Estimated time: 20 minutes
In this task you will provision an Azure firewall and configure it to protect a load balanced web application. You will configure rules that route traffic on port 80 to a load balancer and provide port mapping for ssh traffic to two virtual machines.
Note: See the prerequisite setup below for the deployment of all necessary resources.
This task requires several Azure resources. To deploy the resources required for this task, run the following from a bash cloud shell:
curl https://inedemoassets.blob.core.windows.net/taskfiles/azure_admin/scripts/deploy-3672T140-pre.sh | sh
This script provisions the following resources:
| Resource | Name |
|---|---|
| Resource group | task-fwall-rg |
| Virtual Network | firewall-vnet |
| Virtual machine | firewall-web1-vm |
| Virtual machine | firewall-web2-vm |
| Network security group | firewall-nsg |
| Load balancer | firewall-lb |
Support resources are not shown.
The network diagram is as follows:
To begin this task, you will provision an Azure firewall. First, add a subnet named AzureFirewallSubnet to the firewall-vnet virtual network (Azure Firewall requires a subnet with exactly this name). Then provision an Azure firewall associated with the firewall-vnet virtual network. Use the following settings:

Subnet settings:

| Setting | Value |
|---|---|
| Subnet name | AzureFirewallSubnet |
| IP Address range | 10.2.100.0/24 |

Firewall settings:

| Setting | Value |
|---|---|
| Resource group | task-fwall-rg |
| Name | task-firewall |
| Location | East US |
| Virtual network | Use existing |
| Virtual network name | firewall-vnet |
| Public IP address | <new> |
| Public IP name | firewall-pip |
To complete this requirement you will add NAT (DNAT) rules to the firewall to allow web traffic and SSH traffic from the public internet. Web traffic arrives on port 80 of the firewall's public IP and is translated to port 80 on the firewall-lb load balancer front end. SSH traffic arrives on ports 50001 and 50002 of the firewall's public IP and is translated to port 22 on firewall-web1-vm and firewall-web2-vm respectively, so port 22 itself is never exposed on the public IP. Use the following settings:

Rule collection:

| Setting | Value |
|---|---|
| Rule collection | primary |
| Priority | 100 |

Rule 1:

| Setting | Value |
|---|---|
| Name | http |
| Protocol | TCP |
| Source type | IP address |
| Source | * |
| Destination address | <firewall public ip> |
| Destination ports | 80 |
| Translated address | <load balancer front end IP> |
| Translated ports | 80 |

Rule 2:

| Setting | Value |
|---|---|
| Name | ssh1 |
| Protocol | TCP |
| Source type | IP address |
| Source | * |
| Destination address | <firewall public ip> |
| Destination ports | 50001 |
| Translated address | <firewall-web1-vm IP> |
| Translated ports | 22 |

Rule 3:

| Setting | Value |
|---|---|
| Name | ssh2 |
| Protocol | TCP |
| Source type | IP address |
| Source | * |
| Destination address | <firewall public ip> |
| Destination ports | 50002 |
| Translated address | <firewall-web2-vm IP> |
| Translated ports | 22 |
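The same configuration as the subnet, firewall and NAT rule tables above, expressed as an added Bicep template (this is an illustrative example written for this page, not part of the lab or its prerequisite script). It assumes firewall-vnet and firewall-lb already exist in task-fwall-rg, and because the lab does not list the private IP addresses of the load balancer front end or the two VMs, those are passed in as parameters (`lbFrontendIp`, `web1Ip`, `web2Ip`) that you supply at deployment time. The `fw-ipconfig` name is also an assumption.

```bicep
// Added example, not the lab's own code. Declares AzureFirewallSubnet, the
// firewall public IP, the firewall, and the DNAT rule collection from the tables.
targetScope = 'resourceGroup'

@description('Private front-end IP of firewall-lb (assumed parameter; not listed in the lab)')
param lbFrontendIp string
@description('Private IP of firewall-web1-vm (assumed parameter; not listed in the lab)')
param web1Ip string
@description('Private IP of firewall-web2-vm (assumed parameter; not listed in the lab)')
param web2Ip string
param location string = 'eastus'

// Existing virtual network created by the prerequisite script.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: 'firewall-vnet'
}

// Azure Firewall will only deploy into a subnet with exactly this name.
resource fwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: 'AzureFirewallSubnet'
  properties: {
    addressPrefix: '10.2.100.0/24'
  }
}

// The firewall requires a Standard SKU, statically allocated public IP.
resource pip 'Microsoft.Network/publicIPAddresses@2023-05-01' = {
  name: 'firewall-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

// DNAT rules: only 80, 50001 and 50002 are opened on the public IP; SSH on the
// VMs is reached solely through the high-numbered mapped ports.
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'task-firewall'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'fw-ipconfig' // assumed name
        properties: {
          subnet: { id: fwSubnet.id }
          publicIPAddress: { id: pip.id }
        }
      }
    ]
    natRuleCollections: [
      {
        name: 'primary'
        properties: {
          priority: 100
          action: { type: 'Dnat' }
          rules: [
            {
              name: 'http'
              protocols: [ 'TCP' ]
              sourceAddresses: [ '*' ]
              destinationAddresses: [ pip.properties.ipAddress ]
              destinationPorts: [ '80' ]
              translatedAddress: lbFrontendIp
              translatedPort: '80'
            }
            {
              name: 'ssh1'
              protocols: [ 'TCP' ]
              sourceAddresses: [ '*' ]
              destinationAddresses: [ pip.properties.ipAddress ]
              destinationPorts: [ '50001' ]
              translatedAddress: web1Ip
              translatedPort: '22'
            }
            {
              name: 'ssh2'
              protocols: [ 'TCP' ]
              sourceAddresses: [ '*' ]
              destinationAddresses: [ pip.properties.ipAddress ]
              destinationPorts: [ '50002' ]
              translatedAddress: web2Ip
              translatedPort: '22'
            }
          ]
        }
      }
    ]
  }
}

// Public IP to use in the validation step.
output firewallPublicIp string = pip.properties.ipAddress
```

Deploy it from Cloud Shell with `az deployment group create -g task-fwall-rg -f firewall.bicep -p lbFrontendIp=<lb ip> web1Ip=<web1 ip> web2Ip=<web2 ip>`; the `firewallPublicIp` output is the address to browse to and SSH through in the validation step. Keeping the source as `*` matches the lab; in a production deployment you would narrow the SSH rules to known management source ranges.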
To complete this task you will validate that HTTP traffic and SSH traffic are being properly routed through the firewall. First, open a browser window and navigate to the public IP address of the firewall. The page should return the name of the server that handled the request. Next, open an Azure Cloud Shell and enter the following command (SSH takes the port with the -p flag, not as a suffix on the host):
ssh -p 50001 student@<public ip address of your firewall>
Enter yes when prompted and enter the password: Pa55w.rd!. You should end up at the shell prompt for the firewall-web1-vm virtual machine.
Having trouble completing this task? View the demonstration video to see how to do it.