Firewall Lecture Notes and Demo


Lecture Notes according to the Firewall design and configuration

Customer RFC:

A company called Kiwi Co. wants you (the cloud expert!!) to design the network and do the
implementation under the following conditions:

1- The server Srv-Work will run the Windows 2016 Datacenter OS and will have absolutely NO
public Internet access.
2- The connection to Srv-Work will be made over a Bastion system.
3- The Virtual Network to be established will have only 3 subnets (1- Firewall, 2- Srv-Work, 3-
Bastion, 4- AzureFirewallManagementSubnet).
4- The IP range of the Srv-Work subnet will have to have at least 114 IP addresses available.
5- The subnet of Srv-Work will be named Workload-SN.
6- The firewall will have to have only 1 task, which is to allow access to www.bing.com.

Dr. Avsar ASAN - COP4451 Cloud and Its Applications


From customer RFC we can draw the following topology:



Procedure steps as follows:

(Assumption is that you have a valid Subscription)

STEP 1 - Create a resource group (20112024)


STEP 2 - Create a Virtual Network
a. 114 IP addresses must be available for the server's virtual subnet.
Plus, we have to take the other subnets into account:
AzureFirewallSubnet - gets 64 IP addresses by default
AzureBastionSubnet - gets 64 IP addresses by default
AzureFirewallManagementSubnet - gets 64 IP addresses by default

So in total we need at least 306 IP addresses in the network.

Let us go through the calculations to find the correct subnet mask (CIDR prefix):


10.10.0.0/20 - how many available IP addresses are there in this network?

Subnet mask = /20 = 11111111.11111111.11110000.00000000

Zeros = host bits -> here we have 12
Ones = network bits
To calculate the host count we do the following:
2^12 - 2 = 4094 IP addresses; this is for a normal network
2^12 - 2 - 3: this is for Azure (Azure reserves an extra 3 IP addresses) !!!!!
This is still too big!

Let's try another subnet mask for the network.


How about /23?
11111111.11111111.11111110.00000000
10.10.0.0/23 -> 2^9-2 = 512-2 = 510

So in the end the subnets look like this:

Subnet name                    IP range                           IP address count

Server subnet                  10.10.0.0/25 - 10.10.0.127/25      128 IP addresses
AzureFirewallSubnet            10.10.0.128/26 - 10.10.0.191/26    64 IP addresses
AzureBastionSubnet             10.10.0.192/26 - 10.10.0.255/26    64 IP addresses
AzureFirewallManagementSubnet  10.10.1.0/26 - 10.10.1.63/26       64 IP addresses

Remarks:

• The server subnet needed at least 114 IP addresses and we supply 128. This is OK.
• Each new subnet starts at the IP address +1 from where the previous subnet ends, regardless of subnet mask.



How many IP addresses are available in the network?

510 total
– 128 server subnet
– 64 firewall subnet
– 64 bastion subnet
– 64 firewallmanagement subnet
----------------------------------------------------------------------
190 IP addresses remain unallocated (not assigned to any subnet).
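The subnet arithmetic of STEP 2 worked through as an added Python example (not part of the course notes), using the standard library's ipaddress module. The VNet, the prefixes and the subnet names are taken from the table above; the host-count rule is the one stated above (2^hostbits - 2 on a normal network, 3 more reserved on Azure), and the plan layout is a constructed input:

```python
import ipaddress

# Constructed plan from the notes: the /23 VNet, Workload-SN as a /25 (>= 114 hosts)
# and the three Azure service subnets as a /26 (64 addresses) each.
VNET = "10.10.0.0/23"
PLAN = [
    ("Workload-SN", 25),
    ("AzureFirewallSubnet", 26),
    ("AzureBastionSubnet", 26),
    ("AzureFirewallManagementSubnet", 26),
]

def usable_hosts(cidr, azure=True):
    """2^hostbits - 2 on a normal network; Azure reserves 3 more (5 in total:
    network address, default gateway, two for Azure DNS, broadcast)."""
    net = ipaddress.ip_network(cidr, strict=False)
    host_bits = net.max_prefixlen - net.prefixlen
    return 2 ** host_bits - (5 if azure else 2)

def smallest_prefix_for(required, azure=True):
    """Longest prefix (smallest subnet) that still leaves `required` usable addresses."""
    for prefix in range(32, -1, -1):
        if usable_hosts(f"0.0.0.0/{prefix}", azure) >= required:
            return prefix
    raise ValueError(f"{required} hosts do not fit in an IPv4 network")

def carve(vnet_cidr, plan):
    """Lay subnets out back to back, each starting +1 after the previous one ends.
    Returns (name, first address, last address, size) rows like the table above."""
    vnet = ipaddress.ip_network(vnet_cidr)
    cursor = vnet.network_address
    rows = []
    for name, prefix in plan:
        subnet = ipaddress.ip_network(f"{cursor}/{prefix}", strict=False)
        # A subnet must start on a boundary of its own size and stay inside the VNet.
        if subnet.network_address != cursor or not subnet.subnet_of(vnet):
            raise ValueError(f"{name}: {cursor}/{prefix} is misaligned or outside {vnet_cidr}")
        rows.append((name, str(subnet.network_address), str(subnet.broadcast_address),
                     subnet.num_addresses))
        cursor = subnet.broadcast_address + 1
    return rows

def unallocated(vnet_cidr, plan):
    """Addresses of the VNet's normal usable count that belong to no subnet."""
    used = sum(row[3] for row in carve(vnet_cidr, plan))
    return usable_hosts(vnet_cidr, azure=False) - used

if __name__ == "__main__":
    print("Workload-SN needs a /%d" % smallest_prefix_for(114))
    for row in carve(VNET, PLAN):
        print("%-30s %-12s - %-12s %d addresses" % row)
    print("unallocated:", unallocated(VNET, PLAN))
```

The misalignment check matters in practice: carving a /25 right after a single /26 is rejected, which is the mistake the "+1 from where the previous subnet ends" remark guards against.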

STEP 3 - Create a Windows 2016 Datacenter server without a public IP


STEP 4 - Set up Bastion
The question is: how the heck am I supposed to connect to the server? = We have to use
a bastion node. Bastion allows a web-based RDP connection to your internal resources.

BASTION NODE = (a.k.a. hop node) is used to reach the resources from within the
specific Azure network, without the resources needing any public IP address.

For Bastion to reach the relevant Datacenter server, the RDP port has to be enabled: 3389.

Creating Bastion Service:


1 - Start the Bastion Service
It is PaaS - so when we start the service, it will create some background servers to
run the service and the service will manage itself.
Minimum node count? 2 = that means it is already RESILIENT by default!!!!
That means if one of the bastion nodes dies, 1 - you will still be connecting from the
healthy one, 2 - Microsoft will create another node in place of the dying one!

Define the network.


If the naming convention is correct, the Bastion service will choose its subnet
automatically.

STEP 5 - Set Up Firewall

Subscription                 Visual Studio Enterprise Subscription
Resource group               20112024
Region                       West US 2
Azure Firewall SKU           Standard
Virtual network              Firewalldemo
Firewall management          Use Firewall rules (classic) to manage this firewall
Address space                10.10.0.0/23
Firewall public IP address   FW-publicIP (created a new one)
Availability zone            None



STEP 6 - Create a default route via ROUTE TABLE
a- Create ROUTE TABLE template on Azure
b- Associate it with server subnet
c- Add default route

It is not enough to create the route table; you must ASSOCIATE it with some network
and subnets. After association with a subnet, we will add a route to it (that means WHERE I
want all the traffic to be going). At this step it is crucial to tell the Microsoft network that all the
traffic has to pass through the firewall. And the default route does that!

Route name: anything you want


Destination type: IP Addresses
Destination IP addresses: 0.0.0.0/0
Next hop type: Virtual Appliance
Next hop address: FW Private Address

0.0.0.0/0 means ALL THE TRAFFIC in network language

Default route GUARANTEEs all the traffic outgoing from the server will go through ONLY the
firewall.



STEP 7 - Firewall Configuration

Priority on FIREWALL RULES IS VERY IMPORTANT


Because whenever a packet wants to pass through, the firewall looks at EACH rule one by
one (that means rules are executed according to their priority). The rule with the smaller
priority number will be applied BEFORE the one with a bigger priority number.

a) Application Rule on Firewall (to allow www.bing.com traffic)


An application rule is specifically meant to control how the Firewall behaves toward
applications or processes when they connect to the Internet or to another network. In our
demo we would like to only allow bing.com, and for that reason we need to use the FQDN (domain)
name as the selector.
Why? Because there are hundreds of servers working for bing.com, and using the FQDN
name includes all of those servers in one go.

Navigate to Firewall > add application rule > rules (classic) > Application rule collection > Target FQDNs

Name
Priority 101
Action: ALLOW

Target FQDNs
Name
Source type – IP address
Source – either * or private IP address of the server
Protocol:Port – http,https
Target FQDNs – www.bing.com

b) Add Network Rule for DNS access


Navigate to Firewall > rules (classic) > Network rule collection > IP addresses

Name
Priority 102
Action: ALLOW

IP Addresses
Name
Protocol – UDP
Source type – IP address
Source - either * or private IP address of the server
Destination type - IP address
Destination Addresses - 209.244.0.3,209.244.0.4
Destination Ports - 53

The IP addresses 209.244.0.3 and 209.244.0.4 belong to random DNS servers inside the Microsoft
network, NOT on the Internet!!



c) Adding a DNAT Rule (so that traffic can reach the server without a public IP address)

A DNAT rule is required when the server is on an internal network (a network that does not
normally connect to the Internet) and must be accessed through another public IP address.

Source - * (means ALL THE IP ADDRESSES)


Destination address - firewall public IP
Destination port - 2289 (companion RDP port)
Translation address - the private IP of the server
Translated port - 3389 (real RDP)

STEP 8 - Adding preferred DNS servers

We must let the server know which DNS server it should go to in order to resolve the domain
name bing.com into an IP address.

Navigate to resource group > network interface of Server > DNS servers > custom
Add Microsoft DNS server IPs

RESTART THE SERVER AFTER THIS PROCESS!!!!!!

CONCLUSIONS!!
In the firewall there is a term we call EXPLICIT DENY.
That means deny everything. And it is the last row in the rule list.
= that means the things you DO NOT ALLOW will ALL BE DENIED!!!
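An added simulation (not the course material and not an Azure API) of how the STEP 7 rules and the explicit deny are walked for a packet. The server's private IP, the firewall's public IP and the rule names are constructed placeholders; the rule contents are those of the three collections above. It also encodes how Azure Firewall classic rules are processed (DNAT collections first, then network, then application, with priority ordering the rules within each type), which the priority paragraph above states only in general:

```python
from dataclasses import dataclass

SERVER_IP = "10.10.0.4"         # constructed: the server's private IP in Workload-SN
FW_PUBLIC_IP = "203.0.113.10"   # constructed placeholder for FW-publicIP

@dataclass
class Packet:
    src: str
    dst: str    # destination IP, or the FQDN when the client connects by name
    proto: str  # "TCP" or "UDP"
    port: int

@dataclass
class Rule:
    name: str
    priority: int   # a smaller number is applied before a bigger one
    kind: str       # "dnat", "network" or "application"
    match: dict
    action: str = "Allow"

# Classic rules are processed DNAT first, then network, then application; the
# priority number orders the rules within each type.
KIND_ORDER = {"dnat": 0, "network": 1, "application": 2}

RULES = [
    Rule("Allow-Bing", 101, "application",
         {"sources": ["*"], "ports": {"TCP": [80, 443]}, "targets": ["www.bing.com"]}),
    Rule("Allow-DNS", 102, "network",
         {"sources": ["*"], "ports": {"UDP": [53]}, "targets": ["209.244.0.3", "209.244.0.4"]}),
    Rule("RDP-via-FW", 100, "dnat",
         {"sources": ["*"], "ports": {"TCP": [2289]}, "targets": [FW_PUBLIC_IP],
          "translate_to": (SERVER_IP, 3389)}),
]

def _matches(rule, pkt):
    m = rule.match
    if "*" not in m["sources"] and pkt.src not in m["sources"]:
        return False
    if pkt.port not in m["ports"].get(pkt.proto, []):
        return False
    return pkt.dst in m["targets"]

def evaluate(pkt, rules=RULES):
    """First matching rule wins; no match falls through to the explicit deny at the end.
    Returns (verdict, rule name, packet after any DNAT translation)."""
    for rule in sorted(rules, key=lambda r: (KIND_ORDER[r.kind], r.priority)):
        if _matches(rule, pkt):
            if rule.kind == "dnat":
                ip, port = rule.match["translate_to"]
                return ("DNAT", rule.name, Packet(pkt.src, ip, pkt.proto, port))
            return (rule.action.upper(), rule.name, pkt)
    return ("DENY", "explicit-deny", pkt)
```

Passing a Deny rule for www.bing.com with a smaller priority number than 101 in the rules list makes it win over Allow-Bing, which is the point of the priority paragraph above.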

Logic flow of FW configuration is as follows:

