Azure Secure Hub is a centralized platform that enables you to manage and monitor your virtual network security. It provides a comprehensive view of your network traffic and security posture.
With Azure Secure Hub, you can create a virtual network hub to connect your virtual networks, which allows you to manage and monitor your network security from a single location. This hub enables you to configure network security groups, route tables, and subnets.
To get started with Azure Secure Hub, you'll need to create a virtual network and a network security group, which can be done through the Azure portal or using Azure CLI. This will give you a solid foundation for managing your virtual network security.
By following the steps outlined in the Azure Secure Hub tutorial, you'll be able to set up a secure virtual network hub and start monitoring your network traffic and security posture.
Configuring Routing
Configuring routing is a crucial step in setting up an Azure Secure Hub. To force traffic through the firewall, you create a custom route table and modify the network connections.
You do this by creating a new route table and associating it with the network connections you want to modify. For example, in Example 1, a custom route table was created and the network connections to spoke 2 and spoke 4 were changed to use this new route table.
The associated_route_table_id in the routing block should point to the custom route table you created. Additionally, in the propagated_route_table block, set propagation to the noneRouteTable so that the connected network's address range is not propagated.
Here's a step-by-step guide to configuring routing:
1. Create a custom route table
2. Associate the custom route table with the network connections you want to modify
3. Set the associated_route_table_id in the routing block to the custom route table
4. In the propagated_route_table block, propagate only to noneRouteTable
By following these steps, you can ensure that traffic is routed through the firewall and that your Azure Secure Hub is properly configured.
In some cases, you may need to add routes to the default route table to allow traffic to flow between private spokes and public spokes. This can be achieved by adding a route to the default route table for each private spoke.
Here's an example of how to add a route to the default route table:
```terraform
# Route on the default route table for one private spoke (10.0.0.0/16 here),
# sending that traffic to the firewall's private IP as the next hop.
resource "azurerm_route" "example" {
  name                   = "example-route"
  resource_group_name    = azurerm_resource_group.example.name
  route_table_name       = azurerm_route_table.example.name
  address_prefix         = "10.0.0.0/16"
  next_hop_type          = "VirtualAppliance"
  next_hop_in_ip_address = "10.100.254.132" # private IP address of the firewall
}
```
Note that the next_hop_in_ip_address should be set to the private IP address of the firewall.
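The following is an added Terraform example, not code from the original page or from the referenced lab, that carries the four routing steps above through in the AzureRM provider: a custom hub route table that sends everything to the firewall, a connection for a private spoke (spoke 2) that is associated with that table and propagates only to noneRouteTable, and the route on the default route table that lets the public spokes reach spoke 2 with the firewall in the path. It assumes a secured hub azurerm_virtual_hub.hub, an AZFW_Hub firewall azurerm_firewall.hub and a spoke VNet azurerm_virtual_network.spoke2 are declared elsewhere; the resource names and labels are constructed.

```terraform
# Added example. Assumed to be declared elsewhere (not shown):
#   azurerm_virtual_hub.hub           the secured virtual hub
#   azurerm_firewall.hub              the Azure Firewall in that hub (sku_name = "AZFW_Hub")
#   azurerm_virtual_network.spoke2    a private spoke whose traffic must cross the firewall

locals {
  # The hub's built-in route tables have fixed IDs beneath the hub resource.
  default_route_table_id = "${azurerm_virtual_hub.hub.id}/hubRouteTables/defaultRouteTable"
  none_route_table_id    = "${azurerm_virtual_hub.hub.id}/hubRouteTables/noneRouteTable"
}

# Step 1: a custom hub route table whose only route sends everything to the firewall.
resource "azurerm_virtual_hub_route_table" "via_firewall" {
  name           = "rt-via-firewall"
  virtual_hub_id = azurerm_virtual_hub.hub.id
  labels         = ["via-firewall"]

  route {
    name              = "all-to-firewall"
    destinations_type = "CIDR"
    destinations      = ["0.0.0.0/0"]
    next_hop_type     = "ResourceId"
    next_hop          = azurerm_firewall.hub.id
  }
}

# Steps 2 to 4: the spoke 2 connection is associated with the custom table and
# propagates only to noneRouteTable, so its range is not advertised to the other
# spokes directly. internet_security_enabled is the portal's "Propagate Default
# Route"; the provider defaults it to false, unlike the portal.
resource "azurerm_virtual_hub_connection" "spoke2" {
  name                      = "hub-to-spoke2"
  virtual_hub_id            = azurerm_virtual_hub.hub.id
  remote_virtual_network_id = azurerm_virtual_network.spoke2.id
  internet_security_enabled = true

  routing {
    associated_route_table_id = azurerm_virtual_hub_route_table.via_firewall.id

    propagated_route_table {
      labels          = ["none"]
      route_table_ids = [local.none_route_table_id]
    }
  }
}

# Because spoke 2 no longer propagates its range, the public spokes that stay on
# the default route table need an explicit route to it, via the firewall.
resource "azurerm_virtual_hub_route_table_route" "spoke2_via_firewall" {
  route_table_id    = local.default_route_table_id
  name              = "spoke2-via-firewall"
  destinations_type = "CIDR"
  destinations      = azurerm_virtual_network.spoke2.address_space
  next_hop_type     = "ResourceId"
  next_hop          = azurerm_firewall.hub.id
}
```

Every resource in this block depends on the firewall, so apply it after the firewall exists. With only 0.0.0.0/0 in the custom table, both internet-bound and inter-spoke traffic from spoke 2 reach the firewall, so the rule collections in the Firewall Policy decide what actually passes.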
Egress and Ingress Flows
The internet_security_enabled parameter plays a crucial role in determining egress flows on the Firewall. When set to false, a VM can be reached directly from the internet, even without specifying any flow.
However, when set to true, the next hop for well-known IPs like 8.8.8.8 is the Firewall, which blocks access to the Ubuntu package repositories. This is because the default Internet egress configuration is not propagated.
Interestingly, internet_security_enabled is set to true by default when you create a network connection from the portal, where it's labelled Propagate Default Route.
Egress Flows
Egress flows are crucial for allowing outgoing traffic from your network. The firewall can be configured to filter egress flows between spokes.
The parameter internet_security_enabled plays a significant role in determining egress flows. By default, it's set to true when creating a network connection from the portal.
For a VM with internet_security_enabled set to false, you can connect from the internet directly and reach the Ubuntu package repositories without specifying any flow.
A public IP and NSG configuration are required for this to work.
Ingress Flows from Internet for Security-Enabled Spoke
Ingress flows from the internet to a Security-Enabled Spoke are not possible. This is because traffic coming from the internet is routed back through the Firewall, preventing access to the VM.
The next hop configuration for internet traffic is set up in such a way that it doesn't allow ingress flows from the internet. This is a logical setup, considering the role of the Firewall in controlling incoming traffic.
If you try to access a VM in a spoke with internet security enabled, the traffic will not be able to get through. The Firewall will intercept the traffic, causing the access attempt to fail.
Route Management
Route Management is a crucial aspect of setting up an Azure Secure Hub. You can configure routing to force traffic through the firewall by creating a custom route table and modifying network connections. This is done by changing the associated route table for specific network connections, such as spoke 2 and 4.
In Azure Firewall Manager, you can select Virtual hubs, then select the Hub-01, and under Settings, select Security configuration. Here, you can ensure that network traffic gets routed through your firewall by selecting Azure Firewall under Internet traffic and Private traffic.
To manage the different route tables, you need to add a route for each private spoke on the default route table. The spoke's range would normally be propagated from its network connection, but if you simply propagate it, the firewall is no longer in the path. Instead, you add a route on the default route table for each private spoke, with the firewall as the next hop.
You can also enable routing intent to send inter-hub and inter-region traffic via Azure Firewall deployed in the Virtual WAN hub. This is done by selecting Enabled under Inter-hub in Firewall Manager.
Here's a summary of the steps to configure routing in Azure Secure Hub:
- Create a custom route table and associate it with the network connections that must go through the firewall (for example, spoke 2 and 4).
- In Firewall Manager, open the hub's Security configuration and select Azure Firewall for both Internet traffic and Private traffic.
- For each private spoke, add a route on the default route table instead of propagating the spoke's range.
- Optionally, enable routing intent (Inter-hub) so that inter-hub and inter-region traffic also goes via Azure Firewall.
By following these steps, you can ensure that network traffic is routed through your Azure Firewall, providing an additional layer of security for your Secure Hub.
Policy and Ruleset
To create a Firewall Policy, use the Firewall Policy resource definition from the Azure documentation. This policy is what controls traffic through the hub.
By default, Private Traffic is not routed via Azure Firewall, so you must enable this in the Azure Portal. Unfortunately, there's no way to do this using the AzureRM Terraform Provider at the time of writing.
It's essential to read the link around multi-region Virtual WAN and Azure Firewall deployment, as there are some key considerations to keep in mind. The link is https://docs.microsoft.com/en-us/azure/virtual-wan/how-to-routing-policies#key-considerations.
A Firewall Policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You create your Firewall Policy and then secure your hub.
You'll need to associate the Firewall Policy with the hub to secure it.
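An added Terraform example, not code from the page or from the Azure documentation it points to, showing a Firewall Policy, a rule collection group with the DNAT, network (SSH) and application (ifconfig.co) rules that the Troubleshooting and Testing section describes, and the AZFW_Hub firewall that associates the policy with the hub. It assumes azurerm_resource_group.example and azurerm_virtual_hub.hub exist; 10.1.1.4 and 10.1.2.4 are the spoke VM addresses from the text, and all names and priorities are constructed.

```terraform
# Added example. Assumed to exist elsewhere (not shown):
#   azurerm_resource_group.example   resource group for the firewall and policy
#   azurerm_virtual_hub.hub          the Virtual WAN hub to secure

resource "azurerm_firewall_policy" "hub" {
  name                     = "fwpol-hub-01"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  sku                      = "Standard"
  threat_intelligence_mode = "Alert"
}

# Deploying an AZFW_Hub firewall into the hub with the policy attached is what
# turns the hub into a secured virtual hub.
resource "azurerm_firewall" "hub" {
  name                = "fw-hub-01"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku_name            = "AZFW_Hub"
  sku_tier            = "Standard"
  firewall_policy_id  = azurerm_firewall_policy.hub.id

  virtual_hub {
    virtual_hub_id  = azurerm_virtual_hub.hub.id
    public_ip_count = 1
  }
}

# The policy drops everything by default; these collections open only the test flows.
resource "azurerm_firewall_policy_rule_collection_group" "lab" {
  name               = "rcg-lab"
  firewall_policy_id = azurerm_firewall_policy.hub.id
  priority           = 100

  # DNAT: expose SSH on Srv-Workload-01 (10.1.1.4) through the firewall's public IP.
  nat_rule_collection {
    name     = "dnat-test-vms"
    priority = 100
    action   = "Dnat"

    rule {
      name                = "ssh-to-srv-workload-01"
      protocols           = ["TCP"]
      source_addresses    = ["*"] # narrow this to your admin source range outside a lab
      destination_address = azurerm_firewall.hub.virtual_hub[0].public_ip_addresses[0]
      destination_ports   = ["22"]
      translated_address  = "10.1.1.4"
      translated_port     = "22"
    }
  }

  # Network rule: SSH between the two spoke VMs (ICMP stays dropped, which the logs will show).
  network_rule_collection {
    name     = "allow-ssh-between-spokes"
    priority = 200
    action   = "Allow"

    rule {
      name                  = "ssh-spoke1-to-spoke2"
      protocols             = ["TCP"]
      source_addresses      = ["10.1.1.4"]
      destination_addresses = ["10.1.2.4"]
      destination_ports     = ["22"]
    }
  }

  # Application rule: only the FQDN ifconfig.co is reachable on the internet.
  application_rule_collection {
    name     = "allow-ifconfig-co"
    priority = 300
    action   = "Allow"

    rule {
      name              = "ifconfig-co"
      source_addresses  = ["10.1.1.4", "10.1.2.4"]
      destination_fqdns = ["ifconfig.co"]

      protocols {
        type = "Http"
        port = 80
      }
      protocols {
        type = "Https"
        port = 443
      }
    }
  }
}
```

The DNAT rule reads the firewall's hub public IP back from the azurerm_firewall resource, so the rule collection group is created after the firewall; because the firewall only references the policy, this does not form a cycle. Keep the DNAT source range as narrow as the test allows, since it is the only path from the internet into the spoke.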
Connectivity
To connect your virtual networks in an Azure Secure Hub, you'll need to create virtual network connections. This can be done by selecting the resource group, virtual WAN, and then adding a new connection under Connectivity.
To create a Site-to-Site connection, you'll need a VPN Gateway in each Virtual WAN Hub you want to connect into. This can be created using the code provided in the AzureRM Provider documentation.
You can connect multiple virtual networks to a hub, including spoke virtual networks. To do this, select the hub and spoke virtual networks, and then add a new connection under Virtual network connections.
Here's a step-by-step guide to connecting a spoke virtual network:
- Select the resource group, then select the Vwan-01 virtual WAN.
- Under Connectivity, select Virtual network connections.
- Select Add connection.
- For Connection name, type hub-spoke-01.
- For Hubs, select Hub-01.
- For Resource group, select fw-manager-rg.
- For Virtual network, select Spoke-01.
- Select Create.
You can repeat this process to connect multiple spoke virtual networks.
Bastion and WAN
Azure Bastion provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines directly through the Azure Portal.
Azure Bastion is provisioned directly into a Virtual Network (VNet) and supports all VMs in the same and peered VNets, and anywhere else provided there is connectivity.
This eliminates the need to open inbound connectivity to VMs from the internet, thereby reducing the attack surface.
Azure Virtual WAN Secured Hub allows organizations to create a hub-and-spoke architecture in Azure and route traffic through the hub, simplifying network architecture and enhancing connectivity.
WAN Terraform Basics
To create a Virtual WAN environment using Terraform, you define three core elements, which are the building blocks of your Virtual WAN setup, using the AzureRM Provider as the foundation. Virtual Machines are not part of this core set, but can be added if needed.
You can download the full lab from the author's GitHub Repo if you prefer to deploy the entire environment at once.
Secured Virtual Hub
The "Secured" part of an Azure Virtual WAN Secured Hub refers to the integrated security features, such as the firewall and threat protection, that sit in the hub-and-spoke architecture described above.
A Virtual WAN is a collection of hubs and the services made available inside those hubs. You can deploy as many Virtual WANs as you need. A Virtual WAN hub offers multiple services, such as VPN and ExpressRoute.
To create a secured virtual hub, you need to follow these steps:
- From the Azure portal home page, select All services.
- In the search box, type Firewall Manager and select Firewall Manager.
- On the Firewall Manager page under Deployments, select Virtual hubs.
- On the Firewall Manager | Virtual hubs page, select Create new secured virtual hub.
- Select your Subscription.
- For Resource group, select fw-manager-rg.
- For Region, select East US.
- For the Secured virtual hub name, type Hub-01.
- For Hub address space, type 10.2.0.0/16.
- Select New vWAN.
- For the new virtual WAN name, type Vwan-01.
- For Type, select Standard.
- Leave the Include VPN gateway to enable Trusted Security Partners check box cleared.
- Select Next: Azure Firewall.
- Accept the default Azure Firewall Enabled setting.
- For Azure Firewall tier, select Standard.
- Select the desired combination of Availability Zones.
It may take up to 30 minutes to create a secured virtual hub. You can find the firewall public IP address after the deployment completes.
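As an added Terraform example, not the page's or the author's own lab code, here are the resources behind the portal steps in this section and in Connectivity: a Standard Virtual WAN named Vwan-01, the hub Hub-01 with address space 10.2.0.0/16 in East US in the resource group fw-manager-rg, a VPN gateway for Site-to-Site connections, and the hub-spoke-01 connection to Spoke-01. The spoke address space, the gateway name and the scale unit are constructed; the firewall that makes the hub "secured" is a separate azurerm_firewall resource with sku_name AZFW_Hub and is not shown here.

```terraform
# Added example: the core Virtual WAN elements, using the names from the portal steps.
resource "azurerm_resource_group" "example" {
  name     = "fw-manager-rg"
  location = "East US"
}

resource "azurerm_virtual_wan" "vwan" {
  name                = "Vwan-01"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  type                = "Standard"
}

resource "azurerm_virtual_hub" "hub" {
  name                = "Hub-01"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  virtual_wan_id      = azurerm_virtual_wan.vwan.id
  address_prefix      = "10.2.0.0/16"
  sku                 = "Standard"
}

# Site-to-Site: one VPN gateway is needed in every hub you want to connect into.
resource "azurerm_vpn_gateway" "hub" {
  name                = "vpngw-hub-01" # constructed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  virtual_hub_id      = azurerm_virtual_hub.hub.id
  scale_unit          = 1
}

# Spoke VNet; its address space is constructed for this example.
resource "azurerm_virtual_network" "spoke01" {
  name                = "Spoke-01"
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  address_space       = ["10.0.0.0/16"]
}

# The virtual network connection created under Connectivity in the portal.
# Leaving the routing block out keeps the connection on the default route table.
resource "azurerm_virtual_hub_connection" "hub_spoke01" {
  name                      = "hub-spoke-01"
  virtual_hub_id            = azurerm_virtual_hub.hub.id
  remote_virtual_network_id = azurerm_virtual_network.spoke01.id
}
```

Repeat the azurerm_virtual_network and azurerm_virtual_hub_connection pair for each additional spoke. As with the portal, the hub can take a long time to deploy, so expect the first apply of this block to run for a while.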
Troubleshooting and Testing
To test the Azure Firewall, connect a remote desktop using the firewall's public IP address, which is NATed to Srv-Workload-01. From there you can use a browser to test the application rule, and connect a remote desktop to Srv-Workload-02 to test the network rule.
The default configuration in the firewall policy is to drop everything, so you need to configure some rules. Start with DNAT rules, so that the test virtual machines are reachable over the Firewall's public IP address.
Then define a network rule that allows SSH traffic, and an application rule that allows Internet access to the Fully Qualified Domain Name ifconfig.co, which returns the source IP address it sees in the HTTP request.
You can verify that packets are dropped by the firewall by checking the logs. Since you configured the Azure Firewall to send logs to Azure Monitor, you can use the Kusto Query Language (KQL) to retrieve the relevant logs from Azure Monitor.
Here are some specific things to look for in the logs:
- Your SSH connection being DNAT'ed
- Dropped ICMP packets between the VMs in the spokes (10.1.1.4 and 10.1.2.4)
- Allowed SSH connections between the VMs in the spokes
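An added Terraform example (not the page's code) of the logging side of these tests: a Log Analytics workspace, the diagnostic setting that sends the firewall's rule logs to Azure Monitor, and a saved KQL search that pulls out the three things listed above. It assumes azurerm_resource_group.example and the hub firewall azurerm_firewall.hub exist, and it assumes the legacy AzureDiagnostics table layout in which the rule outcome is a text message in msg_s (for example "TCP request from 10.1.1.4:51234 to 10.1.2.4:22. Action: Allow"); resource-specific destination tables use different column names.

```terraform
# Added example. Assumed to exist elsewhere (not shown):
#   azurerm_resource_group.example   resource group for the workspace
#   azurerm_firewall.hub             the AZFW_Hub firewall in the secured hub

resource "azurerm_log_analytics_workspace" "logs" {
  name                = "law-secure-hub" # constructed name
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  sku                 = "PerGB2018"
  retention_in_days   = 30
}

# Send the firewall's network and application rule logs to Azure Monitor.
resource "azurerm_monitor_diagnostic_setting" "firewall" {
  name                       = "diag-fw-hub-01"
  target_resource_id         = azurerm_firewall.hub.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.logs.id

  enabled_log {
    category = "AzureFirewallNetworkRule"
  }

  enabled_log {
    category = "AzureFirewallApplicationRule"
  }

  metric {
    category = "AllMetrics"
  }
}

# Saved search for the three expected findings. The msg_s text format is assumed:
#   "... was DNAT'ed to 10.1.1.4:22"                      the DNAT'ed SSH session
#   "ICMP request from 10.1.1.4 to 10.1.2.4. Action: Deny" dropped ping between spokes
#   "TCP request from 10.1.1.4:... to 10.1.2.4:22. Action: Allow" allowed SSH between spokes
resource "azurerm_log_analytics_saved_search" "fw_test_flows" {
  name                       = "SecureHubTestFlows"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.logs.id
  category                   = "SecureHub"
  display_name               = "Secure hub test flows"
  query                      = <<-KQL
    AzureDiagnostics
    | where Category == "AzureFirewallNetworkRule"
    | where msg_s contains "DNAT'ed"
        or (msg_s startswith "ICMP" and msg_s contains "Action: Deny")
        or (msg_s startswith "TCP" and msg_s contains ":22. Action: Allow")
    | project TimeGenerated, msg_s
    | order by TimeGenerated desc
  KQL
}
```

Run the saved search in the workspace after generating the test traffic; an absent "Action: Deny" line for ICMP usually means the ping never reached the firewall, which points back at the routing configuration rather than at the policy.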
The Problem
As you're troubleshooting and testing your Azure setup, you might run into a problem that's not immediately obvious. Azure Bastion, which allows users to connect to virtual machines securely, can be broken by a Virtual WAN Secured Hub configured to secure internet traffic through the hub firewall.
This happens because the Virtual Hub Router programs a default route on all subnets in connected spoke VNETs, pointing to the firewall's load balancer address. This route is also applied to the AzureBastionSubnet, causing return traffic to be sent to the hub firewall instead of the instance public IP.
The default route programmed by the Virtual Hub Router will drop the return traffic, causing the session to fail. To fix this issue, you need to obtain the hub firewall's public IP address.
Frequently Asked Questions
What is a security hub in Azure?
A Security Hub in Azure is a centralized platform that collects and analyzes security data from various sources, helping you identify and prioritize potential security threats. It provides a comprehensive view of your organization's security posture, enabling proactive measures to protect your assets.
How do I secure hubs with Azure firewall policy?
To secure hubs with Azure Firewall Policy, create a new policy in Firewall Manager and select the Standard tier. This will help you configure DNS settings and other security features to protect your hubs.
What is the difference between hub virtual network and secured virtual hub?
A hub virtual network is a standard Azure virtual network, while a secured virtual hub adds security policies to enhance protection. The main difference lies in the level of security and management involved.
Sources
- https://blog.teknews.cloud/network/security/terraform/2024/01/19/Walkthrough_Secure_Hub_in_Virtual_WAN.html
- https://jakewalsh.co.uk/deploying-azure-virtual-wan-using-terraform/
- https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network
- https://github.com/mddazure/bastion-and-secure-hub
- https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network-powershell