Configure VNETs with an AzureFirewallSubnet subnet

Security · Virtual Network · Rule · 2022_12 · Important

Use Azure Firewall to filter network traffic to and from Azure resources.

Description

Network segmentation is a key component of a secure network architecture. Azure provides several features that work together to provide strong network segmentation controls.

Azure Firewall is a cloud-native, stateful firewall delivered as a service. It filters both east-west (VNET to VNET) and north-south (Internet and on-premises) traffic at layers 3 to 7, and the Premium tier adds TLS inspection and intrusion detection and prevention (IDPS). Firewall rules are defined in firewall policies, which can be centrally managed and reused across firewall instances.

Some key advantages that Azure Firewall has over traditional solutions include:

  • Azure Firewall integrates directly with Virtual Network (VNET) and subnet level security. It supports Azure concepts that reduce the need for complex network configuration, such as service tags, FQDN tags and built-in load balancing and scaling.
  • Managed by Azure, there is no need to deploy additional management infrastructure or consoles.
  • Built-in support for Infrastructure as Code (IaC), version control, and DevOps.

For guidance on defining your network topology in Azure see Cloud Adoption Framework (CAF).

Recommendation

Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks. Azure Firewall must be deployed into a dedicated subnet in that VNET named AzureFirewallSubnet, with an address prefix of /26 or larger. No other resources can be placed in this subnet, and network security groups are not applied to it.

Examples

Configure with Azure template

To deploy Virtual Networks that pass this rule:

  • Define a subnet named AzureFirewallSubnet in properties.subnets, with an addressPrefix of /26 or larger that lies within the VNET address space.

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/27"
        }
      },
      {
        "name": "AzureFirewallSubnet",
        "properties": {
          "addressPrefix": "10.0.1.0/26"
        }
      }
    ]
  }
}

Configure with Bicep

To deploy Virtual Networks that pass this rule:

  • Define a subnet named AzureFirewallSubnet in properties.subnets, with an addressPrefix of /26 or larger that lies within the VNET address space.

For example:

Azure Bicep snippet
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        // Reserved name required by VPN and ExpressRoute gateways; /27 or larger.
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/27'
        }
      }
      {
        // Reserved name required by Azure Firewall; /26 or larger, no NSG.
        name: 'AzureFirewallSubnet'
        properties: {
          addressPrefix: '10.0.1.0/26'
        }
      }
    ]
  }
}
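Both snippets above satisfy the rule only because the reserved subnet is present, correctly named and large enough. The following Python check, added here as an illustration and not part of this page or of PSRule for Azure's own rule logic, evaluates Microsoft.Network/virtualNetworks resources from an ARM template for the same conditions: an AzureFirewallSubnet exists, it is /26 or larger, it sits inside the VNET address space, and it has no network security group attached (an association is rejected at deployment). It also applies the /27 minimum to GatewaySubnet when one is present. The template embedded in the block is constructed sample data: a hub VNET copied from the page, a deliberately broken VNET, and a spoke without any firewall subnet. Subnet prefixes written as template expressions such as "[parameters('p')]" cannot be resolved offline and are reported rather than evaluated.

```python
"""Check ARM virtualNetworks resources for a correctly sized AzureFirewallSubnet.

Added example; not PSRule for Azure's own rule implementation. Assumes ARM JSON
input with literal CIDR strings for the subnets being checked.
"""
import ipaddress
import json

FIREWALL_SUBNET = "AzureFirewallSubnet"
GATEWAY_SUBNET = "GatewaySubnet"
# Largest prefix length (smallest subnet) Azure accepts for each reserved subnet:
# AzureFirewallSubnet needs at least a /26, GatewaySubnet at least a /27.
MAX_PREFIX_LEN = {FIREWALL_SUBNET: 26, GATEWAY_SUBNET: 27}

# Constructed sample template (not from the page): one compliant hub, one VNET
# with an undersized, misplaced AzureFirewallSubnet that also carries an NSG,
# and one spoke with no firewall subnet at all.
SAMPLE_TEMPLATE = json.loads("""
{
  "resources": [
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "hub-vnet",
      "properties": {
        "addressSpace": { "addressPrefixes": ["10.0.0.0/16"] },
        "subnets": [
          { "name": "GatewaySubnet", "properties": { "addressPrefix": "10.0.0.0/27" } },
          { "name": "AzureFirewallSubnet", "properties": { "addressPrefix": "10.0.1.0/26" } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "bad-vnet",
      "properties": {
        "addressSpace": { "addressPrefixes": ["10.1.0.0/16"] },
        "subnets": [
          { "name": "AzureFirewallSubnet",
            "properties": { "addressPrefix": "10.0.2.0/27",
                            "networkSecurityGroup": { "id": "placeholder-nsg-resource-id" } } }
        ]
      }
    },
    {
      "type": "Microsoft.Network/virtualNetworks",
      "name": "spoke-vnet",
      "properties": {
        "addressSpace": { "addressPrefixes": ["10.2.0.0/16"] },
        "subnets": [ { "name": "workload", "properties": { "addressPrefix": "10.2.0.0/24" } } ]
      }
    }
  ]
}
""")


def _networks(prefixes):
    """Parse literal CIDR strings; template expressions like "[parameters('p')]" are skipped."""
    return [ipaddress.ip_network(p, strict=True)
            for p in prefixes if isinstance(p, str) and not p.startswith("[")]


def _subnet_networks(subnet):
    """Collect a subnet's addressPrefix and/or addressPrefixes as network objects."""
    props = subnet.get("properties", {})
    prefixes = list(props.get("addressPrefixes") or [])
    if "addressPrefix" in props:
        prefixes.insert(0, props["addressPrefix"])
    return _networks(prefixes)


def check_vnet(resource):
    """Return a list of findings for one virtualNetworks resource; empty means pass."""
    name = resource.get("name", "<unnamed>")
    props = resource.get("properties", {})
    spaces = _networks(props.get("addressSpace", {}).get("addressPrefixes", []))
    subnets = {s["name"]: s for s in props.get("subnets", [])}
    findings = []

    fw = subnets.get(FIREWALL_SUBNET)
    if fw is None:
        return [f"{name}: no subnet named {FIREWALL_SUBNET}"]

    # NSGs are not applied to AzureFirewallSubnet; referencing one is a template error.
    if "networkSecurityGroup" in fw.get("properties", {}):
        findings.append(f"{name}: {FIREWALL_SUBNET} must not reference a networkSecurityGroup")

    for sub_name, max_len in MAX_PREFIX_LEN.items():
        sub = subnets.get(sub_name)
        if sub is None:
            continue  # GatewaySubnet is optional; only the firewall subnet is mandatory here
        nets = _subnet_networks(sub)
        if not nets:
            findings.append(f"{name}: {sub_name} has no literal addressPrefix to check")
        for net in nets:
            if net.prefixlen > max_len:
                findings.append(f"{name}: {sub_name} {net} is smaller than the required /{max_len}")
            if spaces and not any(net.subnet_of(space) for space in spaces):
                findings.append(f"{name}: {sub_name} {net} is outside the VNET address space")
    return findings


def check_template(template):
    """Map each virtualNetworks resource name to its findings."""
    return {r.get("name", "<unnamed>"): check_vnet(r)
            for r in template.get("resources", [])
            if r.get("type") == "Microsoft.Network/virtualNetworks"}


if __name__ == "__main__":
    for vnet_name, findings in check_template(SAMPLE_TEMPLATE).items():
        print(vnet_name, "PASS" if not findings else "FAIL")
        for f in findings:
            print("  -", f)
```

Run against a real template, the check reports hub-vnet as passing, spoke-vnet as missing the subnet, and bad-vnet with three findings (NSG attached, /27 too small, prefix outside 10.1.0.0/16). The alignment check uses strict CIDR parsing, so a prefix such as 10.0.1.16/26 is rejected as malformed rather than silently normalised.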
