Secure RDP using Azure Firewall
I wanted to be able to port forward my RDP connections to VMs in Azure. I have done this before on my local virtual lab environment using PFSense. In Azure I could deploy the open source PFSense from the marketplace but I thought I'd try it with the Azure Firewall instead because it supports source and destination Network Address Translation (SNAT and DNAT).
What capabilities are supported in Azure Firewall?
Stateful firewall as a service
Built-in high availability with unrestricted cloud scalability
FQDN filtering
FQDN tags
Network traffic filtering rules
Outbound SNAT support
Inbound DNAT support
Centrally create, enforce, and log application and network connectivity policies across Azure subscriptions and VNETs
Fully integrated with Azure Monitor for logging and analytics
https://docs.microsoft.com/azure/firewall/firewall-faq#what-capabilities-are-supported-in-azure-firewall
Pricing for Azure Firewall can be found here; in my estimation and research it is R20/hour regardless of scale, plus R0.48/GB processed by the firewall.
So firstly I started to deploy my Azure Firewall, because I didn't have one in my virtual network, as you can see in the screenshot below:
Then I realised that I needed a dedicated subnet in the VNet for the firewall, and it must be named exactly AzureFirewallSubnet:
So I created the subnet in the VNet. (Note: the minimum size of the AzureFirewallSubnet subnet is /26.)
Once the firewall had deployed (7 minutes 13 seconds), I then needed to create a route table:
I created a route table called "Firewall-route".
Once the route table was created, I needed to associate a subnet with the new route table (I associated the subnet that contains my VMs):
Then I needed to create a default route for the destination 0.0.0.0/0, which matches all traffic. The next hop type is Virtual appliance (the Azure Firewall) and the next hop address is the internal (private) IP address the firewall was given when it was deployed.
Now this is (kind of) what I have:
I could then see that the firewall was up and running and I could see that it was actively denying hits (~5000 in 30 mins):
I then wanted to create a NAT (DNAT) rule to forward RDP to my VM.
So in the firewall, under Settings > Rules, I created a new NAT rule collection. In the screenshot I have purposely obfuscated the destination address and destination ports: the destination address is the public IP (PIP) of my Azure Firewall, and the destination port is a random number I chose that I could RDP or SSH to from my client. The translated address is the internal IP address of the VM, and the translated port is the default port the RDP or SSH service listens on inside that VM, so 3389 for RDP and 22 for SSH.
I combined the two rules (RDP and SSH) into one collection, because they are both remote administration protocols but you could have separate NAT collections for each protocol.
A collection is a group of firewall rules that share the same order and priority.
So now, to test my firewall rule, I removed the PIP from the virtual machine.
I also saved an RDP connection to the public IP address of the firewall and the port chosen in the destination of the RDP-Archive rule.
And I was able to RDP to my VM in Azure from my local machine with no VPN connection, only the PIP of the firewall and the port specified.
The other thing I noticed was that I couldn't browse to any internet site from the VM, because I didn't have any outbound rules configured on the firewall, but I will leave that for another blog post.
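The portal steps above (firewall subnet, firewall, route table, default route, DNAT collection, removing the VM's PIP) as an Azure CLI script. This is an added example, not the author's or Microsoft's code; the resource group, VNet, subnet and NIC names, the address prefixes, the VM private IP, the admin IP and the two external ports are all assumed placeholders you override through environment variables. One deliberate change from the post: the DNAT source is pinned to a single admin IP rather than any source, because a nonstandard port on a public IP is not a secret, it only cuts down the noise in the logs. The script also pulls the effective route table of the VM's NIC at the end, which is the quickest way to confirm that 0.0.0.0/0 really points at the firewall's private IP.

```shell
#!/bin/sh
# Added example (not from the original post): the portal steps as Azure CLI calls.
# Every name, prefix and address below is an assumption; override via environment.
set -eu

RG="${RG:-rdp-lab-rg}"
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-lab-vnet}"
VM_SUBNET="${VM_SUBNET:-vm-subnet}"           # subnet the VMs live in; gets the route table
VM_NIC="${VM_NIC:-lab-vm-nic}"
VM_PRIVATE_IP="${VM_PRIVATE_IP:-10.0.0.4}"
FW_NAME="${FW_NAME:-lab-fw}"
FW_PIP_NAME="${FW_PIP_NAME:-lab-fw-pip}"
FW_SUBNET_PREFIX="${FW_SUBNET_PREFIX:-10.0.1.0/26}"  # /26 is the minimum for AzureFirewallSubnet
ROUTE_TABLE="${ROUTE_TABLE:-Firewall-route}"
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"           # your own egress IP (documentation-range placeholder)
RDP_PUBLIC_PORT="${RDP_PUBLIC_PORT:-50001}"    # the "random" external ports from the post
SSH_PUBLIC_PORT="${SSH_PUBLIC_PORT:-50002}"

# Step 1: dedicated subnet; the name AzureFirewallSubnet is mandatory.
create_firewall_subnet() {
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n AzureFirewallSubnet \
    --address-prefixes "$FW_SUBNET_PREFIX"
}

# Step 2: static Standard-SKU public IP, the firewall, and its IP configuration.
create_firewall() {
  az network public-ip create -g "$RG" -n "$FW_PIP_NAME" -l "$LOCATION" \
    --sku Standard --allocation-method Static
  az network firewall create -g "$RG" -n "$FW_NAME" -l "$LOCATION"
  az network firewall ip-config create -g "$RG" -f "$FW_NAME" -n fw-ipconfig \
    --public-ip-address "$FW_PIP_NAME" --vnet-name "$VNET"
}

# Step 3: route table with 0.0.0.0/0 -> firewall private IP, attached to the VM subnet,
# so the VM's replies go back through the firewall instead of bypassing it.
create_default_route() {
  fw_private_ip="$1"
  az network route-table create -g "$RG" -n "$ROUTE_TABLE" -l "$LOCATION"
  az network route-table route create -g "$RG" --route-table-name "$ROUTE_TABLE" \
    -n default-via-firewall --address-prefix 0.0.0.0/0 \
    --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_private_ip"
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$VM_SUBNET" \
    --route-table "$ROUTE_TABLE"
}

# Step 4: one DNAT collection holding both remote-admin rules.
# --priority/--action are only needed on the call that creates the collection.
# Source is pinned to ADMIN_IP instead of '*'.
create_dnat_rules() {
  fw_public_ip="$1"
  az network firewall nat-rule create -g "$RG" -f "$FW_NAME" --collection-name RemoteAdmin \
    --priority 200 --action Dnat -n rdp-to-vm --protocols TCP \
    --source-addresses "$ADMIN_IP" --destination-addresses "$fw_public_ip" \
    --destination-ports "$RDP_PUBLIC_PORT" \
    --translated-address "$VM_PRIVATE_IP" --translated-port 3389
  az network firewall nat-rule create -g "$RG" -f "$FW_NAME" --collection-name RemoteAdmin \
    -n ssh-to-vm --protocols TCP \
    --source-addresses "$ADMIN_IP" --destination-addresses "$fw_public_ip" \
    --destination-ports "$SSH_PUBLIC_PORT" \
    --translated-address "$VM_PRIVATE_IP" --translated-port 22
}

# Step 5: drop the VM's own public IP so the firewall is the only way in, then print the
# effective routes of the NIC to confirm 0.0.0.0/0 has next hop VirtualAppliance = firewall.
remove_vm_public_ip_and_verify() {
  az network nic ip-config update -g "$RG" --nic-name "$VM_NIC" -n ipconfig1 \
    --public-ip-address null
  az network nic show-effective-route-table -g "$RG" -n "$VM_NIC" -o table
}

deploy_all() {
  create_firewall_subnet
  create_firewall
  # Key casing of the private IP field differs between CLI versions; check with -o json if empty.
  fw_private_ip=$(az network firewall show -g "$RG" -n "$FW_NAME" \
      --query "ipConfigurations[0].privateIpAddress" -o tsv)
  fw_public_ip=$(az network public-ip show -g "$RG" -n "$FW_PIP_NAME" --query ipAddress -o tsv)
  create_default_route "$fw_private_ip"
  create_dnat_rules "$fw_public_ip"
  remove_vm_public_ip_and_verify
  echo "RDP: mstsc /v:${fw_public_ip}:${RDP_PUBLIC_PORT}   SSH: ssh -p ${SSH_PUBLIC_PORT} user@${fw_public_ip}"
}

# Only touch Azure when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "deploy" ]; then
  deploy_all
fi
```

Run it after `az login` with `sh secure-rdp.sh deploy` (the `azure-firewall` CLI extension must be installed). The DNAT rule also needs no separate network rule for the translated traffic, so the only inbound paths left are the two ports on the firewall's PIP from the admin IP; anything else, including the old PIP on the VM, is gone.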
Till next time, secure your infrastructure with an Azure Firewall.
Cheers