Azure Ingress Firewall Setup Solution

This document illustrates a simple architecture for an ingress traffic inspection firewall that leverages Azure Load Balancers, Transit FireNet for Azure, and Azure Transit with Native Spoke VNets. The solution also lets you see the original client IP address.

The deployment is shown in the diagram below.

transit_firenet_vnet

The key idea is that, from the FireNet point of view, ingress inspection is simply VNet-to-VNet traffic inspection. This is accomplished by:

  1. Placing an Internet-facing Azure Application Gateway in a spoke VNet (in the diagram, this spoke VNet is called the Ingress Spoke VNet) to load balance traffic to the VNet where the applications reside (the Application Spoke VNet).

  2. Managing Spoke Inspection Policies in the Aviatrix Transit VNet for the Application Spoke VNet traffic that requires inspection.

In this unified architecture, firewalls can be used for Ingress, Egress, North-South and VNet-to-VNet filtering. The solution does not require Azure Load Balancers to attach directly to firewall instances, which would otherwise require the firewall instances to source-NAT the incoming Internet traffic (and so hide the client IP address from the application). Firewall instances can scale out as applications scale, for all traffic types.

Note

This architecture works for Azure Application Gateway. You can create multiple load balancers in the Ingress Spoke VNet.

Prerequisite Setup

First, upgrade the Aviatrix Controller to at least version UserConnect-5.3.1428.

In these instructions, we deploy the topology below in Azure.

  • Azure VNets

    • Aviatrix Transit VNet (e.g. 192.168.23.0/24)

    • Ingress Spoke VNet (e.g. 10.20.0.0/16)

    • Application Spoke VNet (e.g. 10.21.0.0/16)

  • Azure Transit with Native Spoke VNets topology

Note

Aviatrix Transit FireNet for Azure Encrypted Transit topology also supports this Azure Ingress Firewall Solution.

Deploy an Aviatrix Transit VNET

Create an Aviatrix Transit VNet by using the Aviatrix feature Create a VPC with the Aviatrix FireNet VPC option enabled.

  1. Go to the Aviatrix Controller.

  2. Open Useful Tools on the left sidebar > Create a VPC.

  3. Click + Add new to create a new VPC with Cloud Type Azure ARM.

  4. Enable the Aviatrix FireNet VPC checkbox.

Deploying an Ingress Spoke VNET

Create an Ingress Spoke VNET by using the Aviatrix Create a VPC feature as in the previous step, or deploy it manually in the Azure portal. You can also use an existing VNet.

Deploying an Application Spoke VNET

Create an Application Spoke VNET by using the Aviatrix Create a VPC feature as in the previous step, or deploy it manually in the Azure portal. You can also use an existing Application VNET.

Deploying Azure Transit with Native Spoke VNets Topology

Follow the Global Transit Network Workflow Instructions (AWS/Azure/GCP/OCI) to deploy the Azure Transit with Native Spoke VNets topology.

  • Create an Aviatrix Transit Gateway in the Aviatrix Transit VNET by following the step Launch a Transit Gateway, as shown in the following screenshot.

    Important

    For Azure deployment, the Aviatrix Transit Gateway must be launched with the option Enable Transit FireNet Function enabled. The minimum Azure FireNet gateway size is Standard_B2ms.

azure_avx_transit_gw

Managing Transit FireNet

Follow the Aviatrix Transit FireNet Workflow to manage the FireNet policy and deploy firewall instances.

  • Manage a spoke inspection policy for the Application Spoke VNET by referring to the step Manage Transit FireNet Policy, as shown in the following screenshot.

azure_avx_manage_firenet_policy

  • Deploy a firewall instance in the Aviatrix Transit VNet by following the step Deploy Firewall Network, as shown in the following screenshot.

    Here is the firewall information used in this example for your reference. Adjust it depending on your requirements.

    Example setting              | Example value
    -----------------------------|------------------------------------------------------------------------------
    Firewall Image               | Palo Alto Networks VM-Series Next-Generation Firewall Bundle 1
    Firewall Image Version       | 9.1.0
    Firewall Instance Size       | Standard_D3_v2
    Management Interface Subnet  | Select the subnet whose name contains “gateway-and-firewall-mgmt”
    Egress Interface Subnet      | Select the subnet whose name contains “FW-ingress-egress”
    Username                     | Applicable to Azure deployment only. “admin” as a username is not accepted.
    Attach                       | Check

    azure_avx_deploy_firewall

  • Set up firewall configuration by referring to Example Config for Palo Alto Network VM-Series.

    Note

    In Azure, instead of using a .pem file, use the username/password to SSH into the firewall instance to reset the password if needed. Use the same username/password to log in to the firewall web UI.

Launching an Apache2 Web server in Application Spoke VNET

In the Application Spoke VNET, create an open-source OS virtual machine and install Apache2 HTTP Server on custom port 8080.

Example setting | Example value
----------------|--------------
Protocol        | HTTP
Port            | 8080

Note

Refer to Install The Latest Apache2 HTTP Server (2.4.34) On opensource OS servers to install Apache2 HTTP Server.

Refer to How To Change Apache Default Port To A Custom Port to use the custom port 8080.

Creating Azure Application Gateway

In the Ingress Spoke VNET, create an Azure Application Gateway. Make sure you select the following:

  1. Create an Azure Application Gateway in the Ingress Spoke VNET.

    azure_application_gw_creation

  2. Select “Public” for Frontend IP address type in section Frontends.

    azure_application_gw_frontend

  3. Select “IP address or hostname” for Target type and configure the private IP of the Apache2 web server as the Target in section Backends.

    azure_application_gw_backend

  4. Add a routing rule on Listener depending on your requirement.

    Example setting | Example value
    ----------------|--------------
    Frontend IP     | Public
    Protocol        | HTTP
    Port            | 80

    azure_application_gw_routing_rule_listener

  5. Add a routing rule on Backend targets and create an HTTP setting depending on your requirement.

    azure_application_gw_routing_rule_backend_target

  6. Click Create new on HTTP settings.

    azure_application_gw_routing_rule_http_setting

    Example setting  | Example value
    -----------------|--------------
    Backend protocol | HTTP
    Backend port     | 8080

    azure_application_gw_routing_rule_backend_target_02

  7. Review the configuration and click Create on the Review + create page.

Ready to Go

Make sure the Server (backend pool) status is Healthy on the Azure portal page Application Gateway > Backend health.

azure_application_gw_health_check

Send an HTTP request to the Azure Application Gateway public IP or DNS name.

  • Find the Frontend public IP address of the Azure Application Gateway on the Azure portal page Application Gateway > Overview.

    azure_application_gw_frontend_public_IP

  • Copy the Frontend public IP address of the Azure Application Gateway and paste it into a browser on your laptop/PC.

    azure_browser

  • Run tcpdump on port 8080 on the Apache2 web server.

    azure_application_server_tcpdump

  • The Azure Application Gateway automatically preserves the client's original IP address in the HTTP header field X-Forwarded-For (XFF).

Viewing Traffic Log on Firewall

You can verify that traffic is forwarded to the firewall instance by logging in to the Palo Alto VM-Series console and going to Monitor > Logs > Traffic. Then send HTTP/HTTPS traffic from your laptop/PC to the public IP or domain name of the Azure Application Gateway and watch for the corresponding log entries.

Capturing Client IP in Logs

To view the client IP address in the access log, follow the instructions in How to save client IP in access logs.

  1. Find and open the Apache configuration file (as root).

    # vim /etc/apache2/apache2.conf
    
  2. In the LogFormat section, prepend %{X-Forwarded-For}i to the combined format as follows:

    ...
    LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    ...
    
  3. Save your changes.

  4. Reload the Apache service.

    # systemctl reload apache2
    
  5. Review the public/original client IP in the apache2 access log.

azure_application_server_apache2_accesslog
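As an added example (not from the original page or from Aviatrix), this Python script parses lines written in the combined LogFormat above and picks the client address defensively: X-Forwarded-For is trusted only when the request arrived from the Ingress Spoke VNet range used on this page (10.20.0.0/16), and only its last entry is used, because a caller can send its own X-Forwarded-For header and a reverse proxy such as the Application Gateway appends the address it actually saw after it (standard proxy behaviour, assumed here). The sample log lines, the ':port' suffix handling and the trusted range are constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in this page's combined LogFormat (line 2: caller sent its own XFF):
#   "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
SAMPLE_LOG = """\
203.0.113.7:51234 10.20.1.4 - - [10/Mar/2021:10:15:32 +0000] "GET / HTTP/1.1" 200 11173 "-" "Mozilla/5.0"
198.51.100.9, 203.0.113.7:51235 10.20.1.4 - - [10/Mar/2021:10:15:40 +0000] "GET /admin HTTP/1.1" 404 196 "-" "curl/7.68.0"
- 10.21.0.5 - - [10/Mar/2021:10:16:01 +0000] "GET /health HTTP/1.1" 200 45 "-" "curl/7.68.0"
"""

# Assumption: the Application Gateway lives in the Ingress Spoke VNet (10.20.0.0/16 on this
# page), so only a direct peer from that range is trusted to have set X-Forwarded-For.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.20.0.0/16")]

LINE_RE = re.compile(
    r'^(?P<xff>.*?) (?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def strip_port(addr: str) -> str:
    """Drop a trailing ':port' from an IPv4 address; bare IPv6 addresses are left alone."""
    host, sep, port = addr.rpartition(":")
    if sep and port.isdigit() and ":" not in host:
        return host
    return addr

def client_ip(xff: str, host: str) -> str:
    # Trust X-Forwarded-For only when the direct peer (%h) is the gateway, and then only its
    # last entry: a proxy appends the address it saw, so a client-supplied value sits to the left.
    try:
        peer = ipaddress.ip_address(host)
    except ValueError:
        return host  # %h is a hostname (HostnameLookups On); nothing to trust
    if xff == "-" or not any(peer in net for net in TRUSTED_PROXY_NETS):
        return host
    return strip_port(xff.split(",")[-1].strip())

def parse_access_log(text: str) -> list:
    """Parse log lines in the format above and attach the derived client IP to each record."""
    entries = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # not in the expected LogFormat; skip rather than guess
        record = match.groupdict()
        record["client_ip"] = client_ip(record["xff"], record["host"])
        entries.append(record)
    return entries
```

For the second sample line the spoofed 198.51.100.9 is ignored and 203.0.113.7 is reported; the third line came straight from the Application Spoke VNet, so %h is used as-is.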