Muokkaa

Jaa


Quickstart: Create an Azure Firewall with multiple public IP addresses - ARM template

In this quickstart, you use an Azure Resource Manager template (ARM template) to deploy an Azure Firewall with multiple public IP addresses from a public IP address prefix. The deployed firewall has NAT rule collection rules that allow RDP connections to two Windows Server 2019 virtual machines.

Diagram showing the network configuration for this quickstart.

An Azure Resource Manager template is a JavaScript Object Notation (JSON) file that defines the infrastructure and configuration for your project. The template uses declarative syntax. You describe your intended deployment without writing the sequence of programming commands to create the deployment.

For more information about Azure Firewall with multiple public IP addresses, see Deploy an Azure Firewall with multiple public IP addresses using Azure PowerShell.

If your environment meets the prerequisites and you're familiar with using ARM templates, select the Deploy to Azure button. The template will open in the Azure portal.

Button to deploy the Resource Manager template to Azure.

Prerequisites

Review the template

This template creates an Azure Firewall with two public IP addresses, along with the necessary resources to support the Azure Firewall.

The template used in this quickstart is from Azure Quickstart Templates.

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.26.54.24096",
      "templateHash": "8395247770070350203"
    }
  },
  "parameters": {
    "adminUsername": {
      "type": "string",
      "metadata": {
        "description": "Admin username for the backend servers"
      }
    },
    "adminPassword": {
      "type": "securestring",
      "metadata": {
        "description": "Password for the admin account on the backend servers"
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "Location for all resources."
      }
    },
    "vmSize": {
      "type": "string",
      "defaultValue": "Standard_B2ms",
      "metadata": {
        "description": "Size of the virtual machine."
      }
    }
  },
  "variables": {
    "copy": [
      {
        "name": "azureFirewallIpConfigurations",
        "count": "[length(range(0, 2))]",
        "input": {
          "name": "[format('IpConf{0}', add(range(0, 2)[copyIndex('azureFirewallIpConfigurations')], 1))]",
          "properties": {
            "subnet": "[if(equals(range(0, 2)[copyIndex('azureFirewallIpConfigurations')], 0), json(format('{{\"id\": \"{0}\"}}', variables('azureFirewallSubnetId'))), null())]",
            "publicIPAddress": {
              "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[range(0, 2)[copyIndex('azureFirewallIpConfigurations')]], 1)))]"
            }
          }
        }
      }
    ],
    "virtualMachineName": "myVM",
    "virtualNetworkName": "myVNet",
    "networkInterfaceName": "net-int",
    "ipConfigName": "ipconfig",
    "ipPrefixName": "public_ip_prefix",
    "ipPrefixSize": 31,
    "publicIpAddressName": "public_ip",
    "nsgName": "vm-nsg",
    "firewallName": "FW-01",
    "vnetPrefix": "10.0.0.0/16",
    "fwSubnetPrefix": "10.0.0.0/24",
    "backendSubnetPrefix": "10.0.1.0/24",
    "azureFirewallSubnetId": "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), 'AzureFirewallSubnet')]"
  },
  "resources": [
    {
      "copy": {
        "name": "nsg",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Network/networkSecurityGroups",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('nsgName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "properties": {
        "securityRules": [
          {
            "name": "RDP",
            "properties": {
              "protocol": "Tcp",
              "sourcePortRange": "*",
              "destinationPortRange": "3389",
              "sourceAddressPrefix": "*",
              "destinationAddressPrefix": "*",
              "access": "Allow",
              "priority": 300,
              "direction": "Inbound"
            }
          }
        ]
      }
    },
    {
      "type": "Microsoft.Network/publicIPPrefixes",
      "apiVersion": "2023-09-01",
      "name": "[variables('ipPrefixName')]",
      "location": "[parameters('location')]",
      "properties": {
        "prefixLength": "[variables('ipPrefixSize')]",
        "publicIPAddressVersion": "IPv4"
      },
      "sku": {
        "name": "Standard"
      }
    },
    {
      "copy": {
        "name": "publicIPAddress",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Network/publicIPAddresses",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "sku": {
        "name": "Standard"
      },
      "properties": {
        "publicIPAddressVersion": "IPv4",
        "publicIPAllocationMethod": "Static",
        "publicIPPrefix": {
          "id": "[resourceId('Microsoft.Network/publicIPPrefixes', variables('ipPrefixName'))]"
        },
        "idleTimeoutInMinutes": 4
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/publicIPPrefixes', variables('ipPrefixName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "apiVersion": "2023-09-01",
      "name": "[variables('virtualNetworkName')]",
