WEBVTT

00:00:03.020 --> 00:00:08.100
Secure access to your workloads running in Azure is, of course, absolutely

00:00:08.100 --> 00:00:12.760
paramount. What we're going to do in this video is talk about one of the

00:00:12.760 --> 00:00:18.960
tools that we can use within Azure to provide and really control at a

00:00:18.960 --> 00:00:23.100
very granular level access, both incoming and actually outbound access

00:00:23.100 --> 00:00:25.620
to our workloads.

00:00:25.620 --> 00:00:28.200
Now, I will tell you, we're going to talk about the Azure Firewall, which

00:00:28.200 --> 00:00:30.760
is really platform as a service.

00:00:30.760 --> 00:00:34.520
I do want to let you know that there are quite a number of infrastructure

00:00:34.520 --> 00:00:37.940
solutions from pretty much all the major vendors.

00:00:37.940 --> 00:00:44.300
I'm not going to mention them all, but just F5, Palo Alto, Cisco, etc.

00:00:44.300 --> 00:00:47.060
And again, that's just a very brief list of them.

00:00:47.060 --> 00:00:53.720
So if you're already using a firewall, pfSense is one I use, then you'll

00:00:53.720 --> 00:00:55.780
probably find that firewall available to you.

00:00:55.780 --> 00:00:58.940
This is the service though that if you don't already have a firewall or

00:00:58.940 --> 00:01:02.620
just want to simplify the process of really managing the firewall in

00:01:02.620 --> 00:01:06.100
Azure, that's what this is.

00:01:06.100 --> 00:01:09.080
And what we're going to talk about is pretty simple, we're going to talk

00:01:09.080 --> 00:01:11.360
about what the Azure Firewall is.

00:01:11.360 --> 00:01:14.820
We'll go through a list of the features of the Azure Firewall.

00:01:14.820 --> 00:01:20.040
And then I'm going to demonstrate an Azure Firewall, pretty straightforward.

00:01:20.040 --> 00:01:23.380
So what is the Azure Firewall?

00:01:23.380 --> 00:01:27.880
Let's go ahead and kind of draw that out and think about it a little bit.

00:01:27.880 --> 00:01:30.500
I've got a workload.

00:01:30.500 --> 00:01:35.280
And let's say I've got a workload that's running in a virtual network.

00:01:35.280 --> 00:01:37.080
So here's my VNet.

00:01:37.080 --> 00:01:45.580
And let's say within that VNet, I've got a virtual machine.

00:01:45.580 --> 00:01:53.180
Let's say that virtual machine is running a web app.

00:01:53.180 --> 00:01:58.620
Okay, now I've got a user over here that needs to access the web app.

00:01:58.620 --> 00:02:03.680
They're happy, they've got a baseball cap on.

00:02:03.680 --> 00:02:06.160
Okay, but they need to get to the web app.

00:02:06.160 --> 00:02:10.180
Now, traditionally what I'm going to do is I'm going to create a public

00:02:10.180 --> 00:02:11.500
IP endpoint, right?

00:02:11.500 --> 00:02:15.500
And so then that user has access to that public IP endpoint and effectively

00:02:15.500 --> 00:02:19.200
direct access to that virtual machine, right?

00:02:19.200 --> 00:02:21.520
And that can be a little bit troublesome.

00:02:21.520 --> 00:02:26.160
So we have traditionally had the ability to apply network security groups.

00:02:26.160 --> 00:02:28.660
But those are really fairly basic.

00:02:28.660 --> 00:02:32.560
Those are point-to-point tuples that allow us to define traffic based

00:02:32.560 --> 00:02:37.180
on the source IP address range and ports and the destination IP address

00:02:37.180 --> 00:02:40.460
range and ports and the protocol.

00:02:40.460 --> 00:02:43.700
And look, if I can just use that, that's fine.

00:02:43.700 --> 00:02:47.340
But I still have that direct access and that still makes myself and others

00:02:47.340 --> 00:02:48.520
a bit uncomfortable.

00:02:48.520 --> 00:02:53.240
Right, and so another option would be to have either in the same VNet

00:02:53.240 --> 00:02:56.340
or in another virtual network.

00:02:56.340 --> 00:03:06.620
I could have an appliance, okay, so a network virtual appliance that is

00:03:06.620 --> 00:03:08.940
acting as a firewall.

00:03:08.940 --> 00:03:14.600
All right, and I could set that up and set up my own route tables and

00:03:14.600 --> 00:03:17.860
have traffic coming through here.

