Azure – A typical DMZ with Firewalls, User Defined Routing (UDR) and Network Security Groups (NSGs)

There are a lot of questions to answer when you try to convince a customer to set up their on-premises, "unbreakable" DMZs on Azure or any other public cloud. IT teams in particular are very demanding and quite skeptical about this being done in a cloud environment.

I could hear "The Times They Are A-Changin'" (Bob Dylan) playing in my head when I recently had to start setting up something like the above for a customer. Obviously I was super excited, and I knew this was going to be a worthy challenge.

So, before I begin, I will share what I ended up staring at eventually:

[Diagram: dmz]

Lacking the rights to paste my Visio diagram, and given my drawing ability in Word, this is as close as I could get to what a 3-year-old would draw after seeing a Visio diagram. So, the setup:

  • If you really want those traffic logs, you need a firewall sitting out in front. We used Checkpoint from the Azure Marketplace. For obvious reasons we needed a multi-NIC setup, and we chose to have a separate subnet for each Checkpoint NIC.
  • Traffic from the Web/App servers was forced through Checkpoint using Azure User Defined Routing, which works well but is PowerShell-only for now. The App subnets forwarded their traffic to the backend NIC of Checkpoint as the next hop.
  • Now the interesting bit: why NSGs on the front-end to back-end subnet communication? Well, it depends on the customer's requirements, but in our case we were not interested in collecting the backend communication logs, so the backend traffic was spared the UDR hop through Checkpoint and was restricted with NSGs instead.
  • The obvious Checkpoint configuration needs to be done.
  • Multiple public IPs for Checkpoint.
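The UDR and NSG pieces of the setup above, as an added PowerShell example using AzureRm module cmdlets (this is not the post's own script). The resource group, resource names, address ranges and the firewall backend NIC's private IP are assumptions; replace them with your own.

```powershell
# Added example (not the post's scripts): UDR through the firewall for the app tier,
# NSG-only filtering between front-end and back-end subnets, then a binding check.
# Resource group, names, address ranges and the firewall NIC IP below are assumptions.
$rg = 'dmz-rg'; $loc = 'westeurope'; $vnetName = 'dmz-vnet'
$fwBackendIp  = '10.0.1.4'     # private IP of the Checkpoint backend NIC (assumed)
$frontendCidr = '10.0.10.0/24' # Web tier subnet (assumed)
$backendCidr  = '10.0.20.0/24' # App tier subnet (assumed)

# 1. The firewall NIC must be allowed to forward packets not addressed to it,
#    otherwise Azure silently drops the traffic the UDR sends to it.
$fwNic = Get-AzureRmNetworkInterface -ResourceGroupName $rg -Name 'chkp-backend-nic'
$fwNic.EnableIPForwarding = $true
Set-AzureRmNetworkInterface -NetworkInterface $fwNic | Out-Null

# 2. Route table: default route for the app tier points at the firewall's backend NIC.
$route = New-AzureRmRouteConfig -Name 'default-via-chkp' -AddressPrefix '0.0.0.0/0' `
           -NextHopType VirtualAppliance -NextHopIpAddress $fwBackendIp
$rt = New-AzureRmRouteTable -ResourceGroupName $rg -Location $loc -Name 'app-udr' -Route $route

# 3. NSG on the back-end subnet: only the front-end subnet reaches the app port (8080 assumed);
#    anything else from inside the VNet is denied. This path bypasses the firewall by design.
$allow = New-AzureRmNetworkSecurityRuleConfig -Name 'allow-web-to-app' -Direction Inbound `
           -Access Allow -Protocol Tcp -Priority 100 -SourceAddressPrefix $frontendCidr `
           -SourcePortRange '*' -DestinationAddressPrefix $backendCidr -DestinationPortRange 8080
$deny  = New-AzureRmNetworkSecurityRuleConfig -Name 'deny-vnet-to-app' -Direction Inbound `
           -Access Deny -Protocol '*' -Priority 200 -SourceAddressPrefix VirtualNetwork `
           -SourcePortRange '*' -DestinationAddressPrefix $backendCidr -DestinationPortRange '*'
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $rg -Location $loc -Name 'app-nsg' `
           -SecurityRules $allow, $deny

# 4. Bind both to the back-end subnet. Route table and NSG are independent objects,
#    so the order in which they are created and attached does not matter.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'app-subnet' `
    -AddressPrefix $backendCidr -RouteTable $rt -NetworkSecurityGroup $nsg | Out-Null
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet | Out-Null

# 5. Verify the result: list which NSG and route table each subnet is actually mapped to.
$vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $rg -Name $vnetName
$vnet.Subnets | Select-Object Name,
    @{n = 'NSG';        e = { ($_.NetworkSecurityGroup.Id -split '/')[-1] } },
    @{n = 'RouteTable'; e = { ($_.RouteTable.Id -split '/')[-1] } }
```

The AzureRm module has since been replaced by Az; the same cmdlets exist there with the `AzureRm` prefix shortened to `Az`.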

Learnings:

  • Currently the Marketplace firewalls on Azure don't support HA. We are hopeful this set of requirements will be met in Azure very soon.
  • No NSG logging as of today.
  • No NSG URL-based rules as of today.
  • The current limit for Azure public IPs is 5; we were happy with 3, but you may not be.
  • It's all through PowerShell.
  • It can take a while!
By | September 1st, 2015 | Azure, Azure Networking

2 Comments

  1. Cody Engelman, December 9, 2015 at 8:20 pm

    This is exactly what our company is trying to achieve, with a twist. We are trying to set up a DMZ in Azure so we can use ASR to recover our current DMZ into Azure as well as our internal apps.

    Question: When setting up the NSGs and UDRs, what do you need to do first? Does it matter? Also, I can't tell where my NSG is being mapped to, so for documentation reasons, if I went behind what I did and wanted to make sure what I did was accurate, how do I accomplish that as well?

    Thanks, good write-up. We are using Check Point as well.

  2. Eilesh Gondalia, July 6, 2016 at 3:03 pm

    We have this already set up. We are using Barracuda firewalls, but we only have HA as an Active/Passive setup, where a Barracuda API talks to all UDR rules and changes their next hop to the secondary Barracuda NG Firewall if the first goes down. It works very well, but it would be nice to have an option for an Active/Active solution using an Azure ILB. We can't assign an ILB for IP forwarding as far as I am aware; if we could do this, then we wouldn't need to rely on the Barracuda API to access the UDR control.
