

Post on 24-Feb-2021


Page 1: piermick.files.wordpress.com · Web view: I’m going to allow DNS resolution only from Google servers (8.8.8.8 and 8.8.4.4), to add the DNS Servers to the interface of the Virtual

Microsoft has added new functionality to Azure Firewall, and in this post let’s see how to deploy an Azure Firewall and configure Application rules to allow and block website access from a subnet. For this post I have deployed a single vnet with three subnets: one for the Azure Firewall, one for the Workload, and one for Public access to the internal workload subnet. The main reason for creating a public subnet is that once the Azure Firewall is created and configured, we are no longer able to RDP directly into the Workload Virtual Machines, so a Virtual Machine in the public subnet serves as the jump host.

A simple diagram has been created to show the current topology of my cloud network.

I hope it is not necessary to show how to create a vnet, subnets and the relevant Virtual Machines in the Portal, so let’s start directly with the Azure Firewall.

Just click on “Create a resource”, search for “Firewall” and select the Firewall listed.


Click on “Create” to create the firewall. Make sure to select “Microsoft” as the publisher.


Provide the relevant information and deploy the firewall in your vnet. Make sure to deploy the firewall in the same region as the vnet, since a firewall can only be placed in a subnet of a vnet in its own region.


Create the Firewall


Make sure to create a separate subnet for the firewall with the exact name “AzureFirewallSubnet” (a /26 or larger); otherwise it will not let you proceed and will ask you to create one.


Create The Route Table

Let’s create a route table that sends the internet traffic of the “Workload_Subnet” through the firewall we just created. Go to “All Services” and select “Route tables”.


Add a route table, provide the required information and create the route table.


Associate the “Workload_Subnet” with the route table so that its traffic is routed through the firewall.


Select the correct vnet and the subnet.


Add a route to the route table.


The next configuration step is quite important. Provide an appropriate name, the address prefix 0.0.0.0/0, “Next hop type” as “Virtual appliance” and the “Private IP address” of the firewall (shown on the firewall’s overview page). This default route belongs only on the “Workload_Subnet”: do not associate the route table with “AzureFirewallSubnet”, because the firewall’s own subnet needs a direct path to the Internet.


Specify The DNS Servers Manually

I’m going to allow DNS resolution only from Google’s servers (8.8.8.8 and 8.8.4.4). To add the DNS servers to the network interface of the Virtual Machine running in the “Workload_Subnet”, go to the Virtual Machine and click on the interface.


Update the DNS servers, save the settings and reboot the Virtual Machine to apply the changes.


With the firewall in place you will not be able to RDP directly to the Virtual Machine in the “Workload_Subnet”; use the Virtual Machine in the “Public_Access_Subnet” as a jump host instead.

RDP into the Workload Virtual Machine, check the DNS configuration and try to reach facebook.com. Azure Firewall denies all traffic until a rule allows it, so facebook.com will not load yet.


Configure Rules In Azure Firewall

The public DNS servers were configured manually on the Virtual Machine’s interface, so the firewall must explicitly allow that DNS traffic before any name resolution can work.

Go to the Firewall, select “Rules”, open the “Network rule collection” tab and click “Add network rule collection”.


Give the collection a name, a priority and an action (Allow/Deny), then add the rule: name “AllowDNS”, protocol UDP, source address the range of my “Workload_Subnet”, destination addresses the Google DNS servers separated by commas, and destination port 53. Note that this allows UDP only; a response too large for UDP makes the resolver retry over TCP port 53, which this rule does not cover, so add TCP as well if you need that.


Now let’s move to the “Application rule collection” tab to allow the exact FQDN (FQDN tags can also be used in application rules). Add a name for the rule, the source subnet whose traffic is going out, the protocols (comma separated, e.g. http:80,https:443) and the target FQDN www.facebook.com, then save the rule. Keep in mind that network rules are evaluated before application rules, and that an exact FQDN covers only that host name, not facebook.com or any other subdomain.


Now try to access facebook.com from the Virtual Machine in the “Workload_Subnet”. You can see the webpage. I’m really sorry my Internet Explorer does not load the facebook page properly (page resources served from other FQDNs are not covered by the exact www.facebook.com rule, so the page renders only partially), but my rules are working perfectly.
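To make the behaviour of the route table, the “AllowDNS” network rule and the www.facebook.com application rule checkable without an Azure subscription, here is an added example (not the author’s code and not an Azure SDK or CLI call) that models the configuration from this post and evaluates flows the way Azure Firewall processes classic rules: network rule collections first in ascending priority order, then application rule collections, first match wins, everything else denied. The address ranges, the firewall private IP and the Workload VM address are assumptions, as the post gives no CIDRs, and the web destination IPs are TEST-NET placeholders.

```python
"""Offline model of the Azure Firewall setup from this post: the forced route,
the "AllowDNS" network rule and the www.facebook.com application rule.

Added example, not the author's code or an Azure API. Evaluation order follows
Azure Firewall's documented classic-rule processing: network rule collections
first (ascending priority), then application rule collections, first match wins,
and anything unmatched is denied. Address ranges below are assumptions.
"""
from ipaddress import ip_address, ip_network

# Assumed address plan (the post shows no CIDRs).
WORKLOAD_SUBNET = "10.0.2.0/24"
FIREWALL_PRIVATE_IP = "10.0.1.4"   # first usable address of an assumed AzureFirewallSubnet 10.0.1.0/26
GOOGLE_DNS = ["8.8.8.8", "8.8.4.4"]

# Route table associated with Workload_Subnet (the route configured on Page 11).
ROUTES = [{"name": "DefaultToFirewall", "addressPrefix": "0.0.0.0/0",
           "nextHopType": "VirtualAppliance", "nextHopIpAddress": FIREWALL_PRIVATE_IP}]

# Network rule collection (Page 16) and application rule collection (Page 17).
NETWORK_RULE_COLLECTIONS = [
    {"name": "AllowDNS", "priority": 100, "action": "Allow", "rules": [
        {"name": "AllowDNS", "protocols": ["UDP"], "sourceAddresses": [WORKLOAD_SUBNET],
         "destinationAddresses": GOOGLE_DNS, "destinationPorts": ["53"]}]}]
APPLICATION_RULE_COLLECTIONS = [
    {"name": "AllowFacebook", "priority": 100, "action": "Allow", "rules": [
        {"name": "AllowFB", "sourceAddresses": [WORKLOAD_SUBNET],
         "protocols": [("Https", 443), ("Http", 80)], "targetFqdns": ["www.facebook.com"]}]}]


def default_route_ok(routes, fw_ip):
    """True if a 0.0.0.0/0 route sends all egress to the firewall's private IP."""
    return any(r["addressPrefix"] == "0.0.0.0/0" and r["nextHopType"] == "VirtualAppliance"
               and r["nextHopIpAddress"] == fw_ip for r in routes)


def _in_any(addr, cidrs):
    ip = ip_address(addr)
    return any(c == "*" or ip in ip_network(c, strict=False) for c in cidrs)


def _fqdn_match(host, pattern):
    """Exact host match, or a '*.example.com' pattern that matches subdomains only."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def evaluate(src, dst_ip, port, proto, fqdn=None,
             network=NETWORK_RULE_COLLECTIONS, application=APPLICATION_RULE_COLLECTIONS):
    """Return (verdict, matched rule) for one outbound flow, in firewall processing order."""
    for coll in sorted(network, key=lambda c: c["priority"]):
        for rule in coll["rules"]:
            if (proto.upper() in rule["protocols"]
                    and _in_any(src, rule["sourceAddresses"])
                    and _in_any(dst_ip, rule["destinationAddresses"])
                    and ("*" in rule["destinationPorts"] or str(port) in rule["destinationPorts"])):
                return coll["action"], f'{coll["name"]}/{rule["name"]}'
    if fqdn:  # only HTTP (Host header) / HTTPS (SNI) flows carry an FQDN to match on
        for coll in sorted(application, key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if (_in_any(src, rule["sourceAddresses"])
                        and any(p.lower() == proto.lower() and pt == port for p, pt in rule["protocols"])
                        and any(_fqdn_match(fqdn, t) for t in rule["targetFqdns"])):
                    return coll["action"], f'{coll["name"]}/{rule["name"]}'
    return "Deny", "implicit-deny"


def broad_rules(network, application):
    """Audit helper (not an Azure feature): rules whose destination is any IP or any FQDN."""
    found = []
    for coll in network:
        for r in coll["rules"]:
            if "*" in r["destinationAddresses"] or "0.0.0.0/0" in r["destinationAddresses"]:
                found.append(f'{coll["name"]}/{r["name"]}')
    for coll in application:
        for r in coll["rules"]:
            if "*" in r["targetFqdns"]:
                found.append(f'{coll["name"]}/{r["name"]}')
    return found


def scenarios():
    """Verdicts for the flows discussed in the post (web destination IPs are TEST-NET placeholders)."""
    vm = "10.0.2.5"          # assumed address of the Workload VM
    web = "198.51.100.10"    # placeholder for whatever www.facebook.com resolves to
    return {
        "dns_udp_google": evaluate(vm, "8.8.8.8", 53, "UDP")[0],
        "dns_tcp_google": evaluate(vm, "8.8.8.8", 53, "TCP")[0],       # UDP-only rule: TCP fallback denied
        "dns_other_resolver": evaluate(vm, "1.1.1.1", 53, "UDP")[0],
        "www_facebook": evaluate(vm, web, 443, "Https", "www.facebook.com")[0],
        "apex_facebook": evaluate(vm, web, 443, "Https", "facebook.com")[0],
        "fb_cdn_assets": evaluate(vm, web, 443, "Https", "static.xx.fbcdn.net")[0],
        "ssh_anywhere": evaluate(vm, web, 22, "TCP")[0],
    }


if __name__ == "__main__":
    print("default route ok:", default_route_ok(ROUTES, FIREWALL_PRIVATE_IP))
    for name, verdict in scenarios().items():
        print(f"{name:20} {verdict}")
    print("overly broad rules:", broad_rules(NETWORK_RULE_COLLECTIONS, APPLICATION_RULE_COLLECTIONS))
```

Running the module prints one verdict per flow: only UDP 53 to the two Google resolvers and HTTPS to exactly www.facebook.com are allowed, while TCP 53, other resolvers, the apex facebook.com, the CDN host names a full page load needs, and any other egress fall through to the implicit deny. `broad_rules` is the check to run on a real rule export before trusting it: a destination of `*` or `0.0.0.0/0` in a network rule, or a target FQDN of `*` in an application rule, turns the firewall into a pass-through.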