      "location": "[parameters('location')]",
      "properties": {
        "addressSpace": {
          "addressPrefixes": [
            "[variables('vnetPrefix')]"
          ]
        },
        "subnets": [
          {
            "name": "myBackendSubnet",
            "properties": {
              "addressPrefix": "[variables('backendSubnetPrefix')]",
              "routeTable": {
                "id": "[resourceId('Microsoft.Network/routeTables', 'rt-01')]"
              },
              "privateEndpointNetworkPolicies": "Enabled",
              "privateLinkServiceNetworkPolicies": "Enabled"
            }
          }
        ],
        "enableDdosProtection": false,
        "enableVmProtection": false
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/routeTables', 'rt-01')]"
      ]
    },
    {
      "type": "Microsoft.Network/virtualNetworks/subnets",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}/{1}', variables('virtualNetworkName'), 'AzureFirewallSubnet')]",
      "properties": {
        "addressPrefix": "[variables('fwSubnetPrefix')]",
        "privateEndpointNetworkPolicies": "Enabled",
        "privateLinkServiceNetworkPolicies": "Enabled"
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
      ]
    },
    {
      "copy": {
        "name": "virtualMachine",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Compute/virtualMachines",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('virtualMachineName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "properties": {
        "hardwareProfile": {
          "vmSize": "[parameters('vmSize')]"
        },
        "storageProfile": {
          "imageReference": {
            "publisher": "MicrosoftWindowsServer",
            "offer": "WindowsServer",
            "sku": "2019-Datacenter",
            "version": "latest"
          },
          "osDisk": {
            "osType": "Windows",
            "createOption": "FromImage",
            "caching": "ReadWrite",
            "managedDisk": {
              "storageAccountType": "StandardSSD_LRS"
            },
            "diskSizeGB": 127
          }
        },
        "osProfile": {
          "computerName": "[format('{0}{1}', variables('virtualMachineName'), add(range(0, 2)[copyIndex()], 1))]",
          "adminUsername": "[parameters('adminUsername')]",
          "adminPassword": "[parameters('adminPassword')]",
          "windowsConfiguration": {
            "provisionVMAgent": true,
            "enableAutomaticUpdates": true
          },
          "allowExtensionOperations": true
        },
        "networkProfile": {
          "networkInterfaces": [
            {
              "id": "[resourceId('Microsoft.Network/networkInterfaces', format('{0}{1}', variables('networkInterfaceName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]"
            }
          ]
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkInterfaces', format('{0}{1}', variables('networkInterfaceName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]"
      ]
    },
    {
      "copy": {
        "name": "netInterface",
        "count": "[length(range(0, 2))]"
      },
      "type": "Microsoft.Network/networkInterfaces",
      "apiVersion": "2023-09-01",
      "name": "[format('{0}{1}', variables('networkInterfaceName'), add(range(0, 2)[copyIndex()], 1))]",
      "location": "[parameters('location')]",
      "properties": {
        "ipConfigurations": [
          {
            "name": "[format('{0}{1}', variables('ipConfigName'), add(range(0, 2)[copyIndex()], 1))]",
            "properties": {
              "subnet": {
                "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName')), '2023-09-01').subnets[0].id]"
              },
              "primary": true
            }
          }
        ],
        "enableAcceleratedNetworking": false,
        "enableIPForwarding": false,
        "networkSecurityGroup": {
          "id": "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsgName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]"
        }
      },
      "dependsOn": [
        "[resourceId('Microsoft.Network/networkSecurityGroups', format('{0}{1}', variables('nsgName'), add(range(0, 2)[range(0, 2)[copyIndex()]], 1)))]",
        "[resourceId('Microsoft.Network/virtualNetworks', variables('virtualNetworkName'))]"
      ]
    },
    {
      "type": "Microsoft.Network/azureFirewalls",
      "apiVersion": "2023-09-01",
      "name": "[variables('firewallName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "name": "AZFW_VNet",
          "tier": "Standard"
        },
        "threatIntelMode": "Deny",
        "ipConfigurations": "[variables('azureFirewallIpConfigurations')]",
        "applicationRuleCollections": [
          {
            "name": "web",
            "properties": {
              "priority": 100,
              "action": {
                "type": "Allow"
              },
              "rules": [
                {
                  "name": "wan-address",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "targetFqdns": [
                    "getmywanip.com"
                  ],
                  "sourceAddresses": [
                    "*"
                  ]
