Create Virtual Network & Add Subnet

On the Azure portal menu or from the Home page, select Create a resource.

  • Select Networking > Virtual network.
  • For Subscription, select your subscription.
  • For Resource group, select <jasparrow>.
  • For Name, type Test-FW-VN.
  • For Region, select the same location that you used previously.
  • Select Next: IP addresses.
  • For IPv4 Address space, type
  • Under Subnet, select default.
  • For Subnet name, type AzureFirewallSubnet. The firewall will be in this subnet, and the subnet name must be AzureFirewallSubnet.
  • For Address range, type
  • Select Save.

Next, create a subnet for the workload server.

  • Select Add subnet.
  • For Subnet name, type Workload-SN.
  • For Subnet address range, type
  • Select Add.
  • Select Review + create.
  • Select Create.

Create Virtual Machine

Now create the workload virtual machine, and place it in the Workload-SN subnet.

  • On the Azure portal menu or from the Home page, select Create a resource.
  • Select Compute and then select Virtual machine.
  • Select Windows Server 2019 Datacenter in the Featured list.
  • Enter these values for the virtual machine:
  • Under Inbound port rules, for Public inbound ports, select None.
  • Accept the other defaults and select Next: Disks.
  • Accept the disk defaults and select Next: Networking.
  • Make sure that Test-FW-VN is selected for the virtual network and the subnet is Workload-SN.
  • For Public IP, select None.
  • Accept the other defaults and select Next: Management.
  • Select Off to disable boot diagnostics. Accept the other defaults and select Review + create.
  • Review the settings on the summary page, and then select Create.

Deploy Azure Firewall


  • On the Azure portal menu or from the Home page, select Create a resource.
  • Type firewall in the search box and press Enter.
  • Select Firewall and then select Create.
  • On the Create a Firewall page, use the following table to configure the firewall:



  • Select Review + create.
  • Review the summary, and then select Create to create the firewall. This will take a few minutes to deploy.
  • After deployment completes, go to the <jasparrow> resource group, and select the Test-FW01 firewall.
  • Note the firewall private and public IP addresses. You’ll use these addresses later.

Creating a Default Route

For the Workload-SN subnet, configure the outbound default route to go through the firewall.

  • On the Azure portal menu, select All services or search for and select All services from any page.
  • Under Networking, select Route tables.
  • Select Add.
  • For Name, type Firewall-route.
  • For Subscription, select your subscription.
  • For Resource group, select <jasparrow>.
  • For Location, select the same location that you used previously.
  • Select Create.
  • Select Refresh, and then select the Firewall-route route table.
  • Select Subnets and then select Associate.
  • Select Virtual network > Test-FW-VN.
  • For Subnet, select Workload-SN. Make sure that you select only the Workload-SN subnet for this route, otherwise your firewall won’t work correctly.
  • Select OK.
  • Select Routes and then select Add.
  • For Route name, type fw-dg.
  • For Address prefix, type
  • For Next hop type, select Virtual appliance. Azure Firewall is actually a managed service, but virtual appliance works in this situation.
  • For Next hop address, type the private IP address for the firewall that you noted previously.
  • Select OK.

Creating Application Rule

This is the application rule that allows outbound access to

  • Open the <jasparrow> resource group, and select the Test-FW01 firewall.
  • On the Test-FW01 page, under Settings, select Rules.
  • Select the Application rule collection tab.
  • Select Add application rule collection.
  • For Name, type App-Coll01.
  • For Priority, type 200.
  • For Action, select Allow.
  • Under Rules, Target FQDNs, for Name, type Allow-Google.
  • For Source type, select IP address.
  • For Source, type
  • For Protocol:port, type http, https.
  • For Target FQDNs, type
  • Select Add.

Creating Network Rule

This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).

  • Select the Network rule collection tab.
  • Select Add network rule collection.
  • For Name, type Net-Coll01.
  • For Priority, type 200.
  • For Action, select Allow.
  • Under Rules, IP addresses, for Name, type Allow-DNS.
  • For Protocol, select UDP.
  • For Source type, select IP address.
  • For Source, type
  • For Destination type, select IP address.
  • For Destination address, type, are public DNS servers operated by CenturyLink.
  • For Destination Ports, type 53.
  • Select Add.

Creating NAT Rule Testing Traffic

This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.

  • Select the NAT rule collection tab.
  • Select Add NAT rule collection.
  • For Name, type rdp.
  • For Priority, type 200.
  • Under Rules, for Name, type rdp-nat.
  • For Protocol, select TCP.
  • For Source type, select IP address.
  • For Source, type *.
  • For Destination address, type the firewall public IP address.
  • For Destination Ports, type 3389.
  • For Translated address, type the Srv-work private IP address.
  • For Translated port, type 3389.
  • Select Add.
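
The rdp-nat rule above uses * as its source and translates to port 3389. The following audit is an added example, not part of the original tutorial: it flags NAT rules that pair an any-source match with a management port. The dictionary shape, the rdp-restricted collection and all addresses are constructed placeholders, not the Azure export schema or values from this page.

```python
import ipaddress

MGMT_PORTS = {22: "SSH", 3389: "RDP"}

# Constructed sample in a simplified shape (assumption: not the Azure export
# schema). Addresses are placeholders; the page does not show the real ones.
NAT_COLLECTIONS = [
    {"name": "rdp", "priority": 200, "rules": [
        {"name": "rdp-nat", "protocol": "TCP", "sources": ["*"],
         "destination": "203.0.113.10", "destination_port": 3389,
         "translated_address": "10.10.2.4", "translated_port": 3389},
    ]},
    # Hypothetical second collection: same translation, one admin source only.
    {"name": "rdp-restricted", "priority": 210, "rules": [
        {"name": "rdp-nat-admin", "protocol": "TCP",
         "sources": ["198.51.100.7/32"],
         "destination": "203.0.113.10", "destination_port": 3389,
         "translated_address": "10.10.2.4", "translated_port": 3389},
    ]},
]

def source_is_any(source):
    """True when a source field matches every IPv4 host (* or a /0 prefix)."""
    s = source.strip()
    if s == "*":
        return True
    return ipaddress.ip_network(s, strict=False).prefixlen == 0

def audit_nat(collections):
    """Return (collection, rule, service) for any-source rules that reach
    a management port on the translated (backend) side."""
    findings = []
    for coll in collections:
        for rule in coll["rules"]:
            service = MGMT_PORTS.get(rule["translated_port"])
            if service and any(source_is_any(s) for s in rule["sources"]):
                findings.append((coll["name"], rule["name"], service))
    return findings

if __name__ == "__main__":
    for coll, rule, service in audit_nat(NAT_COLLECTIONS):
        print(f"{coll}/{rule}: {service} reachable from any source")
```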

DNS Configuration & Testing

For testing purposes in this tutorial, configure the server’s primary and secondary DNS addresses. This isn’t a general Azure Firewall requirement.

  • On the Azure portal menu, select Resource groups or search for and select Resource groups from any page. Select the <jasparrow> resource group.
  • Select the network interface for the Srv-Work virtual machine.
  • Under Settings, select DNS servers.
  • Under DNS servers, select Custom.
  • Type in the Add DNS server text box, and in the next text box.
  • Select Save.
  • Restart the Srv-Work virtual machine.

Test the firewall

Now, test the firewall to confirm that it works as expected.

  • Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.
  • Open Internet Explorer and browse to
  • Select OK > Close on the Internet Explorer security alerts. You should see the Google home page.
  • Browse to should be blocked by the firewall.

So now you’ve verified that the firewall rules are working:

  • You can browse to the one allowed FQDN, but not to any others.
  • You can resolve DNS names using the configured external DNS server.
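
The test results above follow from how the Allow-DNS and Allow-Google rules combine with the firewall's default deny. The following simplified model is an added example, not part of the original tutorial; it assumes network rules are checked before application rules and that unmatched traffic is denied. The subnet, DNS server addresses and FQDN are constructed stand-ins, because the page does not show the real values.

```python
import ipaddress

# Constructed stand-ins: the page does not show its address or FQDN values.
WORKLOAD_SN = "10.10.2.0/24"
DNS_SERVERS = ["192.0.2.53", "192.0.2.54"]
ALLOWED_FQDN = "allowed.example"

NETWORK_RULES = [{"name": "Allow-DNS", "protocol": "UDP", "source": WORKLOAD_SN,
                  "destinations": DNS_SERVERS, "ports": {53}}]
APP_RULES = [{"name": "Allow-Google", "source": WORKLOAD_SN,
              "ports": {80, 443}, "fqdns": [ALLOWED_FQDN]}]  # http, https

def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def fqdn_matches(host, pattern):
    """Exact match, or suffix match for a leading '*.' wildcard."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern

def evaluate(flow):
    """Return (action, rule_name) for one outbound flow."""
    for r in NETWORK_RULES:                      # 1. network rules
        if (flow["protocol"] == r["protocol"] and in_net(flow["src"], r["source"])
                and flow.get("dst_ip") in r["destinations"]
                and flow["dst_port"] in r["ports"]):
            return ("Allow", r["name"])
    host = flow.get("fqdn")
    if host and flow["protocol"] == "TCP":       # 2. application rules
        for r in APP_RULES:
            if (in_net(flow["src"], r["source"]) and flow["dst_port"] in r["ports"]
                    and any(fqdn_matches(host, p) for p in r["fqdns"])):
                return ("Allow", r["name"])
    return ("Deny", "default")                   # 3. nothing matched

def run_checks(vm="10.10.2.4"):                  # constructed Srv-Work address
    flows = {
        "dns_allowed": {"src": vm, "protocol": "UDP", "dst_ip": DNS_SERVERS[0], "dst_port": 53},
        "dns_other": {"src": vm, "protocol": "UDP", "dst_ip": "198.51.100.1", "dst_port": 53},
        "web_allowed": {"src": vm, "protocol": "TCP", "dst_port": 443, "fqdn": ALLOWED_FQDN},
        "web_other": {"src": vm, "protocol": "TCP", "dst_port": 443, "fqdn": "other.example"},
    }
    return {name: evaluate(f)[0] for name, f in flows.items()}

if __name__ == "__main__":
    print(run_checks())
```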


Jasparrow Blog
