
Azure Virtual Secure Administration Workstation – Part 2 – Firewalls and VNets

Azure Secure Admin Workstation posts:


Context and References

Deployment procedure

Stage 2 – Create Azure Network Components

  • This section provides context for the PowerShell commands below; I strongly suggest reviewing the description of the steps before running them.

Procedure

Primary source for this bit: Deploy and configure Azure Firewall using Azure PowerShell | Microsoft Learn

  • Note that Azure's documentation states that for ‘production’ deployments a hub and spoke model is recommended, where the firewall sits in its own VNet.
    • For our use case, I don’t believe the hub and spoke model will provide any benefit, security-related or otherwise.
  1. Create a VNet and add the FWsubnet and the SAWsubnet
    • NOTE: The AzureFWSubnet must be a /26
  2. Create a Public IP Address for the Azure Firewall and deploy the firewall
  3. Create a route table and associate routes with the SAW subnet, ensuring SAW traffic is routed via the Azure Firewall
  4. Create rules for outbound internet connectivity. Some Microsoft docs still have commands for deploying Application and Network firewall rules directly on the Azure Firewall, despite the Azure Well-Architected Framework review – Azure Firewall | Microsoft Learn stating that Azure Firewall Manager and Policies should be used…
    • … so the PowerShell script below has been updated to create an Azure Firewall Policy instead of assigning rules directly to the firewall.
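The four steps above as a single Az PowerShell sequence, added here as an illustration and not the post's own CreateSAWNets.ps1 script. Resource names, region, address ranges and the allowed FQDNs are assumptions; the firewall subnet is given the name AzureFirewallSubnet because the Azure Firewall deployment requires that exact name, and the policy is attached at firewall creation rather than rules being set on the firewall directly.

```powershell
# Added example (not the post's script). Requires the Az module and an authenticated session.
$rg  = 'rg-saw'          # assumed resource group name
$loc = 'australiaeast'   # assumed region
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# Step 1: one VNet holding the firewall subnet (/26 as the post notes) and the SAW subnet.
# Azure only deploys the firewall into a subnet literally named AzureFirewallSubnet.
$fwSub  = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.10.0.0/26'
$sawSub = New-AzVirtualNetworkSubnetConfig -Name 'SAWsubnet' -AddressPrefix '10.10.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-saw' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.10.0.0/16' -Subnet $fwSub, $sawSub

# Step 4 (done first so the firewall is created with the policy already attached):
# an Application rule allowing only named FQDNs from the SAW subnet; anything not matched is denied.
$policy  = New-AzFirewallPolicy -Name 'fwpol-saw' -ResourceGroupName $rg -Location $loc
$appRule = New-AzFirewallPolicyApplicationRule -Name 'allow-saw-egress' `
    -SourceAddress '10.10.1.0/24' `
    -TargetFqdn 'login.microsoftonline.com', 'portal.azure.com' `   # assumed allow-list
    -Protocol 'https:443'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'saw-app-allow' -Priority 200 `
    -ActionType Allow -Rule $appRule
New-AzFirewallPolicyRuleCollectionGroup -Name 'saw-rcg' -Priority 200 `
    -RuleCollection $appColl -FirewallPolicyObject $policy | Out-Null

# Step 2: Standard-SKU static public IP, then the firewall bound to the policy by ID.
$pip = New-AzPublicIpAddress -Name 'pip-fw-saw' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name 'fw-saw' -ResourceGroupName $rg -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $policy.Id

# Step 3: default route for the SAW subnet whose next hop is the firewall's private IP,
# so all SAW egress is forced through the policy above.
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'rt-saw' -ResourceGroupName $rg -Location $loc -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'SAWsubnet' `
    -AddressPrefix '10.10.1.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the SAW subnet should now reference the route table that points at the firewall.
(Get-AzVirtualNetwork -Name 'vnet-saw' -ResourceGroupName $rg |
    Get-AzVirtualNetworkSubnetConfig -Name 'SAWsubnet').RouteTable.Id
```

If the last line prints an empty value, the route association did not apply and SAW traffic is still leaving the VNet without passing the firewall.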

PowerShell

Script: https://raw.githubusercontent.com/zoak-solutions/AzureVirtualSAW/master/scripts/CreateSAWNets.ps1
