Azure Firewall
Overview
This lab focused on deploying and configuring Azure Firewall to control and monitor inbound and outbound traffic within an Azure virtual network. The goal was to enforce centralized, stateful network security while validating traffic flow through routing, firewall rules, and controlled testing.
Lab Objectives
- Deploy Azure Firewall using a secure virtual network architecture
- Force outbound workload traffic through the firewall using custom routing
- Configure application rules and network rules
- Validate firewall behavior through real-world traffic testing
Environment Architecture
- Virtual Network with two subnets:
  - Jump Host Subnet (public access)
  - Workload Subnet (protected by firewall)
- Virtual Machines deployed in each subnet
- Azure Firewall deployed with a public IP
- Route Table forcing all outbound traffic (0.0.0.0/0) through the firewall
Security Controls Implemented
- Application Rule Collection
  - Allowed outbound HTTP/HTTPS traffic only to www.bing.com
- Network Rule Collection
  - Allowed outbound DNS queries (UDP port 53) to approved public DNS servers
- Default Deny Policy
  - All other outbound traffic was implicitly blocked
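The following ARM template excerpt is an added example, not the lab's own template, showing how the route table and the two rule collections described above are expressed as infrastructure as code. It assumes a VNet named vnet-lab with a subnet named AzureFirewallSubnet, a public IP named pip-fw-lab, a workload subnet of 10.0.2.0/24 and two placeholder DNS resolver addresses from the RFC 5737 documentation range; all of these are assumptions to be replaced with the lab's real values. ARM deployment tooling accepts the `//` comments used here.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  // Parameter defaults below are assumed for this example; substitute the lab's own values.
  "parameters": {
    "vnetName":     { "type": "string", "defaultValue": "vnet-lab" },
    "firewallName": { "type": "string", "defaultValue": "fw-lab" },
    "publicIpName": { "type": "string", "defaultValue": "pip-fw-lab" },
    "workloadSubnetPrefix": { "type": "string", "defaultValue": "10.0.2.0/24" },
    "approvedDnsServers": {
      "type": "array",
      // Placeholder addresses (RFC 5737 documentation range); replace with approved resolvers.
      "defaultValue": [ "203.0.113.53", "203.0.113.54" ]
    }
  },
  "resources": [
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2023-05-01",
      "name": "[parameters('firewallName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "sku": { "name": "AZFW_VNet", "tier": "Standard" },
        "ipConfigurations": [
          {
            "name": "fw-ipconfig",
            "properties": {
              // Azure Firewall must be placed in a subnet named exactly AzureFirewallSubnet.
              "subnet": { "id": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('vnetName'), 'AzureFirewallSubnet')]" },
              "publicIPAddress": { "id": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('publicIpName'))]" }
            }
          }
        ],
        // Application rule: only HTTP/HTTPS to www.bing.com from the workload subnet.
        "applicationRuleCollections": [
          {
            "name": "app-allow-bing",
            "properties": {
              "priority": 100,
              "action": { "type": "Allow" },
              "rules": [
                {
                  "name": "allow-www-bing-com",
                  "sourceAddresses": [ "[parameters('workloadSubnetPrefix')]" ],
                  "protocols": [
                    { "protocolType": "Http",  "port": 80 },
                    { "protocolType": "Https", "port": 443 }
                  ],
                  "targetFqdns": [ "www.bing.com" ]
                }
              ]
            }
          }
        ],
        // Network rule: UDP/53 from the workload subnet to the approved resolvers only.
        "networkRuleCollections": [
          {
            "name": "net-allow-dns",
            "properties": {
              "priority": 100,
              "action": { "type": "Allow" },
              "rules": [
                {
                  "name": "allow-udp-53",
                  "protocols": [ "UDP" ],
                  "sourceAddresses": [ "[parameters('workloadSubnetPrefix')]" ],
                  "destinationAddresses": "[parameters('approvedDnsServers')]",
                  "destinationPorts": [ "53" ]
                }
              ]
            }
          }
        ]
        // No explicit deny rule is needed: traffic that matches no collection is dropped.
      }
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2023-05-01",
      "name": "rt-workload",
      "location": "[resourceGroup().location]",
      "dependsOn": [ "[resourceId('Microsoft.Network/azureFirewalls', parameters('firewallName'))]" ],
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            // Default route: send all outbound traffic to the firewall's private IP.
            "name": "default-via-firewall",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('firewallName')), '2023-05-01').ipConfigurations[0].properties.privateIPAddress]"
            }
          }
        ]
      }
    }
  ]
}
```

The route table only takes effect once it is associated with the workload subnet (the subnet's routeTable property); the jump host subnet is deliberately left without it so administrative access is not hairpinned through the firewall. Azure Firewall evaluates network rule collections before application rule collections, and a flow that matches neither is denied, which is the implicit default deny the lab relied on.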
Validation & Testing
- Verified successful access to bing.com from the workload VM
- Confirmed blocked access to unauthorized destinations (e.g., microsoft.com)
- Ensured all workload subnet traffic was inspected via the firewall
Key Takeaways
- Azure Firewall provides centralized, scalable, stateful network protection
- Custom route tables are essential for enforcing firewall traffic inspection
- Application and network rules enable granular traffic control
- Jump hosts reduce attack surface by removing direct public access to protected workloads
Tools & Technologies
- Azure Firewall (Standard)
- Azure Virtual Network & Subnets
- ARM Templates (Infrastructure as Code)
- Route Tables & NSGs
- Azure Monitor (logging integration)
Full Technical Report
Detailed Step-by-Step Lab Report