In this part of the lab, you will create the spoke virtual networks and subnets where you will place the workload servers. Then you will create the secured virtual hub and connect the hub and spoke virtual networks.<\/p>\n\n\n\n
In this lab, you will:<\/p>\n\n\n\n
- Task 1: Create two spoke virtual networks and subnets<\/li>
- Task 2: Create the secured virtual hub<\/li>
- Task 3: Connect the hub and spoke virtual networks<\/li>
- Task 4: Deploy the servers<\/li>
- Task 5: Create a firewall policy and secure your hub<\/li>
- Task 6: Associate the firewall policy<\/li>
- Task 7: Route traffic to your hub<\/li>
- Task 8: Test the application rule<\/li>
- Task 9: Test the network rule<\/li><\/ul>\n\n\n\n
Prerequisites for this labs : Azure Account<\/a> \/ Download Labs Files here<\/a><\/p>\n\n\n\n
Task 1: Create two spoke virtual networks and subnets<\/strong><\/p>\n\n\n\n
In this task, you will create the two spoke virtual networks each containing a subnet that will host your workload servers.<\/p>\n\n\n\n
- On the Azure portal home page, in the search box, type virtual network<\/strong> and select Virtual Network<\/strong> when it appears.<\/li>
- Click Create<\/strong>.<\/li>
- In Resource group<\/strong>, select Create new<\/strong>, and enter fw-manager-rg<\/strong> as the name and click OK<\/strong>.<\/li>
- In Name<\/strong>, enter Spoke-01<\/strong>.<\/li>
- In Region<\/strong>, select your region.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture1-8.png\")
<\/figure>\n\n\n\n- Click Next: IP Addresses<\/strong>.<\/li>
- In IPv4 address space<\/strong>, enter 10.0.0.0\/16<\/strong>.<\/li>
- Delete<\/strong> any other address spaces listed here, such as 10.1.0.0\/16<\/strong>.<\/li>
- Under Subnet name<\/strong>, click the word default<\/strong>.<\/li>
- In the Edit subnet<\/strong> dialog box, change the name to Workload-01-SN<\/strong>.<\/li>
- Change the Subnet address range<\/strong> to 10.0.1.0\/24<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture2-8.png\")
<\/figure>\n\n\n\nClick Save<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture3-8.png\")
<\/figure>\n\n\n\nClick Review + create<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture4-8.png\")
<\/figure>\n\n\n\nClick Create<\/strong>.<\/p>\n\n\n\n
Repeat steps 1 to 14 above to create another similar virtual network and subnet but using the following information:<\/p>\n\n\n\n
- Resource Group: fw-manager-rg<\/strong> (select existing)<\/li>
- Name: Spoke-02<\/strong><\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture5-8.png\")
<\/figure>\n\n\n\n- Address space: 10.1.0.0\/16<\/strong> – (delete any other listed address spaces)<\/li>
- Subnet name: Workload-02-SN<\/strong><\/li>
- Subnet address range: 10.1.1.0\/24<\/strong><\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture6-7.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture7-7.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture8-6.png\")
<\/figure>\n\n\n\nTask 2: Create the secured virtual hub<\/strong><\/p>\n\n\n\n
In this task you will create your secured virtual hub using Firewall Manager.<\/p>\n\n\n\n
- From the Azure portal home page, click All services<\/strong>.<\/li>
- In the search box, type firewall manager<\/strong> and select Firewall Manager<\/strong> when it appears.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture9-6-1024x327.png\")
<\/figure>\n\n\n\nOn the Firewall Manager<\/strong> page, from the Overview page, click View secured virtual hubs<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture10-4-1024x423.png\")
<\/figure>\n\n\n\nOn the Virtual hubs<\/strong> page, click Create new secured virtual hub<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture11-4-1024x376.png\")
<\/figure>\n\n\n\n- For Resource group<\/strong>, select fw-manager-rg<\/strong>.<\/li>
- For Region<\/strong>, select your region.<\/li>
- For the Secured virtual hub name<\/strong>, enter Hub-01<\/strong>.<\/li>
- For Hub address space<\/strong>, enter 10.2.0.0\/16<\/strong>.<\/li>
- Choose New vWAN<\/strong>.<\/li>
- In Virtual WAN Name<\/strong>, enter Vwan-01<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture12-3.png\")
<\/figure>\n\n\n\nClick Next: Azure Firewall<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture13-1-1024x401.png\")
