| title | description | author | ms.service | services | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|
| Azure Firewall Manager deployment overview | Learn the high-level deployment steps required for Azure Firewall Manager | vhorne | azure-firewall-manager | firewall-manager | concept-article | 06/21/2024 | victorh |
There's more than one way to use Azure Firewall Manager to deploy Azure Firewall, but the following general process is recommended.
To review network architecture options, see What are the Azure Firewall Manager architecture options?
Hub virtual networks:

1. Create a firewall policy
   - Create a new policy
   or
   - Derive a base policy and customize a local policy
   or
   - Import rules from an existing Azure Firewall. Make sure to remove NAT rules from policies that should be applied across multiple firewalls
2. Create your hub and spoke architecture
   - Create a Hub Virtual Network using Azure Firewall Manager and peer spoke virtual networks to it using virtual network peering
   or
   - Create a virtual network and add virtual network connections and peer spoke virtual networks to it using virtual network peering
3. Select security providers and associate firewall policy. Currently, only Azure Firewall is a supported provider.
   - This is done while you create a Hub Virtual Network
   or
   - Convert an existing virtual network to a Hub Virtual Network. It's also possible to convert multiple virtual networks.
4. Configure User Defined Routes to route traffic to your Hub Virtual Network firewall.
Secured virtual hubs:

1. Create your hub and spoke architecture
   - Create a Secured Virtual Hub using Azure Firewall Manager and add virtual network connections.
   or
   - Create a Virtual WAN Hub and add virtual network connections.
2. Select security providers
   - Done while creating a Secured Virtual Hub.
   or
   - Convert an existing Virtual WAN Hub to a Secured Virtual Hub.
3. Create a firewall policy and associate it with your hub
   - Applicable only if using Azure Firewall.
   - Partner security as a service (SECaaS) policies are configured via the partner's management experience.
4. Configure route settings to route traffic to your secured hub
   - Easily route traffic to your secured hub for filtering and logging without User Defined Routes (UDR) on spoke Virtual Networks using the Secured Virtual Hub Route Setting page.
Note: You can't have overlapping IP spaces for hubs in a vWAN. For more known issues, see What is Azure Firewall Manager?
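The secured virtual hub path above, as an added Azure PowerShell example that is not code from this page or from Azure Firewall Manager: it creates a Virtual WAN hub, connects a spoke, deploys Azure Firewall with a policy into the hub (which is what turns it into a secured virtual hub), and then uses routing intent to steer private and internet traffic through the firewall instead of spoke UDRs. Resource names and address ranges are constructed placeholders, the hub prefix is chosen not to overlap the spoke, and the cmdlet parameters assume a current Az.Network module.

```powershell
# Added example (not from the Azure docs page): secured virtual hub deployment with
# Azure PowerShell. All names and address ranges are constructed placeholders.
$rg       = "rg-fwmgr-vwan"
$location = "westeurope"
New-AzResourceGroup -Name $rg -Location $location | Out-Null

# Step 1: Virtual WAN, a hub inside it (non-overlapping prefix), and a spoke VNet connection.
$vwan = New-AzVirtualWan -ResourceGroupName $rg -Name "vwan-demo" -Location $location
$vhub = New-AzVirtualHub -ResourceGroupName $rg -Name "vhub-demo" -VirtualWan $vwan `
    -AddressPrefix "10.100.0.0/23" -Location $location
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name "snet-workload" -AddressPrefix "10.1.0.0/24"
$spoke = New-AzVirtualNetwork -Name "vnet-spoke1" -ResourceGroupName $rg -Location $location `
    -AddressPrefix "10.1.0.0/16" -Subnet $wlSubnet
New-AzVirtualHubVnetConnection -ResourceGroupName $rg -VirtualHubName "vhub-demo" `
    -Name "conn-spoke1" -RemoteVirtualNetwork $spoke | Out-Null

# Steps 2 and 3: the firewall policy, then Azure Firewall (AZFW_Hub SKU) deployed into the
# hub with that policy. Deploying the firewall converts the hub into a secured virtual hub.
$policy = New-AzFirewallPolicy -Name "fwpol-vhub" -ResourceGroupName $rg -Location $location
$pips   = New-AzFirewallHubPublicIpAddress -Count 1
$hubIps = New-AzFirewallHubIpAddress -PublicIP $pips
$fw = New-AzFirewall -Name "fw-vhub" -ResourceGroupName $rg -Location $location `
    -SkuName AZFW_Hub -VirtualHubId $vhub.Id -FirewallPolicyId $policy.Id -HubIPAddress $hubIps

# Step 4: routing intent sends private (RFC 1918) and internet-bound traffic from every
# connected VNet to the firewall, so no UDRs are needed on the spokes.
$private  = New-AzRoutingPolicy -Name "PrivateTraffic" -Destination @("PrivateTraffic") -NextHop $fw.Id
$internet = New-AzRoutingPolicy -Name "PublicTraffic"  -Destination @("Internet")       -NextHop $fw.Id
New-AzRoutingIntent -ResourceGroupName $rg -VirtualHubName "vhub-demo" -Name "hubRoutingIntent" `
    -RoutingPolicy @($private, $internet) | Out-Null
```

Routing intent is the programmatic equivalent of the Route Setting page: it replaces per-spoke route tables, which is why spoke-to-spoke traffic is inspected as soon as the intent is in place.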
The following information applies if you convert an existing virtual network to a hub virtual network:
- If the virtual network has an existing Azure Firewall, you select a Firewall Policy to associate with the existing firewall. The firewall provisioning status is updated while the firewall policy replaces firewall rules. During the provisioning state, the firewall continues processing traffic and has no downtime. You can import existing rules to a Firewall Policy using Firewall Manager or Azure PowerShell.
- If the virtual network doesn't have an associated Azure Firewall, a firewall is deployed and the Firewall Policy is associated with the new firewall.
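The Azure PowerShell import path mentioned above, together with the step 1 caveat about keeping NAT rules out of policies shared across several firewalls, as an added example that is not code from this page or from Azure Firewall Manager: a function that copies a classic Azure Firewall's network and application rule collections into an existing Firewall Policy and deliberately skips NAT rule collections. The function name, the rule collection group names and their priorities are constructed; it assumes the object model that Get-AzFirewall returns in the Az.Network module and leaves out classic rule fields not covered here (for example descriptions).

```powershell
# Added example (not from the Azure docs page). Copies network and application rule
# collections from a classic Azure Firewall into a Firewall Policy and skips NAT rule
# collections, which are tied to one firewall's public IP and must not be shared.
function Import-ClassicFirewallRules {
    param(
        [Parameter(Mandatory)] [string] $FirewallName,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $PolicyName
    )

    $fw     = Get-AzFirewall       -Name $FirewallName -ResourceGroupName $ResourceGroupName
    $policy = Get-AzFirewallPolicy -Name $PolicyName   -ResourceGroupName $ResourceGroupName

    if ($fw.NatRuleCollections.Count -gt 0) {
        $msg = "Skipping {0} NAT rule collection(s) on '{1}': DNAT rules are firewall-specific." -f `
            $fw.NatRuleCollections.Count, $FirewallName
        Write-Warning $msg
    }

    # Network rule collections. Classic network and application collections use separate
    # priority ranges, so each kind goes into its own rule collection group.
    $netCollections = foreach ($rc in $fw.NetworkRuleCollections) {
        $rules = foreach ($r in $rc.Rules) {
            $p = @{ Name = $r.Name; Protocol = $r.Protocols; DestinationPort = $r.DestinationPorts }
            if ($r.SourceIpGroups)   { $p.SourceIpGroup      = $r.SourceIpGroups }
            else                     { $p.SourceAddress      = $r.SourceAddresses }
            if ($r.DestinationFqdns) { $p.DestinationFqdn    = $r.DestinationFqdns }
            else                     { $p.DestinationAddress = $r.DestinationAddresses }
            New-AzFirewallPolicyNetworkRule @p
        }
        New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority `
            -Rule @($rules) -ActionType $rc.Action.Type
    }
    if ($netCollections) {
        New-AzFirewallPolicyRuleCollectionGroup -Name "imported-network" -Priority 100 `
            -RuleCollection @($netCollections) -FirewallPolicyObject $policy | Out-Null
    }

    # Application rule collections. Classic protocol objects become "type:port" strings.
    $appCollections = foreach ($rc in $fw.ApplicationRuleCollections) {
        $rules = foreach ($r in $rc.Rules) {
            $p = @{
                Name     = $r.Name
                Protocol = @($r.Protocols | ForEach-Object { "$($_.ProtocolType):$($_.Port)" })
            }
            if ($r.SourceIpGroups) { $p.SourceIpGroup = $r.SourceIpGroups }
            else                   { $p.SourceAddress = $r.SourceAddresses }
            if ($r.FqdnTags)       { $p.FqdnTag       = $r.FqdnTags }
            else                   { $p.TargetFqdn    = $r.TargetFqdns }
            New-AzFirewallPolicyApplicationRule @p
        }
        New-AzFirewallPolicyFilterRuleCollection -Name $rc.Name -Priority $rc.Priority `
            -Rule @($rules) -ActionType $rc.Action.Type
    }
    if ($appCollections) {
        New-AzFirewallPolicyRuleCollectionGroup -Name "imported-application" -Priority 200 `
            -RuleCollection @($appCollections) -FirewallPolicyObject $policy | Out-Null
    }

    # Summary so the caller can see what was copied and what was intentionally left behind.
    [pscustomobject]@{
        NetworkCollections     = @($netCollections).Count
        ApplicationCollections = @($appCollections).Count
        NatCollectionsSkipped  = $fw.NatRuleCollections.Count
    }
}

# Usage (constructed names):
Import-ClassicFirewallRules -FirewallName "fw-old" -ResourceGroupName "rg-old" -PolicyName "fwpol-hub"
```

Run it before associating the policy with the existing firewall; once the association is made the policy's rules replace the classic rules while the firewall keeps processing traffic, so anything not imported (the NAT rules in particular) stops being enforced at that point.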