Azure Virtual WAN with Secured Virtual Hub
Recently one of my on going projects requires centralized routing, multi location connectivity, custom DNS settings and with security. The best solution is Azure Virtual WAN integrated with Azure Firewall. In my previous article, I have already talked about Azure Firewall with Custom DNS and DNS Proxy, so in this article, I will be talking securing Azure Virtual WAN with Azure Firewall.
Azure Virtual WAN is a networking service that brings many networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity such as SD-WAN or VPN CPE, Site-to-site VPN, remote user VPN, ExpressRoute, intra-cloud connectivity, VPN ExpressRoute inter-connectivity, routing, Azure Firewall, and encryption for private connectivity.
Personally I think Azure Virtual WAN is a very big topic and involves many functionalities. To quickly understand it briefly, I would strongly recommend viewing this video, a shorter version, published by Microsoft on Youtube.
A longer and much more details version here!
In addition, you can refer Azure Firewall features here!
Without further ado, let’s get started!
This is how the structure looks like for this demo but with only one Vnet. I will only blog the important or key configuration parts, the rest will be omitted. An any-to-any connectivity vWAN will be built.
- Create vWAN with vHub
- Create Vnet with VM running (omitted)
- Connect Vnet to vWAN
- Create and configure Firewall policy
- Attach Firewall policy to vHub
- Verify result
Create vWAN with vHub
Let’s start from creating vWAN, it is pretty simple and straight forward.
Once done, this is how it looks. Click Hubs to create your first vHub. vHub is the actual resources that connects transits all your connections.
Click New Hub.
This is how the creating page looks like.
№1 is the place to setup vHub. №2 to №4 are sections where you can build related services. I will only build vHub in this article, the rest will be omitted.
For Hub private address space, cause Azure Virtual WAN is a managed service, it creates the appropriate subnets in the virtual hub for the different gateways/services (for example, VPN gateways, ExpressRoute gateways, User VPN point-to-site gateways, Firewall, routing, and etc.), therefore we need to assign a space to it with minimum /24 CIDR requirement.
It takes about 30 minutes to create the vHub so go get yourself an ice cream ; )
Once done, you can see it in Overview from vWan.
Click into the vHub, in my cause, ystatit-demo, more details can be revealed.
You can see if any Vnets are integrated with this vHub as well as all if any features are enabled on this vHub.
Connect Vnet to vWAN
Click Vnet connection to configure pre-configued Vnet integrates into vHub.
The options themselves are pretty explainable. The most import part is the Routing configuration. The key concepts are:
- Associate Route Table
- Propagate to Route Tables
- Propagate to labels
Route table decides how your traffics flow. So you attach your Vnet to that particular route table that you want your traffic to follow.
On the other hand, you propagate your current Vnet route to particular route table so that every Vnet that’s associated to that route table, is able to communicate to your current Vnet
Labels are the same concept only that they are logical grouping of route tables.
Once created, it looks as below.
If you return to the Overview page of vHub, you would see that there is One vNet connection right now.
Create and configure Firewall policy
To convert vHub to a secured vHub, we need to have Firewall Policy first.
- №2, Configure the basics at this section.
- I will not be using №3, №4, №6 and №7 in this post
- I will setup №5 later on
- №8, please refer here for the differences between Standard and Premium
For detailed walk through for №3 and №5, please refer Azure Firewall with Custom DNS and DNS Proxy
Once the policy is done, it looks like below. Settings section is where we can configure all options we had during the setup of Firewall Policy.
Secured virtual hubs is the place where we can review if any vHub is associated with this policy and that’s what we are going to do next. Let’s check back again once done.
Attach Firewall policy to vHub
Back to vHub, let’s start converting the vHub from №1. At №2, choose which vHub to be converted.
At section №4, choose the Firewall Policy just created.
- №1, Azure Firewall is needed by Azure Policy.
- №2, Azure Firewall tier must match the tier of Azure Policy just created so the policy would show.
- No3, You can request max of 250 public ip address for Azure Firewall.
- Choose the Firewall Policy just created at №4.
I will pass section №5 and start the converstion. One done, you can see that vHub is now enabled with Azure.
And basically that it! You have now converted your vHub into a secured vHub! Or put it this way, you have integrated Azure Firewall with Azure virtual hub!
Now, let’s go to various places to verify the result. There are
- Azure Firewall
- Azure Firewall Policy
- Azure Firewall Manager
In Azure Firewall, you would see a newly created Firewall for your vHub. There are a lot of information can be viewed in the Overview section.
- №3, Firewall and Firewall policy works together, so you can see which policy is attached to this Firewall.
- №4, It tells you which vHub is this Firewall protecting or integrated with.
- №5, Where you can obtain the Public and Private IP of your Firewall where you can use for DNAT and routing purpose.
- №6, Tells you what kind of rule and the quantity that is attached to the Firewall currently.
- №7, For updated operation, it is recommended to manage Firewall and Firewall through Azure Firewall Manager.
Azure Firewall Policy
When we were creating the Azure Firewall Policy, we mention about Secured virtual hubs, this is how it looks like after securing the vHub with Azure Firewall Policy.
We could see that our vHub is integrated with Azure Firewall and Secured by this particular Azure Firewall Policy. If you click on Hub name, it will take you to Azure Firewall Manager.
Azure Firewall Manager
Azure Firewall Manager is a centralized location where you can operate and manage all your Vnets, vHubs and Azure Firewall Policies. From landing page, let’s check out our secured vHub.
From Overview page, there are some basic information can be viewed.
In the Security providers section, this is the place where we configure which Azure Firewall Policy to be attached to this vHub.
And as we went through before, Azure Firewall supports max of 250 IPs and this is where you can setup for more IPs.
In this article I omitted quite a lot of setups such as building Vnet with VM, create Route Table, configure route pointing to Azure Firewall, apply the Route Table to VM subnet etc.
Detailed walk through has been done on post Azure Firewall with Custom DNS and DNS Proxy.
OR you can refer Tutorial: Secure your virtual hub using Azure Firewall Manager for more information.
That’s it for this post, hope you all enjoy it ; )