Azure Fundamentals - #18 - Azure Firewall

  • Published on 11 Sep 2024

Comments • 51

  • @AzureAcademy
    @AzureAcademy  5 years ago +2

    Check out part 2 of the Azure Firewall, and we talk about how it works along with Azure Bastion
    th-cam.com/video/xZJKbP3qNWY/w-d-xo.html&t

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      more to come on both topics...stay tuned!

  • @nileshpancholi8285
    @nileshpancholi8285 a year ago +1

    brilliant video and very informative.

    • @AzureAcademy
      @AzureAcademy  a year ago +1

      Awesome! Thanks 👍👍

  • @BijouBakson
    @BijouBakson 2 years ago +1

    Hi Dean! Thanks for your effort. I have one question: When you were making this tutorial, what did you expect your followers to be doing while you are teaching: watch you as you show them how you can do it, or pause every minute or so? By the way, the volume is very low.

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Yeah this is an older recording before I had a good mic…sorry but I can’t edit old videos. And you have a great question. My general hope is that people watch it all the way through to understand the ideas, then watch it again while they are building it, pausing as they need to. Then if there are any questions or feedback, putting them into the comments.

    • @BijouBakson
      @BijouBakson 2 years ago +1

      @AzureAcademy Ok. Thank you

    • @AzureAcademy
      @AzureAcademy  2 years ago +1

      Anytime @BijouBakson

  • @jaikisan3393
    @jaikisan3393 3 years ago +1

    Super!!

  • @felipeccardoso
    @felipeccardoso 4 years ago +1

    I have a VNET1 with a subnet1, which is peered with a VNET2 with a subnet 2, and in this VNET2 there is an Azure Firewall.
    I set up a route table for subnet1, with destination 0.0.0.0/0 for the private IP of Azure Firewall. In this same subnet1, there is a standard NSG, which allows full access to the internet via the Outbound rule.
    Even with the NSG configured for outbound internet access, internet access will be blocked for a VM on this subnet, correct?

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      First off, if you have the Azure Firewall in the network with a UDR sending the /0 route to the firewall...which means ALL traffic, unless you have another rule on the UDR.
      So I don't think you need the NSG. The Firewall does everything the NSG can and more.

  • @ragon747
    @ragon747 4 years ago +1

    Great vid man! thx!

  • @ajdinzutic
    @ajdinzutic 4 years ago +1

    Hi, do you think that BranchCache is still good to use? We had set that up on our on-prem server, and I'm thinking about building that in Azure, so our WVD users can cache the websites. What do you recommend?

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      I don’t have a branch cache recommendation...never used one

  • @mosksky
    @mosksky 5 years ago +2

    Dean, if only Azure Firewall had HTML5, as for example Sophos does. In that case there would be no need to set up jump boxes. Even more, the on-prem env has a proxy and blocks 3389/22; by using HTML5 I would not even trouble opening a change request with the network team to RDP to the jump boxes. (The other alternative is to use RDS with GW/Web server, which has HTML5 built in, but it is another farm to maintain after all.)

    • @AzureAcademy
      @AzureAcademy  5 years ago +1

      I think you are talking about the HTML5 based remote app/desktop tool...right? I am not familiar with Sophos.
      There is no direct management interface to the firewall, other than the Azure interface to set the rules.
      This does not support any kind of pass through to a console or RDP session.
      Once the firewall is in place, you must open all ports or URLs that you need for communication, so the data would not get to the proxy without allowing that traffic flow to on-prem either, because the AZ Firewall is controlling all that traffic into and out of Azure.

    • @mosksky
      @mosksky 5 years ago +1

      @AzureAcademy Yes, it will look like this 1drv.ms/u/s!AiOOAOMl1OCYgeomxtwSajRiO9oeOw Maybe some time in the future HTML5 will be a part of Azure Firewall. What's interesting is that back in 2016 Azure had a cloud RDP offering (like Cloud Shell nowadays) that was a great feature to use as a jump box. For some reason it was taken away ...

    • @AzureAcademy
      @AzureAcademy  10 months ago +1

      check this out! - th-cam.com/video/-0JfUoFVLW0/w-d-xo.html

  • @avisin28
    @avisin28 5 years ago +2

    Like always, u r awesome

    • @dcefola
      @dcefola 5 years ago +1

      Thanks very much!
      What other Azure topics would you like us to cover?

    • @avisin28
      @avisin28 5 years ago +1

      @dcefola I'm still learning n will let u know.

    • @AzureAcademy
      @AzureAcademy  4 years ago

      Thanks for the feedback!

  • @felipeccardoso
    @felipeccardoso 4 years ago +1

    If there is an NSG in a frontend subnet that allows connection from the internet on port 3389 to the VM in this subnet, will the connection be allowed, even if a route table is configured in this subnet which redirects the traffic 0.0.0.0/0 to the private IP of the Azure Firewall?

    • @AzureAcademy
      @AzureAcademy  4 years ago +2

      When the Firewall is in place and there is a route table controlling all routes to the subnet with a 0.0.0.0/0 (default route) then the inbound and outbound traffic goes through the firewall.
      So the NSG can still be on the frontend...but WHY?
      You will have already allowed the RDP traffic through the Azure Firewall and allow the Firewall to route port 3389 from internet to the front end.
      If you still wanted the NSG for some reason, then you would have to allow RDP from the firewall to the frontend...not the internet, since the firewall is the source.

  • @cosmicdreams7739
    @cosmicdreams7739 4 years ago +1

    awesome!

  • @rinksismyname
    @rinksismyname 5 years ago +2

    Note: The destination address for the NAT rule collection can't be any address other than the Az Firewall public IP address

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      correct

    • @ozzikk4566
      @ozzikk4566 4 years ago +1

      Azure Academy Can you clarify how Inbound-Rule1 works? Why does the rule have destination address 10.0.1.4 (FW) if the destination address in the packet header is 10.0.2.4 (routing doesn't change this address)? I doubt this rule is working - is there a way to check traffic hit counts of this rule? On the other hand, how would this traffic be accepted (maybe some automatic network rule is created?)? Thank you

    • @AzureAcademy
      @AzureAcademy  10 months ago +1

      check this out! th-cam.com/video/-0JfUoFVLW0/w-d-xo.html
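
The two rules stated in the comments above (a NAT rule's destination must be the firewall's public IP, and an NSG behind the firewall should allow the translated port from the firewall rather than from the internet) can be checked mechanically. This is an added example, not code from the video or from Azure; the rule dictionaries are a hypothetical schema and the public IP and firewall subnet are constructed sample values.

```python
import ipaddress

# Constructed sample values: 203.0.113.10 and 10.0.1.0/26 are illustrative;
# 10.0.2.4 is the backend address mentioned in the thread.
FW_PUBLIC_IP = "203.0.113.10"
FW_SUBNET = "10.0.1.0/26"
DNAT_RULES = [  # hypothetical schema, not Azure's API format
    {"name": "rdp-ok", "destination": "203.0.113.10",
     "translated_address": "10.0.2.4", "translated_port": 3389},
    {"name": "rdp-wrong-dest", "destination": "10.0.2.4",
     "translated_address": "10.0.2.4", "translated_port": 3389},
]
NSG_RULES = [
    {"name": "allow-rdp-from-fw", "direction": "Inbound", "access": "Allow",
     "source": "10.0.1.0/26", "port": 3389},
    {"name": "allow-rdp-internet", "direction": "Inbound", "access": "Allow",
     "source": "Internet", "port": 3389},
    {"name": "allow-https-any", "direction": "Inbound", "access": "Allow",
     "source": "*", "port": 443},
]

def bad_dnat_destinations(dnat_rules, fw_public_ip):
    """Names of DNAT rules whose destination is not the firewall public IP."""
    fw = ipaddress.ip_address(fw_public_ip)
    return [r["name"] for r in dnat_rules
            if ipaddress.ip_address(r["destination"]) != fw]

def nsg_rules_not_scoped_to_firewall(nsg_rules, dnat_rules, fw_subnet):
    """Names of inbound Allow rules that open a DNAT-translated port to a
    source wider than the firewall subnet (a service tag, '*', or a CIDR)."""
    fw_net = ipaddress.ip_network(fw_subnet)
    ports = {r["translated_port"] for r in dnat_rules}
    flagged = []
    for rule in nsg_rules:
        if (rule["direction"], rule["access"]) != ("Inbound", "Allow"):
            continue
        if rule["port"] not in ports:
            continue
        try:
            src = ipaddress.ip_network(rule["source"], strict=False)
            inside = src.version == fw_net.version and src.subnet_of(fw_net)
        except ValueError:  # "Internet", "*" and other non-CIDR sources
            inside = False
        if not inside:
            flagged.append(rule["name"])
    return flagged

if __name__ == "__main__":
    print(bad_dnat_destinations(DNAT_RULES, FW_PUBLIC_IP))
    print(nsg_rules_not_scoped_to_firewall(NSG_RULES, DNAT_RULES, FW_SUBNET))
```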

  • @venkatesang3133
    @venkatesang3133 4 years ago +1

    Your video was really helpful. Could you please let me know the video link for WVD integrated with Azure Firewall?
    How does it work routing traffic from the on-premises network to the Azure network using S2S VPN connectivity, applying Azure Firewall rules in the hub VNet? Also, does it still maintain the same source default rule 0.0.0.0/0 for all the routes? Please help me with these two questions.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      +Venkatesan G here is my video on WVD and network security including Azure Firewall th-cam.com/video/up90eL2Bbho/w-d-xo.html

  • @suryateja6917
    @suryateja6917 4 years ago +1

    I really loved your video. I am facing some issues with spoke VNets. Communication between spoke VNets must pass through the firewall, as the default route points to the firewall.
    If I don't configure any rules in the network rule collection in the firewall, I can RDP from VM1 in the Spoke-1 subnet to VM2 in the Spoke-2 subnet.
    The NAT rule collection for inbound traffic and the application rule collection for outbound traffic are working as expected in the firewall from the spoke VNets.
    Can you please explain why the firewall is allowing RDP traffic by default without configuring rules in the network rule collection?

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      All Azure VNETs have open communication inside the VNET; when you peer the VNETs together the communication is open as well. So without any rules the firewall allows the basic communication of the VNET, so it works.

    • @suryateja6917
      @suryateja6917 4 years ago +1

      Azure Academy oh ok. Then what's the reason for having a firewall in between VNets and pointing the default route to the firewall? If I write a block rule in the network rule collection to block RDP traffic between spoke VNets, the traffic is getting blocked in the firewall.

    • @AzureAcademy
      @AzureAcademy  4 years ago +1

      I think I am confused here...your question was WHY the firewall was letting all traffic through and you didn't have any rules...which I explained is because the VNETs are open by default. You then said if you add a rule to block RDP then the traffic is getting blocked...that is what it is supposed to do.
      Did I misunderstand your question?

  • @PeterPeter-xw6fn
    @PeterPeter-xw6fn 4 years ago

    Great Work

    • @AzureAcademy
      @AzureAcademy  4 years ago

      thanks! let me know what video we can make for you next!

    • @AzureAcademy
      @AzureAcademy  2 years ago

      THANKS Klowdtagna Global Solutions Pvt Ltd

    • @AzureAcademy
      @AzureAcademy  2 years ago

      +Klowdtagna thank you

    • @AzureAcademy
      @AzureAcademy  2 years ago

      +Klowdtagna Global Solutions Pvt Ltd thanks

  • @cloudpachehra1113
    @cloudpachehra1113 5 years ago +1

    Your videos are awesome, thanks for sharing - if possible make the sound a little higher, seems a little low

    • @AzureAcademy
      @AzureAcademy  5 years ago +2

      Thanks for the feedback.
      This was one of my videos before I got a good mic.
      Check out any of my recent videos and let me know what you think of the sound now.
      #HappyLearning

    • @cloudpachehra1113
      @cloudpachehra1113 5 years ago +1

      @AzureAcademy Awesome... U actually make very good content... 🙏💕

    • @AzureAcademy
      @AzureAcademy  5 years ago +2

      Thanks for the feedback!
      Is there anything we don’t have that you are looking for?

    • @cloudpachehra1113
      @cloudpachehra1113 5 years ago +1

      @AzureAcademy please create content on Terraform for Azure, containers and Kubernetes... Thank you 🙏💕 so much for replying!!! U r the best 👍💯

    • @AzureAcademy
      @AzureAcademy  10 months ago +1

      After waiting WAY TOO LONG...I am finally getting some Terraform, Containers and K8S help on the channel...stay tuned just a little longer 😁

  • @findprateek
    @findprateek 4 years ago

    difficult to follow because of the black background.

    • @AzureAcademy
      @AzureAcademy  4 years ago

      Thank you for your feedback Prateek