
Commit 4a73049

committed
fix merge
1 parent 5f73799 commit 4a73049

1 file changed

Lines changed: 32 additions & 24 deletions

File tree

articles/firewall/tutorial-firewall-deploy-portal.md

@@ -40,7 +40,7 @@ In this article, you learn how to:
4040
> * Create a default route
4141
> * Configure an application rule to allow access to www.google.com
4242
> * Configure a network rule to allow access to external DNS servers
43-
> * Configure a NAT rule to allow a remote desktop to the test server
43+
> * Deploy Azure Bastion for secure VM access
4444
> * Test the firewall
4545
4646
> [!NOTE]
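Review bot: The replacement objective "Deploy Azure Bastion for secure VM access" is vaguer than the bullet it replaces; name the access method so the list matches the test steps later in this change, e.g. "Deploy Azure Bastion for SSH access to the test server". Dropping the objective that required a public RDP endpoint is a good change; a short clause here ("instead of exposing a port on the firewall") tells the reader why the tutorial now differs from the old flow.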
@@ -103,7 +103,7 @@ This virtual network has two subnets.
103103
Now create the workload virtual machine, and place it in the **Workload-SN** subnet.
104104

105105
1. On the Azure portal menu or from the **Home** page, select **Create a resource**.
106-
2. Select **Windows Server 2019 Datacenter**.
106+
2. Select **Ubuntu Server 22.04 LTS**.
107107
4. Enter these values for the virtual machine:
108108

109109
|Setting |Value |
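Review bot: Changing the image to Ubuntu Server 22.04 LTS changes what the portal asks for, but the settings table that starts at the end of this hunk is not shown as updated. For a Linux image it needs Authentication type (SSH public key), Username (the test steps later in this change use azureuser), SSH public key source (Generate new key pair) and Key pair name (Srv-Work_key); without those rows the "Generate new key pair" dialog added in the next hunk never appears. Also, the step numbering in this context reads 1, 2, 4; either renumber to 1, 2, 3 or use "1." for every item as the rest of the list does.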
@@ -127,6 +127,7 @@ Now create the workload virtual machine, and place it in the **Workload-SN** sub
127127
1. Accept the defaults and select **Next: Monitoring**.
128128
1. For **Boot diagnostics**, select **Disable** to disable boot diagnostics. Accept the other defaults and select **Review + create**.
129129
1. Review the settings on the summary page, and then select **Create**.
130+
1. On the **Generate new key pair** dialog, select **Download private key and create resource**. Save the key file as **Srv-Work_key.pem**.
130131
1. After the deployment is complete, select **Go to resource** and note the **Srv-Work** private IP address that you'll need to use later.
131132

132133
[!INCLUDE [ephemeral-ip-note.md](~/reusable-content/ce-skilling/azure/includes/ephemeral-ip-note.md)]
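Review bot: The new "Download private key and create resource" step should say what to do with the downloaded key, since the portal only offers the private key at creation time and the Bastion connection step later in this change depends on that file. Suggest one sentence after "Save the key file as **Srv-Work_key.pem**": keep it in a private location and do not share it, because anyone holding it can sign in to Srv-Work as the VM user.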
@@ -212,23 +213,14 @@ This is the network rule that allows outbound access to two IP addresses at port
212213
1. For **Destination Ports**, type **53**.
213214
2. Select **Add**.
214215

215-
## Configure a DNAT rule
216+
## Deploy Azure Bastion
216217

217-
This rule allows you to connect a remote desktop to the Srv-Work virtual machine through the firewall.
218+
Now deploy Azure Bastion to provide secure access to the virtual machine.
218219

219-
1. Select the **NAT rule collection** tab.
220-
2. Select **Add NAT rule collection**.
221-
3. For **Name**, type **rdp**.
222-
4. For **Priority**, type **200**.
223-
5. Under **Rules**, for **Name**, type **rdp-nat**.
224-
6. For **Protocol**, select **TCP**.
225-
7. For **Source type**, select **IP address**.
226-
8. For **Source**, type **\***.
227-
9. For **Destination address**, type the firewall public IP address.
228-
10. For **Destination Ports**, type **3389**.
229-
11. For **Translated address**, type the Srv-work private IP address.
230-
12. For **Translated port**, type **3389**.
231-
13. Select **Add**.
220+
1. On the Azure portal menu, select **Create a resource**.
221+
1. In the search box, type **Bastion** and select it from the results.
222+
1. Select **Create**.
223+
1. On the **Create a Bastion** page, configure the following settings:
232224

233225
| Setting | Value |
234226
|---------|-------|
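Review bot: Azure Bastion requires a dedicated subnet named AzureBastionSubnet (at least /26) in the virtual network, and nothing in this diff creates it; the context line at the top of the earlier hunk still says "This virtual network has two subnets." Either add the subnet to the virtual-network steps earlier in the article or have this new section create it, and state its address range, so the settings table that begins at the end of this hunk can reference it. A sentence that Bastion replaces the removed DNAT rule (so the firewall no longer publishes TCP 3389 from source `*`) would also help readers of the previous version understand the change.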
@@ -266,19 +258,35 @@ For testing purposes, configure the server's primary and secondary DNS addresses
266258

267259
Now, test the firewall to confirm that it works as expected.
268260

269-
1. Connect a remote desktop to the firewall public IP address and sign in to the Srv-Work virtual machine.
270-
1. Open Internet Explorer and browse to `https://www.google.com`.
271-
4. Select **OK** > **Close** on the Internet Explorer security alerts.
261+
1. In the Azure portal, navigate to the **Srv-Work** virtual machine.
262+
1. Select **Connect**, then select **Connect via Bastion**.
263+
1. Select **Use SSH Private Key from Local File**.
264+
1. For **Username**, type **azureuser**.
265+
1. Select the folder icon and browse to the **Srv-Work_key.pem** file you downloaded earlier.
266+
1. Select **Connect**.
267+
1. At the bash prompt, run the following commands to test DNS resolution:
268+
269+
```bash
270+
nslookup www.google.com
271+
nslookup www.microsoft.com
272+
```
273+
274+
Both commands should return answers, showing that your DNS queries are getting through the firewall.
272275

273-
You should see the Google home page.
276+
1. Run the following commands to test the application rule:
274277

275-
5. Browse to `https://www.microsoft.com`.
278+
```bash
279+
curl https://www.google.com
280+
curl https://www.microsoft.com
281+
```
276282

277-
The firewall should block you.
283+
The `www.google.com` request should succeed, and you should see the HTML response.
284+
285+
The `www.microsoft.com` request should fail, showing that the firewall is blocking the request.
278286

279287
So now you verified that the firewall rules are working:
280288

281-
* You can connect to the virtual machine using RDP.
289+
* You can connect to the virtual machine using Bastion and SSH.
282290
* You can browse to the one allowed FQDN, but not to any others.
283291
* You can resolve DNS names using the configured external DNS server.
284292

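Review bot: The fenced code blocks and the explanatory paragraphs inside the numbered steps ("Both commands should return answers...", "The `www.google.com` request should succeed...") are not indented under their list items, so the list breaks after the first block and "1. Run the following commands to test the application rule" renders as a new list; indent the ``` fences and those paragraphs by four spaces. Two smaller points on the commands: `nslookup` comes from bind9-dnsutils and may be absent on a minimal image, so mention `resolvectl query www.google.com` as the built-in fallback on Ubuntu 22.04; and for the curl test, `curl -sS -m 10 -o /dev/null -w '%{http_code}\n' https://www.google.com` gives the reader a status code to check instead of a screen of HTML, while `-m 10` on the www.microsoft.com request makes a dropped connection fail within seconds. Since an application-rule deny on HTTPS shows up as a connection or TLS error rather than an HTTP status, "should fail with a connection error" sets the right expectation.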