<\/figure>\n\n\n\nClick Next: Security Partner Provider<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture14-1.png\")
<\/figure>\n\n\n\nClick Next: Review + create.<\/strong><\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture15-1.png\")
<\/figure>\n\n\n\n- Click Create<\/strong>.<\/li><\/ul>\n\n\n\n
[!NOTE]<\/strong><\/p>\n\n\n\n
This can take up to 30 minutes to deploy.<\/p>\n\n\n\n
\u200b<\/p>\n\n\n\n
- When the deployment completes, from the Azure portal home page, click All services<\/strong>.<\/li>
- In the search box, type firewall manager<\/strong> and select Firewall Manager<\/strong> when it appears.<\/li>
- On the Firewall Manager<\/strong> page, click Virtual hubs<\/strong>.<\/li>
- Click Hub-01<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture16-1-1024x326.png\")
<\/figure>\n\n\n\n- Click Public IP configuration<\/strong>.<\/li>
- Note down the public IP address (e.g., 20.106.142.72<\/strong>), which you will use later.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture17-1.png\")
<\/figure>\n\n\n\nTask 3: Connect the hub and spoke virtual networks<\/strong><\/p>\n\n\n\n
In this task you will connect the hub and spoke virtual networks. This is commonly known as peering.<\/p>\n\n\n\n
- From the Azure portal home page, click Resource groups<\/strong>.<\/li>
- Select the fw-manager-rg<\/strong> resource group, then select the Vwan-01<\/strong> virtual WAN.<\/li>
- Under Connectivity<\/strong>, click Virtual network connections<\/strong>.<\/li>
- Click Add connection<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture18-1-1024x327.png\")
<\/figure>\n\n\n\n- For Connection name<\/strong>, enter hub-spoke-01<\/strong>.<\/li>
- For Hubs<\/strong>, select Hub-01<\/strong>.<\/li>
- For Resource group<\/strong>, select fw-manager-rg<\/strong>.<\/li>
- For Virtual network<\/strong>, select Spoke-01<\/strong>.<\/li>
- Click Create<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture19-1.png\")
<\/figure>\n\n\n\nRepeat steps 4 to 9 above to create another similar connection but using the connection name of hub-spoke-02<\/strong> to connect the Spoke-02<\/strong> virtual network.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture20-1.png\")
<\/figure>\n\n\n\nTask 4: Deploy the servers<\/strong><\/p>\n\n\n\n
- In the Azure portal, open the PowerShell<\/strong> session within the Cloud Shell<\/strong> pane.<\/li>
- In the toolbar of the Cloud Shell pane, select the Upload\/Download files icon, in the drop-down menu, select Upload and upload the following files FirewallManager.json<\/strong> and FirewallManager.parameters.json<\/strong> into the Cloud Shell home directory from the source folder F:\\Allfiles\\Labs\\M06<\/strong>.<\/li>
- Deploy the following ARM templates to create the VM needed for this lab:<\/li><\/ol>\n\n\n\n
code<\/p>\n\n\n\n
$RGName = \"fw-manager-rg\"\n \nNew-AzResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile FirewallManager.json -TemplateParameterFile FirewallManager.parameters.json\n<\/code><\/pre>\n\n\n\n![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture21-1-1024x215.png\")
<\/figure>\n\n\n\n- When the deployment is complete, go to the Azure portal home page, and then select Virtual Machines<\/strong>.<\/li>
- On the Overview<\/strong> page of Srv-workload-01<\/strong>, in the right-hand pane, under the Networking<\/strong> section, note down the Private IP address<\/strong> (e.g., 10.0.1.4<\/strong>).<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture22-1-1024x436.png\")
<\/figure>\n\n\n\nOn the Overview<\/strong> page of Srv-workload-02<\/strong>, in the right-hand pane, under the Networking<\/strong> section, note down the Private IP address<\/strong> (e.g., 10.1.1.4<\/strong>).<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture23-1-1024x442.png\")
<\/figure>\n\n\n\nTask 5: Create a firewall policy and secure your hub<\/strong><\/p>\n\n\n\n
In this task you will first create your firewall policy, then secure your hub. The firewall policy will define collections of rules to direct traffic on one or more Secured virtual hubs.<\/p>\n\n\n\n
- From the Azure portal home page, click Firewall Manager<\/strong>.
