This is the first post in a series of articles where I will show you how to manage an Azure Firewall using PowerShell and Azure CLI. In this first post, I want to show you how to deploy an Azure Firewall in an existing virtual network.

Azure Firewall is a cloud-based security service that protects your Azure virtual network resources from incoming and outgoing threats.

During the Firewall deployment process, you will need to create two resources: a dedicated subnet in your virtual network with the following characteristics:

  • The name of the dedicated subnet must be AzureFirewallSubnet.
  • The size of the AzureFirewallSubnet must be /26.

and a public IP that must meet the following characteristics:

  • Azure Firewall supports only static, Standard SKU public IP addresses.

Important: The firewall, VNet, and the public IP address must be in the same resource group.

Prerequisites

  • You already created the necessary Virtual Network and subnet. If you want to know how to create a Virtual Network, check out this link.

Azure PowerShell Workaround

If you want to know how to install the PowerShell Azure module on your machine, check out this link.

The simplest way to get started is to sign in interactively at the command line.

This cmdlet will bring up a dialog box prompting you for your email address and password associated with your Azure account.

If you have more than one subscription associated with your mail account, you can choose the default subscription. To perform this task, we will use the following commands:

Once you set your default subscription, you’re ready to start.

Set the variables

Here, we define the characteristics of our environment and the resource’s properties.

Add a dedicated subnet in the existing VNET

You should create a new subnet in your network configuration, and it must be called “AzureFirewallSubnet”. To do this, use the Add-AzVirtualNetworkSubnetConfig cmdlet with the following syntax.

Request a Public IP address

One of the resources you need to configure your Firewall is a public IP. To create this resource, you should use the New-AzPublicIpAddress cmdlet with the following syntax.

Deploy an Azure Firewall

Once the above steps have been completed successfully, you are ready to deploy your Firewall on your virtual network. To do this, you must use the New-AzFirewall cmdlet with the following syntax.

The -SKU parameter accepts two values: AZFW_VNet, or AZFW_Hub to attach the Azure Firewall to a vhub.
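The subnet, public IP and firewall steps above combined into one script, as an added example that is not the original post's code. The resource names and address range are constructed placeholders, and the script assumes you are already signed in with Connect-AzAccount and that the virtual network exists.

```powershell
# Added example. All names and the address range are constructed placeholders.
$ErrorActionPreference = 'Stop'

$rgName   = 'rg-demo'          # resource group holding the VNet, public IP and firewall
$vnetName = 'vnet-demo'        # existing virtual network
$fwPrefix = '10.0.1.0/26'      # free range inside the VNet address space
$pipName  = 'pip-azfw-demo'
$fwName   = 'azfw-demo'

# Pre-flight: the post requires a /26 for the dedicated subnet.
if ($fwPrefix -notmatch '/26$') {
    throw "AzureFirewallSubnet must be a /26, got '$fwPrefix'."
}

# Read the VNet from the same resource group and reuse its region,
# so the firewall and public IP cannot end up elsewhere.
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
$location = $vnet.Location

# 1. Add the dedicated subnet (skipped when it already exists).
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureFirewallSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' `
        -VirtualNetwork $vnet -AddressPrefix $fwPrefix |
        Set-AzVirtualNetwork | Out-Null
    # Reload so $vnet carries the new subnet's resource ID.
    $vnet = Get-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName
}

# 2. Request a static, Standard SKU public IP.
$pip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name $pipName `
    -Location $location -AllocationMethod Static -Sku Standard

# 3. Deploy the firewall into the VNet (AZFW_VNet, not AZFW_Hub).
$fw = New-AzFirewall -Name $fwName -ResourceGroupName $rgName `
    -Location $location -VirtualNetwork $vnet -PublicIpAddress $pip `
    -SkuName AZFW_VNet

# Summarise what was deployed against the requirements listed in the post.
[pscustomobject]@{
    Firewall          = $fw.Name
    ProvisioningState = $fw.ProvisioningState
    PublicIpSku       = $pip.Sku.Name
    PublicIpAlloc     = $pip.PublicIpAllocationMethod
    SameResourceGroup = ($fw.ResourceGroupName -eq $vnet.ResourceGroupName) -and
                        ($pip.ResourceGroupName -eq $vnet.ResourceGroupName)
}
```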

Check the Azure firewall settings

To get the information of the deployed resource, you can use the Get-AzFirewall cmdlet with the following syntax.

Get-AzFirewall

Delete the Azure Firewall

If you want to remove the firewall resource for some reason, you should use the Remove-AzFirewall cmdlet with the following syntax.

Important: Note that the created subnet and public IP will not be erased when removing the firewall resource.

Azure CLI Workaround

In this case, we will use Azure Cloud Shell, a browser-based shell built into Azure Portal. This allows us to use the Azure command-line tools (Azure CLI and Azure PowerShell) directly from a browser. If you want to know more about Azure Cloud Shell, check out this link.

First, we define the characteristics of our environment and store the values in variables.

Add a dedicated subnet in the existing VNET

You should create a new subnet in your network configuration, and it must be called “AzureFirewallSubnet”. To do this, use the following commands.

Request a Public IP address

To create a public IP address for Azure Firewall, you should use the following command.

Deploy an Azure Firewall

The deployment of this resource using Azure CLI must be done in two steps. First, we perform the deployment of the Azure Firewall without the network configurations.

The Firewall SKU value cannot be updated after creation. The -SKU parameter accepts two values: AZFW_VNet, or AZFW_Hub to attach the Azure Firewall to a vhub.

Set the basic network settings

And once the resource is deployed, we establish the basic network configurations using the following command.

Check the Azure firewall settings

To get the information of the deployed resource, you can use the following command.

Delete the Azure Firewall

If, for some reason, you want to remove the firewall resource, you should use the following command.

Important: Note that the created subnet and public IP will not be erased when removing the firewall resource.

In the following posts, I will explain how to set different configurations and management tasks in Azure Firewall using PowerShell and Azure CLI.

If you want to know more about Azure Firewall, check out this link.