                },
                {
                  "name": "google",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "targetFqdns": [
                    "www.google.com"
                  ],
                  "sourceAddresses": [
                    "10.0.1.0/24"
                  ]
                },
                {
                  "name": "wupdate",
                  "protocols": [
                    {
                      "protocolType": "Http",
                      "port": 80
                    },
                    {
                      "protocolType": "Https",
                      "port": 443
                    }
                  ],
                  "fqdnTags": [
                    "WindowsUpdate"
                  ],
                  "sourceAddresses": [
                    "*"
                  ]
                }
              ]
            }
          }
        ],
        "natRuleCollections": [
          {
            "name": "Coll-01",
            "properties": {
              "priority": 100,
              "action": {
                "type": "Dnat"
              },
              "rules": [
                {
                  "name": "rdp-01",
                  "protocols": [
                    "TCP"
                  ],
                  "translatedAddress": "10.0.1.4",
                  "translatedPort": "3389",
                  "sourceAddresses": [
                    "*"
                  ],
                  "destinationAddresses": [
                    "[reference(resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[0], 1))), '2023-09-01').ipAddress]"
                  ],
                  "destinationPorts": [
                    "3389"
                  ]
                },
                {
                  "name": "rdp-02",
                  "protocols": [
                    "TCP"
                  ],
                  "translatedAddress": "10.0.1.5",
                  "translatedPort": "3389",
                  "sourceAddresses": [
                    "*"
                  ],
                  "destinationAddresses": [
                    "[reference(resourceId('Microsoft.Network/publicIPAddresses', format('{0}{1}', variables('publicIpAddressName'), add(range(0, 2)[1], 1))), '2023-09-01').ipAddress]"
                  ],
                  "destinationPorts": [
                    "3389"
                  ]
                }
              ]
            }
          }
        ]
      },
      "dependsOn": [
        "publicIPAddress",
        "[resourceId('Microsoft.Network/virtualNetworks/subnets', variables('virtualNetworkName'), 'AzureFirewallSubnet')]"
      ]
    },
    {
      "type": "Microsoft.Network/routeTables",
      "apiVersion": "2023-09-01",
      "name": "rt-01",
      "location": "[parameters('location')]",
      "properties": {
        "disableBgpRoutePropagation": false,
        "routes": [
          {
            "name": "fw",
            "properties": {
              "addressPrefix": "0.0.0.0/0",
              "nextHopType": "VirtualAppliance",
              "nextHopIpAddress": "10.0.0.4"
            }
          }
        ]
      }
    }
  ],
  "outputs": {
    "name": {
      "type": "string",
      "value": "[variables('firewallName')]"
    },
    "resourceId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Network/azureFirewalls', variables('firewallName'))]"
    },
    "location": {
      "type": "string",
      "value": "[parameters('location')]"
    },
    "resourceGroupName": {
      "type": "string",
      "value": "[resourceGroup().name]"
    }
  }
}

Multiple Azure resources are defined in the template:

Deploy the template

Deploy the ARM template to Azure:

  1. Select Deploy to Azure to sign in to Azure and open the template. The template creates an Azure Firewall, the network infrastructure, and two virtual machines.

    Button to deploy the Resource Manager template to Azure.

  2. In the portal, on the Create an Azure Firewall with multiple IP public addresses page, type or select the following values:

    • Subscription: Select from existing subscriptions
    • Resource group: Select from existing resource groups or select Create new, and select OK.
    • Location: Select a location
    • Admin Username: Type username for the administrator user account
    • Admin Password: Type an administrator password or key
  3. Select I agree to the terms and conditions stated above and then select Purchase. The deployment can take 10 minutes or longer to complete.

Validate the deployment

In the Azure portal, review the deployed resources. Note the firewall public IP addresses.

Use Remote Desktop Connection to connect to the firewall public IP addresses. Successful connections demonstrate firewall NAT rules that allow the connection to the backend servers.

Clean up resources

When you no longer need the resources that you created with the firewall, delete the resource group. Deleting the resource group removes the firewall and all the related resources.

To delete the resource group, call the Remove-AzResourceGroup cmdlet:

Remove-AzResourceGroup -Name "<your resource group name>"

Next steps