Merge pull request #310391 from asudbring/tsk544779-sfi-bastion

denrea · web-flow · commit 13822a23e998 · 2026-01-13T13:40:54.000-08:00
Replace insecure RDP testing with HTTP-based DNAT validation in Firewall tutorial
diff --git a/articles/firewall/tutorial-firewall-deploy-portal-policy.md b/articles/firewall/tutorial-firewall-deploy-portal-policy.md
@@ -40,7 +40,7 @@ In this tutorial, you learn how to:
 > * Create a default route
 > * Configure an application rule to allow access to www.google.com
 > * Configure a network rule to allow access to external DNS servers
-> * Configure a NAT rule to allow a remote desktop to the test server
+> * Configure a NAT rule to allow inbound HTTP access to the test server
 > * Test the firewall
 
 If you prefer, you can complete this procedure using [Azure PowerShell](deploy-ps-policy.md).
@@ -71,7 +71,7 @@ The resource group contains all the resources for the tutorial.
 
 ### Create a VNet
 
-This VNet will have two subnets.
+This VNet has two subnets.
 
 > [!NOTE]
 > The size of the AzureFirewallSubnet subnet is /26. For more information about the subnet size, see [Azure Firewall FAQ](firewall-faq.yml#why-does-azure-firewall-need-a--26-subnet-size).
@@ -94,7 +94,7 @@ This VNet will have two subnets.
 1. Under **Subnets**, select **default**.
 1. On the **Edit subnet** page, for **Subnet purpose**, select **Azure Firewall**.
 
-   The firewall will be in this subnet, and the subnet name **must** be AzureFirewallSubnet.
+   The firewall is in this subnet, and the subnet name **must** be AzureFirewallSubnet.
 1. For **Starting address**, type **10.0.1.0**.
 1. Select **Save**.
 
@@ -107,34 +107,84 @@ Next, create a subnet for the workload server.
 1. Select **Review + create**.
 1. Select **Create**.
 
+## Deploy Azure Bastion
+
+Deploy Azure Bastion Developer edition to securely connect to the **Srv-Work** virtual machine for testing.
+
+1. In the search box at the top of the portal, enter **Bastion**.  Select **Bastions** from the search results.
+1. Select **Create**.
+1. On the **Create a Bastion** page, enter or select the following values:
+
+   | Setting | Value |
+   | ------- | ----- |
+   | **Project details** | |
+   | Subscription | Select your Azure subscription. |
+   | Resource group | Select **Test-FW-RG**. |
+   | **Instance details** | |
+   | Name | Enter **Test-Bastion**. |
+   | Region | Select the same location that you used previously. |
+   | Tier | Select **Developer**. |
+   | Virtual network | Select **Test-FW-VN**. |
+   | Subnet | The **AzureBastionSubnet** is created automatically with address space **10.0.0.0/26**. |
+
+1. Select **Review + create**.
+1. Review the settings and select **Create**.
+
+   The deployment takes a few minutes to complete.
+
 ### Create a virtual machine
 
 Now create the workload virtual machine, and place it in the **Workload-SN** subnet.
 
-1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
-1. Select **Windows Server 2019 Datacenter**.
+1. In the search box at the top of the portal enter **Virtual machine**, select **Virtual machines** in the search results.
+1. Select **Create** > **Virtual machine**.
 1. Enter or select these values for the virtual machine:
 
    | Setting | Value |
    | ------- | ----- |
+   | **Project details** | |
    | Subscription  | Select your Azure subscription. |
    | Resource group     | Select **Test-FW-RG**. |
+   | **Instance details** | |
    | Virtual machine name     | Enter **Srv-Work**.|
    | Region     | Select the same location that you used previously. |
-   | Username     | Enter a username. |
-   | Password     | Enter a password. |
+   | Availability options | Select **No infrastructure redundancy required**. |
+   | Security type | Select **Standard**. |
+   | Image | Select **Ubuntu Server 24.04 LTS -x64 Gen2** |
+   | Size | Select a size for the virtual machine. |
+   | **Administrator account** | |
+   | Username | Enter **azureuser**. |
+   | SSH public key source | Select **Generate new key pair**. |
+   | Key pair name | Enter **Srv-Work_key**. |
 
 1. Under **Inbound port rules**, **Public inbound ports**, select **None**.
 1. Accept the other defaults and select **Next: Disks**.
 1. Accept the disk defaults and select **Next: Networking**.
 1. Make sure that **Test-FW-VN** is selected for the virtual network and the subnet is **Workload-SN**.
 1. For **Public IP**, select **None**.
-1. Accept the other defaults and select **Next: Management**.
-1. Select **Next:Monitoring**.
-1. Select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.
+1. Select **Review + create**.
 1. Review the settings on the summary page, and then select **Create**.
+1. When prompted, select **Download private key and create resource**. Save the private key file to your computer.
 1. After the deployment completes, select the **Srv-Work** resource and note the private IP address for later use.
 
