In this article, I will show the steps to protect a web application from malicious traffic and block unauthorized access by placing an Azure Firewall in front of it.
We will start by creating an Azure Firewall subnet in our existing virtual network.
- In the search box at the top of the portal, enter Virtual networks.
- Select Virtual networks in the search results.
- Select app-vnet.
- Select Subnets.
- Select + Subnet.
- Enter the following information and select Save.

| Property | Value |
| --- | --- |
| Name | AzureFirewallSubnet |
| Address range | 10.1.63.0/26 |

Note: Leave all other settings as default.
Next, we create an Azure Firewall.
- In the search box at the portal's top, enter Firewall. Select Firewall in the search results.
- Select + Create.
- Create a firewall by using the following values. For any property that is not specified, use the default value.

Note: Azure Firewall can take a few minutes to deploy.

| Property | Value |
| --- | --- |
| Resource group | YOUR RESOURCE GROUP |
| Name | app-vnet-firewall |
| Firewall SKU | Standard |
| Firewall management | Use a Firewall Policy to manage this firewall |
| Firewall policy | Select Add new |
| Policy name | fw-policy |
| Region | East US |
| Policy Tier | Standard |
| Choose a virtual network | Use existing |
| Virtual network | app-vnet (YOUR RESOURCE GROUP) |
| Public IP address | Add new: fwpip |

- Select Review + Create and then select Create.
We update the Firewall Policy next.
- In the search box at the portal's top, enter Firewall Policy. Select Firewall Policies in the search results.
- Select fw-policy.
- Select Application rules.
- Select + Application rule collection.
- Use the values in the following table. For any property that is not specified, use the default value.

| Property | Value |
| --- | --- |
| Name | app-vnet-fw-rule-collection |
| Rule collection type | Application |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultApplicationRuleCollectionGroup |

- Under Rules, use the values in the following table, then select Add.

| Property | Value |
| --- | --- |
| Name | AllowAzurePipelines |
| Source type | IP address |
| Source | 10.1.0.0/23 |
| Protocol | https |
| Destination type | FQDN |
| Destination | dev.azure.com, azure.microsoft.com |

Note: The AllowAzurePipelines rule allows the web application to reach Azure Pipelines, that is, the Azure DevOps service (dev.azure.com) and the Azure website (azure.microsoft.com). Because the collection action is Allow and only these two FQDNs are listed, outbound HTTPS from 10.1.0.0/23 to any other destination is not permitted by this rule.
Next, create a network rule collection that contains a single IP address rule by using the values in the following tables. For any property that is not specified, use the default value.
- Select Network rules.
- Select + Network rule collection.
- Use the values in the following table.

| Property | Value |
| --- | --- |
| Name | app-vnet-fw-nrc-dns |
| Rule collection type | Network |
| Priority | 200 |
| Rule collection action | Allow |
| Rule collection group | DefaultNetworkRuleCollectionGroup |

- Under Rules, use the values in the following table, then select Add.

| Property | Value |
| --- | --- |
| Rule | AllowDns |
| Source | 10.1.0.0/23 |
| Protocol | UDP |
| Destination ports | 53 |
| Destination addresses | 1.1.1.1, 1.0.0.1 |
Finally, verify that the provisioning state of both the Azure Firewall and the Firewall Policy shows Succeeded; rules in a policy that is still updating are not yet enforced.
- In the search box at the portal's top, enter Firewall. Select Firewall in the search results.
- Select app-vnet-firewall.
- Validate that the Provisioning state is Succeeded.
- In the search box at the portal's top, enter Firewall policies. Select Firewall policies in the search results.
- Select fw-policy.
- Validate that the Provisioning state is Succeeded.
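The same deployment can be scripted with the Azure CLI so it is repeatable and reviewable. The script below is an added example and is not part of the original article or of any Microsoft sample; it reproduces the portal steps above (subnet, firewall, policy, the two rule collections, and the provisioning check). It assumes `az` is logged in, the `azure-firewall` CLI extension is installed (`az extension add --name azure-firewall`), and the resource group and app-vnet already exist. The `RG` placeholder, the ip-configuration name `fw-ipconfig`, and the rule collection group priorities (200 and 300) are assumptions, not values from the article.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): the Azure Firewall deployment
# described above, performed with the Azure CLI instead of the portal.
# Assumptions: 'az' is logged in, the azure-firewall extension is installed,
# and the resource group and app-vnet already exist.
set -eu

RG="${RG:-YOUR_RESOURCE_GROUP}"   # placeholder, as in the article
LOCATION="eastus"
VNET="app-vnet"
FW_NAME="app-vnet-firewall"
POLICY="fw-policy"
PIP="fwpip"
APP_SUBNET_RANGE="10.1.0.0/23"    # source range used by both rules

# Step 1: the dedicated subnet. The name must be exactly AzureFirewallSubnet
# and the prefix at least /26, or firewall creation is rejected.
create_firewall_subnet() {
  az network vnet subnet create \
    --resource-group "$RG" --vnet-name "$VNET" \
    --name AzureFirewallSubnet --address-prefixes 10.1.63.0/26 --output none
}

# Step 2: the Standard-tier policy, the public IP, and the firewall bound to both.
create_policy_and_firewall() {
  az network firewall policy create \
    --resource-group "$RG" --name "$POLICY" \
    --location "$LOCATION" --sku Standard --output none
  az network public-ip create \
    --resource-group "$RG" --name "$PIP" \
    --sku Standard --allocation-method Static --output none
  az network firewall create \
    --resource-group "$RG" --name "$FW_NAME" --location "$LOCATION" \
    --sku AZFW_VNet --tier Standard --firewall-policy "$POLICY" --output none
  az network firewall ip-config create \
    --resource-group "$RG" --firewall-name "$FW_NAME" \
    --name fw-ipconfig --public-ip-address "$PIP" --vnet-name "$VNET" --output none
}

# Step 3: the two rule collections from the article. Collections live inside
# rule collection groups; the group priorities here are assumptions.
create_rules() {
  az network firewall policy rule-collection-group create \
    --resource-group "$RG" --policy-name "$POLICY" \
    --name DefaultApplicationRuleCollectionGroup --priority 300 --output none
  az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name DefaultApplicationRuleCollectionGroup \
    --name app-vnet-fw-rule-collection --collection-priority 200 --action Allow \
    --rule-name AllowAzurePipelines --rule-type ApplicationRule \
    --protocols Https=443 --source-addresses "$APP_SUBNET_RANGE" \
    --target-fqdns dev.azure.com azure.microsoft.com --output none

  az network firewall policy rule-collection-group create \
    --resource-group "$RG" --policy-name "$POLICY" \
    --name DefaultNetworkRuleCollectionGroup --priority 200 --output none
  az network firewall policy rule-collection-group collection add-filter-collection \
    --resource-group "$RG" --policy-name "$POLICY" \
    --rule-collection-group-name DefaultNetworkRuleCollectionGroup \
    --name app-vnet-fw-nrc-dns --collection-priority 200 --action Allow \
    --rule-name AllowDns --rule-type NetworkRule --ip-protocols UDP \
    --source-addresses "$APP_SUBNET_RANGE" \
    --destination-addresses 1.1.1.1 1.0.0.1 --destination-ports 53 --output none
}

# Pure helper (no Azure call): true only for the terminal "Succeeded" state,
# so a policy still in "Updating" is not mistaken for a finished deployment.
is_succeeded() {
  [ "$1" = "Succeeded" ]
}

# Step 4: the same provisioning check the article performs in the portal.
verify_provisioning() {
  local fw_state policy_state
  fw_state=$(az network firewall show --resource-group "$RG" --name "$FW_NAME" \
    --query provisioningState --output tsv)
  policy_state=$(az network firewall policy show --resource-group "$RG" \
    --name "$POLICY" --query provisioningState --output tsv)
  is_succeeded "$fw_state" && is_succeeded "$policy_state"
}

# Run the full procedure only when explicitly asked: ./deploy-firewall.sh deploy
if [ "${1:-}" = "deploy" ]; then
  create_firewall_subnet
  create_policy_and_firewall
  create_rules
  verify_provisioning && echo "firewall and policy provisioned"
fi
```

Run it as `./deploy-firewall.sh deploy` after setting `RG`; without the argument it only defines the functions. Keep in mind that the rules are enforced only for traffic that actually passes through the firewall, so the provisioning check confirms the resources exist, not that the application's traffic is being filtered.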