2025-04-06 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Next, I'm going to write a few articles about Azure Firewall. Azure Firewall has only landed in Mooncake (Azure China) this year, but it has been GA in global Azure for some time. As a cloud-native NVA product, Firewall undoubtedly solves a large part of the security problem on the cloud, and its low price adds a unique attraction, especially for users who want a similar solution but do not want to buy a third-party NVA product. As you can see from the figure below, Azure's classic hub-spoke network architecture can also be implemented well with Azure Firewall.
This time, let's look at how to use Azure Firewall to design a hub-spoke architecture. First, let's see what Azure Firewall can do.
Azure Firewall lets you centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. It uses a static public IP address for your virtual network resources, so that external firewalls can identify traffic originating from your virtual network, and it integrates seamlessly with Azure Monitor.
Overall, Azure Firewall offers the following advantages:
Built-in high availability
High availability is built in, so there is no need to deploy additional load balancers or any extra configuration.
Unlimited cloud scalability
Azure Firewall scales out as needed to accommodate changing network traffic flows, so you do not need to budget for peak traffic.
Application FQDN filtering rules
Outbound HTTP/S traffic or Azure SQL traffic (preview) can be restricted to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature does not require SSL termination.
Network traffic filtering rules
Network filtering rules that allow or deny traffic can be created centrally based on source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
FQDN tags
FQDN tags make it easy to allow well-known Azure service network traffic through the firewall. For example, suppose you want to allow Windows Update network traffic through the firewall: create an application rule and include the Windows Update tag in it. Network traffic from Windows Update can then flow through the firewall.
Service tags
A service tag represents a group of IP address prefixes and helps minimize the complexity of creating security rules. You cannot create your own service tag, nor can you specify which IP addresses a tag includes. Azure manages the address prefixes contained in a service tag and updates the tag automatically when the addresses change.
Threat intelligence
Threat-intelligence-based filtering can be enabled for the firewall to alert on and deny traffic from or to known malicious IP addresses and domains. The IP addresses and domains come from the Microsoft Threat Intelligence feed.
Outbound SNAT support
All outbound virtual network traffic has its source IP address translated to the Azure Firewall public IP (Source Network Address Translation), so that traffic from your virtual network can be identified and allowed to reach remote Internet destinations. If the destination IP is within the private address space of IANA RFC 1918, Azure Firewall does not perform SNAT. If an organization uses a public IP address range for a private network, Azure Firewall SNATs that traffic to one of the firewall's private IP addresses in the AzureFirewallSubnet.
Inbound DNAT support
Inbound network traffic to the firewall's public IP address is translated (Destination Network Address Translation) and filtered to a private IP address on your virtual network.
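To make two of the behaviours above concrete, here is a small Python model of application-rule FQDN matching (with a leading wildcard) and of the outbound SNAT decision. This is an added example, not Microsoft's code or the article's; the wildcard semantics are simplified to "one or more labels below the suffix", and the sample rules and IP ranges are constructed placeholders.

```python
"""Model of two Azure Firewall behaviours: application-rule FQDN matching
and the outbound SNAT decision. Added example; semantics are simplified."""
import ipaddress

# IANA RFC 1918 private address space: destinations here are never SNATed.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def fqdn_matches(rule_fqdn, host):
    """'*.example.com' matches any name below example.com (assumption: one or
    more labels); a rule without a wildcard must match the host exactly."""
    host = host.lower().rstrip(".")
    rule_fqdn = rule_fqdn.lower()
    if rule_fqdn.startswith("*."):
        return host.endswith(rule_fqdn[1:])   # keeps the leading dot
    return host == rule_fqdn


def application_rule_allows(rules, host, port):
    """rules: list of (allowed_fqdns, allowed_ports). First match wins;
    when nothing matches the application rules deny by default."""
    for fqdns, ports in rules:
        if port in ports and any(fqdn_matches(f, host) for f in fqdns):
            return True
    return False


def snat_source(dst_ip, fw_public_ip, fw_private_ip, org_private_ranges=()):
    """Source address a packet leaves the firewall with, following the SNAT
    description above:
      None           -> no SNAT, destination is RFC 1918 private space
      fw_public_ip   -> Internet destination
      fw_private_ip  -> destination is in a public range the organisation
                        uses privately (org_private_ranges)"""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in n for n in RFC1918):
        return None
    if any(dst in ipaddress.ip_network(r) for r in org_private_ranges):
        return fw_private_ip
    return fw_public_ip


# Constructed sample policy: HTTPS only, to Windows Update style names.
SAMPLE_RULES = [(["*.windowsupdate.com", "download.microsoft.com"], {443})]
```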
Now that we have a brief understanding of what Azure Firewall does, let's look at today's environment.
We have three VNETs:
1. Hub VNET, China North, which is also the VNET where our firewall is deployed
2. Spoke VNET1, China North
3. Spoke VNET2, China East 2
The hub VNET is connected to each of the two spoke VNETs with VNET peering. This is the basic environment; next come the deployment of the Firewall and the Firewall-related tests.
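Before deploying, it is worth checking the address plan of this three-VNET lab: peered VNETs must not overlap, the firewall must live in a subnet named AzureFirewallSubnet of at least /26, and because VNET peering is not transitive, spoke-to-spoke and Internet-bound traffic has to be steered to the firewall's private IP with a user-defined route. The Python below is an added example (not from the article); the address spaces, subnet prefixes and the firewall private IP are constructed placeholders.

```python
"""Address plan and peering model for the three-VNET hub-spoke lab above.
Added example: address spaces and the firewall private IP are constructed."""
import ipaddress
from itertools import combinations

FW_SUBNET_NAME = "AzureFirewallSubnet"  # subnet name Azure Firewall requires
FW_SUBNET_MIN_PREFIX = 26               # the subnet must be /26 or larger

VNETS = {  # constructed plan matching the article's regions
    "hub-vnet":    {"region": "chinanorth", "space": "10.0.0.0/16",
                    "subnets": {FW_SUBNET_NAME: "10.0.1.0/26"}},
    "spoke-vnet1": {"region": "chinanorth", "space": "10.1.0.0/16",
                    "subnets": {"workload": "10.1.1.0/24"}},
    "spoke-vnet2": {"region": "chinaeast2", "space": "10.2.0.0/16",
                    "subnets": {"workload": "10.2.1.0/24"}},
}
# Hub is peered to each spoke; the spokes are not peered to each other.
PEERINGS = {("hub-vnet", "spoke-vnet1"), ("hub-vnet", "spoke-vnet2")}


def validate_plan(vnets=VNETS):
    """Return a list of problems; an empty list means the plan is deployable."""
    problems = []
    nets = {n: ipaddress.ip_network(v["space"]) for n, v in vnets.items()}
    # Peered VNETs must not have overlapping address spaces.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    for name, v in vnets.items():
        for sname, sprefix in v["subnets"].items():
            sn = ipaddress.ip_network(sprefix)
            if not sn.subnet_of(nets[name]):
                problems.append(f"{name}/{sname} lies outside {v['space']}")
            if sname == FW_SUBNET_NAME and sn.prefixlen > FW_SUBNET_MIN_PREFIX:
                problems.append(f"{name}/{sname} is smaller than /{FW_SUBNET_MIN_PREFIX}")
    return problems


def directly_connected(a, b, peerings=PEERINGS):
    """VNET peering is not transitive: only explicitly peered pairs talk
    directly, so spoke-to-spoke traffic must go through the hub firewall."""
    return (a, b) in peerings or (b, a) in peerings


def spoke_default_route(fw_private_ip="10.0.1.4"):
    """User-defined route each spoke workload subnet needs so that its
    Internet- and spoke-bound traffic is sent to the firewall's private IP
    in the hub (assumed .4, the first usable address of AzureFirewallSubnet)."""
    return {"address_prefix": "0.0.0.0/0", "next_hop_type": "VirtualAppliance",
            "next_hop_ip": fw_private_ip}
```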