- If the Firewall Manager icon does not appear on the homepage, then click All services<\/strong>. Then in the search box, type firewall manager<\/strong> and select Firewall Manager<\/strong> when it appears.<\/li><\/ul><\/li>
- From Firewall Manager<\/strong>, from the Overview page, click View Azure Firewall Policies<\/strong>.<\/li>
- Click Create Azure Firewall Policy<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture24-1-1024x327.png\")
<\/figure>\n\n\n\n- In Resource group<\/strong>, select fw-manager-rg<\/strong>.<\/li>
- Under Policy details<\/strong>, for the Name<\/strong>, enter Policy-01<\/strong>.<\/li>
- In Region<\/strong> select your region.<\/li>
- In Policy tier<\/strong>, select Standard<\/strong>.<\/li>
- Click Next : DNS Settings<\/strong>.<\/li><\/ul>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture25-1-1024x400.png\")
<\/figure>\n\n\n\nClick Next : TLS Inspection (preview)<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture26-1.png\")
<\/figure>\n\n\n\nClick Next : Rules<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture27-1.png\")
<\/figure>\n\n\n\nOn the Rules<\/strong> tab, click Add a rule collection<\/strong>.<\/p>\n\n\n\n
![\"\"](\"https:\/\/exceedthecloud.com\/wp-content\/uploads\/2022\/02\/picture28-1-1024x405.png\")
<\/figure>\n\n\n\n- On the Add a rule collection<\/strong> page, in Name<\/strong>, enter App-RC-01<\/strong>.<\/li>
- For Rule collection type<\/strong>, select Application<\/strong>.<\/li>
- For Priority<\/strong>, enter 100<\/strong>.<\/li>
- Ensure
- For Rule collection type<\/strong>, select Application<\/strong>.<\/li>
- Under Policy details<\/strong>, for the Name<\/strong>, enter Policy-01<\/strong>.<\/li>
- From Firewall Manager<\/strong>, from the Overview page, click View Azure Firewall Policies<\/strong>.<\/li>
- If the Firewall Manager icon does not appear on the homepage, then click All services<\/strong>. Then in the search box, type firewall manager<\/strong> and select Firewall Manager<\/strong> when it appears.<\/li><\/ul><\/li>
- On the Overview<\/strong> page of Srv-workload-01<\/strong>, in the right-hand pane, under the Networking<\/strong> section, note down the Private IP address<\/strong> (e.g., 10.0.1.4<\/strong>).<\/li><\/ul>\n\n\n\n
- In the toolbar of the Cloud Shell pane, select the Upload\/Download files icon, in the drop-down menu, select Upload and upload the following files FirewallManager.json<\/strong> and FirewallManager.parameters.json<\/strong> into the Cloud Shell home directory from the source folder F:\\Allfiles\\Labs\\M06<\/strong>.<\/li>
- For Hubs<\/strong>, select Hub-01<\/strong>.<\/li>
- Select the fw-manager-rg<\/strong> resource group, then select the Vwan-01<\/strong> virtual WAN.<\/li>
- Note down the public IP address (e.g., 20.106.142.72<\/strong>), which you will use later.<\/li><\/ul>\n\n\n\n
- In the search box, type firewall manager<\/strong> and select Firewall Manager<\/strong> when it appears.<\/li>
- When the deployment completes, from the Azure portal home page, click All services<\/strong>.<\/li>
- For Region<\/strong>, select your region.<\/li>
- In the search box, type firewall manager<\/strong> and select Firewall Manager<\/strong> when it appears.<\/li><\/ul>\n\n\n\n
- Subnet name: Workload-02-SN<\/strong><\/li>
- Name: Spoke-02<\/strong><\/li><\/ul>\n\n\n\n
- In IPv4 address space<\/strong>, enter 10.0.0.0\/16<\/strong>.<\/li>
- Click Create<\/strong>.<\/li>
- On the Azure portal home page, in the search box, type virtual network<\/strong> and select Virtual Network<\/strong> when it appears.<\/li>