Edge protection deployment with Azure Firewall

This option describes how to deploy your Network Security virtual appliance behind Azure Firewall to add inspection to the firewall's own filtering. In this topology, the Hub-VNet is the point of connectivity to the internet. The Network Security virtual appliance lives in the Hub-VNet so that its inspection capability is shared as a service by the Spoke-VNet(s).

Figure: Inbound traffic flow

Figure: Outbound traffic flow


To set up your environment you will complete these tasks:

  1. Create a resource group
  2. Create spoke virtual network and subnets
  3. Create hub virtual network and subnets
  4. Add peering to connect the hub and spoke-VNets
  5. Deploy the Network Security virtual appliance
  6. Configure the firewall
  7. Configure route tables and rules
  8. Configure high availability



Note

Review Azure's naming conventions before you begin.



Create a resource group

Create a resource group if one does not already exist in your environment.

  1. Navigate to Resource groups → + Add.
  2. Select your Subscription, name the resource group, then select a region.
  3. Click Review + Create → Create.


Create the spoke virtual network and workload subnet

  1. Navigate to Virtual Networks → + Add.
  2. Enter values for the fields in the Basics tab, naming the instance Spoke-VNet.
  3. In the IP Addresses tab, edit the IPv4 address space and enter the CIDR for the Spoke-VNet. It must not overlap the Hub-VNet address space, or the peering you add later will fail.
  4. Click + Add Subnet and fill in these details:
    • Subnet name: WorkloadSubnet
    • Subnet CIDR (example): 10.1.1.x/x
  5. Click OK.
  6. Skip the Security and Tags tabs.
  7. Click Review + Create → Create.


Create a Workload virtual machine (optional)

Follow these steps if you are creating this environment as a proof of concept or if you do not have an existing workload in your environment.

  1. Navigate to Virtual machines → + Add → Virtual machine.
  2. In the Basics tab, fill in the required fields. Use these values for the Name and Inbound port rules:
    • Name: WorkloadVM
    • Public inbound ports: None
  3. In the Disks tab, select Standard HDD for the OS disk type and configure the other settings.
  4. In the Networking tab, enter these values:
    • Virtual network: <Your Spoke-VNet>
    • Subnet: WorkloadSubnet
    • Public inbound ports: None
  5. Fill in the information in the remaining tabs.
  6. Click Review + Create → Create.
  7. Write down the Private IP address after the deployment is complete.


Backend workloads example

If you followed the steps above to create a workload in your Azure environment, the following table gives example configuration details for two virtual machine web workloads. Install an HTTP server on each VM if you intend to use them as backend workloads; the NAT rule you add to the firewall later forwards TCP port 80 to the workload's private IP.

Network interface    Subnet            IP example
WorkloadVM1          WorkloadSubnet1   10.3.x.x
WorkloadVM2          WorkloadSubnet2   10.4.x.x


Create the hub (inspection) virtual network and subnets

Use the procedure below to manually set up the Hub-VNet, which hosts the inspection subnets, and its subnets. You will select all of these subnets when you deploy your Network Security virtual appliance.

  1. Navigate to Virtual Networks → + Add.

  2. Enter values for the fields in the Basics tab, naming the instance Hub-VNet.

  3. In the IP Addresses tab, edit the IPv4 address space and enter a CIDR that does not overlap the Spoke-VNet.

  4. Add three subnets to the Hub-VNet. Click + Add Subnet and enter this information:

    Subnet name          Subnet CIDR examples
    Management-subnet    10.0.0.x/x
    Inspection-subnet    10.0.1.x/x
    Sanitized-subnet     10.0.2.x/x
  5. Skip this step if you already have an Azure Firewall or a third-party firewall set up.
    In the Security tab, select Enable for the Firewall setting and fill in the firewall details. The firewall subnet is created with the required name AzureFirewallSubnet and must be at least a /26.

    • Firewall name: AzureFirewall
    • Firewall subnet CIDR (example): 10.0.100.x/26
    • Public IP address: Create New → add an IP address, select Regional or Global, then click OK.
  6. Click Review + Create → Create.



Note

If you choose to manually create the Azure Firewall VNet and subnet, ensure the subnet name is AzureFirewallSubnet.
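A pre-flight check for the address plan used in this section, written as an added example (it is not part of this guide or of Trend Micro's tooling). It validates the constraints that would otherwise surface only as deployment failures later: every subnet sits inside its VNet, subnets do not overlap, the hub and spoke address spaces do not overlap (a requirement for peering), and the firewall subnet is named AzureFirewallSubnet and is at least a /26. The CIDRs in PLAN are constructed to match the examples above; replace them with your own.

```python
"""Pre-flight validation of the hub/spoke address plan (added example)."""
import ipaddress

# Constructed example plan matching this guide's 10.0.x / 10.1.x examples.
PLAN = {
    "Hub-VNet": {
        "space": "10.0.0.0/16",
        "subnets": {
            "Management-subnet": "10.0.0.0/24",
            "Inspection-subnet": "10.0.1.0/24",
            "Sanitized-subnet": "10.0.2.0/24",
            "AzureFirewallSubnet": "10.0.100.0/26",
        },
    },
    "Spoke-VNet": {
        "space": "10.1.0.0/16",
        "subnets": {"WorkloadSubnet": "10.1.1.0/24"},
    },
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    spaces = {}
    for vnet, cfg in plan.items():
        space = ipaddress.ip_network(cfg["space"])
        spaces[vnet] = space
        subnets = {n: ipaddress.ip_network(c) for n, c in cfg["subnets"].items()}
        # Each subnet must be carved out of its VNet's address space.
        for name, net in subnets.items():
            if not net.subnet_of(space):
                problems.append(f"{vnet}/{name} {net} is outside {space}")
            # Azure Firewall refuses anything smaller than /26 for its subnet.
            if name == "AzureFirewallSubnet" and net.prefixlen > 26:
                problems.append(
                    f"{vnet}/{name} must be /26 or larger, got /{net.prefixlen}")
        # Subnets inside one VNet may not overlap each other.
        names = list(subnets)
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                if subnets[a].overlaps(subnets[b]):
                    problems.append(f"{vnet}: {a} overlaps {b}")
    # The firewall subnet must exist under its reserved name somewhere.
    if not any("AzureFirewallSubnet" in v["subnets"] for v in plan.values()):
        problems.append("no subnet named AzureFirewallSubnet; Azure Firewall will not deploy")
    # Peered VNets must have disjoint address spaces.
    vnets = list(spaces)
    for i, a in enumerate(vnets):
        for b in vnets[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                problems.append(f"{a} and {b} address spaces overlap; peering will fail")
    return problems


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["address plan OK"]:
        print(line)
```

Run it before creating any resources; an empty result means the plan satisfies the checks above. The /26 rule and the reserved subnet name are Azure Firewall requirements; the overlap rule is a VNet peering requirement.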



Add peering to connect the hub and spoke VNets

  1. Navigate to the Virtual networks page.
  2. Click into the Hub-VNet → Peerings → + Add.
  3. The peering is created in both directions from this one form: Hub-to-Spoke1 on the Hub-VNet and Spoke1-to-Hub on the Spoke-VNet. Enter the following configuration details, then click OK.
    • Peering link name (this virtual network): Hub-to-Spoke1
    • Virtual network deployment model: Resource manager
    • Subscription: your subscription
    • Virtual network: <your Spoke-VNet>
    • Peering link name (remote virtual network): Spoke1-to-Hub
    • Allow virtual network access from Hub-VNet to Spoke1: Enabled
    • Allow virtual network access from Spoke1 to Hub-VNet: Enabled
    • Allow forwarded traffic from Spoke1 to Hub-VNet: Enabled
    • Allow forwarded traffic from Hub-VNet to Spoke1: Enabled (required, because traffic reaching the spoke has been forwarded by the virtual appliance and the firewall rather than originating in the Hub-VNet)
    • Allow gateway transit: Disabled


Deploy the Network Security virtual appliance

The Network Security virtual appliance is available from the Azure Marketplace as a public offer. To deploy the Network Security virtual appliance, navigate to Azure Portal → Marketplace → Trend Micro Cloud One™ – Network Security.

Gather the following information before you begin the deployment:



Note

Best practice is to copy and paste the exact names of the resource group, hub-VNet, and subnets in the following instructions.



  1. Log into Azure and select Create a resource (this will direct you to the Marketplace).
  2. Search for Trend Micro Network Security.
  3. Next to Select a plan, choose Single VM in the dropdown menu.
  4. Click Create.
  5. Enter the following information in the Basics tab:
  6. Select the following information in the Networking tab:
    • Your virtual network (the Hub-VNet)
    • All of the subnets you created in the Hub-VNet
  7. Enter or select the following information in the Advanced tab:
    • (Suggested) Keep the Boot diagnostics setting enabled
    • Select your boot diagnostic account, or create a new one
    • Enter the Log Analytics workspace ID and Primary Key in order to upload your logs to the Network Security management portal
  8. Click Review + Create → Deploy.


Configure the Azure Firewall

After you create and deploy the Azure Firewall, configure it using these procedures.


Write down the Firewall IP information

Private and public IPs are assigned automatically after you create the firewall. Write down both addresses for future use; they are required several times during the deployment process (the public IP is the destination of the NAT rule, and the private IP is the next hop of the Sanitized-subnet route).

  1. Navigate to Firewalls → AzureFirewall.
  2. On the Overview page, write down the firewall's private IP address.
  3. Select Public IP Configuration and write down the firewall's public IP address.


Configure the Firewall rules

Configure the AzureFirewall NAT rule (ingress) and network rule (egress). Azure Firewall evaluates NAT (DNAT) rules before network rules, and a matching DNAT rule implicitly allows the translated inbound flow, so no separate network rule is needed for the inbound workload traffic.

NAT rule

  1. Navigate to Firewalls → AzureFirewall.
  2. Select Rules → NAT rule collection tab.
  3. Click + Add NAT rule collection.
  4. Add a name and priority.
  5. Configure the NAT rule settings:
    • Name: Ingress
    • Protocol: TCP
    • Source type: IP address
    • Source: *
    • Destination address: <Public IP of the AzureFirewall>
    • Destination ports: 80
    • Translated address: <Private IP of your Workload VM>
    • Translated port: 80
  6. Click Add.


Network Rule

  1. Navigate to the Network rule collection tab → + Add network rule collection.
  2. Add a name, priority, and the action Allow.
  3. Configure the network rule settings:
    • Name: Egress
    • Protocol: Any
    • Source type: IP address
    • Source: <address space of your VNets (Hub-VNet and Spoke-VNet)>
    • Destination type: IP address
    • Destination address: *
    • Destination ports: *
  4. Click Add.

As written, this egress rule permits every protocol, destination and port from your VNets to the internet, which is convenient for a proof of concept. For a production deployment, restrict the destinations and ports to what the workloads actually need.
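A model of how Azure Firewall evaluates the two rule collections above, added here as an example (it is not code from this guide or from Azure). It encodes the published processing order: DNAT rules first, then network rules, each ordered by collection priority, with a DNAT match rewriting the destination and allowing the flow, and everything unmatched denied. The firewall public IP, workload IP and VNet ranges are constructed placeholders; the rule definitions mirror the Ingress and Egress settings listed above.

```python
"""Rule-evaluation model for the Ingress NAT rule and Egress network rule (added example)."""
import ipaddress
from dataclasses import dataclass

FW_PUBLIC_IP = "203.0.113.10"                 # constructed: firewall public IP
WORKLOAD_VM = "10.1.1.4"                      # constructed: WorkloadVM private IP
VNET_SPACE = ["10.0.0.0/16", "10.1.0.0/16"]   # constructed: Hub-VNet and Spoke-VNet


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "TCP"


def _match(value, pattern):
    """'*' matches anything; a CIDR pattern tests containment; else exact match."""
    if pattern == "*":
        return True
    if isinstance(value, str) and "/" in str(pattern):
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return value == pattern


def _match_any(value, patterns):
    return any(_match(value, p) for p in patterns)


# (priority, name, protocol, sources, destinations, ports, (translated addr, port))
NAT_RULES = [
    (100, "Ingress", "TCP", ["*"], [FW_PUBLIC_IP], [80], (WORKLOAD_VM, 80)),
]
# (priority, name, action, protocol, sources, destinations, ports)
NETWORK_RULES = [
    (200, "Egress", "Allow", "Any", VNET_SPACE, ["*"], ["*"]),
]


def _hits(flow, proto, srcs, dsts, ports):
    return (proto in ("Any", flow.proto) and _match_any(flow.src, srcs)
            and _match_any(flow.dst, dsts) and _match_any(flow.dport, ports))


def evaluate(flow):
    """Return (verdict, matched rule name, flow after any DNAT)."""
    # 1. DNAT rule collections, lowest priority number first.
    for _, name, proto, srcs, dsts, ports, (t_addr, t_port) in sorted(
            NAT_RULES, key=lambda r: r[0]):
        if _hits(flow, proto, srcs, dsts, ports):
            return "allow", name, Flow(flow.src, t_addr, t_port, flow.proto)
    # 2. Network rule collections, lowest priority number first.
    for _, name, action, proto, srcs, dsts, ports in sorted(
            NETWORK_RULES, key=lambda r: r[0]):
        if _hits(flow, proto, srcs, dsts, ports):
            return action.lower(), name, flow
    # 3. This guide defines no application rules; anything unmatched is denied.
    return "deny", None, flow


if __name__ == "__main__":
    for f in (Flow("198.51.100.7", FW_PUBLIC_IP, 80),
              Flow("198.51.100.7", FW_PUBLIC_IP, 22),
              Flow(WORKLOAD_VM, "93.184.216.34", 443)):
        verdict, rule, out = evaluate(f)
        print(f"{f.src}->{f.dst}:{f.dport} {verdict} via {rule}; delivered to {out.dst}:{out.dport}")
```

The model shows the two properties a practitioner should confirm in a real deployment: an internet client hitting the firewall's public IP on port 80 is translated to the workload and allowed without any network rule, while the same client on port 22 is dropped because nothing matches; and the broad Egress rule admits any outbound flow whose source is inside the VNet ranges.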


Configure route tables and rules

After the Network Security virtual appliance is deployed, add and configure the route tables and routes that place the appliance in-line so it can begin inspecting traffic. Traffic is only filtered by the firewall, and only inspected by the appliance, when routing delivers it there: Azure applies the most specific matching route, so a user-defined default route (0.0.0.0/0) that points at the appliance makes it the default gateway for that subnet, while system routes for the local VNet and peered VNets remain more specific and must be overridden explicitly where needed.

You will need the following information in order to complete this process:


Step 1: Create three route tables

  1. Navigate to Route tables → + Add.
  2. Enter the name for the table, placing it in the same region as the VNets:
    • Table one: Firewall-rt
    • Table two: DataportB-rt
    • Table three: Spoke1-rt
  3. Click Review + Create → Create.
  4. Repeat this process for the remaining tables.


Step 2: Configure the route tables

  1. From the Route tables page, select the Firewall-rt table → Routes → + Add.
  2. Enter this information:
    • Name: toSpoke
    • Address prefix: <CIDR of the Spoke-VNet>
    • Next hop type: Virtual Appliance
    • Next hop address: <NIC 1A private IP of the Network Security virtual appliance>
    • Click OK.
  3. Add another route to the Firewall-rt. Select Routes → + Add. (A route table on AzureFirewallSubnet must send its default route directly to the Internet; the firewall needs direct outbound connectivity.)
    • Name: Default
    • Address prefix: 0.0.0.0/0
    • Next hop type: Internet
    • Click OK.
  4. Select the DataportB-rt table → Routes → + Add.
    • Name: Default
    • Address prefix: 0.0.0.0/0
    • Next hop type: Virtual Appliance
    • Next hop address: <Private IP of the AzureFirewall>
    • Click OK.
  5. Select the Spoke1-rt table → Routes → + Add. This specific route is required because the peering system route for the Hub-VNet is more specific than a 0.0.0.0/0 route; without it, spoke traffic addressed to the firewall would cross the peering directly and bypass the appliance.
    • Name: toFirewall
    • Address prefix: <CIDR of AzureFirewallSubnet>
    • Next hop type: Virtual Appliance
    • Next hop address: <NIC 1A private IP of the Network Security virtual appliance>
    • Click OK.
  6. Add another route to the Spoke1-rt. Select Routes → + Add.
    • Name: Default
    • Address prefix: 0.0.0.0/0
    • Next hop type: Virtual Appliance
    • Next hop address: <NIC 1A private IP of the Network Security virtual appliance>
    • Click OK.


Step 3: Associate route table to related subnet

  1. Select your Spoke1-rt table, then click Subnets → + Associate.
    • Virtual network: <Your Spoke-VNet>
    • Subnet: WorkloadSubnet
  2. Select your Firewall-rt table, then click Subnets → + Associate.
    • Virtual network: <Your Hub-VNet>
    • Subnet: AzureFirewallSubnet
  3. Select your DataportB-rt table, then click Subnets → + Associate.
    • Virtual network: <Your Hub-VNet>
    • Subnet: Sanitized-subnet
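An effective-route lookup for the three route tables and subnet associations configured in Steps 1 to 3, added here as an example (it is not code from this guide or from any Azure SDK). It applies Azure's selection rule: the most specific matching prefix wins across a subnet's effective routes, and a user-defined route beats a system route of the same prefix length. System routes modelled are VnetLocal for the VNet's own address space, VNetPeering for the peered VNet, and the default 0.0.0.0/0 to Internet. The appliance NIC, firewall and workload addresses are constructed placeholders that follow the example CIDRs used above.

```python
"""Effective-route lookup for Firewall-rt, DataportB-rt and Spoke1-rt (added example)."""
import ipaddress

HUB, SPOKE = "10.0.0.0/16", "10.1.0.0/16"
NSVA_NIC_1A = "10.0.1.4"     # constructed: appliance data port 1A in Inspection-subnet
AZFW_PRIVATE = "10.0.100.4"  # constructed: Azure Firewall private IP
WORKLOAD_VM = "10.1.1.4"     # constructed: WorkloadVM private IP

# User-defined routes from Step 2: (address prefix, next hop type, next hop IP).
ROUTE_TABLES = {
    "Firewall-rt": [(SPOKE, "VirtualAppliance", NSVA_NIC_1A),
                    ("0.0.0.0/0", "Internet", None)],
    "DataportB-rt": [("0.0.0.0/0", "VirtualAppliance", AZFW_PRIVATE)],
    "Spoke1-rt": [("10.0.100.0/26", "VirtualAppliance", NSVA_NIC_1A),
                  ("0.0.0.0/0", "VirtualAppliance", NSVA_NIC_1A)],
}
# Step 3 associations: subnet -> (own VNet space, peered VNet space, route table).
SUBNETS = {
    "AzureFirewallSubnet": (HUB, SPOKE, "Firewall-rt"),
    "Sanitized-subnet": (HUB, SPOKE, "DataportB-rt"),
    "WorkloadSubnet": (SPOKE, HUB, "Spoke1-rt"),
}


def effective_routes(subnet):
    """System routes plus the subnet's UDRs; last field marks a UDR (1) or system route (0)."""
    vnet, peer, table = SUBNETS[subnet]
    system = [(vnet, "VnetLocal", None, 0),
              (peer, "VNetPeering", None, 0),
              ("0.0.0.0/0", "Internet", None, 0)]
    user = [(prefix, hop_type, hop_ip, 1) for prefix, hop_type, hop_ip in ROUTE_TABLES[table]]
    return system + user


def next_hop(subnet, dst):
    """Return (next hop type, next hop IP or None) for traffic leaving subnet towards dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop_type, hop_ip, is_user in effective_routes(subnet):
        net = ipaddress.ip_network(prefix)
        if addr in net:
            # Longest prefix first; on a tie the user-defined route wins.
            key = (net.prefixlen, is_user)
            if best is None or key > best[0]:
                best = (key, hop_type, hop_ip)
    return best[1], best[2]


if __name__ == "__main__":
    checks = [
        ("AzureFirewallSubnet", WORKLOAD_VM, "inbound: firewall -> appliance -> spoke"),
        ("Sanitized-subnet", WORKLOAD_VM, "inbound: appliance port B -> spoke via peering"),
        ("WorkloadSubnet", "93.184.216.34", "outbound: spoke -> appliance"),
        ("Sanitized-subnet", "93.184.216.34", "outbound: appliance port B -> firewall"),
        ("WorkloadSubnet", AZFW_PRIVATE, "spoke -> firewall IP goes through appliance"),
        ("WorkloadSubnet", "10.1.1.5", "spoke -> same subnet stays local, uninspected"),
    ]
    for subnet, dst, label in checks:
        print(f"{label}: {subnet} -> {dst} = {next_hop(subnet, dst)}")
```

Two of the lookups are the checks worth running against the real effective routes (Network interface → Effective routes in the portal) once the tables are associated: traffic from the Sanitized-subnet to the spoke follows the VNetPeering system route rather than the DataportB-rt default, which is what lets the appliance's outbound port deliver inspected traffic into the spoke, and traffic between two hosts in the WorkloadSubnet follows the VnetLocal route and never reaches the appliance, so this design inspects north-south traffic only.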


High availability

High availability fail-open is available for this deployment. Contact your Trend Micro TippingPoint representative for assistance with configuration.

Manual fallback

Manually place your virtual appliances in fallback mode by enabling the fallback setting on the appliance; in this mode traffic passes without inspection.