Microsoft has launched a new service called Azure Firewall, at present it is in preview. Azure Firewall is a network security service that provides stateful firewall service for both network and application layer. However, at present it is only for outbound traffic. As this is not a virtual appliance, therefore customers don’t have to worry about the scalability, availability and performance of this service. This service works along with Network Security Group and Application Gateway. It also supports SNAT for source network address translation that translate all VNet IP addresses to the Azure Firewall public ip address. Customer can monitor all the logs and perform the analytics using Azure Monitor.
As this service is in preview right now, therefore we need to run a PowerShell command to enable it explicitly.
Before, I start with deployment process; let me show you “what error will you get if you don’t enable it explicitly.” It is only for preview and will be removed once GA.
Login to Azure Portal and try to create Azure Firewall.
You will get the following error highlighted in the snap below:
Now, let me explain you that how to do it step-by-step.
Login to the Azure Portal and open Azure Cloud Shell. You can use PowerShell as well.
If you are using it first time, you need to create a storage account so that it can persist files in Azure file share. Select any environment. For simplicity, select PowerShell that is needed for this demo.
Select subscription and click on storage.
Now, it will setup your environment.
You can switch between PowerShell and Bash, any time.
Before you proceed just make sure you are going to use the right Azure subscription. To check the current subscription run the following command:
If you are not using the right subscription, select the subscription that you would like to use for Azure Firewall.
Select-AzureRmSubscription -SubscriptionId <Subscription Id>
Now run the following commands to register Azure Firewall.
Register-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Register-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
It may take up to 30 minutes for the registering Azure Firewall. You can run the following commands to verify the registration state.
Get-AzureRmProviderFeature -FeatureName AllowRegionalGatewayManagerForSecureGateway -ProviderNamespace Microsoft.Network
Get-AzureRmProviderFeature -FeatureName AllowAzureFirewall -ProviderNamespace Microsoft.Network
Once registered, run the following command to complete the process.
Now, you go back to Azure Portal and try to create the Azure Firewall.
Now fill the information to create Azure Firewall.
Once filled all the necessary information, click on “Review + create”.
It will take you to the summary page.
Click on create to deploy an Azure Fiewall.
Deployment will take some time to complete. Will look at the Azure Firewall configuration in next article.