How to deploy NG Firewall in Microsoft Azure
Overview
NG Firewall supports deployment via Microsoft Azure. NG Firewall for Microsoft Azure is a 64-bit Linux based virtual machine that is launched and managed from the Microsoft Azure Portal. This deployment option is useful, for example, in decentralized network environments that need to route through a remote VPN gateway to enforce policy management, reporting, content filtering, and other types of network security.
Before you begin
You need a valid Microsoft Azure account before you can deploy NG Firewall in Azure. If you do not have an Azure account you can register here.
Getting Started
Step 1: Select an instance type
Before launching NG Firewall for Microsoft Azure, it is necessary to determine the type of licensing model and infrastructure that is appropriate for your intended usage.
Licensing
NG Firewall for Microsoft Azure is available as either a Pay-As-You-Go (PAYG) subscription or Bring-Your-Own-License (BYOL). The PAYG option combines the cost of software licensing and infrastructure into one monthly bill. The BYOL option enables you to deploy an unlicensed version of NG Firewall for Microsoft Azure.
Infrastructure
Both licensing options require the selection of Microsoft Azure infrastructure in the form of an instance type. Microsoft Azure instances are available in different sizes to accommodate the performance requirements of your deployment. The sizing table below outlines recommended instance types and their designed usage.
Sizing table
| Instance Type | Specifications | Recommended max devices | Recommended storage |
|---|---|---|---|
| D1V2 | 1 vCPU core, 3.5 GB memory | Up to 50 devices | 64 GiB Standard SSD |
| D2V3 | 2 vCPU cores, 8 GB memory | Up to 150 devices | 128 GiB Standard SSD |
| D4V3 | 4 vCPU cores, 16 GB memory | Up to 500 devices | 256 GiB Standard SSD |
| D8V3 | 8 vCPU cores | Up to 3000 devices | 512 GiB Standard SSD |
If you have different infrastructure requirements, you can select from an extended list of instance types. All instance sizes and their associated costs are available through the NG Firewall marketplace listing. For pricing of storage refer to managed disk pricing.
Step 2: Prepare your networking environment
Before you deploy NG Firewall to your Microsoft Azure environment, you must prepare the virtual networking components. The following instructions describe how to add these components to an example Resource Group called my-resourcegroup.
Create a Route Table
Before you can create a virtual network, you need a route table to direct traffic from your virtual network to the Internet.
To create a Route Table:
- In the Azure Management Portal, click Create a resource.
- Click Networking.
- In the search box type "route table".
- Select the Microsoft Route Table and click Create.
- Assign your route table a name and other basic parameters.
- Click Review and Create.
Assign a default route
After you create your Route Table you must add a default route.
To add a default route:
- Locate your new Route Table resource and edit the configuration.
- In Settings > Routes click Add.
- Assign a Route name.
- Choose IP addresses for the Destination type.
- Enter 0.0.0.0/0 for the Destination IP addresses value.
- Choose Internet for the Next hop type.
- Click Add.
Create a Network Security Group
A Network Security Group is necessary to permit traffic in and out of your virtual network. In most cases you can create an open security group, as the security layer is provided by NG Firewall. You may choose to filter inbound traffic for additional security; however, in that case you must manage policies in both NG Firewall and your Network Security Group.
To create a Network Security Group:
- Click Create a resource.
- Click Networking.
- Locate Network Security Group and click Create.
- Assign your Network Security Group a name and other basic parameters.
- Click Review and Create.
Add Inbound security rules
After you create a Network Security Group you must configure the policy.
To configure security rules in your security group:
- Locate your new Network Security Group resource and edit the configuration.
- In Settings > Inbound security rules click Add.
- To configure an open policy enter * for the Destination port range and keep other values default.
- Click Add.
Create a Virtual Network
A Virtual Network resource enables your virtual machines to communicate with each other and the Internet. When creating a virtual network you must define an Address space and at least one Subnet.
To create a virtual network:
- Click Create a resource.
- Click Networking.
- Locate Virtual network and click Create.
- Configure the virtual network settings to your preference.
- In the IP Addresses tab configure your IP address space and default subnet.
- Edit the default subnet.
- In the Security section choose the Network Security Group and Route Table you created in the previous steps.
- Click Review and Create.
See the table below for essential values and descriptions.
| Setting | Example value | Description |
|---|---|---|
| Virtual network name | my-vnet | The name of your virtual network (e.g. my-vnet). |
| IPv4 Address space | 10.2.0.0/16 | The IP address space for your virtual network in CIDR notation. |
| Subscription | Pay-As-You-Go | A subscription associated with your Microsoft Azure account. |
| Resource group | my-resourcegroup | The resource group to contain your resources. |
| Region | Central US | The geographic location that contains this resource. |
| Subnet Name | WAN | The name of your primary, Internet-facing subnet. |
| Address range | 10.2.0.0/24 | The address range of your primary subnet in CIDR notation. |
| DDoS protection | Basic | Optional premium paid service to mitigate the impact of DDoS attacks. |
| Service endpoints | Disabled | Provides a direct connection to Microsoft Azure services. |
| Firewall | Disabled | Creates a Microsoft Azure virtual firewall. This option must be disabled to avoid a conflict with NG Firewall. |
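The whole of Step 2 (route table with default route, open Network Security Group, virtual network with the WAN subnet and both attached to it) can also be done from the Azure CLI. The script below is an added example, not part of the article; it keeps the article's names (my-resourcegroup, my-vnet, WAN, 10.2.0.0/16, 10.2.0.0/24) and assumes the route table and NSG names ngfw-rt and ngfw-nsg. It prints the commands unless AZ_APPLY=1 is set, so the plan can be reviewed first.

```shell
#!/usr/bin/env bash
# Added example (not from the article): the Step 2 portal procedure as Azure CLI
# calls. Names other than my-resourcegroup, my-vnet, WAN and 10.2.0.0/x are assumed.
set -eu

RG=my-resourcegroup
LOC=centralus
RT=ngfw-rt            # assumed route table name
NSG=ngfw-nsg          # assumed network security group name
VNET=my-vnet
VNET_CIDR=10.2.0.0/16
SUBNET=WAN
SUBNET_CIDR=10.2.0.0/24

# Set AZ_APPLY=1 to execute through the Azure CLI; by default each command is
# printed instead (dry run) so the plan can be reviewed before resources are created.
az_run() {
  if [ "${AZ_APPLY:-0}" = 1 ]; then az "$@"; else echo "az $*"; fi
}

# Route table with one default route whose next hop is the Internet.
create_route_table() {
  az_run network route-table create -g "$RG" -n "$RT" -l "$LOC"
  az_run network route-table route create -g "$RG" --route-table-name "$RT" \
    -n default-internet --address-prefix 0.0.0.0/0 --next-hop-type Internet
}

# Open inbound rule (destination port range '*'): NG Firewall enforces the policy.
# To filter inbound traffic at this layer instead, narrow --destination-port-ranges
# and --source-address-prefixes and keep the NSG and NG Firewall rules in step.
create_nsg() {
  az_run network nsg create -g "$RG" -n "$NSG" -l "$LOC"
  az_run network nsg rule create -g "$RG" --nsg-name "$NSG" -n allow-all-inbound \
    --priority 100 --direction Inbound --access Allow --protocol '*' \
    --source-address-prefixes '*' --destination-port-ranges '*'
}

# Virtual network with the WAN subnet, then attach the NSG and route table to
# that subnet (the Security section of the portal's subnet editor).
create_vnet() {
  az_run network vnet create -g "$RG" -n "$VNET" -l "$LOC" \
    --address-prefix "$VNET_CIDR" --subnet-name "$SUBNET" --subnet-prefix "$SUBNET_CIDR"
  az_run network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --network-security-group "$NSG" --route-table "$RT"
}

create_route_table
create_nsg
create_vnet
```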
Step 3: Deploy NG Firewall
Launch the instance
- Navigate to the NG Firewall listing in the Microsoft Azure Marketplace.
- Review the plans and pricing and take note of your selection.
- Click Get it now.
- Select either the PAYG or BYOL software plan and click Continue.
- Click Create.
Configure the instance
Once you begin the process of creating the instance, you must define its parameters. The Basics and Networking steps require attention. The sections below describe the necessary configuration for these steps. All other steps should be reviewed but do not require modification of the default values.
Basics
| Setting | Example value | Description |
|---|---|---|
| Subscription | Pay-As-You-Go | The subscription option. Choose either PAYG or BYOL. |
| Resource group | my-resourcegroup | The name of the resource group that this image belongs to. This must be the same resource group as your virtual network. |
| Virtual machine name | NGFW | The name of this virtual machine. |
| Region | Central US | The geographic location of this resource. This must be the same region / location as your virtual network. |
| Availability options | No infrastructure redundancy required | Select if you require redundancy (optional). |
| Image | Arista NG Firewall PAYG | The image must match the Subscription type (PAYG or BYOL). |
| Size | Standard F1 | Click Change size to select the image size that suits your needs. Refer to the sizing table for guidance. |
| Authentication type | Password | Choose whether to authenticate via a Certificate or a username and password. |
| Public inbound ports | None | Choose None. This setting is managed in a subsequent step. |
| Select inbound ports | - | This option is disabled when None is set for the public inbound ports. |
Networking
| Setting | Example value | Description |
|---|---|---|
| Virtual network | my-vnet | Select the virtual network you created in the previous step. |
| Subnet | WAN (10.2.0.0/24) | Select the primary WAN subnet you created in the previous step. |
| Public IP | (new) NGFWip350 | Allow Microsoft Azure to designate a new public IP address. This is the default option. |
| NIC network security group | None | Set the NIC network security group to None. NG Firewall uses its own set of inbound firewall rules. |
| Accelerated networking | Off | This option is not available. |
| Load Balancing | No | Select whether to use load balancing. Note this option may incur additional costs. |
Review + create
Proceed to the Review + create step. Review your configuration including the pricing and terms. If everything is correct, click Create.
Note: It may take several minutes to create your new instance. Wait until the process is complete before proceeding to the next step.
Expand your OS disk size
NG Firewall deploys with a 3 GiB Operating System volume. It is necessary to increase this disk size to suit your needs. The minimum suggested disk size is 32 GiB. Refer to the managed disk pricing for associated costs.
To increase the disk size:
- Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
- Click Stop to deallocate your virtual machine.
- Click Disks to access the OS disk for your instance.
- Click the OS disk item.
- Click Configuration to access its settings.
- Enter the size you want to use. Refer to the sizing guide for recommended sizes based on the number of devices.
- Click Save.
- Return to the Overview screen of your virtual appliance and click Start.
Note: After increasing the disk size, the virtual machine may take a while to boot. During this time the operating system expands the partition into the available space. Depending on the size of the disk, this operation may take up to an hour or more.
Assign a hostname to the instance
In order to use services such as VPN, your instance must have a fully qualified hostname. The easiest way to create a hostname is to use a DNS name label through the Microsoft Azure DNS service.
To create a DNS name label:
- Locate your new virtual machine resource in the Virtual Machines page of the Microsoft Azure management portal.
- Click Networking.
- Click your NIC Public IP (e.g. NGFWip350).
- Click Configuration to access the IP and DNS configuration for your public IP address.
- Enter a DNS name label and click Save.
NOTE: You can also use a fully qualified hostname based on your own domain. For this type of configuration, consider choosing the static IP address assignment option and pointing your hostname to the static IP address. Alternatively, you can set up dynamic DNS.
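The two post-deployment procedures above (expanding the OS disk and assigning a DNS name label) as an added Azure CLI example that is not part of the article. It uses the VM name NGFW and public IP NGFWip350 from the tables above; the OS disk name NGFW_OsDisk_1 and the DNS label my-ngfw are assumed placeholders, and commands are printed rather than executed unless AZ_APPLY=1 is set.

```shell
#!/usr/bin/env bash
# Added example (not from the article): expand the OS disk and add a DNS name
# label with the Azure CLI. VM name NGFW and public IP NGFWip350 follow the
# article's tables; the OS disk name and the DNS label are assumed values.
set -eu

RG=my-resourcegroup
VM=NGFW
PIP=NGFWip350
# Assumed OS disk name; read the real one with:
#   az vm show -g "$RG" -n "$VM" --query storageProfile.osDisk.name -o tsv
OSDISK=${OSDISK:-NGFW_OsDisk_1}
LABEL=my-ngfw    # assumed DNS name label

# Set AZ_APPLY=1 to execute through the Azure CLI; by default each command is
# printed instead (dry run).
az_run() {
  if [ "${AZ_APPLY:-0}" = 1 ]; then az "$@"; else echo "az $*"; fi
}

# Grow the OS disk: the VM must be deallocated (Stop) first, and the size must
# not be below the article's 32 GiB minimum. Managed disks can only grow, so
# pick the size from the sizing table rather than resizing repeatedly.
expand_os_disk() {
  size_gb=$1
  if [ "$size_gb" -lt 32 ]; then
    echo "OS disk size must be at least 32 GiB (got $size_gb)" >&2
    return 1
  fi
  az_run vm deallocate -g "$RG" -n "$VM"
  az_run disk update -g "$RG" -n "$OSDISK" --size-gb "$size_gb"
  az_run vm start -g "$RG" -n "$VM"   # first boot expands the partition
}

# DNS name label on the public IP; the FQDN becomes
# <label>.<region>.cloudapp.azure.com (e.g. my-ngfw.centralus.cloudapp.azure.com).
set_dns_label() {
  az_run network public-ip update -g "$RG" -n "$PIP" --dns-name "$1"
}

expand_os_disk 64      # 64 GiB: the sizing table's value for a D1V2 instance
set_dns_label "$LABEL"
```

The resulting FQDN is what Step 5 expects in the Hostname and Domain Name fields.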
Add an internal network
You can protect other Azure instances by adding a subnet and an internal network interface to your NG Firewall instance. This use case involves multiple steps. Refer to Configuring NG Firewall to protect instances in Microsoft Azure for detailed guidance.
Step 4. Connect to your instance
After the deployment is complete and you have assigned a hostname, you can connect to your NG Firewall instance.
- In the Overview page of your virtual machine, locate and copy the DNS name.
- In a web browser go to the DNS name using HTTPS.
- Proceed through the security certificate warning to access the NG Firewall login page.
- Enter the instance name as the password and click Login.
NOTE: The default password is the name you assigned to the instance. For example NGFW.
Step 5. Configure NG Firewall for Microsoft Azure
After you log in to your NG Firewall for the first time, select the language and proceed with the initial configuration provided by the Setup Wizard.
Internet Hostname
Components such as location services, notifications, and VPN profiles require knowledge of the Internet-routable IP address associated with the external interface of your instance. In Microsoft Azure, instances use privately routable IP addresses and are not attached directly to the Internet. Therefore you must configure NG Firewall with the hostname you assigned to your instance.
To configure your NG Firewall hostname:
- Navigate to Config > Network in the NG Firewall web administration.
- In the Hostname field, set the unqualified part of your hostname (e.g. my-ngfw).
- In the Domain Name field, set the qualified part of your Public DNS (e.g. centralus.cloudapp.azure.com).
NOTE: If you set up a hostname using your own domain name, enter it here.
- Select Use Hostname.
VPN Server
After you complete the setup wizard and define a hostname, you can begin the VPN configuration of NG Firewall for Microsoft Azure. The VPN server enables remote hosts and networks to create a secure tunnel that routes traffic through the NG Firewall to access the Internet.
You can configure WireGuard, IPsec VPN, and OpenVPN.
- To set up WireGuard VPN see Setting up WireGuard VPN Site-to-Site Connections in NG Firewall and Setting up WireGuard VPN on roaming devices.
- To set up IPsec VPN see configuring NG Firewall for IPsec Tunnels.
- To set up OpenVPN see Configure and deploy OpenVPN clients for remote users.
Next steps
Once you have set up the basic configuration, you can proceed to configure other apps to control bandwidth, filter content, block malware, detect intrusions, and so on. The following links provide additional information.
- Firewall
- Application Control
- Web Filter
- Reports
- Policy Manager
- Intrusion Prevention
- Bandwidth Control
Comments
It seems that it may be necessary to resize the OS disk to something larger than the default after the initial deployment, otherwise you end up with only 3 GB of total disk space of which only around 900 MB are available (maybe less depending on installed apps). It seems this is the case regardless of which VM "size" option is selected; however, in my case I've selected an Azure D4v3 deployment.
Thanks Steven, yes you're right. I'll see if we can adjust the deployment to use the corresponding disk size for the instance type. I tested the process to modify the size of the disk in the configuration and NGFW did expand the partition to fit the disk size. I will add this information to the article.