Written in collaboration with @ShabazShaik , @andrewmathu and @tobiotolorin
Introduction:
Azure Firewall is Microsoft’s cloud-native, fully stateful firewall as a service that provides best-of-breed threat protection for cloud workloads running in Azure. It is recommended to use Azure Firewall Policy, a top-level resource, to configure your Azure Firewall instance.
By default, Azure Firewall Policy is not backed up automatically. Since the Firewall Policy will contain your specific Firewall rules and settings, you will want to ensure that it is continuously backed up, so you do not lose your defined configuration. Therefore, we have created a Logic App that will run every three days to back up your Azure Firewall and Azure Firewall Policy.
The Logic App runs every three days to export the configuration of your Azure Firewall and Azure Firewall Policy. It then formats this configuration into an Azure Resource Manager (ARM) template that gets stored within Azure Storage. You can then use this file from Storage to restore your Firewall and Firewall Policy deployments as required.
Deployment:
The automation has been published to the Azure Network Security GitHub repository, from where it can be deployed directly to your environment through the provided ARM template (found in the “Deploy to Azure” button in this blog). To deploy the Logic App, you must have Contributor rights on the target resource group that will contain the Logic App resource (see here for more information).
The deployment will create three main resources:
When you are ready, you can click the Deploy to Azure button below to deploy the template.
During the deployment, you must specify some details, including the subscription, resource group, name, and region to host this automation. You must also configure the following:
Figure 1. ARM Template input parameters
As shown in Figure 1 above, the ARM template will create the Logic App Playbook and the Storage Account. Additionally, the template will create the API connection to Azure Blob.
Post Deployment Configuration:
The following permissions and requirements must be assigned / completed after the Logic App is deployed:
Logic Implemented:
Figure 2 displays the logic built into the Logic App in the designer view.
Figure 2. Logic App designer view
The automation is configured to run every three days by using a scheduler (the frequency can be adjusted to meet your organization’s needs). The automation sets the variables provided when the Logic App was deployed (subscription ID, Resource Group, Firewall Name, Firewall Policy Name, Storage Account Name, and Blob Path), makes an HTTP request to export the existing Firewall and Firewall Policy configurations as a template, formats the template string, and then stores the backup within Azure Blob Storage.
In some cases, you may require certain modifications to the Logic App. Examples of how to make these modifications can be found below:
In the Logic App designer, you can select the ‘Recurrence’ step to configure the recurrence period for the workflow to run.
Post-Deployment:
After you have deployed the resources and successfully run the Logic App, it exports a deployment template for your Azure Firewall and Azure Firewall Policy and stores it in Azure Blob Storage.
When you navigate to the Blob Storage, you should see the backup listed. Figure 3 displays an example of the backup file:
Figure 3. Backup template in Storage Account
To restore the backup, you can download the JSON file and run the following command in Azure Cloud Shell:
New-AzResourceGroupDeployment -Name <firewallname> -ResourceGroupName <resourcegroupnameoffirewall> -TemplateFile <backupfilepath>
This restore will ask for two inputs, FirewallPublicIP and FirewallVNet. An example of those inputs is shown below:
/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/publicIPAddresses/<FirewallPublicIP>
/subscriptions/<SubscriptionId>/resourceGroups/<ResourceGroupName>/providers/Microsoft.Network/virtualNetworks/<FirewallVNet>
This restore command will restore both the Firewall and Firewall Policy together from the backup even if they have been deleted.
Note that Rule Collection Groups are treated as dependent objects and cannot be deployed in parallel. In the exported template each collection group is declared as dependent on the policy only (the dependsOn element in the ARM template). This means the restore command will first update the policy and then try to update all rule collection groups in parallel, which may fail because of that policy dependency (this is currently by design and is a roadmap item for Azure Resource Manager).
If the restore does fail, you must deploy the rule collection groups one after the other by extending the dependsOn element of each group in your Firewall backup file. As an example, the Rule Collection Group below has been edited to follow the rule processing order.
The format is to first specify the Firewall Policy name, then the Policy Rule Collection Group object.
{
  "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups",
  "apiVersion": "2020-11-01",
  "name": "SOC-NS-FWPolicy_premium/DefaultNetworkRuleCollectionGroup",
  "location": "westus2",
  "dependsOn": [
    "[resourceId('Microsoft.Network/firewallPolicies', 'SOC-NS-FWPolicy_premium')]",
    "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', 'SOC-NS-FWPolicy_premium', 'DefaultDnatRuleCollectionGroup')]"
  ]
}
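As an added example (not the blog’s own code and not part of the published Logic App), the following Python applies the manual edit described above to every rule collection group in a downloaded backup template: each group is made to depend on the policy and on the group before it in rule processing order (lowest priority number first), so Azure Resource Manager deploys them one after another. It assumes the exported template uses literal resource names of the form policy/group (as in the snippet above) and a numeric priority under properties; the sample template is constructed.

```python
RCG_TYPE = "Microsoft.Network/firewallPolicies/ruleCollectionGroups"
POLICY_TYPE = "Microsoft.Network/firewallPolicies"

# Constructed sample: a trimmed backup template with one policy and three rule
# collection groups that all depend on the policy only, as the export produces it.
SAMPLE_TEMPLATE = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "resources": [
        {"type": POLICY_TYPE, "apiVersion": "2020-11-01",
         "name": "SOC-NS-FWPolicy_premium", "location": "westus2"},
    ] + [
        {"type": RCG_TYPE, "apiVersion": "2020-11-01", "location": "westus2",
         "name": f"SOC-NS-FWPolicy_premium/{group}",
         "dependsOn": ["[resourceId('Microsoft.Network/firewallPolicies', 'SOC-NS-FWPolicy_premium')]"],
         "properties": {"priority": priority}}
        for group, priority in [("DefaultNetworkRuleCollectionGroup", 200),
                                ("DefaultApplicationRuleCollectionGroup", 300),
                                ("DefaultDnatRuleCollectionGroup", 100)]
    ],
}

def policy_ref(policy):
    return f"[resourceId('{POLICY_TYPE}', '{policy}')]"

def group_ref(policy, group):
    # Nested resource: resourceId takes the parent policy name, then the group name.
    return f"[resourceId('{RCG_TYPE}', '{policy}', '{group}')]"

def serialize_rule_collection_groups(template):
    """Rewrite dependsOn in place so each policy's rule collection groups deploy
    one after another in rule processing order (lowest priority number first).
    Returns {policy name: [group names in deployment order]}."""
    groups = {}
    for res in template["resources"]:
        if res.get("type") == RCG_TYPE:
            policy, group = res["name"].split("/", 1)
            groups.setdefault(policy, []).append(res)
    order = {}
    for policy, resources in groups.items():
        resources.sort(key=lambda r: r.get("properties", {}).get("priority", 65000))
        previous = None
        for res in resources:
            group = res["name"].split("/", 1)[1]
            res["dependsOn"] = [policy_ref(policy)] + ([group_ref(policy, previous)] if previous else [])
            previous = group
        order[policy] = [r["name"].split("/", 1)[1] for r in resources]
    return order
```

Run it over the parsed backup JSON and write the template back out before invoking New-AzResourceGroupDeployment; the dependency chain is what stops the parallel update that fails.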
Lastly, you will want to confirm that any Azure Key Vault information for TLS inspection is not missing after the deployment is complete.
Conclusion:
By using this template, you can now easily automate the process of backing up your Firewall deployment at the required frequency without any manual effort. The REST API used to export the backup template can also be used to back up other resources within Azure.
To move this deployment from one subscription to another with your customizations, we offer this playbook: a PowerShell utility that evaluates the Logic App and API connections present and then generates the template resources with the necessary parameters for deployment. A demo is available here: https://www.youtube.com/watch?v=scTtVHVzrQw.