Azure Firewall : Deploy, Configure & Control network access

In this article we will see how to manage or restrict network access for Azure VMs using Azure Firewall. We will also see how to restrict or limit access to websites, outbound IPs, ports, protocols and so on. I have made a step by step tutorial for creating a test environment for learning purposes; you can follow the same steps, deploy the test setup and play with the rules to become familiar with them. Below is the high level design of the test environment that we will deploy in Azure.

Deployment Approach

Here is the high level approach for deploying a single V-Net test environment with Azure Firewall.

Create Resource Group

  • Sign in to the Azure portal at
  • On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Then select Add.
  • For Resource group name, enter <jasparrow>
  • For Subscription, select your subscription.
  • For Resource group location, select a location. All other resources that you create must be in the same location.
  • Select Create.

Create Virtual Network & Add Subnet

  • On the Azure portal menu or from the Home page, select Create a resource.
  • Select Networking > Virtual network.
  • For Subscription, select your subscription.
  • For Resource group, select <jasparrow>.
  • For Name, type Test-FW-VN.
  • For Region, select the same location that you used previously.
  • Select Next: IP addresses.
  • For IPv4 Address space, type
  • Under Subnet, select default.
  • For Subnet name type AzureFirewallSubnet. The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.
  • For Address range, type
  • Select Save.

Next, create a subnet for the workload server.

  • Select Add subnet.
  • For Subnet name, type Workload-SN.
  • For Subnet address range, type
  • Select Add.
  • Select Review + create.
  • Select Create.

Create Virtual Machine

Now create the workload virtual machine, and place it in the Workload-SN subnet.

  • On the Azure portal menu or from the Home page, select Create a resource.
  • Select Compute and then select Virtual machine.
  • Select Windows Server 2019 Datacenter in the Featured list.
  • Enter the values for the virtual machine. Later steps refer to this VM by the name Srv-Work, so use that name.
  • Under Inbound port rules > Public inbound ports, select None.
  • Accept the other defaults and select Next: Disks.
  • Accept the disk defaults and select Next: Networking.
  • Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.
  • For Public IP, select None.
  • Accept the other defaults and select Next: Management.
  • Select Off to disable boot diagnostics. Accept the other defaults and select Review + create.
  • Review the settings on the summary page, and then select Create.

Deploy Firewall in V-Net

  • On the Azure portal menu or from the Home page, select Create a resource.
  • Type firewall in the search box and press Enter.
  • Select Firewall and then select Create.
  • On the Create a Firewall page, configure the firewall. Later steps refer to it as Test-FW01, deployed in the <jasparrow> resource group and the Test-FW-VN virtual network.
  • Select Review + create.
  • Review the summary, and then select Create to create the firewall. This will take a few minutes to deploy.
  • After deployment completes, go to the <jasparrow> resource group, and select the Test-FW01 firewall.
  • Note the firewall private and public IP addresses. You’ll use these addresses later.

Creating a Default Route

For the Workload-SN subnet, configure the outbound default route to go through the firewall.

  • On the Azure portal menu, select All services or search for and select All services from any page.
  • Under Networking, select Route tables.
  • Select Add.
  • For Name, type Firewall-route.
  • For Subscription, select your subscription.
  • For Resource group, select <jasparrow>.
  • For Location, select the same location that you used previously.
  • Select Create.
  • Select Refresh, and then select the Firewall-route route table.
  • Select Subnets and then select Associate.
  • Select Virtual network > Test-FW-VN.
  • For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route, otherwise your firewall won’t work correctly.
  • Select OK.
  • Select Routes and then select Add.
  • For Route name, type fw-dg.
  • For Address prefix, type
  • For Next hop type, select Virtual appliance. Azure Firewall is actually a managed service, but virtual appliance works in this situation.
  • For Next hop address, type the private IP address for the firewall that you noted previously.
  • Select OK.
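The virtual network, subnet and default route steps above depend on a few constraints that the portal does not always make obvious: the firewall subnet must be named exactly AzureFirewallSubnet and be at least a /26 (an Azure deployment requirement), the subnets must fit inside the V-Net address space without overlapping, the default route's next hop must be an address inside AzureFirewallSubnet, and the route table must be associated only with Workload-SN (associating it with AzureFirewallSubnet is the "won't work correctly" case warned about above, because the firewall's own egress would be routed back into the firewall). The following Python script is an added example that checks a planned layout against those constraints; it is not code from the original post or from Microsoft, and the address ranges in it are assumptions, since the page does not show them.

```python
"""Consistency checks for the single V-Net layout above, before building it.

Added example, not Azure tooling. Address values are assumptions; the
page does not show them.
"""
import ipaddress


def check_topology(vnet, subnets, route, route_assoc):
    """Return a list of problems; an empty list means the design is consistent.

    vnet: VNet CIDR; subnets: {name: CIDR}; route: {"prefix": CIDR, "next_hop": IP};
    route_assoc: names of the subnets the route table is associated with.
    """
    problems = []
    space = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in subnets.items()}

    # The firewall subnet name is fixed and Azure requires at least a /26.
    fw = nets.get("AzureFirewallSubnet")
    if fw is None:
        problems.append("firewall subnet must be named exactly AzureFirewallSubnet")
    elif fw.prefixlen > 26:
        problems.append(f"AzureFirewallSubnet is /{fw.prefixlen}; Azure requires /26 or larger")

    # Every subnet inside the VNet space, none overlapping another.
    names = list(nets)
    for i, a in enumerate(names):
        if not nets[a].subnet_of(space):
            problems.append(f"{a} {nets[a]} is outside the VNet space {space}")
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b} overlap")

    # Default route: 0.0.0.0/0 with the firewall's private IP as next hop.
    prefix = ipaddress.ip_network(route["prefix"])
    hop = ipaddress.ip_address(route["next_hop"])
    if prefix.prefixlen != 0:
        problems.append(f"default route prefix is {prefix}; expected 0.0.0.0/0")
    if fw is not None and hop not in fw:
        problems.append(f"next hop {hop} is not inside AzureFirewallSubnet {fw}")

    # The UDR belongs on the workload subnet only; on AzureFirewallSubnet it
    # would send the firewall's own egress back to itself.
    if "AzureFirewallSubnet" in route_assoc:
        problems.append("route table must not be associated with AzureFirewallSubnet")
    if set(route_assoc) != {"Workload-SN"}:
        problems.append(f"route table should be associated only with Workload-SN, got {sorted(route_assoc)}")
    return problems


# Assumed values for the lab (the page elides the actual ranges).
LAB = {
    "vnet": "10.0.0.0/16",
    "subnets": {"AzureFirewallSubnet": "10.0.1.0/26", "Workload-SN": "10.0.2.0/24"},
    "route": {"prefix": "0.0.0.0/0", "next_hop": "10.0.1.4"},
    "route_assoc": ["Workload-SN"],
}

if __name__ == "__main__":
    for p in check_topology(**LAB) or ["topology OK"]:
        print(p)
```

Run it with your own values before creating the resources; a /27 firewall subnet or a route table accidentally associated with AzureFirewallSubnet is reported before it costs a redeploy.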

Creating Application Rule

This is the application rule that allows outbound access to

  • Open the <jasparrow>, and select the Test-FW01 firewall.
  • On the Test-FW01 page, under Settings, select Rules.
  • Select the Application rule collection tab.
  • Select Add application rule collection.
  • For Name, type App-Coll01.
  • For Priority, type 200.
  • For Action, select Allow.
  • Under Rules > Target FQDNs, for Name, type Allow-Google.
  • For Source type, select IP address.
  • For Source, type
  • For Protocol:port, type http, https.
  • For Target FQDNs, type
  • Select Add.

Creating Network Rule

This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).

  • Select the Network rule collection tab.
  • Select Add network rule collection.
  • For Name, type Net-Coll01.
  • For Priority, type 200.
  • For Action, select Allow.
  • Under Rules > IP addresses, for Name, type Allow-DNS.
  • For Protocol, select UDP.
  • For Source type, select IP address.
  • For Source, type
  • For Destination type select IP address.
  • For Destination address, type the two addresses; these are public DNS servers operated by CenturyLink.
  • For Destination Ports, type 53.
  • Select Add.

Creating NAT Rule for Testing Traffic

This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.

  • Select the NAT rule collection tab.
  • Select Add NAT rule collection.
  • For Name, type rdp.
  • For Priority, type 200.
  • Under Rules, for Name, type rdp-nat.
  • For Protocol, select TCP.
  • For Source type, select IP address.
  • For Source, type *. Note that this exposes RDP on the firewall's public IP to any source address on the internet; for anything other than a throwaway lab, restrict Source to your own public IP address.
  • For Destination address, type the firewall public IP address.
  • For Destination Ports, type 3389.
  • For Translated address, type the Srv-Work private IP address.
  • For Translated port, type 3389.
  • Select Add.

DNS Configuration & Testing

For testing purposes in this tutorial, configure the server’s primary and secondary DNS addresses. This isn’t a general Azure Firewall requirement.

  • On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the <jasparrow> resource group.
  • Select the network interface for the Srv-Work virtual machine.
  • Under Settings, select DNS servers.
  • Under DNS servers, select Custom.
  • Type the first DNS server address in the Add DNS server text box, and the second address in the next text box.
  • Select Save.
  • Restart the Srv-Work virtual machine.

Test the firewall

Now, test the firewall to confirm that it works as expected.

  • Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.
  • Open Internet Explorer and browse to
  • Select OK > Close on the Internet Explorer security alerts. You should see the Google home page.
  • Browse to any other FQDN; it should be blocked by the firewall.

So now you’ve verified that the firewall rules are working:

  • You can browse to the one allowed FQDN, but not to any others.
  • You can resolve DNS names using the configured external DNS server.
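The results above follow from the order in which Azure Firewall processes classic rules: NAT (DNAT) rule collections are evaluated first, then network rule collections, then application rule collections; within one type, the collection with the lower priority number is processed first; rules are terminating; and a flow that matches nothing is denied. The following Python model is an added example, not Azure's code and not from the original post, that reproduces that order over the three collections created above (App-Coll01, Net-Coll01 and rdp) and shows why the test section behaves as it does. The Workload-SN range, the Srv-Work and firewall addresses, the two DNS server addresses and the target FQDN www.google.com are assumptions: the page elides them, and the FQDN is inferred from the rule name Allow-Google and the expected test result.

```python
"""Model of classic Azure Firewall rule processing for the lab above.

Added example, not Azure's code. Processing order follows the documented
behaviour: NAT (DNAT) rule collections, then network rule collections,
then application rule collections; within one type, lower priority number
first; a flow that matches no rule is denied. Addresses are placeholders.
"""
from dataclasses import dataclass
import ipaddress

WORKLOAD_SN = "10.0.2.0/24"       # assumed Workload-SN range
SRV_WORK = "10.0.2.4"             # assumed Srv-Work private IP
FW_PUBLIC_IP = "198.51.100.10"    # placeholder for the Test-FW01 public IP
DNS_SERVERS = ["203.0.113.53", "203.0.113.54"]  # placeholders for the two DNS servers
APP_PORTS = {"http": 80, "https": 443}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    port: int
    fqdn: str = ""    # HTTP Host header / TLS SNI, when the firewall can see it


@dataclass
class Rule:
    name: str
    protocols: set    # {"tcp"}, {"udp"} or, for application rules, {"http", "https"}
    sources: list     # source CIDRs, or "*" for any
    targets: list     # destination CIDRs (network/NAT rules) or FQDNs (application rules)
    ports: set        # destination ports (unused for application rules)
    translated: tuple = None   # (ip, port) for DNAT rules only


@dataclass
class Collection:
    name: str
    kind: str         # "nat", "network" or "application"
    priority: int     # 100..65000, lower is processed first within a kind
    action: str       # "allow" or "deny"; "dnat" for NAT collections
    rules: list


def _ip_in(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(c == "*" or addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _fqdn_in(fqdn, targets):
    f = fqdn.lower()
    for t in targets:
        t = t.lower()
        if t == "*" or f == t or (t.startswith("*.") and f.endswith(t[1:])):
            return True
    return False


def _matches(kind, rule, flow):
    if not _ip_in(flow.src, rule.sources):
        return False
    if kind == "application":
        # application rules only see HTTP/HTTPS and match on the FQDN, not the IP
        ports = {APP_PORTS[p] for p in rule.protocols}
        return flow.proto == "tcp" and flow.port in ports and _fqdn_in(flow.fqdn, rule.targets)
    return (flow.proto in rule.protocols and flow.port in rule.ports
            and _ip_in(flow.dst, rule.targets))


def evaluate(flow, collections):
    """Return (verdict, rule name) or ("dnat", rule name, (ip, port)) for a flow."""
    for kind in ("nat", "network", "application"):
        same_kind = sorted((c for c in collections if c.kind == kind), key=lambda c: c.priority)
        for coll in same_kind:
            for rule in coll.rules:
                if _matches(kind, rule, flow):
                    if kind == "nat":
                        return ("dnat", rule.name, rule.translated)
                    return (coll.action, rule.name)   # rules are terminating
    return ("deny", "default")   # implicit deny when nothing matches


def lab_collections():
    """The three collections the tutorial creates (App-Coll01, Net-Coll01, rdp)."""
    return [
        Collection("App-Coll01", "application", 200, "allow", [
            Rule("Allow-Google", {"http", "https"}, [WORKLOAD_SN], ["www.google.com"], set())]),
        Collection("Net-Coll01", "network", 200, "allow", [
            Rule("Allow-DNS", {"udp"}, [WORKLOAD_SN], DNS_SERVERS, {53})]),
        Collection("rdp", "nat", 200, "dnat", [
            Rule("rdp-nat", {"tcp"}, ["*"], [FW_PUBLIC_IP], {3389}, (SRV_WORK, 3389))]),
    ]


if __name__ == "__main__":
    cols = lab_collections()
    for flow in (Flow(SRV_WORK, "203.0.113.7", "tcp", 443, "www.google.com"),
                 Flow(SRV_WORK, "203.0.113.8", "tcp", 443, "www.bing.com"),
                 Flow(SRV_WORK, DNS_SERVERS[0], "udp", 53),
                 Flow("192.0.2.10", FW_PUBLIC_IP, "tcp", 3389)):
        print(flow, "->", evaluate(flow, cols))
```

One consequence of the type ordering is worth keeping in mind when extending the lab: a network rule that denies TCP 443 is evaluated before any application rule, so it blocks the allowed FQDN as well, whatever priority number either collection has. That is why the network collection above is kept to UDP/53 and everything web-related is left to the application rules.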

6 thoughts on "Azure Firewall : Deploy, Configure & Control network access"

  1. Tremendous issues here. I’m very satisfied to peer your post. Thank you so much and I am taking a look ahead to contact you. Will you kindly drop me a mail?

  2. Asking questions are really pleasant thing if you are not understanding anything totally, but this post offers fastidious understanding even.

  3. I used to be suggested this web site by way of my cousin. I am no longer certain whether or not this post is written by means of him as no one else realize such specified about my problem. You are wonderful! Thank you!

  4. wonderful points altogether, you just gained a logo new reader.
    What might you suggest about your publish that you just made some
    days in the past? Any sure?

  5. Very well done and written my friend.
    I’ve only just begun writing a blog myself very recently and have seen that many people simply rework old content but add very
    little of worth. It’s terrific to read an educational article of some actual value to your readers and me.

    It’s going down on the list of factors I need to emulate being a new blogger.
    Audience engagement and material value are king.

    Many great ideas; you’ve certainly got on my list of blogs to watch!

    Carry on the great work!
    All the best,