00:03:17.860 --> 00:03:22.520
So the user's going to that instead, but that's going to be a fair bit

00:03:22.520 --> 00:03:29.620
of management. And so what I can do now is I can have the Azure Firewall.

00:03:29.620 --> 00:03:42.560
And the Azure Firewall does sit in a virtual network.

00:03:42.560 --> 00:03:44.920
I'm typing that in there.

00:03:44.920 --> 00:03:47.720
It does sit in a virtual network, can be in the same virtual network or

00:03:47.720 --> 00:03:49.360
different virtual network.

00:03:49.360 --> 00:03:53.800
And with a relationship, peering relationship, for example, okay.

00:03:53.800 --> 00:03:56.980
And now instead of the user going to that endpoint, the user's going

00:03:56.980 --> 00:04:02.700
to go to the endpoint of the Azure Firewall, right?

00:04:02.700 --> 00:04:05.600
And then that Azure Firewall is going to do things like network address

00:04:05.600 --> 00:04:09.900
translation. And it's going to have sophisticated rules that are going

00:04:09.900 --> 00:04:14.900
to allow or deny traffic based not only on IP address, but I can also

00:04:14.900 --> 00:04:18.520
use FQDN. I can control inbound and outbound traffic.

00:04:18.520 --> 00:04:20.420
I can set up NAT rules.

00:04:20.420 --> 00:04:24.380
And it's just managed for me, okay?

00:04:24.380 --> 00:04:28.780
And so that's what the Azure Firewall does.

00:04:28.780 --> 00:04:36.100
Now, let's talk about some of the features of the Azure Firewall.

00:04:36.100 --> 00:04:41.980
Okay, now first of all, the Azure Firewall supports features at the, if

00:04:41.980 --> 00:04:46.660
you're familiar with the OSI networking model, layer three through layer

00:04:46.660 --> 00:04:49.160
seven policies, okay?

00:04:49.160 --> 00:04:54.420
So it's kind of cool because it integrates what you would do in two different

00:04:54.420 --> 00:05:00.100
ways in Azure traditionally through NSGs or through the application gateway

00:05:00.100 --> 00:05:03.440
and also really through the application load balancer.

00:05:03.440 --> 00:05:07.500
I can kind of use this to do, to some extent, all three of those.

00:05:07.500 --> 00:05:12.440
It's not really a load balancer, but again, features from all three of

00:05:12.440 --> 00:05:15.120
those are really kind of built into the Azure Firewall.

00:05:15.120 --> 00:05:18.340
Also, it has automatic threat detection.

00:05:18.340 --> 00:05:23.120
So Microsoft threat detection, which they use for their own services,

00:05:23.120 --> 00:05:26.580
that is available to you as well.

00:05:26.580 --> 00:05:31.160
It is highly available and highly scalable.

00:05:31.160 --> 00:05:38.040
Okay? This is really built on top of Azure, of course, and all the scalability

00:05:38.040 --> 00:05:41.040
and availability is built in.

00:05:41.040 --> 00:05:45.040
Of course, you're going to pay for it, but you don't have to set it up.

00:05:45.040 --> 00:05:50.000
Okay? You have the ability to implement multiple IP addresses.

00:05:50.000 --> 00:05:53.420
You have DNAT for incoming and SNAT for outgoing.

00:05:53.420 --> 00:05:58.540
So your access, if I've got a virtual machine back here and I've got the

00:05:58.540 --> 00:06:01.920
firewall in front of it, that virtual machine is going to have some kind

00:06:01.920 --> 00:06:04.920
of IP address. Right?

00:06:04.920 --> 00:06:12.280
Maybe 10.0.0.4. Ooh, just put that in.

00:06:12.280 --> 00:06:17.260
Right? But that's not going to be what people are going to see.

00:06:17.260 --> 00:06:20.280
I'll have a public access, a public IP address here and this is not going

00:06:20.280 --> 00:06:26.520
to be a valid 152.2.5.2.5.

00:06:26.520 --> 00:06:31.640
And that is, if you will, the IP address that you would see, only not

00:06:31.640 --> 00:06:34.320
two dots in front of that two.

00:06:34.320 --> 00:06:37.960
That would only be one.

00:06:37.960 --> 00:06:39.800
So you've got that.

00:06:39.800 --> 00:06:43.120
It's got monitoring as you would expect, built in.

00:06:43.120 --> 00:06:45.920
Okay? And it is compliant.

