.2 is supported, while TLS 1.0 and TLS 1.1 will be deprecated and no longer supported.
An Azure firewall policy is an Azure resource that defines application, network, and NAT rules and rule collections, along with threat intelligence settings. An Azure firewall policy can be used as a standalone policy, or it can inherit settings from a parent policy.
You can create and associate firewall policies with multiple firewalls using Firewall Manager. If you have deployed virtual WAN, you can associate an Azure firewall and firewall policy with Virtual WAN Hub to make a secured virtual hub, or with a virtual network, making a hub virtual network or secured virtual network.
You can create an Azure firewall policy and rules using different tools: Azure Firewall Manager, PowerShell, CLI, and REST API. In this recipe, you will create an Azure firewall policy and policy rules using PowerShell.
Open your preferred PowerShell tool – this could be Visual Studio Code, Windows PowerShell ISE, the PowerShell console, or something else.
Sign in to your Azure account: Connect-AzAccount.
To create an Azure firewall policy and policy rules using PowerShell, complete the following steps:
# Names for the resources created in this recipe (user-defined values)
$RGName="Firewall"
$Location="West Europe"
$fwPolicyName="FW-policy"
$netCollName="NetworkCollectionGroup"
$netRuleName="AllowGoogleDNS"
$appCollName="AppCollectionGroup"
$appRuleName="Allow-Packt"
New-AzResourceGroup -Name $RGName -Location $Location
# The policy is created first; rule collection groups, collections and rules attach to it
$FWpolicy = New-AzFirewallPolicy -Name $fwPolicyName `
  -ResourceGroupName $RGName -Location $Location
# Rule collection group for network rules (lower priority number = evaluated earlier)
$nrRCGroup = New-AzFirewallPolicyRuleCollectionGroup `
  -Name $netCollName -Priority 1200 `
  -FirewallPolicyObject $FWpolicy
# Network rule: UDP/53 from the source range to Google public DNS only
$netRule01 = New-AzFirewallPolicyNetworkRule `
  -Name $netRuleName -Protocol UDP `
  -SourceAddress 172.17.0.0/24 `
  -DestinationAddress 8.8.8.8,8.8.4.4 -DestinationPort 53
The following screenshot shows the firewall policy network rule setting in the Azure portal as a result of completing the PowerShell command:
# Rule collection holds the rule(s) and the action applied to matching traffic
$netColl01 = New-AzFirewallPolicyFilterRuleCollection `
  -Name Net-coll01 -Priority 1200 -Rule $netRule01 `
  -ActionType "Allow"
# Write the rule collection into the rule collection group on the policy
Set-AzFirewallPolicyRuleCollectionGroup `
  -Name $nrRCGroup.Name -Priority 1200 `
  -RuleCollection $netColl01 -FirewallPolicyObject $FWpolicy
# Separate rule collection group for application (FQDN-based) rules
$arRCGroup = New-AzFirewallPolicyRuleCollectionGroup `
  -Name $appCollName -Priority 1300 `
  -FirewallPolicyObject $FWpolicy
# Application rule: HTTP and HTTPS from the source range to one named FQDN only
$appRule01 = New-AzFirewallPolicyApplicationRule `
  -Name $appRuleName -SourceAddress 172.17.0.0/24 `
  -Protocol "http:80","https:443" -TargetFqdn www.packtpub.com
The following screenshot shows the firewall policy application rule setting in the Azure portal as a result of completing the PowerShell command:
$appColl01 = New-AzFirewallPolicyFilterRuleCollection `
  -Name App-coll01 -Priority 1300 -Rule $appRule01 `
  -ActionType "Allow"
# Write the application rule collection into its rule collection group on the policy
Set-AzFirewallPolicyRuleCollectionGroup `
  -Name $arRCGroup.Name -Priority 1300 `
  -RuleCollection $appColl01 -FirewallPolicyObject $FWpolicy
To create an Azure firewall policy using PowerShell, we first defined the resource variables and created a resource group. We then created the firewall policy itself, because rule collection groups, rule collections, and rules are attached to an existing policy, and proceeded to create the rules, rule collections, and rule collection groups.
Rule collection groups contain one or more rule collections, and rule collections contain one or more rules.
We created a network rule collection group, containing a network rule collection, which contains one network rule. Later, we created an application rule collection group, containing an application rule collection, which contains one application rule.
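The previous recipe mentioned that a policy can inherit settings from a parent policy. As an added example that is not part of the cookbook, the following PowerShell creates a child policy that inherits the rule collection groups of FW-policy created above, adds one application rule of its own, and binds the child policy to a new firewall; it assumes $FWpolicy, $fwPolicyName, $RGName and $Location from the recipe, while the child policy, rule, virtual network, public IP and firewall names are constructed for this example.

```powershell
# Added example: policy inheritance and binding a policy to a firewall.
# Assumes $FWpolicy, $fwPolicyName, $RGName and $Location from the recipe above.
# 1. The child inherits every rule collection group of FW-policy and can only add to them;
#    ThreatIntelMode Deny blocks traffic matching Microsoft's threat intelligence feed.
$childPolicy = New-AzFirewallPolicy -Name "FW-policy-prod" `
  -ResourceGroupName $RGName -Location $Location `
  -BasePolicy $FWpolicy.Id -ThreatIntelMode Deny
# 2. Team-specific allowance added only in the child: HTTPS to one more FQDN
$childRule = New-AzFirewallPolicyApplicationRule -Name "Allow-MS-Learn" `
  -SourceAddress 172.17.0.0/24 -Protocol "https:443" -TargetFqdn learn.microsoft.com
$childColl = New-AzFirewallPolicyFilterRuleCollection -Name "App-coll-prod" `
  -Priority 1400 -Rule $childRule -ActionType Allow
New-AzFirewallPolicyRuleCollectionGroup -Name "ProdAppGroup" -Priority 1400 `
  -RuleCollection $childColl -FirewallPolicyObject $childPolicy
# 3. A firewall managed by a policy cannot also carry classic rules, so a new virtual
#    network (matching the 172.17.0.0/24 source range used in the rules) hosts it.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" `
  -AddressPrefix 172.17.1.0/26
$prodSubnet = New-AzVirtualNetworkSubnetConfig -Name "Production" `
  -AddressPrefix 172.17.0.0/24
$vnet = New-AzVirtualNetwork -Name "PacktPolicyVNet" -ResourceGroupName $RGName `
  -Location $Location -AddressPrefix 172.17.0.0/16 -Subnet $prodSubnet,$fwSubnet
$pip = New-AzPublicIpAddress -Name "PacktPolicyFW-PIP" -ResourceGroupName $RGName `
  -Location $Location -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name "PacktPolicyFW" -ResourceGroupName $RGName `
  -Location $Location -VirtualNetwork $vnet -PublicIpAddress $pip `
  -FirewallPolicyId $childPolicy.Id
# 4. Verify: the child points at its parent, and the parent's groups apply to it as well
(Get-AzFirewallPolicy -Name "FW-policy-prod" -ResourceGroupName $RGName).BasePolicy.Id
(Get-AzFirewallPolicy -Name $fwPolicyName -ResourceGroupName $RGName).RuleCollectionGroups.Id
```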