Janne Mattila

From programmer to programmer -- Programming just for the fun of it

Learn Azure Firewall with isolated demo environment

Posted on: October 2, 2023

Implementing network changes into running environments is hard. It’s like changing a tire on a moving car. There is always a risk that things go horribly wrong, and it causes downtime to the environment. Therefore, customers don’t want to “test” these changes just for fun. Also introducing new network components requires careful planning and testing.

When Azure Firewall was introduced a few years ago, many customers were interested in its capabilities. It’s quite different to talk about these capabilities vs. showing them in action. Enabling customers to try it out by themselves is even better. Doing this in a safe manner and isolation from their existing infrastructure is a must.

Above topics got me and my colleague Tomi Pietilä thinking about demo setup that can be spin up fast and so that you can use it to test various features. And not only test features but also test handling the various firewall rules so that it would be easy to maintain in the long run.

Here’s the architecture of the demo we’ve built:

/assets/posts/2023/10/02/learn-azure-firewall-with-isolated-demo-environment/azure-firewall-demo.png

To test the connectivity and firewall rules, we’re using the webapp-network-tester tool that I’ve blogged earlier. Read more about it here.

Azure Firewall Demo is built using Bicep and it deploys Hub-spoke network topology with 3 spokes. Each of the spokes have webapp-network-tester tool running in Azure Container Instances. This setup enables us to test routing and firewall changes in this isolated environment without any impact on your other networks. This is a good environment to learn Azure networking fundamentals. You’re free to break things in this setup!

Here is an illustration of how you can test firewall rules by connecting to the jumpbox using Azure Bastion and then executing tests using webapp-network-tester tool:

/assets/posts/2023/10/02/learn-azure-firewall-with-isolated-demo-environment/test-flow.png

Here is the Azure Firewall demo repo:

JanneMattila/azure-firewall-demo

Repository contains more detailed information on how to get started, what’s the architecture in more detail and some tasks for you to implement for learning purposes.

Here are the step-by-step instructions on how you can test it too

You can navigate between the images below by clicking the left or right side of the image or use arrow keys for navigation.

Click in the middle to enlarge the image.

Azure Firewall Demo deployment instructions

Remember to use my VS Code tricks to speed up your testing.

After running those basic connectivity tests as shown in the screenshots, you should see the following logs at the AZFWApplicationRule table:

/assets/posts/2023/10/02/learn-azure-firewall-with-isolated-demo-environment/firewall-logs.png

Now you’re good to go and start testing various firewall rules and routing configurations. Remember to delete the resource group when you’re done with your testing.

I hope you find this useful!