Azure IaaS Lab – Firewall – Part 1

This post is part of a series, for the series contents see:
https://irankon.wordpress.com/post-lists/azure-iaas-lab-project/

For the code listed in this post please see:
https://github.com/irankon/azure-iaas-lab/blob/master/security_build.ps1

*** Update – 21st March 2017: Ubuntu version changed to 14.04 LTS ***

Now that I’ve got my base VNETs set up and peering in place, the next step is to sort out my firewall. The overall plan is:

  1. Set up the security VNET with peering relationships to all the others
  2. Build a VM there to act as a firewall. Ideally it would be nice for this to be a proper firewall appliance like a Check Point or a Cisco ASA (simply because they are two firewalls I know well), but I don’t have the cash to spend on that for a test lab, so I’ll simply set up an Ubuntu VM running Zentyal to show the concept.
  3. Set up routing across my environment to force all traffic through that firewall

First up, let’s get the firewall VNET set up and make it peer with all the other VNETs:


#Create the Security group base build

#Login to Azure and resource manager
Add-AzureAccount
Login-AzureRmAccount

#Just in case you have multiple subscriptions check which one you're working in
Get-AzureSubscription

#If you need to select your test subscription use:
#Set-AzureSubscription -SubscriptionName <name>

#First the resource group
$RGName = "security-rg"
$Location = "North Europe"
New-AzureRmResourceGroup -Name $RGName -Location $Location

#Now the Security network
New-AzureRmVirtualNetwork -ResourceGroupName $RGName -Name security-vnet `
-AddressPrefix 10.2.0.0/16 -Location $Location

$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $RGName -Name security-vnet

Add-AzureRmVirtualNetworkSubnetConfig -Name firewall-subnet `
-VirtualNetwork $vnet -AddressPrefix 10.2.1.0/28

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

#Now setup peering to our other VNETs

#First get my VNETs
$vnet1 = Get-AzureRmVirtualNetwork -ResourceGroupName dmz-rg -Name dmz-vnet
$vnet2 = Get-AzureRmVirtualNetwork -ResourceGroupName hub-rg -Name hub-vnet
$vnet3 = Get-AzureRmVirtualNetwork -ResourceGroupName internal-rg -Name internal-vnet
$vnet4 = Get-AzureRmVirtualNetwork -ResourceGroupName $RGName -Name $vnet.Name

#Setup links between the vnets
#First between the Security and DMZ
Add-AzureRmVirtualNetworkPeering -name DMZToSecurity-Peer -VirtualNetwork $vnet1 -RemoteVirtualNetworkId $vnet4.id
Add-AzureRmVirtualNetworkPeering -name SecurityToDMZ-Peer -VirtualNetwork $vnet4 -RemoteVirtualNetworkId $vnet1.id

#Then between the Hub and Security vnets
Add-AzureRmVirtualNetworkPeering -name SecurityToHub-Peer -VirtualNetwork $vnet4 -RemoteVirtualNetworkId $vnet2.id
Add-AzureRmVirtualNetworkPeering -name HubToSecurity-Peer -VirtualNetwork $vnet2 -RemoteVirtualNetworkId $vnet4.id

#Then, finally, between the Internal and Security vnets
Add-AzureRmVirtualNetworkPeering -name SecurityToInternal-Peer -VirtualNetwork $vnet4 -RemoteVirtualNetworkId $vnet3.id
Add-AzureRmVirtualNetworkPeering -name InternalToSecurity-Peer -VirtualNetwork $vnet3 -RemoteVirtualNetworkId $vnet4.id

#Amend with the commands below (in this case allowing Gateway transit)
# These settings are correct but you need a site-to-site vpn and to specify the peer network as a 'local network'
# Perhaps setup site-to-site vpn using a server 2012 box? Need a public IP?
# Note: changing a property on the object returned by Get-AzureRmVirtualNetworkPeering does nothing
# until it is written back with Set-AzureRmVirtualNetworkPeering. Azure will also only accept
# UseRemoteGateways on the side without a gateway; the gateway-owning side sets AllowGatewayTransit.

$DMZToSecurityLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName dmz-vnet -ResourceGroupName dmz-rg -Name DMZToSecurity-Peer
$DMZToSecurityLink.UseRemoteGateways = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $DMZToSecurityLink

$SecurityToDMZLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName security-vnet -ResourceGroupName $RGName -Name SecurityToDMZ-Peer
$SecurityToDMZLink.UseRemoteGateways = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $SecurityToDMZLink

$HubToSecurityLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName hub-vnet -ResourceGroupName hub-rg -Name HubToSecurity-Peer
$HubToSecurityLink.UseRemoteGateways = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $HubToSecurityLink

$SecurityToHubLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName security-vnet -ResourceGroupName $RGName -Name SecurityToHub-Peer
$SecurityToHubLink.UseRemoteGateways = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $SecurityToHubLink

$InternalToSecurityLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName internal-vnet -ResourceGroupName internal-rg -Name InternalToSecurity-Peer
$InternalToSecurityLink.UseRemoteGateways = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $InternalToSecurityLink

$SecurityToInternalLink = Get-AzureRmVirtualNetworkPeering -VirtualNetworkName security-vnet -ResourceGroupName $RGName -Name SecurityToInternal-Peer
$SecurityToInternalLink.UseRemoteGateways = $true
Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $SecurityToInternalLink
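Once the six peerings exist it is worth checking that each one has actually reached the Connected state (a peering created from only one side sits in Initiated and passes nothing), and that AllowForwardedTraffic is on, because traffic the firewall VM forwards from one spoke into another arrives at the remote peering with a source address outside the security VNET and is dropped unless that flag is set. The script below is an added example, not code from the original post or the lab repository; it assumes the resource group and VNET names used above, and the -Fix switch is a hypothetical convenience for turning the flag on where it is missing.

```powershell
# Added example: report the state and forwarding flags of every peering in the lab.
# Assumes the VNET and resource-group names used in the build script above.
function Test-LabPeerings {
    param(
        [switch]$Fix   # hypothetical switch: enable AllowForwardedTraffic where it is off
    )
    $vnets = @(
        @{ RG = 'dmz-rg';      Name = 'dmz-vnet' },
        @{ RG = 'hub-rg';      Name = 'hub-vnet' },
        @{ RG = 'internal-rg'; Name = 'internal-vnet' },
        @{ RG = 'security-rg'; Name = 'security-vnet' }
    )
    $allGood = $true
    foreach ($v in $vnets) {
        # Without -Name this returns every peering defined on the VNET
        $peers = Get-AzureRmVirtualNetworkPeering -ResourceGroupName $v.RG -VirtualNetworkName $v.Name
        foreach ($p in $peers) {
            $remote = ($p.RemoteVirtualNetwork.Id -split '/')[-1]
            $state  = if ($p.PeeringState -eq 'Connected') { 'OK' } else { 'NOT CONNECTED' }
            if ($state -ne 'OK' -or -not $p.AllowForwardedTraffic) { $allGood = $false }
            "{0,-14} {1,-26} -> {2,-14} {3,-13} forwarded={4,-5} gwtransit={5,-5} useremotegw={6}" -f `
                $v.Name, $p.Name, $remote, $state, $p.AllowForwardedTraffic, $p.AllowGatewayTransit, $p.UseRemoteGateways
            if ($Fix -and -not $p.AllowForwardedTraffic) {
                # Property changes are local until written back with Set-AzureRmVirtualNetworkPeering
                $p.AllowForwardedTraffic = $true
                Set-AzureRmVirtualNetworkPeering -VirtualNetworkPeering $p | Out-Null
                "  -> enabled AllowForwardedTraffic on $($p.Name)"
            }
        }
    }
    return $allGood
}

Test-LabPeerings          # report only
# Test-LabPeerings -Fix   # report and enable forwarded traffic on every peering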

With the network in place, the next step is to do the base build of the Ubuntu VM that will serve as my firewall:


#Login to Azure and resource manager
Add-AzureAccount
Login-AzureRmAccount

#Just in case you have multiple subscriptions check which one you're working in
Get-AzureSubscription

#If you need to select your test subscription use:
#Set-AzureSubscription -SubscriptionName <name>

#First the resource group variables
$RGName = "security-rg"
$Location = "North Europe"

#Create the storage account
New-AzureRmStorageAccount -ResourceGroupName $RGName -AccountName "securityvmstr" -Location $Location -Type "Standard_LRS"

#First setup default credentials to use in provisioning by retrieving and decrypting our Key Vault password
$Username = "adminuser"
$SecurePwd = Get-AzureKeyVaultSecret -VaultName 'lab-vault' -Name 'ProvisionPassword'
$Credential = New-Object System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePwd.SecretValue

#Build Ubuntu firewall VM

#Base VM variables
$VMName = "firewall-vm"
$VMSize = "Standard_D2"
$OSDiskName = $VMName + "OSDisk"
$StorageAccount = Get-AzureRmStorageAccount -ResourceGroupName $RGName -Name securityvmstr
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $RGName -Name security-vnet

#VM Network Interface Details
$NIC1 = New-AzureRmNetworkInterface -Name "firewall-vm-eth0" -ResourceGroupName $RGName -Location $Location -SubnetId $vnet.Subnets[0].Id -PrivateIpAddress 10.2.1.4
$NIC1.EnableIPForwarding = 1
Set-AzureRmNetworkInterface -NetworkInterface $NIC1

$NIC2 = New-AzureRmNetworkInterface -Name "firewall-vm-eth1" -ResourceGroupName $RGName -Location $Location -SubnetId $vnet.Subnets[0].Id -PrivateIpAddress 10.2.1.5
$NIC2.EnableIPForwarding = 1
Set-AzureRmNetworkInterface -NetworkInterface $NIC2

#Setup the VM object
$VirtualMachine = New-AzureRmVMConfig -VMName $VMName -VMSize $VMSize
$VirtualMachine = Set-AzureRmVMOperatingSystem -VM $VirtualMachine -ComputerName $VMName -Linux -Credential $Credential
$VirtualMachine = Set-AzureRmVMSourceImage -VM $VirtualMachine -PublisherName "Canonical" -Offer "UbuntuServer" -Skus "14.04.4-LTS" -Version "latest"
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $NIC1.Id -Primary
$VirtualMachine = Add-AzureRmVMNetworkInterface -VM $VirtualMachine -Id $NIC2.Id
$OSDiskUri = $StorageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $OSDiskName + ".vhd"
$VirtualMachine = Set-AzureRmVMOSDisk -VM $VirtualMachine -Name $OSDiskName -VhdUri $OSDiskUri -CreateOption FromImage

#Create the Firewall VM
New-AzureRmVM -ResourceGroupName $RGName -Location $Location -VM $VirtualMachine

It’s pretty much a standard VM build; the only thing to note is:

“$NIC1.EnableIPForwarding = 1”

This setting will become really important later on when I set up routing (UDR) to pump traffic via my firewall, as it lets the VM take on that forwarding role so it can be the man in the middle between my devices/networks.
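Because a UDR that points at a NIC without Azure-level IP forwarding simply black-holes the traffic, a quick check of every NIC attached to the firewall VM is useful before any routes are added. The function below is an added example rather than code from the post or the lab repository; it assumes the resource group and VM name used in the build above.

```powershell
# Added example: confirm every NIC on the firewall VM has Azure-level IP forwarding enabled.
# Assumes the names used in the build script above (security-rg / firewall-vm).
function Test-FirewallNicForwarding {
    param(
        [string]$ResourceGroup = 'security-rg',
        [string]$VMName        = 'firewall-vm'
    )
    $vm = Get-AzureRmVM -ResourceGroupName $ResourceGroup -Name $VMName
    $ok = $true
    foreach ($ref in $vm.NetworkProfile.NetworkInterfaces) {
        # The VM object only carries the NIC resource Id; fetch the NIC to read its settings
        $nicName = ($ref.Id -split '/')[-1]
        $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroup -Name $nicName
        $ip  = $nic.IpConfigurations[0].PrivateIpAddress
        if ($nic.EnableIPForwarding) {
            "$nicName ($ip): IP forwarding enabled"
        } else {
            "$nicName ($ip): IP forwarding DISABLED - a UDR next hop of $ip would drop traffic"
            $ok = $false
        }
    }
    return $ok
}

Test-FirewallNicForwarding
```

The Azure flag only tells the platform to deliver packets not addressed to the NIC; the Linux kernel inside the VM must also be willing to route them (net.ipv4.ip_forward set to 1), which is something the firewall software is expected to configure.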

There’s a nice Microsoft article about it here.

Right, that’s the base build done. In the next post I’ll stick in some steps for getting the Zentyal firewall set up.
