As more and more organizations move to the cloud, ensuring that your cloud environment is adequately secured is critical. One of the best ways to secure your environment in Azure is by using Azure Firewall. This blog post will explore how to configure Azure Firewall to protect an Azure Virtual Desktop deployment and the Azure tenant in general.

The Importance of Azure Firewall

One of the most critical things to understand about Azure is that, by default, it places no real restriction on outbound internet traffic from your virtual networks. Without additional controls, your organization’s data and resources are exposed to a range of threats. This is where Azure Firewall comes in.

Azure Firewall is a fully managed, cloud-based firewall service that provides network security for your Azure Virtual Desktop deployment and the Azure tenant in general. It allows you to create and enforce network security policies across your entire environment, including inbound and outbound internet traffic. While there is a cost associated with using Azure Firewall, the security and peace of mind benefits are well worth it.

Configuring Azure Firewall for Azure Virtual Desktop

To configure Azure Firewall for Azure Virtual Desktop, follow these steps:

Step 1: Create an Azure Firewall

The first step is to create an Azure Firewall instance in your Azure environment. You can do this by following the instructions in the Azure documentation. Make sure to select the appropriate subscription, resource group, and region.

Step 2: Configure rules for outbound internet traffic

Once you have created an Azure Firewall, you must configure rules for outbound internet traffic. By default, all outbound internet traffic is allowed, so you will want to create rules that limit outbound traffic to only specific sites or services.

To create a rule for outbound internet traffic:

  1. In the Azure Firewall blade, select “Rules”.
  2. Click “Add”.
  3. Enter a name for the rule.
  4. Choose “Allow” for the action.
  5. Under “Source”, select “Any.”
  6. Under “Destination”, enter the URL of the site or service to which you want to allow outbound traffic.
  7. Click “Add”.

You can create multiple rules for different sites or services as needed.

Step 3: Allow access to Azure Virtual Desktop services

To allow access to Azure Virtual Desktop services, create rules that allow traffic to the relevant services, such as the Windows Virtual Desktop (WVD) service, Windows Update, and the MDE ATP services. To create a rule for a specific service:

  1. In the Azure Firewall blade, select “Rules”.
  2. Click “Add”.
  3. Enter a name for the rule.
  4. Choose “Allow” for the action.
  5. Under “Source”, select “Any”.
  6. Under “Destination”, select “Service Tag” and choose the appropriate service tag for the service to which you want to allow traffic.
  7. Click “Add”.

You can create multiple rules for Azure Virtual Desktop services, Microsoft Defender Endpoint ATP, and Cisco DUO.
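The same result as Steps 2 and 3, scripted with Az PowerShell, as an added example that is not part of the original post. It assumes an existing firewall named fw-avd in resource group rg-avd and session hosts in 10.0.1.0/24 (placeholder names and addresses), and scopes the source to that subnet rather than Any.

```powershell
# Added example (not from the original post). Assumptions: firewall 'fw-avd'
# in resource group 'rg-avd' already exists, the AVD session hosts live in
# 10.0.1.0/24 (placeholders), the Az.Network module is installed and
# Connect-AzAccount has already been run.
$rg      = 'rg-avd'
$fwName  = 'fw-avd'
$hostNet = '10.0.1.0/24'   # scope rules to the host-pool subnet instead of Any

# Step 2: outbound web traffic, allow-listed by FQDN tag or explicit FQDN.
# Azure Firewall drops any traffic that does not match an allow rule.
$appRules = @(
    New-AzFirewallApplicationRule -Name 'Allow-WindowsUpdate' `
        -SourceAddress $hostNet -FqdnTag 'WindowsUpdate'
    New-AzFirewallApplicationRule -Name 'Allow-AVD-ControlPlane' `
        -SourceAddress $hostNet -FqdnTag 'WindowsVirtualDesktop'
    # Placeholder for one specific site users need; replace the FQDN.
    New-AzFirewallApplicationRule -Name 'Allow-LineOfBusiness-Site' `
        -SourceAddress $hostNet -Protocol 'https:443' -TargetFqdn 'www.example.com'
)
$appColl = New-AzFirewallApplicationRuleCollection -Name 'AVD-Outbound-Web' `
    -Priority 200 -ActionType Allow -Rule $appRules

# Step 3: non-HTTP(S) traffic to Microsoft services, addressed by service tag.
$netRule = New-AzFirewallNetworkRule -Name 'Allow-AVD-ServiceTag' `
    -SourceAddress $hostNet -DestinationAddress 'WindowsVirtualDesktop' `
    -DestinationPort 443 -Protocol TCP
$netColl = New-AzFirewallNetworkRuleCollection -Name 'AVD-Outbound-Services' `
    -Priority 200 -ActionType Allow -Rule $netRule

# Attach both collections to the existing firewall and push the change.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw

# Step 4 check: these rules only see traffic if the host-pool subnet's route
# table sends 0.0.0.0/0 to the firewall's private IP; confirm in the
# firewall's application and network rule logs that only expected denies appear.
```

The rules are only evaluated for traffic that the host-pool subnet's route table actually sends to the firewall, so verify the route before testing.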

Step 4: Test the firewall

Once you have configured the firewall rules, test it to ensure it works as expected. Verify that only the allowed outbound traffic is passing through the firewall and that the Azure Virtual Desktop services are accessible.

Conclusion

Properly securing your Azure Virtual Desktop deployment and the Azure tenant, in general, is critical for the safety and security of your organization’s data and resources. Azure Firewall is a powerful tool that can help you achieve this goal by providing network security for your environment. Following the steps outlined above, you can configure Azure Firewall to protect your Azure Virtual Desktop deployment and ensure that only authorized traffic can pass through. Remember that while there is a cost associated with Azure Firewall, the security and peace of mind benefits are well worth it.

Thanks,

John O’Neill Sr rMVP