Guidance Needed for Configuring Azure Firewall for Outbound Traffic Control

veerabose chandran 260 Reputation points
2025-01-15T03:52:18.3233333+00:00

Hi Experts,

We currently have a setup with one HUB VNet and five Spoke VNets, all of which are peered. Additionally, there is a Site-to-Site (S2S) connection established between our on-premises network and Azure. The five Spoke VNets host multiple VMs and various PaaS services, and their outbound traffic is routed via the VNet Internet route.

Our requirement is to deploy an Azure Firewall in the HUB VNet and configure route tables to direct only outbound traffic through the firewall. Furthermore, we want to enforce application rules in the Azure Firewall to allow access to specific websites while denying all others.

Could you kindly provide guidance on the following:

  1. Configuring Azure Firewall with the appropriate network rules.
  2. Setting up application rules to allow access to specific websites and block all others.

Thank you for your support!

Veera.

Azure Firewall

1 answer

  1. Silvia Wibowo 5,126 Reputation points Microsoft Employee
    2025-01-15T06:21:14.12+00:00

    Hi @veerabose chandran, I understand you have a requirement to deploy an Azure Firewall in the Hub VNet with the requirement of application FQDN filtering.

    Use Azure Firewall with at least Standard SKU, as Basic SKU does not support application level FQDN filtering. Reference: Azure Firewall Feature comparison.

    Use the following guidance to create a new subnet in Hub named "AzureFirewallSubnet" (it must use this subnet name) then deploy Azure Firewall in it. Tutorial: Deploy and configure Azure Firewall and policy using the Azure portal

    After Azure Firewall is deployed, create network rules and application rules as required. Then, make sure that a UDR (User Defined Route) is applied to all spoke subnets and to the Hub's GatewaySubnet (to route the traffic from the VPN Gateway to the Firewall).

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

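The answer above lists the steps but not the objects. The Bicep template below is an added example (it is not the poster's or the answerer's code) that carries out those steps for one hub: a Standard-tier policy with a network rule collection and an FQDN allow-list application rule collection, the firewall itself, a default-route table for the spoke subnets, and a per-spoke-prefix route table for the hub GatewaySubnet. Every name, address range and FQDN in it is an assumption, as is the pre-existing AzureFirewallSubnet; change them for your environment. It also makes two choices the answer leaves implicit: the spoke route table disables gateway route propagation so that VPN-learned prefixes cannot bypass the firewall, and the GatewaySubnet table lists spoke prefixes rather than 0.0.0.0/0, which is not supported on that subnet.

```bicep
// Added example for this thread (not the poster's or the answerer's code). Names, address
// ranges and the FQDN allow-list are assumptions; change them for your environment.
param location string = resourceGroup().location
param hubVnetName string = 'hub-vnet'                                   // assumed existing hub VNet
param spokePrefixes array = ['10.1.0.0/16', '10.2.0.0/16']              // assumed spoke ranges
param onPremPrefixes array = ['192.168.0.0/16']                         // assumed range behind the S2S VPN
param allowedFqdns array = ['www.microsoft.com', '*.windowsupdate.com'] // assumed allow-list

// Assumed to exist in the hub: the subnet name must be exactly AzureFirewallSubnet, size at least /26.
var fwSubnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', hubVnetName, 'AzureFirewallSubnet')

resource fwPip 'Microsoft.Network/publicIPAddresses@2023-11-01' = { name: 'hub-fw-pip', location: location, sku: { name: 'Standard' }, properties: { publicIPAllocationMethod: 'Static' } }

// Standard tier (Basic has no application/FQDN rules). DNS proxy makes clients and the firewall
// resolve a name to the same IP, so FQDN rules match what the client actually connects to.
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-11-01' = {
  name: 'hub-fw-policy'
  location: location
  properties: { sku: { tier: 'Standard' }, dnsSettings: { enableProxy: true } }
}

// One group with both collection types. Network rule collections are always evaluated before
// application rule collections, whatever their priorities, so keep the network rules narrow.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-11-01' = {
  parent: fwPolicy
  name: 'egress-rules'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-private' // spoke <-> on-prem; both directions are steered via the firewall below
        priority: 100
        action: { type: 'Allow' }
        rules: [{
          ruleType: 'NetworkRule'
          name: 'spokes-and-onprem'
          ipProtocols: ['Any']
          sourceAddresses: concat(spokePrefixes, onPremPrefixes)
          destinationAddresses: concat(spokePrefixes, onPremPrefixes)
          destinationPorts: ['*']
        }]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-web-allowlist' // no deny-all rule needed: the firewall drops what no rule allows
        priority: 200
        action: { type: 'Allow' }
        rules: [{
          ruleType: 'ApplicationRule'
          name: 'spokes-to-allowed-sites'
          sourceAddresses: spokePrefixes
          targetFqdns: allowedFqdns
          protocols: [{ protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 }]
        }]
      }
    ]
  }
}

resource firewall 'Microsoft.Network/azureFirewalls@2023-11-01' = {
  name: 'hub-fw'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    firewallPolicy: { id: fwPolicy.id }
    ipConfigurations: [{
      name: 'fw-ipconfig'
      properties: { subnet: { id: fwSubnetId }, publicIPAddress: { id: fwPip.id } }
    }]
  }
}
var fwPrivateIp = firewall.properties.ipConfigurations[0].properties.privateIPAddress

// Spoke subnets: default route to the firewall. Gateway route propagation is disabled so a
// VPN-learned on-prem prefix cannot beat 0.0.0.0/0 and bypass the firewall (keeps flows symmetric).
resource spokeRt 'Microsoft.Network/routeTables@2023-11-01' = {
  name: 'spoke-egress-rt'
  location: location
  properties: {
    disableBgpRoutePropagation: true
    routes: [{
      name: 'default-to-fw'
      properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp }
    }]
  }
}

// Hub GatewaySubnet: one route per spoke prefix so on-prem -> spoke traffic enters the firewall.
// Never put 0.0.0.0/0 on GatewaySubnet; a default route is not supported there.
resource gwRt 'Microsoft.Network/routeTables@2023-11-01' = {
  name: 'gateway-to-fw-rt'
  location: location
  properties: {
    routes: [for (prefix, i) in spokePrefixes: {
      name: 'spoke-${i}-via-fw'
      properties: { addressPrefix: prefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: fwPrivateIp }
    }]
  }
}
```

Deploy it into the hub resource group with `az deployment group create`, then attach spoke-egress-rt to each spoke subnet and gateway-to-fw-rt to the hub GatewaySubnet with `az network vnet subnet update --route-table`; the template does not do that because the spoke subnets live in other VNets. Before trusting it, check the effective routes on a spoke VM NIC with `az network nic show-effective-route-table` and confirm that 0.0.0.0/0 points at VirtualAppliance with the firewall's private IP. From that VM, `curl -I https://www.microsoft.com` should succeed while an FQDN outside the list should fail (the TLS connection is reset; plain HTTP gets an Azure Firewall deny page), and the AZFWApplicationRule log should show the Allow and Deny entries. Two caveats: application rules cover only HTTP, HTTPS and MSSQL, so any other internet-bound protocol from a spoke needs an explicit network rule or stays blocked; and with propagation disabled on the spokes, spoke-to-on-prem traffic also passes the firewall, which is why the allow-private network rule is there.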
