How to deploy NG Firewall in Microsoft Azure

Overview

NG Firewall supports deployment via Microsoft Azure. NG Firewall for Microsoft Azure is a 64-bit Linux based virtual machine that is launched and managed from the Microsoft Azure Portal. This deployment option is useful for example in decentralized network environments that need to route through a remote VPN gateway to enforce policy management, reporting, content filtering, and other types of network security.

Before you begin

You need a valid Microsoft Azure account before you can deploy NG Firewall in Azure. If you do not have an Azure account you can register here.

Getting Started

Step 1: Select an instance type

Before launching NG Firewall for Microsoft Azure, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.

Licensing

NG Firewall for Microsoft Azure is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of NG Firewall for Microsoft Azure.

Infrastructure

Both licensing options require the selection of Microsoft Azure infrastructure in the form of an instance type. Microsoft Azure instances are available in different sizes to accommodate the performance requirements of your deployment. The sizing table below outlines recommended instance types and their designed usage.

Sizing table

Instance Type	Specifications	Recommended max devices	Recommended storage
D1V2	1 vCPU core 3.5 GB memory	Up to 50 devices	64 GiB Standard SSD
D2V3	2 vCPU cores 8 GB memory	Up to 150 devices	128 GiB Standard SSD
D4V3	4 vCPU cores 16 GB memory	Up to 500 devices	256 GiB Standard SSD
D8V3	8 vCPU cores 32 GB memory	Up to 3000 devices	512 GiB Standard SSD

If you have different infrastructure requirements, you can select from an extended list of instance types. All instance sizes and their associated costs are available through the NG Firewall marketplace listing. For pricing of storage refer to managed disk pricing. 

Step 2: Prepare your networking environment

Before you deploy NG Firewall to your Microsoft Azure environment, you must prepare the virtual networking components. The following instructions describe how to add these components to an example Resource Group called my-resourcegroup.

Create a Route Table

Before you can create a virtual network you need a route table to direct traffic to the Internet from your virtual network. 

To create a Route Table:

1. In the Azure Management Portal, click Create a resource.
2. Click Networking.
3. In the search box type "route table".
4. Select the Microsoft Route Table and click Create.
5. Assign your route table a name and other basic parameters. 
6. Click Review and Create. 

Assign a default route

After you create your Route Table you must add a default route.

To add a default route:

1. Locate your new Route Table resource and edit the configuration.
2. In Settings > Routes click Add.
3. Assign a Route name
4. Choose IP addresses for the Destination type
5. Enter 0.0.0.0/0 for the Destination IP addresses value
6. Choose Internet for the Next hop type.
7. Click Add. 

Create a Network Security Group

A network security group is necessary to permit traffic in and out of your virtual network. In most cases you can create an open security group as the security layer is provided by NG Firewall. You may choose to filter inbound traffic for additional security however in this case you must manage policies in both NG Firewall and your Network Security Group. 

To create a Network Security Group:

1. Click Create a resource.
2. Click Networking.
3. Locate Network Security Group and click Create.
4. Assign your Network Security Group a name and other basic parameters. 
5. Click Review and Create. 

Add Inbound security rules

After you create a Network Security Group you must configure the policy.

To configure security rules in your security group:

1. Locate your new Network Security Group resource and edit the configuration.
2. In Settings > Inbound security rules click Add.
3. To configure an open policy enter * for the Destination port range and keep other values default. 
4. Click Add. 

Create a Virtual Network

A Virtual Network resource enables your virtual machines to communicate with each other and the Internet. When creating a virtual network you must define an Address space and at least one Subnet.

To create a virtual network:

1. Click Create a resource.
2. Click Networking.
3. Locate Virtual network and click Create.

   

4. Configure the virtual network settings to your preference.
5. In the IP Addresses tab configure your IP address space and default subnet.
6. Edit the default subnet.
7. In the Security section choose the Network Security Group and Route Table you created in the previous steps.
8. Click Review and Create.

See the table below for essential values and descriptions.

Setting	Example value	Description
Virtual network name	my-vnet	The name of your virtual network (e.g. my-vnet).
IPv4 Address space	10.2.0.0/16	The IP address space for your virtual network in CIDR notation.
Subscription	Pay-As-You-Go	A subscription associated with your Microsoft Azure account.
Resource group	my-resourcegroup	The resource group to contain your resources.
Region	Central US	The geographic location that contains this resource.
Subnet Name	WAN	The name of your primary, Internet facing subnet.
Address range	10.2.0.0/24	The address range of your primary subnet in CIDR notation.
DDoS protection	Basic	Optional premium paid service to mitigate the impact of DDoS attacks.
Service endpoints	Disabled	Provides a direct connection to Microsoft Azure services. Learn more.
Firewall	Disabled	Creates a Microsoft Azure virtual firewall. This option must be disabled to avoid a conflict with NG Firewall.

Step 3: Deploy NG Firewall

Launch the instance

1. Navigate to the NG Firewall listing in the Microsoft Azure Marketplace.
2. Review the plans and pricing and take note of your selection.
3. Click Get it now.
4. Select either the PAYG or BYOL software plan and click Continue.
5. Click Create.

Configure the instance

Once you begin the process of creating the instance, you must define its parameters. The Basics and Networking steps require attention. The sections below describe the necessary configuration for these steps. All other steps should be reviewed but do not require modification of the default values.