+### Install a web server
+
+Connect to the virtual machine and install a web server for testing.
+
+1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Select the **Test-FW-RG** resource group.
+1. Select the **Srv-Work** virtual machine.
+1. Select **Operations** > **Run command** > **RunShellScript**.
+1. In the script box, enter the following commands:
+
+   ```bash
+   sudo apt-get update
+   sudo apt-get install -y nginx
+   echo "<html><body><h1>Azure Firewall DNAT Test</h1><p>If you can see this page, the DNAT rule is working correctly!</p></body></html>" | sudo tee /var/www/html/index.html
+   ```
+
+1. Select **Run**.
+1. Wait for the script to complete successfully.
+
 ## Deploy the firewall and policy
 
 Deploy the firewall into the VNet.
@@ -146,23 +196,26 @@ Deploy the firewall into the VNet.
 
    | Setting | Value |
    | ------- | ----- |
+   | **Project details** | |
    | Subscription  | Select your Azure subscription. |
    | Resource group     | Select **Test-FW-RG**. |
+   | **Instance details** | |
    | Name     | Enter **Test-FW01**. |
    | Region     | Select the same location that you used previously. |
+   | Firewall SKU | Select **Standard**. |
    | Firewall management | Select **Use a Firewall Policy to manage this firewall**. |
-   | Firewall policy | Select **Add new**, and enter **fw-test-pol**. <br> Select the same region that you used previously.|
-   | Choose a virtual network | Select **Use existing**, and then select **Test-FW-VN**. |
-   | Public IP address     | Select **Add new**, and enter **fw-pip** for the **Name**. |
+   | Firewall policy | Select **Add new**, and enter **fw-test-pol**. <br> Select the same region that you used previously. Select **OK**. |
+   | Choose a virtual network | Select **Use existing**, and then select **Test-FW-VN**. **Ignore the warning about the Force Tunneling. The warning is resolved in a later step**.|
+   | Public IP address     | Select **Add new**, and enter **fw-pip** for the **Name**. Select **OK**. |
 
 1. Clear the **Enable Firewall Management NIC** check box.
 5. Accept the other default values, then select **Next: Tags**.
 1. Select **Next : Review + create**.
 1. Review the summary, and then select **Create** to create the firewall.
 
-   This will take a few minutes to deploy.
+   This takes a few minutes to deploy.
 7. After deployment completes, go to the **Test-FW-RG** resource group, and select the **Test-FW01** firewall.
-8. Note the firewall private and public IP addresses. You'll use these addresses later.
+8. Note the firewall private and public IP addresses. You use these addresses later.
 
 ## Create a default route
 
@@ -174,10 +227,12 @@ For the **Workload-SN** subnet, configure the outbound default route to go throu
 
    | Setting | Value |
    | ------- | ----- |
+   | **Project details** | |
    | Subscription | Select your Azure subscription. |
    | Resource group | Select **Test-FW-RG**. |
-   | Region  | Select the same location that you used previously. |
+   | **Instance details** | |
    | Name  | Enter **Firewall-route**. |
+   | Region  | Select the same location that you used previously. |
 
 1. Select **Review + create**.
 1. Select **Create**.
@@ -203,7 +258,7 @@ After deployment completes, select **Go to resource**.
 This is the application rule that allows outbound access to `www.google.com`.
 
 1. Open the **Test-FW-RG** resource group, and select the **fw-test-pol** firewall policy.
-1. Under **Settings**, Select **Application rules**.
+1. Under **Settings** > **Rules**, Select **Application rules**.
 1. Select **Add a rule collection**.
 1. For **Name**, enter **App-Coll01**.
 1. For **Priority**, enter **200**.
@@ -218,6 +273,8 @@ This is the application rule that allows outbound access to `www.google.com`.
 
 Azure Firewall includes a built-in rule collection for infrastructure FQDNs that are allowed by default. These FQDNs are specific for the platform and can't be used for other purposes. For more information, see [Infrastructure FQDNs](infrastructure-fqdns.md).
 
