How to deploy NG Firewall in Microsoft Azure

Overview

NG Firewall supports deployment via Microsoft Azure. NG Firewall for Microsoft Azure is a 64-bit Linux-based virtual machine that is launched and managed from the Microsoft Azure Portal. This deployment option is useful, for example, in decentralized network environments that need to route through a remote VPN gateway to enforce policy management, reporting, content filtering, and other types of network security.

Before you begin

You need a valid Microsoft Azure account before you can deploy NG Firewall in Azure. If you do not have an Azure account you can register here.

Getting Started

Step 1: Select an instance type

Before launching NG Firewall for Microsoft Azure, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.

Licensing

NG Firewall for Microsoft Azure is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of NG Firewall for Microsoft Azure.

Infrastructure

Both licensing options require the selection of Microsoft Azure infrastructure in the form of an instance type. Microsoft Azure instances are available in different sizes to accommodate the performance requirements of your deployment. The sizing table below outlines recommended instance types and their designed usage.

Sizing table

Instance Type | Specifications             | Recommended max devices | Recommended storage
D1V2          | 1 vCPU core, 3.5 GB memory | Up to 50 devices        | 64 GiB Standard SSD
D2V3          | 2 vCPU cores, 8 GB memory  | Up to 150 devices       | 128 GiB Standard SSD
D4V3          | 4 vCPU cores, 16 GB memory | Up to 500 devices       | 256 GiB Standard SSD
D8V3          | 8 vCPU cores, 32 GB memory | Up to 3000 devices      | 512 GiB Standard SSD

If you have different infrastructure requirements, you can select from an extended list of instance types. All instance sizes and their associated costs are available through the NG Firewall marketplace listing. For storage pricing, refer to managed disk pricing.

Step 2: Prepare your networking environment

Before you deploy NG Firewall to your Microsoft Azure environment, you must prepare the virtual networking components. The following instructions describe how to add these components to an example Resource Group called my-resourcegroup.

Create a Route Table

Before you can create a virtual network, you need a route table to direct traffic from your virtual network to the Internet.

To create a Route Table:

  1. In the Azure Management Portal, click Create a resource.
  2. Click Networking.
  3. In the search box type "route table".
  4. Select the Microsoft Route Table and click Create.
  5. Assign your route table a name and other basic parameters.
  6. Click Review and Create.


Assign a default route

After you create your Route Table you must add a default route.

To add a default route:

  1. Locate your new Route Table resource and edit the configuration.
  2. In Settings > Routes click Add.
  3. Assign a Route name.
  4. Choose IP addresses for the Destination type.
  5. Enter 0.0.0.0/0 for the Destination IP addresses value.
  6. Choose Internet for the Next hop type.
  7. Click Add.


Create a Network Security Group

A network security group is necessary to permit traffic in and out of your virtual network. In most cases you can create an open security group, as the security layer is provided by NG Firewall. You may choose to filter inbound traffic for additional security; however, in this case you must manage policies in both NG Firewall and your Network Security Group.

To create a Network Security Group:

  1. Click Create a resource.
  2. Click Networking.
  3. Locate Network Security Group and click Create.
  4. Assign your Network Security Group a name and other basic parameters.
  5. Click Review and Create.

Add Inbound security rules

After you create a Network Security Group you must configure the policy.

To configure security rules in your security group:

  1. Locate your new Network Security Group resource and edit the configuration.
  2. In Settings > Inbound security rules click Add.
  3. To configure an open policy, enter * for the Destination port range and keep the other values at their defaults.
  4. Click Add.

Create a Virtual Network

A Virtual Network resource enables your virtual machines to communicate with each other and the Internet. When creating a virtual network you must define an Address space and at least one Subnet.

To create a virtual network:

  1. Click Create a resource.
  2. Click Networking.
  3. Locate Virtual network and click Create.
  4. Configure the virtual network settings to your preference.
  5. In the IP Addresses tab configure your IP address space and default subnet.
  6. Edit the default subnet.
  7. In the Security section choose the Network Security Group and Route Table you created in the previous steps.
  8. Click Review and Create.


See the table below for essential values and descriptions.

Setting              | Example value    | Description
Virtual network name | my-vnet          | The name of your virtual network (e.g. my-vnet).
IPv4 Address space   | 10.2.0.0/16      | The IP address space for your virtual network in CIDR notation.
Subscription         | Pay-As-You-Go    | A subscription associated with your Microsoft Azure account.
Resource group       | my-resourcegroup | The resource group to contain your resources.
Region               | Central US       | The geographic location that contains this resource.
Subnet Name          | WAN              | The name of your primary, Internet-facing subnet.
Address range        | 10.2.0.0/24      | The address range of your primary subnet in CIDR notation.
DDoS protection      | Basic            | Optional premium paid service to mitigate the impact of DDoS attacks.
Service endpoints    | Disabled         | Provides a direct connection to Microsoft Azure services.
Firewall             | Disabled         | Creates a Microsoft Azure virtual firewall. This option must be disabled to avoid a conflict with NG Firewall.
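The Step 2 components above can also be created with the Azure CLI instead of the portal. The script below is an added example, not part of the original article; it uses the article's example values (my-resourcegroup, my-vnet, WAN, 10.2.0.0/16, 10.2.0.0/24, Central US) and assumes the names ngfw-rt and ngfw-nsg for the route table and network security group.

```shell
#!/bin/sh
# Added example: creates the Step 2 networking components with the Azure CLI.
# ngfw-rt and ngfw-nsg are assumed names; the rest are the article's example values.
# Set AZ=echo to print the commands instead of running them.
AZ="${AZ:-az}"
RG="${RG:-my-resourcegroup}"
LOCATION="${LOCATION:-centralus}"
VNET="${VNET:-my-vnet}"
VNET_PREFIX="${VNET_PREFIX:-10.2.0.0/16}"
SUBNET="${SUBNET:-WAN}"
SUBNET_PREFIX="${SUBNET_PREFIX:-10.2.0.0/24}"
RT="${RT:-ngfw-rt}"
NSG="${NSG:-ngfw-nsg}"

# Route table with a default route (0.0.0.0/0) whose next hop is the Internet.
create_route_table() {
  "$AZ" network route-table create -g "$RG" -n "$RT" -l "$LOCATION" -o none
  "$AZ" network route-table route create -g "$RG" --route-table-name "$RT" \
    -n default-internet --address-prefix 0.0.0.0/0 --next-hop-type Internet -o none
}

# Open inbound rule: NG Firewall enforces policy, so the NSG only passes traffic through.
# Pass a source CIDR as $1 to restrict inbound traffic at the NSG as well (then policy
# must be kept in sync in both places, as the article notes); default is '*'.
create_nsg() {
  src="${1:-*}"
  "$AZ" network nsg create -g "$RG" -n "$NSG" -l "$LOCATION" -o none
  "$AZ" network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-inbound \
    --priority 100 --direction Inbound --access Allow --protocol '*' \
    --source-address-prefixes "$src" --destination-port-ranges '*' -o none
}

# Virtual network with the WAN subnet, then attach the NSG and route table to that subnet.
create_vnet() {
  "$AZ" network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" \
    --address-prefix "$VNET_PREFIX" --subnet-name "$SUBNET" \
    --subnet-prefixes "$SUBNET_PREFIX" -o none
  "$AZ" network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group "$NSG" --route-table "$RT" -o none
}

prepare_network() {
  create_route_table
  create_nsg "$@"
  create_vnet
}

# Run only when invoked as "sh prepare-network.sh deploy [source-cidr]".
if [ "${1:-}" = "deploy" ]; then shift; prepare_network "$@"; fi
```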

Step 3: Deploy NG Firewall

Launch the instance

  1. Navigate to the NG Firewall listing in the Microsoft Azure Marketplace.
  2. Review the plans and pricing and take note of your selection.
  3. Click Get it now.
  4. Select either the PAYG or BYOL software plan and click Continue.
  5. Click Create.

Configure the instance

Once you begin the process of creating the instance, you must define its parameters. The Basics and Networking steps require attention. The sections below describe the necessary configuration for these steps. All other steps should be reviewed but do not require modification of the default values.

Basics

Setting              | Example value                         | Description
Subscription         | Pay-As-You-Go                         | The subscription option. Choose either PAYG or BYOL.
Resource group       | my-resourcegroup                      | The name of the resource group that this image belongs to. This must be the same resource group as your virtual network.
Virtual machine name | NGFW                                  | The name of this virtual machine.
Region               | Central US                            | The geographic location of this resource. This must be the same region / location as your virtual network.
Availability options | No infrastructure redundancy required | Select if you require redundancy (optional).
Image                | Arista NG Firewall PAYG               | The image must match the Subscription type (PAYG or BYOL).
Size                 | Standard F1                           | Click Change size to select the image size that suits your needs. Refer to the sizing table for guidance.
Authentication type  | Password                              | Choose whether to authenticate via a Certificate or a username and password.
Public inbound ports | None                                  | Choose None. This setting is managed in a subsequent step.
Select inbound ports | -                                     | This option is disabled when None is set for the public inbound ports.

Networking

Setting                    | Example value     | Description
Virtual network            | my-vnet           | Select the virtual network you created in the previous step.
Subnet                     | WAN (10.2.0.0/24) | Select the primary WAN subnet you created in the previous step.
Public IP                  | (new) NGFWip350   | Allow Microsoft Azure to designate a new public IP address. This is the default option.
NIC network security group | None              | Set the NIC network security group to None. NG Firewall uses its own set of inbound firewall rules.
Accelerated networking     | Off               | This option is not available.
Load Balancing             | No                | Select whether to use load balancing. Note this option may incur additional costs.


Review + create

Proceed to the Review + create step. Review your configuration including the pricing and terms. If everything is correct, click Create.

Note: It may take several minutes to create your new instance. Wait until the process is complete before proceeding to the next step.

Expand your OS disk size

NG Firewall deploys with a 3 GiB Operating System volume. It is necessary to increase this disk size to suit your needs. The minimum suggested disk size is 32 GiB. Refer to the managed disk pricing for associated costs.

To increase the disk size:

  1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
  2. Click Stop to deallocate your virtual machine.
  3. Click Disks to access the OS disk for your instance.
  4. Click the OS disk item.
  5. Click Configuration to access its settings.
  6. Enter the size you want to use. Refer to the sizing guide for recommended sizes based on the number of devices.
  7. Click Save.
  8. Return to the Overview screen of your virtual appliance and click Start.

Note: After increasing the disk size, the virtual machine may take a while to boot. During this time the operating system expands the partition into the available space. Depending on the size of the disk, this operation may take up to an hour or more.

Assign a hostname to the instance

In order to use services such as VPN, your instance must have a fully qualified hostname. The easiest way to create a hostname is to use a DNS name label through the Microsoft Azure DNS service.

To create a DNS name label:

  1. Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
  2. Click Networking.
  3. Click your NIC Public IP (e.g. NGFWip350).
  4. Click Configuration to access the IP and DNS configuration for your public IP address.
  5. Enter a DNS name label and click Save.

NOTE: You can also use a fully qualified hostname based on your own domain. For this type of configuration, consider choosing the static IP address assignment option and pointing your hostname to the static IP address. Alternatively, you can set up dynamic DNS.
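The disk expansion and DNS name label steps above can be scripted with the Azure CLI. This is an added example, not from the original article; it uses the article's example names my-resourcegroup and NGFW, and the public IP resource name is passed in by the caller (the portal generates one such as NGFWip350).

```shell
#!/bin/sh
# Added example: post-deployment steps from Step 3 with the Azure CLI.
# my-resourcegroup and NGFW are the article's example values.
# Set AZ=echo to print the commands instead of running them.
AZ="${AZ:-az}"
RG="${RG:-my-resourcegroup}"
VM="${VM:-NGFW}"

# Grow the 3 GiB OS disk. Azure only resizes the disk of a deallocated VM, so the VM is
# stopped first; NG Firewall expands its partition on the next boot, which can take a
# while for large disks. Refuses sizes below the article's suggested 32 GiB minimum.
resize_os_disk() {
  size_gb="$1"
  [ "${size_gb:-0}" -ge 32 ] 2>/dev/null || {
    echo "OS disk size must be at least 32 GiB" >&2
    return 1
  }
  "$AZ" vm deallocate -g "$RG" -n "$VM" -o none
  disk=$("$AZ" vm show -g "$RG" -n "$VM" --query storageProfile.osDisk.name -o tsv)
  "$AZ" disk update -g "$RG" -n "$disk" --size-gb "$size_gb" -o none
  "$AZ" vm start -g "$RG" -n "$VM" -o none
}

# Assign a DNS name label to the VM's public IP so the instance has a fully qualified
# hostname for VPN use; prints the resulting FQDN (e.g. <label>.centralus.cloudapp.azure.com).
set_dns_label() {
  pip="$1"
  label="$2"
  "$AZ" network public-ip update -g "$RG" -n "$pip" --dns-name "$label" -o none
  "$AZ" network public-ip show -g "$RG" -n "$pip" --query dnsSettings.fqdn -o tsv
}

# Usage: sh post-deploy.sh <os-disk-gb> <public-ip-name> <dns-label>
if [ $# -eq 3 ]; then
  resize_os_disk "$1"
  set_dns_label "$2" "$3"
fi
```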

Add an internal network

You can protect other Azure instances by adding a subnet and an internal network interface to your NG Firewall instance. This use case involves multiple steps. Refer to Configuring NG Firewall to protect instances in Microsoft Azure for detailed guidance. 

Step 4. Connect to your instance

After the deployment is complete and you have assigned a hostname, you can connect to your NG Firewall instance.

  1. In the Overview page of your virtual machine, locate and copy the DNS name.
  2. In a web browser go to the DNS name using HTTPS.
  3. Proceed through the security certificate warning to access the NG Firewall login page.
  4. Enter the instance name as the password and click Login.

NOTE: The default password is the name you assigned to the instance. For example NGFW.

Step 5. Configure NG Firewall for Microsoft Azure

After you log in to your NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.

Internet Hostname

Components such as location services, notifications, and VPN profiles require knowledge of the Internet-routable IP address associated with the external interface of your instance. In Microsoft Azure, instances use privately routable IP addresses and do not attach directly to the Internet. Therefore you must configure NG Firewall with the hostname you assigned to your instance.

To configure your NG Firewall hostname:

  1. Navigate to Config > Network in the NG Firewall web administration.
  2. In the Hostname field, set the unqualified part of your hostname (e.g. my-ngfw).
  3. In the Domain Name field, set the qualified part of your Public DNS (e.g. centralus.cloudapp.azure.com).

NOTE: If you set up a hostname using your own domain name, enter it here.

  4. Select Use Hostname.

VPN Server

After you complete the setup wizard and define a hostname, you can begin the VPN configuration of NG Firewall for Microsoft Azure. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.

You can configure WireGuard, IPsec VPN, and OpenVPN.

Next steps

Once you have set up the basic configuration, you can proceed to configure other apps to control bandwidth, filter content, block malware, detect intrusions, and so on. The following links provide additional information.


Comments

2 comments

  • Stevenrpearson

    It seems that it may be necessary to resize the OS disk to something larger than the default after the initial deployment, otherwise you end up with only 3 GB of total disk space, of which only around 900 MB are available (maybe less depending on installed apps). It seems this is the case regardless of which VM "size" option is selected; however, in my case I've selected an Azure D4v3 deployment.

  • Brian Carmichael

    Thanks Steven, yes you're right. I'll see if we can adjust the deployment to use the corresponding disk size for the instance type. I tested the process to modify the size of the disk in the configuration and NGFW did expand the partition to fit the disk size. I will add this information to the article.