00:06:45.920 --> 00:06:48.540
It is compliant with PCI.

00:06:48.540 --> 00:06:51.340
It's compliant with SOC.

00:06:51.340 --> 00:06:56.460
It's compliant with ISO and there's more information on that on Microsoft's

00:06:56.460 --> 00:07:00.760
website. But it is compliant with many standards.

00:07:00.760 --> 00:07:05.100
Okay? And that's really what the Azure Firewall is and what it does.

00:07:05.100 --> 00:07:08.320
And so what I'm going to do is take you through a brief demonstration

00:07:08.320 --> 00:07:10.340
of the Azure Firewall.

00:07:10.340 --> 00:07:12.760
I'm not going to go through all of the features of the firewall, just

00:07:12.760 --> 00:07:16.760
some of the basics.

00:07:16.760 --> 00:07:21.020
And I'm going to deploy, well, not really deploy, I'm going to sort of

00:07:21.020 --> 00:07:23.720
provision an Azure Firewall, I already have an Azure Firewall set up.

00:07:23.720 --> 00:07:26.520
So we're not going to have to wait for it, but I will show you what you

00:07:26.520 --> 00:07:29.200
would do to deploy an Azure Firewall.

00:07:29.200 --> 00:07:32.360
So let's go ahead and bring up.

00:07:32.360 --> 00:07:38.980
All right. Here's my Azure and what I'm going to do.

00:07:38.980 --> 00:07:40.400
This is my portal, of course.

00:07:40.400 --> 00:07:45.440
If I wanted to create a firewall, just go ahead and say I want a firewall

00:07:45.440 --> 00:07:51.560
and create. And here are the settings.

00:07:51.560 --> 00:07:54.120
So I've got a subscription and a resource group.

00:07:54.120 --> 00:07:59.740
Doesn't matter what I do where I put that. Instance details.

00:07:59.740 --> 00:08:02.080
I'm going to give this a name.

00:08:02.080 --> 00:08:08.000
Give it a location.

00:08:08.000 --> 00:08:15.280
Now, because I put it in the East US, I can set this up with availability

00:08:15.280 --> 00:08:19.880
zones. I can set up across all three or just none for now.

00:08:19.880 --> 00:08:22.660
I can create a new virtual network or use an existing.

00:08:22.660 --> 00:08:28.660
Now, if I choose to use an existing virtual network, it has to have an

00:08:28.660 --> 00:08:33.320
available subnet named AzureFirewallSubnet, which I don't have.

00:08:33.320 --> 00:08:38.340
So you can pre-create that or I can go here and create a new one.

00:08:38.340 --> 00:08:51.200
Firewall VNet address space.

00:08:51.200 --> 00:09:00.220
16. And then that's going to be 10.10.0.0 slash 24.

00:09:00.220 --> 00:09:02.040
Actually, I'm going to go ahead and create this.

00:09:02.040 --> 00:09:14.440
I'm going to create a new public IP address for this.

00:09:14.440 --> 00:09:16.640
And I'm not going to set up forced tunneling.

00:09:16.640 --> 00:09:18.880
I'm going to go ahead and review and create this.

00:09:18.880 --> 00:09:24.760
And so those are the settings to create a firewall.

00:09:24.760 --> 00:09:27.480
Now, once that gets started, here we go.

00:09:27.480 --> 00:09:28.520
It's now deploying.

00:09:28.520 --> 00:09:33.720
We're not going to wait for that because I already have an existing firewall.

00:09:33.720 --> 00:09:41.740
So I already have provisioned this firewall.

00:09:41.740 --> 00:09:45.880
And we can see it's in this AZ-1044.

00:09:45.880 --> 00:09:48.940
It's in the AzureFirewallSubnet.

00:09:48.940 --> 00:09:54.320
And if I take a look at that, that's under this really oddly named virtual

00:09:54.320 --> 00:09:58.160
network. It's because I just deployed things kind of quick and dirty.

00:09:58.160 --> 00:10:04.220
And what I'm going to do is go and actually take a look at that resource

00:10:04.220 --> 00:10:08.980
group. And I'm actually going to go into the virtual network for the resource

00:10:08.980 --> 00:10:16.680
group. And I can see these different devices here.

00:10:16.680 --> 00:10:23.520
But what I want to do with the diagram.

00:10:23.520 --> 00:10:27.940
I'm going to show you how these are all set up.

00:10:27.940 --> 00:10:32.280
All right. So it's actually not showing the firewall.

