This document is the property of Al Nafi.

Any unauthorized redistribution or reproduction, including in printed form, is strictly

prohibited. This document can only be read electronically.

Lab 3: Azure Networking & Security Basic

Objective
Understand and configure Azure virtual networks, and ensure secure communication between
resources.

td
task:
Create a VNet, configure subnets, set up Network Security Groups (NSGs), and implement

tl
Azure Firewall

Pv
Step 1: Create an Azure Virtual Network (VNet)

1. Login to Azure Portal

ng
- Go to [Azure Portal](https://portal.azure.com) and sign in with your account.

2. Navigate to Virtual Networks

ni
- In the search bar at the top, type "Virtual Network" and click on the **Virtual Networks**
service.
ar
- Click on **Create** to create a new virtual network.
Le

3. Configure Virtual Network Basics:

- **Subscription**: Choose the Azure subscription you want to use.
- **Resource Group**: Select an existing resource group or create a new one (e.g.,
`MyResourceGroup`).
IE

- **Name**: Give your VNet a name (e.g., `MyVNet`).

- **Region**: Choose the appropriate Azure region (e.g., `East US`).
AF

4. Configure Address Space:

- **IPv4 Address Space**: Enter an address range for the VNet (e.g., `10.0.0.0/16`).
N

5. Create Subnets:
- **Subnet Name**: Name your subnet (e.g., `webSubnet` for web tier and `dbSubnet` for
AL

database tier).
- **Subnet Address Range**: Enter address ranges for each subnet, ensuring they fall within
the VNet address space (e.g., `10.0.1.0/24` for `webSubnet` and `10.0.2.0/24` for `dbSubnet`).

6. Review and Create

- Click **Review + Create** and then click **Create** to deploy your VNet.

---
Step 2: Configure Subnets for Different Tiers

To improve security, each application tier can be isolated in its own subnet.

1. Add More Subnets

- If you only created one subnet initially, add another one by going to the **Subnets** tab
within your VNet.
- Click **Add Subnet**, and configure the second subnet (e.g., `dbSubnet`).

td
Step 3: **Set Up Network Security Groups (NSGs)

tl
**NSGs** control inbound and outbound traffic at the subnet or NIC level by creating security
rules.

Pv
1. Create an NSG
- In the search bar, type **Network Security Group** and select the service.
- Click **Create** and fill in the following:

ng
- **Name**: `webNSG` (for the web tier) and `dbNSG` (for the database tier).
- **Resource Group**: Use the same resource group (`MyResourceGroup`).
ni
- **Location**: Select the same region as your VNet.
ar
2. Create NSG Rules
- Once your NSGs are created, navigate to **Inbound Security Rules** in the NSG for
Le

`webNSG`.
- Click Add a rule to allow HTTP (port 80) and SSH (port 22) traffic.
- Destination Port Ranges: `80, 22`
- Priority: 100 (lower numbers have higher priority).
IE

- Source: Any (for public traffic) or specific IP ranges.

- For **dbNSG**, configure rules to allow traffic only from the `webSubnet`:
AF

- Source IP Address Range: `10.0.1.0/24` (web subnet range).

- Destination Port: `1433` for SQL database or other relevant ports.
N

3. **Associate NSGs with Subnets**:

- Go to the **Subnets** section in your NSG.
AL

- Click **Associate**, select the VNet (`MyVNet`), and associate `webNSG` with `webSubnet`,
and `dbNSG` with `dbSubnet`.

Step 4: Implement Azure Firewall

An **Azure Firewall** provides network security by monitoring and controlling inbound and
outbound traffic for Azure VNet.

1. Navigate to the Azure Firewall Service**:

 - In the search bar, type **Firewall** and select **Azure Firewall**.
- Click Createand configure the following:
- Name: `MyFirewall`
- Region**: Select the same region as your VNet.
- Virtual Network: Select `MyVNet` and create a dedicated subnet called
`AzureFirewallSubnet` (e.g., `10.0.3.0/24`).
- Public IP: Create a new public IP address to associate with the firewall.

2. **Create Firewall Rules**:

td
- Once your firewall is deployed, configure **Network Rules** and **Application Rules** to
control traffic.

tl
Network Rules (for controlling layer 3/4 traffic):

Pv
- Allow HTTP and HTTPS traffic to the web tier (`webSubnet`).
- Restrict traffic between the web and database tiers.

Application Rules (for controlling layer 7 traffic):

ng
- Create rules for specific domain filtering, allowing or denying access to certain websites from
your VMs.

3. Route Traffic through Azure Firewall

ni
ar
- To ensure traffic flows through the firewall, create a **route table**:
- In the search bar, type **Route Table** and create a new route table (e.g., `MyRouteTable`).
Le

- Configure a route with the following:

- **Destination**: `0.0.0.0/0` (default route).
- **Next Hop**: `Azure Firewall`.
IE

4. Associate Route Table

- Associate the route table with the subnets where you want traffic to go through the firewall
(e.g., `webSubnet`).
AF

---
N

Step 5: **Validate the Network Configuration**

AL

1. Deploy Virtual Machines in your subnets (you can use the ARM template in the previous
steps or create them manually through the portal).
- Deploy one VM in `webSubnet` and one in `dbSubnet`.
- Use NSGs and firewall rules to ensure that the web VM can access the database VM on the
allowed ports (e.g., SQL on port 1433).

2. Test Connectivity
- SSH into the web VM and try accessing resources within the network and on the internet.
 - Verify that the database VM is only accessible from the web VM by testing connections on
the allowed port (e.g., SQL traffic).

3. Check Firewall Logs

- Azure Firewall provides diagnostic logging. Enable **logging** for the firewall and review the
logs in **Azure Monitor** to check for any rejected traffic or unusual activity.

---

td
Summary
By following these steps, you’ve set up a **VNet** with **subnets** and **Network Security

tl
Groups** for tiered security and deployed an **Azure Firewall** for advanced traffic filtering. This
configuration ensures secure communication between your resources while controlling inbound

Pv
and outbound traffic as part of a secure Azure infrastructure.

ng
ni
ar
Le
IE
AF
N
AL