Azure Bastion 2 – Securing Access to Virtual Networks

2024-02-182024-02-18| Zoe PetersonAzure Bastion 2 – Securing Access to Virtual Networks| 0 Comment| 9:14 AM
Categories :
  1. Next, we are going to create a public IP address for the Bastion service:

$publicip = New-AzPublicIpAddress -ResourceGroupName Test-FW-RG -Location “East US” -Name Bastion-pip -AllocationMethod static -Sku standard

The public IP address for Bastion is shown in the following screenshot:

Figure 15.16 – A newly created public IP address for the Bastion service

  1. Next, we are going to create the Bastion host:

New-AzBastion -ResourceGroupName Test-FW-RG -Name Bastion-01 -PublicIpAddress $publicip -VirtualNetwork $testVnet

The following screenshot shows the newly created Bastion service:

Figure 15.17 – Creating the Bastion service

Implementing Azure Firewall and Azure Bastion 499

  1. Next, we are going to create the VM. You will be prompted to enter a username and password while running the script; please ensure that you remember this information:

#Create the NIC

$wsn = Get-AzVirtualNetworkSubnetConfig -Name VMSubnet -VirtualNetwork $testvnet

$NIC01 = New-AzNetworkInterface -Name VM01

-ResourceGroupName Test-FW-RG -Location “East us” -Subnet $wsn

#Define the virtual machine

$VirtualMachine = New-AzVMConfig -VMName VM01 -VMSize “Standard_DS2”

$VirtualMachine = Set-AzVMOperatingSystem -VM $VirtualMachine -Windows -ComputerName VM01 -ProvisionVMAgent -EnableAutoUpdate

$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $NIC01.Id

$VirtualMachine = Set-AzVMSourceImage -VM $VirtualMachine -PublisherName ‘MicrosoftWindowsServer’ -Offer ‘WindowsServer’ -Skus ‘2019-Datacenter’ -Version latest

#Create the virtual machine

New-AzVM -ResourceGroupName Test-FW-RG -Location “East US” -VM $VirtualMachine -Verbose

In this section of code, we have created the VM along with a password, as shown in the following screenshot. This information needs to be stored for use later:

Figure 15.18 – The created VM01 with its components

  1. Next, we are going to deploy the firewall along with a public IP address:

#Get a Public IP for the firewall

$FWpip = New-AzPublicIpAddress -Name “fw-pip”

-ResourceGroupName Test-FW-RG `

-Location “East US” -AllocationMethod Static -Sku Standard

#Create the firewall

$Azfw = New-AzFirewall -Name Test-FW01 -ResourceGroupName Test-FW-RG -Location “East US” -VirtualNetwork $testVnet -PublicIpAddress $FWpip

#Save the firewall private IP address for future use

$AzfwPrivateIP = $Azfw.IpConfigurations.privateipaddress $AzfwPrivateIP

The following screenshot displays the newly deployed firewall:

Figure 15.19 – The Azure Firewall deployed

  1. Next, we are going to configure a default route on the firewall along with a route table and associate the latter with our VMSubnet:

$routeTableDG = New-AzRouteTable `

-Name Firewall-rt-table `

-ResourceGroupName Test-FW-RG `

-location “East US” `

-DisableBgpRoutePropagation

#Create a route

Add-AzRouteConfig `

-Name “DG-Route” `

-RouteTable $routeTableDG `

-AddressPrefix 0.0.0.0/0 `

-NextHopType “VirtualAppliance” `

-NextHopIpAddress $AzfwPrivateIP `

| Set-AzRouteTable

#Associate the route table to the subnet Set-AzVirtualNetworkSubnetConfig `

-VirtualNetwork $testVnet `

-Name VMSubnet `

-AddressPrefix 10.0.2.0/24 `

-RouteTable $routeTableDG | Set-AzVirtualNetwork

In this section of code, we have created a new route table with a route named DG-Route and associated it with the subnet.

The following screenshot displays the newly created route table:

Figure 15.20 – The newly created route table

  1. Next, we are going to create an application rule on the firewall to allow outbound access to www.google.com:

$AppRule1 = New-AzFirewallApplicationRule -Name Allow-Google -SourceAddress 10.0.2.0/24 `

-Protocol http, https -TargetFqdn www.google.com

$AppRuleCollection =

New-AzFirewallApplicationRuleCollection -Name App-Coll01

`

-Priority 200 -ActionType Allow -Rule $AppRule1
$Azfw.ApplicationRuleCollections.Add($AppRuleCollection)

Set-AzFirewall -AzureFirewall $Azfw

In this section of code we have created a new Azure Firewall application rule to allow outbound access to Google.

The following screenshot displays the newly created Azure Firewall application rule:

Figure 15.21 – The application rule added to Azure Firewall

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

Azure Bastion 3 – Securing Access to Virtual Networks

2024-02-202024-02-20 Zoe PetersonAzure Bastion 3 – Securing Access to Virtual Networks

$NetRule1 = New-AzFirewallNetworkRule -Name “Allow-DNS” -Protocol UDP -SourceAddress 10.0.2.0/24 `-DestinationAddress 8.8.8.8 -DestinationPort 53$NetRuleCollection = New-AzFirewallNetworkRuleCollection [...]

Read MoreRead More

Configuring Azure Application Gateway – Configuring Load Balancing

2022-02-102022-02-10 Zoe PetersonConfiguring Azure Application Gateway – Configuring Load Balancing

Configuring Azure Application Gateway You now have some information about what Azure Application Gateway is [...]

Read MoreRead More

Path-based load balancing – Configuring Load Balancing

2023-12-202023-12-20 Zoe PetersonPath-based load balancing – Configuring Load Balancing

Path-based load balancing Both Azure Front Door and Application Gateway support URL path-based routing. The [...]

Read MoreRead More