00:10:32.280 --> 00:10:34.140
I've got a virtual network.

00:10:34.140 --> 00:10:38.100
The virtual network actually has four different subnets.

00:10:38.100 --> 00:10:42.860
It's got some virtual machines out here on the edge.

00:10:42.860 --> 00:10:46.540
And it's got the firewall subnet, which has a firewall associated with

00:10:46.540 --> 00:10:50.180
it. I've got these other subnets that I'm not doing anything with.

00:10:50.180 --> 00:10:53.100
It's just kind of a generic deployment that I have.

00:10:53.100 --> 00:10:59.400
Okay. Now, I want to take a look at one of my virtual machines.

00:10:59.400 --> 00:11:03.560
I've got virtual machines and these have installed on them.

00:11:03.560 --> 00:11:07.640
And I should be able to pull this up if I take this public IP address

00:11:07.640 --> 00:11:14.120
and copy it. Now, I've got access, direct access to this.

00:11:14.120 --> 00:11:16.200
And I only have direct access to this.

00:11:16.200 --> 00:11:18.580
So I kind of demonstrate what this does.

00:11:18.580 --> 00:11:20.140
And here's what this does.

00:11:20.140 --> 00:11:21.120
This is the web app.

00:11:21.120 --> 00:11:24.960
It just returns the name of the server that that web app is running on.

00:11:24.960 --> 00:11:29.180
Very, very simple web app.

00:11:29.180 --> 00:11:31.260
That's the whole point of having the firewall.

00:11:31.260 --> 00:11:34.020
But I am going to be interested in that public IP address.

00:11:34.020 --> 00:11:35.520
We'll get back to that.

00:11:35.520 --> 00:11:41.500
And now I'm going to open up another tab to the portal if I could spell.

00:11:41.500 --> 00:11:50.420
And I'm going to go in to that firewall again.

00:11:50.420 --> 00:11:56.500
I've got two of them now.

00:11:56.500 --> 00:11:58.540
My INE firewall.

00:11:58.540 --> 00:12:04.140
Okay. And what I'm going to do is I'm going to take a look now at the

00:12:04.140 --> 00:12:10.040
firewall. First of all, the firewall has a public IP address right there.

00:12:10.040 --> 00:12:11.720
I'm going to actually copy that.

00:12:11.720 --> 00:12:14.080
I'm going to need that.

00:12:14.080 --> 00:12:16.540
Copy if I could copy.

00:12:16.540 --> 00:12:19.220
All right. Well, we'll copy this.

00:12:19.220 --> 00:12:25.340
Darn it. All right.

00:12:25.340 --> 00:12:27.420
17th time is a charm.

00:12:27.420 --> 00:12:30.720
Got it. Now, you can see I've got threat intelligence.

00:12:30.720 --> 00:12:32.180
There's an advanced firewall manager.

00:12:32.180 --> 00:12:34.560
We're not going to pop over to that right at the moment.

00:12:34.560 --> 00:12:40.580
But if I go to threat intelligence right now, I've got alerting based

00:12:40.580 --> 00:12:45.200
on the threat intelligence.

00:12:45.200 --> 00:12:49.220
So this is based on Microsoft's artificial intelligence.

00:12:49.220 --> 00:12:59.240
They use the threat intelligence.

00:12:59.240 --> 00:13:02.060
And I'm going to go into that right now.

00:13:02.060 --> 00:13:04.880
Okay. And there really doesn't look like there's that much more.

00:13:04.880 --> 00:13:05.940
There's monitoring.

00:13:05.940 --> 00:13:08.300
So where would I go and set this up?

00:13:08.300 --> 00:13:11.260
Well, really all of the power is here in the rules.

00:13:11.260 --> 00:13:12.840
And there's three types of rules.

00:13:12.840 --> 00:13:17.380
I've got NAT rules, network rules and application rules.

00:13:17.380 --> 00:13:19.680
Okay. And I can add a NAT rule and then I can add a NAT rule.

00:13:19.680 --> 00:13:21.340
And that's going to do exactly what it sounds like.

00:13:21.340 --> 00:13:24.720
It's going to define inbound NATing.

00:13:24.720 --> 00:13:29.560
Okay. And so this is going to be "to web app".

00:13:29.560 --> 00:13:33.180
A priority is going to be 100.

00:13:33.180 --> 00:13:35.680
So this should be the first thing that gets hit.

00:13:35.680 --> 00:13:39.620
Okay. The action is destination network address translation.

