Configure VNETs with an AzureFirewallSubnet subnet
March 21, 2025
SYNOPSIS
Use Azure Firewall to filter network traffic to and from Azure resources.
DESCRIPTION
Network segmentation is a key component of a secure network architecture. Azure provides several features that work together to provide strong network segmentation controls.
Azure Firewall is a cloud-native, stateful firewall offered as a service. It can perform deep packet inspection on both east-west and north-south traffic. Firewall rules are defined as policies and managed centrally.
Some key advantages that Azure Firewall has over traditional solutions include:
- Azure Firewall integrates directly with Virtual Network (VNET) and subnet-level security, and supports Azure concepts such as service tags, FQDN tags, and load balancing that reduce the need for complex network configuration.
- Managed by Azure, so there is no need to deploy additional management infrastructure or consoles.
- Built-in support for Infrastructure as Code (IaC), version control, and DevOps.
For guidance on defining your network topology in Azure, see the Cloud Adoption Framework (CAF).
RECOMMENDATION
Consider deploying an Azure Firewall within hub networks to filter traffic between VNETs and on-premises networks.
EXAMPLES
Configure with Azure template
To deploy Virtual Networks that pass this rule:
- Configure an AzureFirewallSubnet defined in properties.subnets.
For example:
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {
      "addressPrefixes": [
        "10.0.0.0/16"
      ]
    },
    "subnets": [
      {
        "name": "GatewaySubnet",
        "properties": {
          "addressPrefix": "10.0.0.0/27"
        }
      },
      {
        "name": "AzureFirewallSubnet",
        "properties": {
          "addressPrefix": "10.0.1.0/26"
        }
      }
    ]
  }
}
Configure with Bicep
To deploy Virtual Networks that pass this rule:
- Configure an AzureFirewallSubnet defined in properties.subnets.
For example:
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: name
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        '10.0.0.0/16'
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.0.0.0/27'
        }
      }
      {
        name: 'AzureFirewallSubnet'
        properties: {
          addressPrefix: '10.0.1.0/26'
        }
      }
    ]
  }
}
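The following Python script is an added example, not part of this documentation page or of the PSRule for Azure rule code. It evaluates a virtualNetworks resource in the same spirit as the template and Bicep examples above: it requires a subnet with the exact reserved name AzureFirewallSubnet under properties.subnets, and it adds the checks a reviewer would want alongside the name check: the subnet is at least a /26 (the minimum size Azure Firewall accepts), it lies inside the VNET address space, and it does not overlap another subnet. The embedded resource is the ARM JSON from this page reproduced inline; the function and helper names are our own. For a Bicep file, compile it to ARM JSON first (for example with `az bicep build`) and feed the resulting resource object to the check.

```python
"""Evaluate an ARM virtualNetworks resource for a correctly declared AzureFirewallSubnet."""
import copy
import ipaddress
import json

# Constructed sample: the ARM template resource shown on the page, embedded inline.
PASSING_VNET = json.loads("""
{
  "type": "Microsoft.Network/virtualNetworks",
  "apiVersion": "2023-05-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "addressSpace": {"addressPrefixes": ["10.0.0.0/16"]},
    "subnets": [
      {"name": "GatewaySubnet", "properties": {"addressPrefix": "10.0.0.0/27"}},
      {"name": "AzureFirewallSubnet", "properties": {"addressPrefix": "10.0.1.0/26"}}
    ]
  }
}
""")

FIREWALL_SUBNET_NAME = "AzureFirewallSubnet"  # Azure recognises the firewall subnet only by this exact name
FIREWALL_SUBNET_MAX_PREFIXLEN = 26            # /26 is the smallest subnet Azure Firewall can be deployed into


def _subnet_networks(subnet: dict) -> list:
    """A subnet declares either addressPrefix (one CIDR) or addressPrefixes (several)."""
    props = subnet.get("properties", {})
    cidrs = props.get("addressPrefixes") or ([props["addressPrefix"]] if "addressPrefix" in props else [])
    return [ipaddress.ip_network(c) for c in cidrs]


def check_firewall_subnet(vnet: dict) -> list[str]:
    """Return a list of findings; an empty list means the VNET passes."""
    if vnet.get("type") != "Microsoft.Network/virtualNetworks":
        return [f"not a virtual network resource: {vnet.get('type')!r}"]
    props = vnet.get("properties", {})
    address_space = [ipaddress.ip_network(p) for p in props.get("addressSpace", {}).get("addressPrefixes", [])]
    subnets = props.get("subnets", [])

    # Case-sensitive on purpose: a differently cased name is an ordinary subnet to Azure.
    fw = [s for s in subnets if s.get("name") == FIREWALL_SUBNET_NAME]
    if not fw:
        near = [s.get("name") for s in subnets if str(s.get("name", "")).lower() == FIREWALL_SUBNET_NAME.lower()]
        hint = f" (found {near[0]!r}; the name must match exactly)" if near else ""
        return [f"no subnet named {FIREWALL_SUBNET_NAME}{hint}"]

    findings: list[str] = []
    if len(fw) > 1:
        findings.append(f"{FIREWALL_SUBNET_NAME} is declared {len(fw)} times")
    nets = _subnet_networks(fw[0])
    if not nets:
        findings.append(f"{FIREWALL_SUBNET_NAME} declares no addressPrefix")
    for net in nets:
        if net.prefixlen > FIREWALL_SUBNET_MAX_PREFIXLEN:
            findings.append(f"{net} is smaller than /{FIREWALL_SUBNET_MAX_PREFIXLEN}; Azure Firewall needs at least a /26")
        if not any(net.subnet_of(space) for space in address_space if space.version == net.version):
            findings.append(f"{net} is outside the VNET address space {[str(s) for s in address_space]}")
        for other in subnets:
            if other is fw[0]:
                continue
            for onet in _subnet_networks(other):
                if onet.version == net.version and net.overlaps(onet):
                    findings.append(f"{net} overlaps subnet {other.get('name')!r} ({onet})")
    return findings


def with_firewall_prefix(vnet: dict, prefix: str) -> dict:
    """Copy of vnet with the firewall subnet's addressPrefix replaced, for what-if checks."""
    variant = copy.deepcopy(vnet)
    for s in variant["properties"]["subnets"]:
        if s.get("name") == FIREWALL_SUBNET_NAME:
            s["properties"] = {"addressPrefix": prefix}
    return variant


def rename_firewall_subnet(vnet: dict, new_name: str) -> dict:
    """Copy of vnet with the firewall subnet renamed, to show the exact-name requirement."""
    variant = copy.deepcopy(vnet)
    for s in variant["properties"]["subnets"]:
        if s.get("name") == FIREWALL_SUBNET_NAME:
            s["name"] = new_name
    return variant


if __name__ == "__main__":
    for label, candidate in [
        ("page example", PASSING_VNET),
        ("too small (/27)", with_firewall_prefix(PASSING_VNET, "10.0.1.0/27")),
        ("overlaps GatewaySubnet", with_firewall_prefix(PASSING_VNET, "10.0.0.0/26")),
        ("wrong case", rename_firewall_subnet(PASSING_VNET, "azurefirewallsubnet")),
    ]:
        result = check_firewall_subnet(candidate)
        print(f"{label}: {'PASS' if not result else 'FAIL'} {result}")
```

The name comparison is deliberately case-sensitive and exact, because that is how Azure decides whether a subnet is the firewall subnet; the size, containment and overlap checks catch templates that would pass a name-only rule but fail at deployment time.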