Written in collaboration with ShabazShaik, andrewmathu and tobiotolorin
Introduction:
Azure Firewall is Microsoft’s cloud-native, fully stateful firewall as a service that provides best-of-breed threat protection for cloud workloads running in Azure. It is recommended to use Azure Firewall Policy, a top-level resource, to configure your Azure Firewall instance.
By default, Azure Firewall Policy is not backed up automatically. Since the Firewall Policy contains your firewall rules and settings, you will want it backed up continuously so that you do not lose your defined configuration. Therefore, we have created a Logic App that runs every three days to back up your Azure Firewall and Azure Firewall Policy.
On each run the Logic App exports the configuration of your Azure Firewall and Azure Firewall Policy as an Azure Resource Manager (ARM) template and stores that template in Azure Storage. You can then use the stored file to restore your Firewall and Firewall Policy deployments as required.
Deployment:
The automation has been published to the Azure Network Security GitHub repository, from where it can be deployed directly to your environment through the provided ARM template (found in the “Deploy to Azure” button in this blog). To deploy the Logic App, you must have Contributor rights on the target resource group that will contain the Logic App resource (see here for more information).
The deployment will create three main resources:
- Storage Account: The template deploys a Storage Account with a container to store the backups as Blobs.
- Logic App: The Logic App is scheduled to run every three days to store the Azure Firewall and Azure Firewall Policy templates.
- Connection: An API connection to Azure Blob Storage is created for the Logic App to run as expected. Learn more about Logic App connectors here.
When you are ready, you can click the Deploy to Azure button below to deploy the template.
During the deployment, you must specify some details, including the subscription, resource group, name, and region to host this automation. You must also configure the following:
- Playbook_Name: name of the Logic App that will run the backup process.
- Storage Account Name: name of the Storage Account that will store the backups.
- Firewall_Name: name of the Azure Firewall to back up via the Logic App.
- Firewall_Policy_Name: name of the Azure Firewall Policy to back up via the Logic App.
- Subscription_ID: ID of the subscription that hosts the Azure Firewall and Azure Firewall Policy to back up.
- Resource_Group_Name: name of the Resource Group that hosts the Azure Firewall and Azure Firewall Policy to back up.
Figure 1. ARM Template input parameters
As shown in Figure 1 above, the ARM template will create the Logic App Playbook and the Storage Account. Additionally, the template will create the API connection to Azure Blob.
Post Deployment Configuration:
The following permissions and requirements must be assigned / completed after the Logic App is deployed:
- The Logic App must have permission to call the Export Template REST API for the Azure Firewall and Azure Firewall Policy. Enable a system-assigned managed identity on the Logic App and assign it the Contributor role on the Firewall and Firewall Policy resources, or on the Resource Group that hosts them. Contributor also grants write access to the firewall, which a backup job does not need, so prefer the narrower resource scope over the Resource Group where your organization practises least privilege. Note that you can create role assignments only if your own account holds the Owner or User Access Administrator role at the target scope. To assign the role at the chosen scope:
- Go to the Azure Firewall, Azure Firewall Policy pages or the Resource Group that hosts these resources.
- Press Access Control (IAM) on the navigation bar.
- Press +Add and Add role assignment.
- Select the Contributor role.
- Assign access to Managed identity.
- Select the subscription where the Logic App was deployed.
- Select the Backup-Az-FW Logic App (the name you chose for Playbook_Name at deployment).
- The Azure Blob API connection in the Logic App must be authorized. To accomplish this, follow these steps:
- Go to the Resource Group you used to deploy the template resources.
- Select the Azure Blob API connection and press Edit API connection.
- Press the Authorize button.
- Make sure to authenticate against Azure AD.
- Press Save.
Logic Implemented:
Figure 2 displays the logic built into the Logic App in the designer view.
Figure 2. Logic App designer view
The automation runs every three days, driven by a Recurrence trigger whose frequency you can adjust to your organization’s needs. It sets the variables provided when the Logic App was deployed (subscription ID, Resource Group, Firewall name, Firewall Policy name, Storage Account name, and Blob path), makes an HTTP request to the Export Template REST API, authenticated as the Logic App’s managed identity, to export the existing Firewall and Firewall Policy configuration as an ARM template, formats the returned template string, and then stores the backup as a blob in Azure Blob Storage.
In some cases, you may require certain modifications to the Logic App. Examples of how to make these modifications can be found below:
- In the Logic App designer, select the ‘Recurrence’ step to change how often the workflow runs.
- If you only want to back up the Azure Firewall Policy, select the ‘HTTP – export template’ step and remove the Azure Firewall resource ID (“/subscriptions/subscriptionID/resourceGroups/resourceGroupName/providers/Microsoft.Network/azureFirewalls/firewallName”) from the resources list in the Body field.
- You may want to change the Storage Account and path in which the backup is stored. To do this, edit the “Create blob (v2) – store backup” action and enter your own values in the Storage account name and Folder path fields. You can also rename the stored backup by editing the Blob name field. If the action reports connection errors, press Change connection to re-create the connection to the Storage account.
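As an added example (this is not part of the original post or of the published Logic App), the following PowerShell script runs from Azure Cloud Shell the same export that the ‘HTTP – export template’ action performs, checks that the result actually contains the firewall, the policy and its rule collection groups, and uploads it to the backup container with Azure AD authentication. The resource ID list passed to -Resource is the same list the HTTP action carries in its Body field, so dropping the azureFirewalls entry gives the policy-only backup described above. The values in angle brackets and the container name backups are placeholders; the account running the script needs the same export rights as the managed identity plus Storage Blob Data Contributor on the storage account.

```powershell
# Added example, not the Logic App's own code. Replace the placeholders in <...>.
$subscriptionId = '<SubscriptionId>'
$resourceGroup  = '<ResourceGroupName>'     # hosts the firewall and the policy
$firewallName   = '<FirewallName>'
$policyName     = '<FirewallPolicyName>'
$storageAccount = '<StorageAccountName>'
$container      = 'backups'                 # assumed container name; use the one the template created

Set-AzContext -Subscription $subscriptionId | Out-Null
$rgId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"

# Same resource list the Logic App's HTTP action sends in its Body field.
# Remove the azureFirewalls entry to back up only the policy.
$resourceIds = @(
    "$rgId/providers/Microsoft.Network/azureFirewalls/$firewallName",
    "$rgId/providers/Microsoft.Network/firewallPolicies/$policyName"
)

# Export Template via Az.Resources; the output is the same ARM template the Logic App stores.
$fileName = "azfw-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').json"
Export-AzResourceGroup -ResourceGroupName $resourceGroup -Resource $resourceIds `
    -IncludeParameterDefaultValue -Path $fileName -Force | Out-Null

# Sanity-check the export before trusting it as a backup: both top-level resources
# must be present, and a policy with no rule collection groups is almost certainly wrong.
$template = Get-Content -Raw -Path $fileName | ConvertFrom-Json
$types = @($template.resources | ForEach-Object { $_.type })
foreach ($required in 'Microsoft.Network/azureFirewalls', 'Microsoft.Network/firewallPolicies') {
    if ($types -notcontains $required) { throw "Backup is incomplete: $required missing from export" }
}
$rcgCount = @($types | Where-Object { $_ -eq 'Microsoft.Network/firewallPolicies/ruleCollectionGroups' }).Count
if ($rcgCount -eq 0) { Write-Warning 'No rule collection groups were exported; check the policy.' }
Write-Host "Exported $($types.Count) resources ($rcgCount rule collection groups) to $fileName"

# Upload with Azure AD authentication, matching how the Logic App's Blob connection is authorized.
$ctx = New-AzStorageContext -StorageAccountName $storageAccount -UseConnectedAccount
Set-AzStorageBlobContent -Context $ctx -Container $container -File $fileName -Blob $fileName -Force | Out-Null
```

The check on resource types is the part worth keeping even if you only use the Logic App: an export that silently omits the policy or its rule collection groups is still written to storage as a backup, and you will only find out when you try to restore from it.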
Post-Deployment:
After you have deployed the resources and successfully run the Logic App, it will have exported a deployment template for your Azure Firewall and Azure Firewall Policy and stored it in Azure Blob Storage.
When you navigate to the Blob container, you should see the backup listed. Figure 3 shows an example of the backup file:
Figure 3. Backup template in Storage Account
To restore the backup, download the JSON file and, from Azure Cloud Shell (PowerShell) with the context set to the subscription that hosts the firewall, run:
New-AzResourceGroupDeployment -Name <firewallname> -ResourceGroupName <resourcegroupnameoffirewall> -TemplateFile <backupfilepath>
The deployment prompts for two parameters, FirewallPublicIP and FirewallVNet, which take the resource IDs of the firewall’s public IP address and virtual network. Examples of those values are shown below:
/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/publicIPAddresses/<FirewallPublicIP>
/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/virtualNetworks/<FirewallVNet>
This deployment restores both the Firewall and the Firewall Policy together from the backup, even if they have been deleted. It runs in incremental mode, so resources in the resource group that are absent from the template are left untouched.
Note that rule collection groups cannot be deployed in parallel. In the exported template each rule collection group depends only on the policy (dependsOn), so the restore first updates the policy and then tries to update all rule collection groups at the same time. This may fail because of that dependency layout (currently by design; serializing such child resources is a roadmap item for Azure Resource Manager).
If the restore does fail, chain the rule collection groups so they deploy one after another by editing the dependsOn entries in your Firewall backup file: each group depends on the policy and on the group that precedes it in rule processing order (ascending priority). In the example below, DefaultNetworkRuleCollectionGroup is made to wait for DefaultDnatRuleCollectionGroup, which matches Azure Firewall’s processing order of DNAT rules before network rules.
In both the name and the resourceId arguments, the Firewall Policy name comes first, then the rule collection group name:
"type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
"apiVersion": "2020-11-01",
"name": "SOC-NS-FWPolicy_premium/DefaultNetworkRuleCollectionGroup",
"location": "westus2",
"dependsOn": [
"[resourceId('Microsoft.Network/firewallPolicies', 'SOC-NS-FWPolicy_premium')]",
"[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', 'SOC-NS-FWPolicy_premium','DefaultDnatRuleCollectionGroup')]"
]
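Editing dependsOn by hand is error-prone on a policy with many rule collection groups, so here is an added example (not from the original post) of a PowerShell script for Azure Cloud Shell that applies the workaround above automatically and then runs the restore described earlier. It reads the downloaded backup, sorts the rule collection groups by priority (the rule processing order), rewrites each group’s dependsOn so that it depends on the policy and on the previous group while keeping any other dependencies the export already recorded, writes the serialized template to a new file, previews the deployment with -WhatIf, and then deploys it with FirewallPublicIP and FirewallVNet supplied as a hashtable instead of interactively. File names, the resource group name and the two resource IDs are placeholders. It handles both literal names, as in the fragment above, and parameterized names such as [concat(parameters('...'), '/GroupName')], which Export Template produces unless you skip name parameterization.

```powershell
# Added example, not code from the original post. Replace the placeholder values.
$backupPath    = './azfw-backup.json'              # file downloaded from Blob Storage
$fixedPath     = './azfw-backup.serialized.json'   # rewritten template that is actually deployed
$resourceGroup = '<ResourceGroupNameOfFirewall>'
$parameters = @{
    FirewallPublicIP = '/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/publicIPAddresses/<FirewallPublicIP>'
    FirewallVNet     = '/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/virtualNetworks/<FirewallVNet>'
}

$rcgType    = 'Microsoft.Network/firewallPolicies/ruleCollectionGroups'
$policyType = 'Microsoft.Network/firewallPolicies'

# Turn a resource "name" value into an expression fragment usable inside resourceId():
# a literal 'policy/group' becomes a quoted string, an expression '[concat(...)]' loses its brackets.
function Get-ArmNameExpression([string]$name) {
    if ($name.StartsWith('[') -and $name.EndsWith(']')) { return $name.Substring(1, $name.Length - 2) }
    return "'" + $name.Replace("'", "''") + "'"
}

# resourceId() of a rule collection group: policy name first, then the group name,
# both taken from the "policy/group" name by splitting on '/'.
function Get-RcgResourceId([string]$name) {
    $n = Get-ArmNameExpression $name
    return "[resourceId('$rcgType', split($n, '/')[0], split($n, '/')[1])]"
}

$template = Get-Content -Raw -Path $backupPath | ConvertFrom-Json

# Rule processing order is ascending priority; deploy the groups in that order, one at a time.
$groups = @($template.resources | Where-Object { $_.type -eq $rcgType } |
    Sort-Object { [int]$_.properties.priority })

for ($i = 0; $i -lt $groups.Count; $i++) {
    $policyExpr = Get-ArmNameExpression ($groups[$i].name)
    # Keep whatever the export already listed (the policy, possibly other resources), then
    # add the policy explicitly and the previous group so the groups form a chain.
    $deps = @(@($groups[$i].dependsOn) | Where-Object { $_ })
    $deps += "[resourceId('$policyType', split($policyExpr, '/')[0])]"
    if ($i -gt 0) { $deps += Get-RcgResourceId ($groups[$i - 1].name) }
    $deps = @($deps | Select-Object -Unique)
    $groups[$i] | Add-Member -NotePropertyName dependsOn -NotePropertyValue $deps -Force
}
Write-Host "Serialized $($groups.Count) rule collection groups: $($groups.name -join ', ')"

$template | ConvertTo-Json -Depth 100 | Set-Content -Path $fixedPath

# Preview first, then deploy. Incremental mode leaves resources not in the template untouched.
$deployName = "azfw-restore-$(Get-Date -Format 'yyyyMMddHHmm')"
New-AzResourceGroupDeployment -Name $deployName -ResourceGroupName $resourceGroup `
    -TemplateFile $fixedPath -TemplateParameterObject $parameters -Mode Incremental -WhatIf
New-AzResourceGroupDeployment -Name $deployName -ResourceGroupName $resourceGroup `
    -TemplateFile $fixedPath -TemplateParameterObject $parameters -Mode Incremental
```

The chain makes the restore slower, since each group now waits for the one before it, but it removes the parallel-write failure without touching the rules themselves. Review the -WhatIf output before the real deployment: a backup taken three days ago may not include rule changes made since, and the restore will overwrite the live groups with the backed-up versions.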
Lastly, if the policy uses TLS inspection, confirm after the deployment that its Key Vault references (the certificate secret ID and the managed identity used to read it) are still present. The exported template only references the Key Vault; it does not contain the vault, its certificate or its access configuration, so those must exist and be reachable before the restored policy can inspect TLS traffic.
Conclusion:
By using this template, you can now automate the process of backing up your Firewall deployment at the frequency you require, without manual effort. The Export Template REST API used here can also be used to back up other resources within Azure.
To move this deployment from one subscription to another with your customizations, we offer this playbook. This PowerShell utility evaluates your Logic App and API connections present and then generates the template resources with the necessary parameters for deployment. A demo is available here: https://www.youtube.com/watch?v=scTtVHVzrQw.