00:13:39.620 --> 00:13:42.460
So DNAT. And I have to have a rule.

00:13:42.460 --> 00:13:43.480
So this is a rule collection.

00:13:43.480 --> 00:13:52.020
I need to define a rule inbound to web app.

00:13:52.020 --> 00:13:58.800
Okay. And the protocol is going to be TCP web based.

00:13:58.800 --> 00:14:01.120
All right. I can use an IP address or group.

00:14:01.120 --> 00:14:05.260
You can predefine groups, but I haven't predefined a group.

00:14:05.260 --> 00:14:08.360
That's actually its own resource, but we'll just do IP address.

00:14:08.360 --> 00:14:10.600
And frankly, we're going to say everything.

00:14:10.600 --> 00:14:12.760
So we're just going to NAT in anything coming in.

00:14:12.760 --> 00:14:18.860
And if it's coming in to that public endpoint, the public IP address,

00:14:18.860 --> 00:14:29.260
and it's coming in on port 80, then I want to translate that over to this

00:14:29.260 --> 00:14:31.940
private IP address.

00:14:31.940 --> 00:14:36.500
That's on the of its accessible.

00:14:36.500 --> 00:14:41.060
So we'll put that in and.

00:14:41.060 --> 00:14:43.700
Go over to port 80 for that.

00:14:43.700 --> 00:14:47.940
Okay. Now I could, for example, add more NAT rules.

00:14:47.940 --> 00:14:50.900
Oftentimes, instead of NATing directly to a virtual machine, you may

00:14:50.900 --> 00:14:54.440
have a load balancer, and you're going to NAT to the load balancer.

00:14:54.440 --> 00:14:58.880
Okay. But in this case, I'm going directly to the virtual machine.

00:14:58.880 --> 00:15:00.500
I'm going to add that.

00:15:00.500 --> 00:15:07.300
Okay. And while that's adding, I should be able to check out my network

00:15:07.300 --> 00:15:14.080
rules. So I'm going to go in to my network.

00:15:14.080 --> 00:15:17.360
And so these are kind of standard networking rules.

00:15:17.360 --> 00:15:19.560
So I've got IP address.

00:15:19.560 --> 00:15:22.760
I could say, here's a rule collection.

00:15:22.760 --> 00:15:31.380
It's my primary networking rules that are priority of 120.

00:15:31.380 --> 00:15:34.020
All right. And so this is going to allow traffic.

00:15:34.020 --> 00:15:36.340
Now this is not, not NATing.

00:15:36.340 --> 00:15:39.900
This is actually allowing traffic.

00:15:39.900 --> 00:15:44.020
And so, okay, this is going to be just called demo.

00:15:44.020 --> 00:15:46.280
What traffic am I going to allow?

00:15:46.280 --> 00:15:49.420
I'm going to allow TCP traffic.

00:15:49.420 --> 00:15:54.260
Source address is going to be IP address or range and say, you know what?

00:15:54.260 --> 00:16:02.320
I only want to allow traffic that's coming in from say 52.2.3.0 slash

00:16:02.320 --> 00:16:06.840
24. Right? Destination.

00:16:06.840 --> 00:16:08.280
Allow that traffic.

00:16:08.280 --> 00:16:12.740
Anything that's going through from that.

00:16:12.740 --> 00:16:14.960
And on port 80, I'm going to allow that.

00:16:14.960 --> 00:16:18.880
Now I'm not actually going to save this because I just put that source

00:16:18.880 --> 00:16:22.040
IP address range in there kind of blindly.

00:16:22.040 --> 00:16:27.660
I can also allow traffic to or from specific service tags.

00:16:27.660 --> 00:16:36.380
And let's say TCP.

00:16:36.380 --> 00:16:40.740
Source IP address.

00:16:40.740 --> 00:16:42.600
I'm going to put in the asterisk there.

00:16:42.600 --> 00:16:48.040
But I'm then going to say, all right, this is only going to allow, let's

00:16:48.040 --> 00:16:52.900
say, from App Services.

00:16:52.900 --> 00:16:59.220
And destination port is going to be 80 or maybe 443.

00:16:59.220 --> 00:17:04.140
So these service tags, these are well known Azure services.

00:17:04.140 --> 00:17:08.680
So I can set up IP ranges.

00:17:08.680 --> 00:17:12.600
I can also set up service tags.

00:17:12.600 --> 00:17:16.840
And we're not going to actually save that.

00:17:16.840 --> 00:17:20.720
I can also go over here to application rules.

