Configuring NG Firewall to protect instances in Microsoft Azure

Overview

An NG Firewall deployment in Azure can manage and secure Internet access for other Azure instances. This scenario is useful if, for example, you run Windows Virtual Desktop instances and need to apply Intrusion Prevention, Content Filtering, Bandwidth Control, and other next-generation firewall capabilities to them. This type of deployment requires a virtual network configuration that establishes an internal subnet for the Azure instances and routes it through NG Firewall.

Diagram illustrating NG Firewall in relation to Azure instances and remote networks.

Before you begin

Configuring the virtual network

To secure internet access for other Azure instances, you must configure your virtual network with a private subnet that routes traffic through the NG Firewall instance. This involves the following steps:

Step 1. Create a route table

Create a route table to facilitate routing within your private subnet.

  1. In the Microsoft Azure Portal, click Create a resource.
  2. Type route table into the search box and click the resource to open the setup wizard.
  3. Assign a Name to your route table (e.g. NGFW-route). 
  4. Select the same Subscription, Resource group, and Location as your virtual network (e.g. my-resourcegroup).
  5. Disable BGP route propagation unless you prefer to enable automatic route exchange with your remote networks.
  6. Click Create.


Step 2. Create a private subnet

Create a private subnet to allocate address space for instances on the virtual network. The following steps define a new subnet based on an address pool of 10.2.0.0/16 belonging to a virtual network called my-vnet.

  1. In the Microsoft Azure Portal, access the configuration of your virtual network by typing its name (e.g. my-vnet) into the search box at the top.
  2. In the Overview page, take note of the Address space available in your virtual network.
  3. Click Subnets from the menu of options beneath your virtual network.
  4. Determine a subnet range that is within your address space, does not conflict with an existing subnet, and is large enough to support the number of instances you intend to manage on this network.
  5. Click the option to create a subnet.
  6. Assign a name to your subnet (e.g. Internal).
  7. Enter the Address range you wish to assign (e.g. 10.2.1.0/24).
  8. Choose None for the Network security group.
  9. Select the route table you created in the previous step (e.g. NGFW-route).
  10. Leave the remaining settings with the default values and click OK. 


IMPORTANT: Selecting "None" for the Network security group means that access to services is governed solely by the NG Firewall Access Rules. For Azure deployments, the SSH, HTTP, and HTTPS services are permitted by default. Once your appliance is configured and connected to ETM Dashboard, you may choose to disable these access rules to prevent brute force authentication attempts via these services.

Step 3. Attach a network interface

Attach a new network interface to your NG Firewall instance to connect it to your private subnet. Note that you must stop your instance before you can attach a network interface.

  1. In the Microsoft Azure Portal, access the configuration of your virtual machine instance by typing its name (e.g. NGFW) into the search box at the top.
  2. Click Networking from the menu of options beneath your virtual machine.
  3. Click Attach network interface.
  4. Click Create network interface.
  5. Assign a Name to this interface.
  6. Select the Subnet you created in the previous step (e.g. Internal).
  7. Choose Static IP address assignment and enter an IP address belonging to your subnet (e.g. 10.2.1.254). Note that this IP address is the gateway address and should be either at the beginning or end of the subnet range.
  8. Choose None for the Network security group.
  9. Select the same Resource group as your virtual network (e.g. my-resourcegroup).
  10. Click Create.


After the interface is created, click OK to attach it to your instance.


Step 4. Enable IP forwarding

Enable IP forwarding to allow Azure to forward traffic through the NG Firewall instance.

  1. In the Microsoft Azure Portal, access the configuration of the network interface you created in the previous step by typing the name (e.g. interface-internal) into the search box at the top.
  2. Click IP configurations from the menu of options beneath the network interface.
  3. In IP forwarding settings, choose Enabled.
  4. Click Save.


Step 5. Add a default route

Add a default route to the route table to set your NG Firewall instance as the Internet gateway.

  1. In the Microsoft Azure Portal, access the configuration of the route table you created in the previous step by typing the name (e.g. NGFW-route) into the search box at the top.
  2. Click Routes from the menu of options beneath the route table.
  3. Click the option to add a route. 
  4. Assign a name to this route (e.g. gw-route).
  5. Enter the Address prefix 0.0.0.0/0.
  6. Select Virtual appliance for the Next hop type.
  7. In Next hop address, enter the IP address of the internal network interface attached to the NG Firewall instance (e.g. 10.2.1.254).
  8. Click OK.

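Before entering the values from Steps 1 to 5 in the portal, it helps to verify that they satisfy the constraints stated above: the new subnet lies inside the virtual network address space and overlaps no existing subnet, the NG Firewall address sits at the beginning or end of that subnet, and the default route is a VirtualAppliance route whose next hop is that same address. The following Python preflight check is an added example, not part of the original article or of the NG Firewall product; it uses the article's example values, and the pre-existing "default" subnet is a constructed assumption.

```python
import ipaddress

# Constructed sample plan using the article's example values; the "default"
# subnet is an assumed pre-existing subnet in my-vnet, not taken from the article.
VNET_ADDRESS_SPACE = "10.2.0.0/16"
EXISTING_SUBNETS = {"default": "10.2.0.0/24"}
PLANNED_SUBNET = "10.2.1.0/24"
NGFW_INTERNAL_IP = "10.2.1.254"
DEFAULT_ROUTE = ("0.0.0.0/0", "VirtualAppliance", "10.2.1.254")


def check_plan(vnet_space, existing, planned, gateway_ip, route, min_hosts=1):
    """Return the list of problems found; an empty list means the plan is consistent."""
    problems = []
    space = ipaddress.ip_network(vnet_space)
    subnet = ipaddress.ip_network(planned)
    gw = ipaddress.ip_address(gateway_ip)

    # Step 2, item 4: inside the address space, no overlap, large enough.
    if not subnet.subnet_of(space):
        problems.append(f"{subnet} is outside the virtual network address space {space}")
    for name, prefix in existing.items():
        if subnet.overlaps(ipaddress.ip_network(prefix)):
            problems.append(f"{subnet} overlaps existing subnet {name} ({prefix})")
    # Azure reserves the first four and the last address of every subnet.
    first_usable = subnet.network_address + 4
    last_usable = subnet.broadcast_address - 1
    if subnet.num_addresses - 5 < min_hosts + 1:  # +1 for the NG Firewall interface
        problems.append(f"{subnet} has too few usable addresses for {min_hosts} host(s)")

    # Step 3, item 7: the static address is the gateway and sits at an end of the range.
    if gw not in subnet:
        problems.append(f"gateway {gw} is not inside {subnet}")
    elif gw not in (first_usable, last_usable):
        problems.append(f"gateway {gw} should be {first_usable} or {last_usable}")

    # Step 5: default route via a virtual appliance whose next hop is that gateway.
    prefix, hop_type, hop_ip = route
    if prefix != "0.0.0.0/0":
        problems.append(f"route prefix {prefix} is not the default route 0.0.0.0/0")
    if hop_type != "VirtualAppliance":
        problems.append(f"next hop type {hop_type} must be VirtualAppliance")
    if ipaddress.ip_address(hop_ip) != gw:
        problems.append(f"next hop {hop_ip} does not match the NG Firewall interface {gw}")
    return problems


if __name__ == "__main__":
    issues = check_plan(VNET_ADDRESS_SPACE, EXISTING_SUBNETS, PLANNED_SUBNET,
                        NGFW_INTERNAL_IP, DEFAULT_ROUTE)
    print("plan OK" if not issues else "\n".join(issues))
```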

Configuring NG Firewall

After you link the private subnet to your virtual machine via a virtual network interface, you can assign the corresponding network configuration in NG Firewall.

  1. In the Microsoft Azure Portal, access the configuration of your virtual machine instance by typing its name (e.g. NGFW) into the search box at the top.
  2. Click Start and wait several minutes for the instance to become operational.
  3. In the Overview page, copy the IP address of your instance.
  4. In a new browser window, open the NG Firewall administration interface by browsing to that IP address over HTTPS. Alternatively, if you connected your instance to ETM Dashboard, you can access your instance using the Remote Access feature.
  5. Log in and go to Config > Network.
  6. In the Interfaces screen, locate your new network interface and click the edit icon.
  7. Choose Addressed for the Config Type.
  8. Enter an Interface Name (e.g. LAN) and the static IP Address you reserved for the network interface (e.g. 10.2.1.254).
  9. Click Done, then Save.

Configuring Azure instances

Configure your instances to route through NG Firewall by adding them to the private subnet (e.g. 10.2.1.0/24). The table below describes the networking configuration when creating a new virtual machine.

Setting | Example value | Description
Virtual network | my-vnet | Select the virtual network of your NG Firewall instance.
Subnet | INTERNAL (10.2.0.0/24) | Select the private subnet you created in step 2.
Public IP | None | This virtual machine is on a private network that routes through NG Firewall; a public IP is not viable.
NIC network security group | None | Set the NIC network security group to None. NG Firewall uses its own set of inbound firewall rules.
Accelerated networking | Off | This option is not available.
Load Balancing | No | Select whether to use load balancing. Note that this option may incur additional costs.
