Exercise 03: Create and Configure Azure Firewall

Scenario
In this exercise, I needed to implement centralized network security for an application hosted in Azure. The application required a firewall for application-level filtering and advanced threat protection. Given the need for continuous updates from Azure DevOps pipelines, I also needed to ensure that the firewall allowed seamless access to Azure DevOps while providing DNS resolution for other critical services.
The task required:
- Setting up Azure Firewall for enhanced security in the app-vnet.
- Configuring a firewall policy to manage application access.
- Setting up application rules to allow access to Azure DevOps.
- Creating network rules to enable DNS resolution.
Skilling Tasks
- ✅ Create an Azure Firewall.
- ✅ Create and configure a firewall policy.
- ✅ Create an application rule collection.
- ✅ Create a network rule collection.
Exercise Instructions
Step 1: Create the Azure Firewall Subnet
To begin, I had to create a dedicated subnet within my virtual network for Azure Firewall. Here’s what I did:
1️⃣ Navigate to Virtual Networks:
- I searched for Virtual Networks in the Azure portal and selected app-vnet.
2️⃣ Add a New Subnet:
- I selected Subnets and clicked + Subnet.
- I entered the following information for the new subnet:
Property | Value |
---|---|
Name | AzureFirewallSubnet |
Address range | 10.1.63.0/26 |
- I saved the changes to create the AzureFirewallSubnet.
Step 2: Create an Azure Firewall
Next, I created the Azure Firewall using the following steps:
1️⃣ Navigate to Firewall:
- In the Azure portal, I searched for Firewall and selected + Create.
2️⃣ Configure Firewall Settings:
- I filled in the configuration settings as follows:
Property | Value |
---|---|
Resource group | RG1 |
Name | app-vnet-firewall |
Firewall SKU | Standard |
Firewall management | Use a Firewall Policy |
Firewall policy | Add new (fw-policy) |
Region | East US |
Policy Tier | Standard |
Virtual network | app-vnet (RG1) |
Public IP address | Add new (fwpip) |
3️⃣ Troubleshooting:
- When attempting to use the virtual network app-vnet, I encountered the error: "Force Tunneling requires this virtual network have a subnet named AzureFirewallManagementSubnet."
- After realizing the issue, I added the required AzureFirewallManagementSubnet to the app-vnet with the address range 10.1.64.0/26.
4️⃣ Deploy the Firewall:
- After resolving the subnet issue, I clicked Review + Create and Create to deploy the firewall.
- The deployment took a few minutes to complete.
Step 3: Update the Firewall Policy
Once the firewall was created, I moved on to configure the firewall policy to manage application-level access and network-level rules.
1️⃣ Create the Firewall Policy:
- I navigated to Firewall Policies in the Azure portal and selected fw-policy.
2️⃣ Add Application Rule:
- I clicked Application Rules and added a new rule collection for AllowAzurePipelines:
Property | Value |
---|---|
Rule collection name | app-vnet-fw-rule-collection |
Rule collection type | Application |
Priority | 200 |
Rule collection action | Allow |
Rule collection group | DefaultApplicationRuleCollectionGroup |
Rule name | AllowAzurePipelines |
Source type | IP address |
Source | 10.1.0.0/23 |
Protocol | https |
Destination type | FQDN |
Destination | dev.azure.com, azure.microsoft.com |
- This rule allowed the web application to access Azure DevOps for continuous integration and updates.
3️⃣ Add Network Rule:
- I then added a network rule to allow DNS resolution:
Property | Value |
---|---|
Rule collection name | app-vnet-fw-nrc-dns |
Rule collection type | Network |
Priority | 200 |
Rule collection action | Allow |
Rule collection group | DefaultNetworkRuleCollectionGroup |
Rule name | AllowDns |
Source | 10.1.0.0/23 |
Protocol | UDP |
Destination ports | 53 |
Destination addresses | 1.1.1.1, 1.0.0.1 |
Step 4: Troubleshooting Firewall Rule Addition
While attempting to add the network rule, I encountered an error message:
"Failed to add the rule collection. Rule Collection Group DefaultNetworkRuleCollectionGroup cannot be updated because Parent Firewall Policy fw-policy is in Updating state."
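The same two rule collections from Step 3, applied with Az PowerShell instead of the portal, as an added example that is not part of the exercise: before each rule collection group write it polls the policy's provisioning state, so the second write does not collide with the "Updating" state that produced the Step 4 error. Wait-FirewallPolicyReady is a hypothetical helper, and the group priorities (300 for the application group, 200 for the network group) are assumed since the exercise does not set them.

```powershell
# Added example, not part of the exercise. Assumes the Az.Network module, an
# authenticated session, and the names used in the exercise (RG1, fw-policy).
$rg = 'RG1'
$policyName = 'fw-policy'

# Hypothetical helper: poll until the policy is out of the "Updating" state.
# Writing a rule collection group while another write is still in flight is
# the "Parent Firewall Policy fw-policy is in Updating state" error from Step 4.
function Wait-FirewallPolicyReady {
    param([string]$ResourceGroupName, [string]$Name, [int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $p = Get-AzFirewallPolicy -ResourceGroupName $ResourceGroupName -Name $Name
        if ($p.ProvisioningState -eq 'Succeeded') { return $p }
        if ($p.ProvisioningState -eq 'Failed') { throw "Policy $Name is in Failed state" }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for policy $Name (state: $($p.ProvisioningState))"
}

# Step 3, application rule collection: HTTPS from the app subnets to Azure DevOps.
$policy = Wait-FirewallPolicyReady -ResourceGroupName $rg -Name $policyName
$appRule = New-AzFirewallPolicyApplicationRule -Name 'AllowAzurePipelines' `
    -SourceAddress '10.1.0.0/23' -Protocol 'https:443' `
    -TargetFqdn 'dev.azure.com', 'azure.microsoft.com'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-vnet-fw-rule-collection' `
    -Priority 200 -ActionType Allow -Rule $appRule
# -Force overwrites the group if the portal already created it; group priority 300 is assumed.
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultApplicationRuleCollectionGroup' `
    -Priority 300 -RuleCollection $appColl -FirewallPolicyObject $policy -Force

# Step 3, network rule collection: UDP/53 to the two resolvers. Wait and re-fetch
# the policy first, because the previous write leaves it in Updating for a while.
$policy = Wait-FirewallPolicyReady -ResourceGroupName $rg -Name $policyName
$dnsRule = New-AzFirewallPolicyNetworkRule -Name 'AllowDns' -Protocol 'UDP' `
    -SourceAddress '10.1.0.0/23' -DestinationAddress '1.1.1.1', '1.0.0.1' -DestinationPort '53'
$dnsColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-vnet-fw-nrc-dns' `
    -Priority 200 -ActionType Allow -Rule $dnsRule
# Group priority 200 is assumed.
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultNetworkRuleCollectionGroup' `
    -Priority 200 -RuleCollection $dnsColl -FirewallPolicyObject $policy -Force
```

Each rule collection group write replaces that group's entire contents, so any collections already in the group must be included in the -RuleCollection array.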