Basics

Setting	Example value	Description
Subscription	Pay-As-You-Go	The subscription option. Choose either PAYG or BYOL.
Resource group	my-resourcegroup	The name of the resource group that this image belongs to. This must be the same resource group as your virtual network.
Virtual machine name	NGFW	The name of this virtual machine.
Region	Central US	The geographic location of this resource. This must be the same region / location as your virtual network.
Availability options	No infrastructure redundancy required	Select if you require redundancy (optional).
Image	Arista NG Firewall PAYG	The image must match the Subscription type (PAYG or BYOL).
Size	Standard F1	Click Change size to select the image size that suits your needs. Refer to the sizing table for guidance.
Authentication type	Password	Choose whether to authenticate via a Certificate or a username and password.
Public inbound ports	None	Choose None. This setting is managed a subsequent step.
Select inbound ports	-	This option is disabled when None is set for the public inbound ports.

Networking

Setting	Example value	Description
Virtual network	my-vnet	Select the virtual network you created in the previous step.
Subnet	WAN (10.2.0.0/24)	Select the primary WAN subnet you created in the previous step.
Public IP	(new) NGFWip350	Allow Microsoft Azure to designate a new public IP address. This is the default option.
NIC network security group	None	Set the NIC network security group to none. NG Firewall uses its own set of inbound firewall rules.
Accelerated networking	Off	This option is not available.
Load Balancing	No	Select whether to use load balancing. Note this option may incur additional costs.

Review + create

Proceed to the Review + create step. Review your configuration including the pricing and terms. If everything is correct, click Create.

Note: It may take several minutes to create your new instance. Wait until the process is complete before proceeding to the next step.

Expand your OS disk size

NG Firewall deploys with a 3 GiB Operating System volume. It is necessary to increase this disk size to suit your needs. The minimum suggested disk size is 32 GiB. Refer to the managed disk pricing for associated costs.

To increase the disk size:

1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
2. Click Stop to deallocate your virtual machine.
3. Click Disks to access the OS disk for your instance. 
4. Click the OS disk item.
5. Click Configuration to access its settings.
6. Enter the size you want to use. Refer to the sizing guide for recommended sizes based on the number of devices. 
7. Click Save. 
8. Return to the Overview screen of your virtual appliance and click Start.

Note: After increasing the disk size, the virtual machine may take a while to boot. During this time the operating system expands the partition into the available space. Depending on the size of the disk, this operation may take up to an hour or more.

Assign a hostname to the instance

In order to use services such as VPN, your instance must have a fully qualified hostname. The easiest way to create a hostname is to use a DNS name label through the Microsoft Azure DNS service.

To create a DNS name label:

1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
2. Click Networking.
3. Click your NIC Public IP (e.g. NGFWip350).
4. Click Configuration to access the IP and DNS configuration for your public IP address.
5. Enter a DNS name label and click Save.

NOTE: You can also use a fully qualified hostname based on your own domain. For this type of configuration, consider choosing the static IP address assignment option and pointing your hostname to the static IP address. Alternatively, you can set up dynamic DNS.

Add an internal network

You can protect other Azure instances by adding a subnet and an internal network interface to your NG Firewall instance. This use case involves multiple steps. Refer to Configuring NG Firewall to protect instances in Microsoft Azure for detailed guidance. 

Step 4. Connect to your instance

After the deployment is complete and you have assigned a hostname, you can connect to your NG Firewall instance.

1. In the Overview page of your virtual machine, locate and copy the DNS name.
2. In a web browser go to the DNS name using HTTPS.
3. Proceed through the security certificate warning to access the NG Firewall login page.
4. Enter the instance name as the password and click Login.

NOTE: The default password is the name you assigned to the instance. For example NGFW.

Step 5. Configure NG Firewall for Microsoft Azure

After you log in to your NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.

Internet Hostname

Components such as location services, notifications, and VPN profiles require knowledge of the Internet routable IP address that associates to the external interface of your instance. In Microsoft Azure, instances use privately routable IP addresses and do not attach directly to the Internet. Therefore you must configure NG Firewall with the hostname you designated to your instance.

To configure your NG Firewall hostname:

1. Navigate to Config > Network in the NG Firewall web administration.
2. In the Hostname field, set the unqualified part of your hostname (e.g. my-ngfw).
3. In the Domain Name field, set the qualified part of your Public DNS (e.g. centralus.cloudapp.azure.com).

NOTE: If you set up a hostname using your own domain name, enter it here.

4. Select Use Hostname.

VPN Server

After you complete the setup wizard and define a hostname, you can begin the VPN configuration of NG Firewall for Microsoft Azure. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.

You can configure WireGuard, IPsec VPN, and OpenVPN.

• To set up WireGuard VPN see Setting up WireGuard VPN Site-to-Site Connections in NG Firewall and Setting up WireGuard VPN on roaming devices. 
• To set up IPsec VPN see configuring NG Firewall for IPsec Tunnels.
• To set up OpenVPN see Configure and deploy OpenVPN clients for remote users.

Next steps

Once you have set up the basic configuration, you can proceed to configure other apps to control bandwidth, filter content, block malware, detect intrusions, and so on. The following links provide additional information.

• Firewall
• Application Control
• Web Filter
• Reports
• Policy Manager
• Intrusion Prevention
• Bandwidth Control

Follow