adaptive.run TECH BLOG

Streamline Your Azure Firewall Deployment with Bicep: A Step-by-Step Guide

Level: 300
Publishing date: 24-Jan-2023
Author: Catalin Popa

As organizations move more of their operations to the cloud, security becomes a critical concern. Azure Firewall is a cloud-based network security solution that provides centralized protection for your Azure virtual network resources. In this blog post, we'll show you how to deploy Azure Firewall rulesets that require authentication by Azure Active Directory using Bicep, a declarative language for deploying Azure resources.

By using Bicep, you can streamline the deployment process, eliminate manual errors, and make it easier to manage and collaborate on your Azure Firewall configurations. In this step-by-step guide, we'll cover everything from writing the Bicep template to deploying it through the Azure CLI or Azure Portal.

Scenario: As an Azure cloud architect, you're tasked with securing your organization's Azure environment, and you will use Azure Firewall to enforce network security rules. To simplify the deployment process and make it easier to manage, you decide to use the Bicep language to create a deployment template.

Problems that Could Occur:

  1. Complexity of Azure Firewall rule deployment: The traditional approach of deploying Azure Firewall rules through the Azure portal or Azure CLI can be time-consuming and prone to errors.
  2. Lack of Version Control: With manual deployments, there is no way to keep track of changes or revert to previous configurations.
  3. Difficulty in Collaboration: Sharing and collaborating on deployment configurations can be challenging, especially with a large team of cloud architects.

Bicep Template

Here's an example of a Bicep template that deploys an Azure Firewall with a ruleset that requires all traffic to be authenticated by Azure Active Directory:

// Note: Bicep declares resources as 'Type@apiVersion', e.g.
// 'Microsoft.Network/azureFirewalls@2022-07-01'; the type strings below carry no API version.

// Create the firewall resource
resource firewall 'Microsoft.Network/firewalls' = {
  name: 'myFirewall'
  location: resourceGroup().location
  properties: {
    // Resource ID of the firewall policy attached to this firewall
    firewallPolicy: {
      id: ''
    }
    // 'Alert' only logs traffic matching threat intelligence; 'Deny' also blocks it
    threatIntelMode: 'Alert'
    // Resource ID of the virtual hub the firewall belongs to
    virtualHub: {
      id: ''
    }
  }
}

// Create the Azure AD Connector resource
resource connector 'Microsoft.Network/firewall/azureFirewallNetworkRuleSets' = {
  name: 'AADConnect'
  location: resourceGroup().location
  properties: {
    authenticationMethod: 'AzureActiveDirectory'
    ruleSetType: 'AzureFirewallApplicationRuleCollection'
    ruleSetName: 'AADConnect'
  }
}

// Create the rule collection for the Azure AD Connector
resource ruleSet 'Microsoft.Network/firewall/azureFirewallApplicationRuleCollections' = {
  // Bicep builds strings with interpolation, not the '+' operator
  name: '${firewall.name}/AADConnect/${connector.name}'
  properties: {
    ruleGroups: [
      {
        name: 'Allow Azure AD Connected Traffic'
        rules: [
          {
            name: 'Allow All Traffic'
            actions: [
              'Allow'
            ]
            // 'AzureActiveDirectory' is an Azure service tag
            sourceAddresses: [
              'AzureActiveDirectory'
            ]
          }
        ]
      }
    ]
  }
}
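
The firewallPolicy block in the template above takes the resource ID of a firewall policy. The following added example, which is not part of the original post, defines such a policy with a network rule that allows outbound HTTPS to the AzureActiveDirectory service tag; the resource names, priorities and the 10.0.0.0/16 source range are assumptions.

```bicep
// Added example, not from the original post.
// Assumed values: resource names, priorities, the 10.0.0.0/16 source range.
param location string = resourceGroup().location

resource policy 'Microsoft.Network/firewallPolicies@2022-07-01' = {
  name: 'myFirewallPolicy'
  location: location
  properties: {
    sku: {
      tier: 'Standard'
    }
    // 'Deny' blocks traffic matching threat intelligence; 'Alert' only logs it
    threatIntelMode: 'Deny'
  }
}

resource aadRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-07-01' = {
  parent: policy
  name: 'AADConnect'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'AllowAzureAD'
        priority: 100
        action: {
          type: 'Allow'
        }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'AllowHttpsToAzureAD'
            ipProtocols: [ 'TCP' ]
            // Assumed internal address range of the workloads behind the firewall
            sourceAddresses: [ '10.0.0.0/16' ]
            // Filters on destination only: the service tag resolves to Azure AD IP ranges
            destinationAddresses: [ 'AzureActiveDirectory' ]
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}

// Use this value as the id of firewallPolicy on the firewall resource
output firewallPolicyId string = policy.id
```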

Deploying the Template

To deploy the Bicep template to a resource group, you can use the following Azure CLI command:

az deployment group create --resource-group <resource-group-name> --name "AzureFirewallAADDeployment" --template-file .bicep

Alternatively, you can use the Azure Portal to deploy the template by following these steps:
1. Go to the Azure portal.
2. Select "Create a resource".
3. Select "Template deployment".
4. Upload the Bicep template file.
5. Fill out the required parameters, including the location and resource group, then click "Create".

Conclusion:
By using Bicep to deploy Azure Firewall rulesets, you can simplify the deployment process and make it easier to manage and collaborate on.
