Azure Virtual WAN with Secured Virtual Hub

Azure Virtual WAN with Secured Virtual Hub

Image:https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Recently one of my on going projects requires centralized routing, multi location connectivity, custom DNS settings and with security. The best solution is Azure Virtual WAN integrated with Azure Firewall. In my previous article, I have already talked about Azure Firewall with Custom DNS and DNS Proxy, so in this article, I will be talking securing Azure Virtual WAN with Azure Firewall.

Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity such as SD-WAN or VPN CPE, Site-to-site VPN, remote user VPN, ExpressRoute, intra-cloud connectivity, VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity.

Personally I think Azure Virtual WAN is a very big topic and involves many functionalities. To quickly understand it briefly, I would strongly recommend viewing this video, a shorter version, published by Microsoft on Youtube.

A longer and much more details version here!

In addition, you can refer Azure Firewall features here!

Without further ado, let’s get started!

Azure Virtual WAN with Secured Virtual Hub

Image:https://docs.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

This is how the structure looks like for this demo but with only one Vnet. I will only blog the important or key configuration parts, the rest will be omitted. An any-to-any connectivity vWAN will be built.

  1. Create vWAN with vHub
  2. Create Vnet with VM running (omitted)
  3. Connect Vnet to vWAN
  4. Create and configure Firewall policy
  5. Attach Firewall policy to vHub
  6. Verify result

Let’s start from creating vWAN, it is pretty simple and straight forward.

Azure Virtual WAN with Secured Virtual Hub

Once done, this is how it looks. Click Hubs to create your first vHub. vHub is the actual resources that connects transits all your connections.

Azure Virtual WAN with Secured Virtual Hub

Click New Hub.

Azure Virtual WAN with Secured Virtual Hub

This is how the creating page looks like.

Azure Virtual WAN with Secured Virtual Hub

№1 is the place to setup vHub. №2 to №4 are sections where you can build related services. I will only build vHub in this article, the rest will be omitted.

For Hub private address space, cause Azure Virtual WAN is a managed service, it creates the appropriate subnets in the virtual hub for the different gateways/services (for example, VPN gateways, ExpressRoute gateways, User VPN point-to-site gateways, Firewall, routing, and etc.), therefore we need to assign a space to it with minimum /24 CIDR requirement.

It takes about 30 minutes to create the vHub so go get yourself an ice cream ; )

Once done, you can see it in Overview from vWan.

Azure Virtual WAN with Secured Virtual Hub

Click into the vHub, in my cause, ystatit-demo, more details can be revealed.

Azure Virtual WAN with Secured Virtual Hub

You can see if any Vnets are integrated with this vHub as well as all if any features are enabled on this vHub.

Click Vnet connection to configure pre-configued Vnet integrates into vHub.

Azure Virtual WAN with Secured Virtual Hub

The options themselves are pretty explainable. The most import part is the Routing configuration. The key concepts are:

  • Associate Route Table
  • Propagate to Route Tables
  • Propagate to labels

Route table decides how your traffics flow. So you attach your Vnet to that particular route table that you want your traffic to follow.

On the other hand, you propagate your current Vnet route to particular route table so that every Vnet that’s associated to that route table, is able to communicate to your current Vnet

Labels are the same concept only that they are logical grouping of route tables.

For more and detailed information, please watch the video in the beginning of the article or here, here and here.

Once created, it looks as below.

Azure Virtual WAN with Secured Virtual Hub

If you return to the Overview page of vHub, you would see that there is One vNet connection right now.

Azure Virtual WAN with Secured Virtual Hub

To convert vHub to a secured vHub, we need to have Firewall Policy first.

Azure Virtual WAN with Secured Virtual Hub
  • №2, Configure the basics at this section.
  • I will not be using №3, №4, №6 and №7 in this post
  • I will setup №5 later on
  • №8, please refer here for the differences between Standard and Premium

For detailed walk through for №3 and №5, please refer Azure Firewall with Custom DNS and DNS Proxy

Once the policy is done, it looks like below. Settings section is where we can configure all options we had during the setup of Firewall Policy.

Azure Virtual WAN with Secured Virtual Hub

Secured virtual hubs is the place where we can review if any vHub is associated with this policy and that’s what we are going to do next. Let’s check back again once done.

Back to vHub, let’s start converting the vHub from №1. At №2, choose which vHub to be converted.

Azure Virtual WAN with Secured Virtual Hub

At section №4, choose the Firewall Policy just created.

Azure Virtual WAN with Secured Virtual Hub
  • №1, Azure Firewall is needed by Azure Policy.
  • №2, Azure Firewall tier must match the tier of Azure Policy just created so the policy would show.
  • No3, You can request max of 250 public ip address for Azure Firewall.
  • Choose the Firewall Policy just created at №4.

I will pass section №5 and start the converstion. One done, you can see that vHub is now enabled with Azure.

Azure Virtual WAN with Secured Virtual Hub

And basically that it! You have now converted your vHub into a secured vHub! Or put it this way, you have integrated Azure Firewall with Azure virtual hub!

Now, let’s go to various places to verify the result. There are

  1. Azure Firewall
  2. Azure Firewall Policy
  3. Azure Firewall Manager

In Azure Firewall, you would see a newly created Firewall for your vHub. There are a lot of information can be viewed in the Overview section.

Azure Virtual WAN with Secured Virtual Hub
  • №3, Firewall and Firewall policy works together, so you can see which policy is attached to this Firewall.
  • №4, It tells you which vHub is this Firewall protecting or integrated with.
  • №5, Where you can obtain the Public and Private IP of your Firewall where you can use for DNAT and routing purpose.
  • №6, Tells you what kind of rule and the quantity that is attached to the Firewall currently.
  • №7, For updated operation, it is recommended to manage Firewall and Firewall through Azure Firewall Manager.

When we were creating the Azure Firewall Policy, we mention about Secured virtual hubs, this is how it looks like after securing the vHub with Azure Firewall Policy.

Azure Virtual WAN with Secured Virtual Hub

We could see that our vHub is integrated with Azure Firewall and Secured by this particular Azure Firewall Policy. If you click on Hub name, it will take you to Azure Firewall Manager.

Azure Firewall Manager is a centralized location where you can operate and manage all your Vnets, vHubs and Azure Firewall Policies. From landing page, let’s check out our secured vHub.

Azure Virtual WAN with Secured Virtual Hub

From Overview page, there are some basic information can be viewed.

Azure Virtual WAN with Secured Virtual Hub

In the Security providers section, this is the place where we configure which Azure Firewall Policy to be attached to this vHub.

Azure Virtual WAN with Secured Virtual Hub

And as we went through before, Azure Firewall supports max of 250 IPs and this is where you can setup for more IPs.

Azure Virtual WAN with Secured Virtual Hub

In this article I omitted quite a lot of setups such as building Vnet with VM, create Route Table, configure route pointing to Azure Firewall, apply the Route Table to VM subnet etc.

Detailed walk through has been done on post Azure Firewall with Custom DNS and DNS Proxy.

OR you can refer Tutorial: Secure your virtual hub using Azure Firewall Manager for more information.

That’s it for this post, hope you all enjoy it ; )

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.