+Wait for the application rule deployment to complete before creating the network rule in the next steps.
+
 ## Configure a network rule
 
 This is the network rule that allows outbound access to two IP addresses at port 53 (DNS).
@@ -235,26 +292,28 @@ This is the network rule that allows outbound access to two IP addresses at port
 1. For **Destination Ports**, enter **53**.
 1. For **Destination type** select **IP address**.
 1. For **Destination**, enter **209.244.0.3,209.244.0.4**.<br>These are public DNS servers operated by CenturyLink.
-2. Select **Add**.
+1. Select **Add**.
+
+Wait for the network rule deployment to complete before creating the DNAT rule in the next steps.
 
 ## Configure a DNAT rule
 
-This rule allows you to connect a remote desktop to the **Srv-Work** virtual machine through the firewall.
+This rule allows you to connect to the web server on the **Srv-Work** virtual machine through the firewall.
 
 1. Select the **DNAT rules**.
 2. Select **Add a rule collection**.
-3. For **Name**, enter **RDP**.
+3. For **Name**, enter **HTTP**.
 1. For **Priority**, enter **200**.
 1. For **Rule collection group**, select **DefaultDnatRuleCollectionGroup**.
-1. Under **Rules**, for **Name**, enter **rdp-nat**.
+1. Under **Rules**, for **Name**, enter **http-nat**.
 1. For **Source type**, select **IP address**.
 1. For **Source**, enter *\**.
 1. For **Protocol**, select **TCP**.
-1. For **Destination Ports**, enter **3389**.
+1. For **Destination Ports**, enter **80**.
 1. For **Destination**, enter the firewall public IP address.
 1. For **Translated type**, select **IP Address**.
 1. For **Translated address**, enter the **Srv-work** private IP address.
-1. For **Translated port**, enter **3389**.
+1. For **Translated port**, enter **80**.
 1. Select **Add**.
 
 
@@ -274,18 +333,50 @@ For testing purposes in this tutorial, configure the server's primary and second
 
 Now, test the firewall to confirm that it works as expected.
 
-1. Connect a remote desktop to firewall public IP address and sign in to the **Srv-Work** virtual machine. 
-3. Open Microsoft Edge and browse to `https://www.google.com`.
-4. Select **OK** > **Close** on the Internet Explorer security alerts.
+### Test the DNAT rule
+
+1. Open a web browser on your local computer.
+1. In the address bar, enter `http://<firewall-public-ip-address>`, where `<firewall-public-ip-address>` is the public IP address of the firewall you noted earlier.
+1. You should see the custom web page: **Azure Firewall DNAT Test**. This confirms that the DNAT rule is working and traffic is being forwarded to the **Srv-Work** virtual machine.
+
+### Test the application and network rules
+
+Use Azure Bastion to securely connect to the **Srv-Work** virtual machine and test the firewall rules.
+
+1. On the Azure portal menu, select **Resource groups** or search for and select *Resource groups* from any page. Select the **Test-FW-RG** resource group.
+1. Select the **Srv-Work** virtual machine.
+1. Select **Connect** > **Connect via Bastion**.
+1. On the Bastion page, enter or select the following values:
+
+   | Setting | Value |
+   | ------- | ----- |
+   | Authentication Type | Select **SSH Private Key from Local File**. |
+   | Username | Enter **azureuser**. |
+   | Local File | Select **Browse** and select the **Srv-Work_key.pem** file that you downloaded during VM creation. |
+
+1. Select **Connect**.
+
+   A new browser tab opens with an SSH session to the **Srv-Work** virtual machine.
+
+1. In the SSH session, enter the following command to test access to Google:
+
+   ```bash
+   curl -I https://www.google.com
+   ```
+
+   You should see a successful HTTP response (200 OK), indicating that the application rule is allowing access to Google.
 
-   You should see the Google home page.
+1. Now test access to Microsoft, which should be blocked. Enter:
 
-5. Browse to `https://www.microsoft.com`.
+   ```bash
+   curl -I https://www.microsoft.com
+   ```
 
-   You should be blocked by the firewall.
+   The command should time out or fail after approximately 60 seconds, indicating that the firewall is blocking access.
 
 So now you've verified that the firewall rules are working:
 
+* You can access the web server through the DNAT rule.
 * You can browse to the one allowed FQDN, but not to any others.
 * You can resolve DNS names using the configured external DNS server.
 
