Azure Firewall is a cloud-based network security service that helps protect your Azure Virtual Network resources. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. With Azure Firewall, you can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks.

To get started with Azure Firewall, follow the steps below:

Step 1: Create an Azure Firewall

To create an Azure Firewall, you can use either the Azure portal or the Azure CLI. Let's see how to create an Azure Firewall using the Azure CLI. The az network firewall commands are provided by the azure-firewall CLI extension, which the CLI offers to install the first time you run one of them.

1. Open the Azure CLI and sign in to your Azure account.

2. Create a resource group for your Azure Firewall using the following command:

az group create --name <resource-group-name> --location <location>

Replace <resource-group-name> with the name of the resource group you want to create and <location> with the location where you want to deploy the resource group.

3. Create an Azure Firewall using the following command (the SKU option is --sku and the hub option is --vhub):

az network firewall create --name <firewall-name> --resource-group <resource-group-name> --location <location> --sku AZFW_Hub --vhub <virtual-hub-name>

Replace <firewall-name> with the name of your Azure Firewall, <resource-group-name> with the name of the resource group you created in step 2, <location> with the location where you want to deploy the Azure Firewall, and <virtual-hub-name> with the name of the virtual hub you want to associate with the Azure Firewall.

Step 2: Configure Azure Firewall rules

After creating an Azure Firewall, you need to configure rules to allow traffic to and from your virtual network. Azure Firewall rules are divided into two types: network rules and application rules.

Network rules allow or deny traffic based on the source and destination IP addresses, ports, and protocols. Application rules allow or deny traffic based on the fully qualified domain name (FQDN) of the destination.

To configure Azure Firewall rules, follow the steps below:

1. Create a network rule to allow traffic from your virtual network to the internet using the following command. Because the collection NetworkRuleCollection does not exist yet, this command also creates it, so --priority and --action are required:

az network firewall network-rule create --name AllowInternetOutBound --protocols TCP --source-addresses '*' --destination-addresses 'Internet' --destination-ports '*' --resource-group <resource-group-name> --firewall-name <firewall-name> --collection-name 'NetworkRuleCollection' --priority 100 --action Allow

Replace <resource-group-name> with the name of your resource group and <firewall-name> with the name of your Azure Firewall.

2. Create an application rule to allow traffic from your virtual network to a specific FQDN using the following command. As with the network rule, --priority and --action are required because the collection ApplicationRuleCollection is created by this command:

az network firewall application-rule create --name AllowFQDN --protocols Http=80 Https=443 --source-addresses '*' --target-fqdns <target-fqdn> --resource-group <resource-group-name> --firewall-name <firewall-name> --collection-name 'ApplicationRuleCollection' --priority 100 --action Allow

Replace <target-fqdn> with the FQDN you want to allow (for example, a package repository your virtual machines need to reach), <resource-group-name> with the name of your resource group, and <firewall-name> with the name of your Azure Firewall.

Step 3: Configure network and application rule collections

After creating Azure Firewall rules, check the network and application rule collections that hold them. In the Azure CLI a rule collection is created together with its first rule, so the commands in Step 2 have already created NetworkRuleCollection and ApplicationRuleCollection on the Azure Firewall.

To check the network and application rule collections, follow the steps below:

1. Confirm the network rule collection exists using the following command:

az network firewall network-rule collection show --collection-name 'NetworkRuleCollection' --resource-group <resource-group-name> --firewall-name <firewall-name>

Replace <resource-group-name> with the name of your resource group and <firewall-name> with the name of your Azure Firewall.

2. Confirm the network rule created in Step 2 is in the network rule collection using the following command:

az network firewall network-rule show --name AllowInternetOutBound --collection-name 'NetworkRuleCollection' --firewall-name <firewall-name> --resource-group <resource-group-name>

Replace <resource-group-name> with the name of your resource group and <firewall-name> with the name of your Azure Firewall.

3. Confirm the application rule collection exists using the following command:

az network firewall application-rule collection show --collection-name 'ApplicationRuleCollection' --resource-group <resource-group-name> --firewall-name <firewall-name>

Replace <resource-group-name> with the name of your resource group and <firewall-name> with the name of your Azure Firewall.

4. Confirm the application rule created in Step 2 is in the application rule collection using the following command:

az network firewall application-rule show --name AllowFQDN --collection-name 'ApplicationRuleCollection' --firewall-name <firewall-name> --resource-group <resource-group-name>

Replace <resource-group-name> with the name of your resource group and <firewall-name> with the name of your Azure Firewall.
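The rules created in Step 2 use wildcard sources, and the network rule also allows every destination port, so it is worth auditing what actually ended up in the collections checked in Step 3. The script below is an added example, not part of the original tutorial or of the Azure CLI: it reads the JSON that az network firewall network-rule collection list prints and flags Allow rules that are broader than the 10.0.0.0/16 virtual network from Step 4. The sample input is constructed, and the field names are assumed to follow the Azure Firewall network rule collection schema.

```python
import json
import sys
from ipaddress import ip_network

# Constructed sample in the shape `az network firewall network-rule collection list -o json`
# returns (assumed field names follow the Azure Firewall network rule collection schema).
SAMPLE_COLLECTIONS = json.loads("""[
  {"name": "NetworkRuleCollection", "priority": 100, "action": {"type": "Allow"},
   "rules": [
     {"name": "AllowInternetOutBound", "protocols": ["TCP"], "sourceAddresses": ["*"],
      "destinationAddresses": ["Internet"], "destinationPorts": ["*"]},
     {"name": "AllowDnsOutBound", "protocols": ["UDP"], "sourceAddresses": ["10.0.0.0/24"],
      "destinationAddresses": ["168.63.129.16"], "destinationPorts": ["53"]}
   ]}
]""")


def permissive_network_rules(collections, vnet_prefix="10.0.0.0/16"):
    """Return [(collection, rule, reasons)] for Allow rules wider than the VNet scope."""
    vnet = ip_network(vnet_prefix)
    findings = []
    for coll in collections:
        if coll.get("action", {}).get("type") != "Allow":
            continue  # Deny rules do not widen exposure
        for rule in coll.get("rules", []):
            reasons = []
            for src in rule.get("sourceAddresses", []):
                if src == "*":
                    reasons.append("source is any address")
                    continue
                try:
                    if not ip_network(src, strict=False).subnet_of(vnet):
                        reasons.append(f"source {src} is outside {vnet_prefix}")
                except (ValueError, TypeError):  # not an address range we can compare
                    reasons.append(f"source {src} is not an address range")
            if "*" in rule.get("destinationPorts", []):
                reasons.append("all destination ports")
            if "*" in rule.get("destinationAddresses", []):
                reasons.append("any destination address")
            if reasons:
                findings.append((coll["name"], rule["name"], reasons))
    return findings


if __name__ == "__main__":
    # Usage: az network firewall network-rule collection list ... -o json | python3 audit_rules.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_COLLECTIONS
    for coll_name, rule_name, reasons in permissive_network_rules(data):
        print(f"{coll_name}/{rule_name}: {'; '.join(reasons)}")
```

Run without piped input it audits the constructed sample, which reports the AllowInternetOutBound rule from Step 2 and leaves the narrower DNS rule alone.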

Step 4: Associate Azure Firewall with a virtual network

After configuring Azure Firewall rules and collections, you need to associate Azure Firewall with a virtual network.

To associate Azure Firewall with a virtual network, follow the steps below:

1. Create a virtual network using the following command:

az network vnet create --name <virtual-network-name> --resource-group <resource-group-name> --location <location> --address-prefixes 10.0.0.0/16

Replace <virtual-network-name> with the name of your virtual network, <resource-group-name> with the name of your resource group, and <location> with the location where you want to deploy the virtual network.

2. Create a subnet in the virtual network using the following command:

az network vnet subnet create --name <subnet-name> --resource-group <resource-group-name> --vnet-name <virtual-network-name> --address-prefix 10.0.0.0/24

Replace <subnet-name> with the name of your subnet, <resource-group-name> with the name of your resource group, and <virtual-network-name> with the name of your virtual network.

3. Associate Azure Firewall with the virtual network using the following command:

az network firewall network-rule create --name AllowAzureFirewallInBound --protocols TCP --source-addresses <virtual-network-address-space> --destination-addresses <firewall-private-ip-address> --destination-ports '*' --resource-group <resource-group-name> --firewall-name <firewall-name> --collection-name 'NetworkRuleCollection'

Replace <virtual-network-address-space> with the address space of your virtual network, <firewall-private-ip-address> with the private IP address of your Azure Firewall, <resource-group-name> with the name of your resource group, and <firewall-name> with the name of your Azure Firewall.

Congratulations! You have now successfully created an Azure Firewall and configured rules and collections to protect your virtual network.

In conclusion, Azure Firewall is a powerful cloud-based network security service that can help you protect your Azure Virtual Network resources. By following the steps outlined in this tutorial, you can easily create an Azure Firewall, configure rules and collections, and associate it with your virtual network using the Azure CLI.