00:17:20.720 --> 00:17:25.040
I can add an application rule.

00:17:25.040 --> 00:17:34.560
Now an application rule is going to limit my HTTPS outbound traffic or Azure

00:17:34.560 --> 00:17:36.840
SQL traffic.
Those are the two things right now.

00:17:36.840 --> 00:17:41.680
Azure SQL traffic is in preview to a list of fully qualified domain names.

00:17:41.680 --> 00:17:42.780
So this is going to be okay.

00:17:42.780 --> 00:17:43.620
Where am I going to?

00:17:43.620 --> 00:17:56.500
I can do demo priority 150 action allow or deny my FQDN tag.

00:17:56.500 --> 00:18:08.180
Give it a name. IP address star.

00:18:08.180 --> 00:18:11.120
And then these are well known tags.

00:18:11.120 --> 00:18:15.340
So this would be, let's say for example, that my VMs need to reach out

00:18:15.340 --> 00:18:16.940
to Windows Update.

00:18:16.940 --> 00:18:20.480
And this would allow me to do that.

00:18:20.480 --> 00:18:24.920
If you have custom FQDNs that you want to allow access to, you could add

00:18:24.920 --> 00:18:28.800
those here as well.

00:18:28.800 --> 00:18:32.760
Again, I'm not going to add this, but that does allow.

00:18:32.760 --> 00:18:38.600
So the application rules are going to allow for outbound connectivity, network

00:18:38.600 --> 00:18:42.480
rules really controlling any kind of connectivity.

00:18:42.480 --> 00:18:45.920
And I've got my NAT rule, which is really the only one I really wanted

00:18:45.920 --> 00:18:49.300
to set up. So a little bit, if this all goes well, it's going to be very

00:18:49.300 --> 00:18:54.560
anticlimactic. Go back to my public IP address and we'll try and copy

00:18:54.560 --> 00:19:00.200
that again. As I keep hitting the right click button.

00:19:00.200 --> 00:19:06.920
I mean to so I'm going to copy that.

00:19:06.920 --> 00:19:09.420
And paste it and go to it.

00:19:09.420 --> 00:19:11.600
Wait a moment here.

00:19:11.600 --> 00:19:18.400
Sometimes the web app that's running is actually not very sophisticated.

00:19:18.400 --> 00:19:20.360
So sometimes it drops out and needs to pick back up.

00:19:20.360 --> 00:19:22.360
So we're going to wait for that to come back.

00:19:22.360 --> 00:19:26.740
And once it does, the big reveal is it's going to give you the name of

00:19:26.740 --> 00:19:30.240
the server that it's running on.

00:19:30.240 --> 00:19:32.680
Okay, so here we go.

00:19:32.680 --> 00:19:37.760
I am now accessing this and we can see that's our, the name of the web

00:19:37.760 --> 00:19:40.280
app that it's actually running on, but it's going through the public IP

00:19:40.280 --> 00:19:42.020
address of the firewall.

00:19:42.020 --> 00:19:46.140
Now what I would do next is I would actually drop the public IP address

00:19:46.140 --> 00:19:51.600
that I've got associated with the virtual machine itself.

00:19:51.600 --> 00:19:52.400
Because I don't want that.

00:19:52.400 --> 00:19:54.120
I don't want any direct access, right?

00:19:54.120 --> 00:19:57.340
Now I'm going through a firewall and then that firewall is communicating

00:19:57.340 --> 00:20:01.140
over to the virtual machine.

00:20:01.140 --> 00:20:05.220
Now typically what you'll usually do with an architecture for this is

00:20:05.220 --> 00:20:10.740
you'll set up your, you'll set up your firewall, probably in its own virtual

00:20:10.740 --> 00:20:14.960
network. You'll set up peering relationships and then just, you know, set

00:20:14.960 --> 00:20:18.660
up your rules to distribute traffic to the appropriate locations via the

00:20:18.660 --> 00:20:19.860
peering relationships.

00:20:19.860 --> 00:20:22.220
But that's what you can do with the firewall.

00:20:22.220 --> 00:20:24.060
It's set up, it's running.

00:20:24.060 --> 00:20:26.720
I don't have to worry about configuring it.

00:20:26.720 --> 00:20:29.340
That's going to be taken care of for me.

00:20:29.340 --> 00:20:33.060
I'm just going through and I'm setting up the rules to define traffic

00:20:33.060 --> 00:20:36.680
that's going across the firewall to those back end endpoints.