Safeguard Your Azure Route Server with Azure DDoS Protection

This guide walks you through securing an Azure Route Server by deploying it in a virtual network that has Azure DDoS Protection enabled. Route Server needs a public IP address so that Azure can manage it, and Azure DDoS Network Protection mitigates volumetric Distributed Denial of Service (DDoS) attacks against the public IPs in a protected virtual network. In this tutorial, you will learn to:

  • Create a DDoS protection plan.
  • Deploy an Azure Route Server.
  • Enable the DDoS protection plan on the Route Server's virtual network.
  • Set up BGP peering between the Route Server and a network virtual appliance (NVA).

Step-by-Step Guide: Setting Up DDoS Protection and Azure Route Server
Create a DDoS Protection Plan

In this section, you will create a DDoS protection plan to associate with a virtual network later in the process.

  • Sign in to the Azure Portal.
  • Use the search bar at the top of the portal to search for DDoS protection and select DDoS protection plans from the results.
  • Click + Create.
  • On the Basics tab of the "Create a DDoS protection plan" page, provide the required details.

  • Click Review + Create, and then select Create.

Create an Azure Route Server

Next, deploy an Azure Route Server along with the virtual network, the dedicated RouteServerSubnet and the public IP address it requires.

  • Search for Route Server in the portal's search bar and select Route Servers from the results.
  • Click + Create.
  • On the Basics tab of the "Create a Route Server" page, fill in the necessary details.

  • Click Review + Create, and then select Create.

Enable DDoS Protection

Enable Azure DDoS Network Protection for the virtual network associated with the Route Server.

  • In the Azure Portal, search for Virtual network and select Virtual networks from the results.
  • Choose your virtual network (e.g., myVNet).
  • Under Settings, select DDoS protection.
  • Click Enable.
  • In the DDoS protection plan dropdown, select your DDoS plan (e.g., myDDoSProtectionPlan).
  • Click Save.

Set Up Peering with a Network Virtual Appliance (NVA)

Establish BGP peering between the Route Server and your NVA. The Route Server always uses ASN 65515, so the NVA must be configured with a different ASN.

  • Search for Route Server in the portal and select your Route Server (e.g., myRouteServer) from the results.
  • Under Settings, click Peers.
  • Click + Add.
  • In the Add Peer form, enter a name for the peer, the NVA's ASN and the NVA's IPv4 address, then select Add.

Configure the NVA

To complete the configuration, the NVA needs the Route Server's peer IPs and ASN.

  • Search for Route Server in the portal and select your Route Server (e.g., myRouteServer).
  • Navigate to the Overview page and make note of the ASN (65515) and the two Peer IPs. Route Server runs as two instances; configure the NVA to peer with both addresses so that the BGP session survives the loss of one instance.

  • Use this information to configure your NVA and establish the BGP session.
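Before the BGP session is configured on the NVA, it is worth checking the peering parameters against the constraints Azure imposes: the subnet must be named RouteServerSubnet and be at least a /27, the Route Server exposes two peer IPs inside that subnet, the NVA must sit elsewhere in the VNet and must not use an ASN Azure reserves. The following Python script is an added example, not code from the article or from Microsoft. The VNet, subnet, peer IPs and NVA ASN are constructed values; the FRRouting stanza it renders is one common way to configure an NVA and is an assumption about your appliance, and the reserved-ASN set is taken from the Route Server FAQ and should be verified against current documentation.

```python
"""Pre-flight checks for peering an NVA with Azure Route Server (added example)."""
import ipaddress
from typing import List

ROUTE_SERVER_ASN = 65515            # fixed by Azure; shown on the Route Server Overview page
# ASNs Azure reserves for its own use (Route Server FAQ at time of writing; verify).
AZURE_RESERVED_ASNS = {65515, 65517, 65518, 65519, 65520, 8074, 8075, 12076}
ROUTE_SERVER_SUBNET_NAME = "RouteServerSubnet"


def check_peering(vnet_cidr: str, rs_subnet_name: str, rs_subnet_cidr: str,
                  rs_peer_ips: List[str], nva_ip: str, nva_asn: int) -> List[str]:
    """Return findings that would stop the peering from being accepted or coming up."""
    findings: List[str] = []
    vnet = ipaddress.ip_network(vnet_cidr)
    rs_subnet = ipaddress.ip_network(rs_subnet_cidr)
    peers = [ipaddress.ip_address(p) for p in rs_peer_ips]
    nva = ipaddress.ip_address(nva_ip)

    if rs_subnet_name != ROUTE_SERVER_SUBNET_NAME:
        findings.append(f"subnet must be named {ROUTE_SERVER_SUBNET_NAME}, got {rs_subnet_name}")
    if rs_subnet.prefixlen > 27:
        findings.append(f"{rs_subnet} is smaller than the required /27")
    if not rs_subnet.subnet_of(vnet):
        findings.append(f"{rs_subnet} is not inside the VNet {vnet}")
    # Route Server exposes two peer IPs; the NVA should peer with both for redundancy.
    if len(peers) != 2:
        findings.append(f"expected 2 Route Server peer IPs, got {len(peers)}")
    for p in peers:
        if p not in rs_subnet:
            findings.append(f"peer IP {p} is not in {rs_subnet}")
    # The NVA lives in the VNet but never in RouteServerSubnet, which is dedicated.
    if nva not in vnet:
        findings.append(f"NVA {nva} is not in the VNet {vnet} (peered VNets not modelled here)")
    elif nva in rs_subnet:
        findings.append(f"NVA {nva} must not be placed in {ROUTE_SERVER_SUBNET_NAME}")
    if nva_asn in AZURE_RESERVED_ASNS:
        findings.append(f"NVA ASN {nva_asn} is reserved by Azure; pick another private ASN")
    if not 1 <= nva_asn <= 4294967295:
        findings.append(f"NVA ASN {nva_asn} is out of range")
    return findings


def frr_bgp_stanza(nva_ip: str, nva_asn: int, rs_peer_ips: List[str],
                   advertised: List[str]) -> str:
    """Render the NVA side as FRRouting config: one eBGP neighbour per Route Server peer IP."""
    lines = [f"router bgp {nva_asn}", f" bgp router-id {nva_ip}"]
    for p in rs_peer_ips:
        lines.append(f" neighbor {p} remote-as {ROUTE_SERVER_ASN}")
        lines.append(f" neighbor {p} ebgp-multihop 2")   # assumed: peers are not link-adjacent
    lines.append(" address-family ipv4 unicast")
    for prefix in advertised:
        lines.append(f"  network {prefix}")              # prefixes the NVA injects into the VNet
    for p in rs_peer_ips:
        lines.append(f"  neighbor {p} activate")
    lines.append(" exit-address-family")
    return "\n".join(lines)


# Constructed sample values; copy the real peer IPs from the Overview page.
VNET = "10.1.0.0/16"
RS_SUBNET = "10.1.0.0/27"
RS_PEERS = ["10.1.0.4", "10.1.0.5"]
NVA_IP, NVA_ASN = "10.1.3.4", 65001

if __name__ == "__main__":
    problems = check_peering(VNET, "RouteServerSubnet", RS_SUBNET, RS_PEERS, NVA_IP, NVA_ASN)
    print("OK" if not problems else "\n".join(problems))
    print(frr_bgp_stanza(NVA_IP, NVA_ASN, RS_PEERS, ["10.100.0.0/16"]))
```

Run it once with the values you intend to enter in the Add Peer form; an empty findings list means the portal will accept the peer and the NVA configuration matches the Route Server's two instances.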

Deploying Azure Firewall with DDoS Protection: A Step-by-Step Guide

This section deploys an Azure Firewall inside a virtual network protected by Azure DDoS Network Protection, so that the firewall's public IP is covered against volumetric DDoS attacks. Azure DDoS Protection adds adaptive tuning, attack alert notifications and attack telemetry for the protected public IPs. The deployment uses a single virtual network (VNet) with two subnets:

  • AzureFirewallSubnet: Contains the firewall.
  • Workload-SN: Hosts the workload server; all of its outbound traffic is routed through the firewall.

For production environments, consider using a hub-and-spoke architecture where the firewall resides in its own VNet, and workload servers are in peered VNets.

In this example, we will:

  1. Set up a test network environment.
  2. Deploy a firewall and configure its policies.
  3. Set up routing and firewall rules.
  4. Test the firewall setup.

Set up the Network

First, create a resource group to contain the resources needed to deploy the firewall. Then create a VNet, subnets, and a test server.

Create a Resource Group

  • Sign in to the Azure portal.
  • Navigate to Resource Groups from the portal menu or search bar.

  • Click + Create and provide the required details (this guide uses the resource group name Test-FW-RG).
  • Select Review + Create, then click Create.

Create a DDoS Protection Plan

  • Search for DDoS Protection in the portal.
  • Select DDoS protection plans, then click + Create.
  • Fill in the required details under the Basics tab.

  • Click Review + Create, then select Create.

Create a Virtual Network (VNet)

  • Navigate to Create a resource > Networking > Virtual Network.
  • Configure the VNet:
      Name: Test-FW-VN
      IPv4 address space: 10.1.0.0/16
      Subnet 1: Name: AzureFirewallSubnet, Address range: 10.1.1.0/26 (the firewall requires a subnet with exactly this name and at least a /26)
      Subnet 2: Name: Workload-SN, Address range: 10.1.2.0/24
  • On the Security tab, enable Azure DDoS Network Protection and select your DDoS protection plan.
  • Click Review + Create, then Create.

Create a Virtual Machine (VM)

  • Go to Create a resource > Windows Server 2019 Datacenter.
  • Configure the VM:
      Name: Srv-Work
      Virtual network: Test-FW-VN
      Subnet: Workload-SN
      Public IP: None (the server is reached only through the firewall's DNAT rule)

  • Disable boot diagnostics, then click Review + Create and Create.
  • After deployment, note the private IP address of the VM for later use.

Deploy the Firewall and Configure Policies

Deploy Azure Firewall

  • Navigate to Create a resource > Firewall.
  • Configure the firewall:
      Resource group: Test-FW-RG
      Virtual network: Test-FW-VN (the firewall is placed in AzureFirewallSubnet)
      Firewall policy: create a new policy named fw-test-pol
      Accept the remaining default values, then click Review + Create and Create.

  • After deployment, note the firewall's public and private IP addresses.

Set a Default Route

Workload-SN needs a user-defined route that sends all outbound traffic to the firewall's private IP. Without it the subnet follows Azure's system routes straight to the Internet and bypasses the firewall.

  • Navigate to All Services > Route Tables and create a route table (e.g., Firewall-route) in Test-FW-RG.
  • Once the deployment is complete, click Go to resource.
  • On the Firewall-route page, navigate to Subnets and click Associate.
  • Under Virtual network, select Test-FW-VN.
  • For Subnet, choose Workload-SN.
  • Associate only Workload-SN with this route table. Do not associate AzureFirewallSubnet: a 0.0.0.0/0 route pointing at the firewall from the firewall's own subnet creates a routing loop and the firewall stops forwarding traffic.
  • Click OK.

Go to Routes and click Add:

  • Set Route name to fw-dg.
  • For the Address prefix, enter 0.0.0.0/0.
  • Under Next hop type, select Virtual appliance (Azure Firewall is a managed service, but for routing purposes it is treated as a virtual appliance).
  • Enter the firewall's private IP address (noted earlier) in the Next hop address.
  • Click OK.

Configure an Application Rule

This rule allows outbound HTTP and HTTPS access from Workload-SN to www.google.com:

  • Open the Test-FW-RG resource group and select the fw-test-pol firewall policy.
  • Navigate to Application Rules and click Add a rule collection.
  • Configure the rule collection as follows:
      Name: App-Coll01
      Priority: 200
      Rule collection action: Allow
  • Under Rules, provide the following details:
      Name: Allow-Google
      Source type: IP address
      Source: 10.1.2.0/24 (the Workload-SN address range created earlier; a source prefix that does not cover the workload subnet never matches its traffic)
      Protocol:port: http, https
      Destination type: FQDN
      Destination: www.google.com
  • Click Add to save the rule.

Configure a Network Rule

This rule allows outbound access to two IP addresses on port 53 for DNS traffic:

  • Go to Network Rules and click Add a rule collection.
  • Configure the rule collection with the following details:
      Name: Net-Coll01
      Priority: 200
      Rule collection action: Allow
      Rule collection group: DefaultNetworkRuleCollectionGroup
  • Under Rules, enter the following information:
      Name: Allow-DNS
      Source type: IP address
      Source: 10.1.2.0/24 (the Workload-SN address range)
      Protocol: UDP
      Destination Ports: 53
      Destination type: IP address
      Destination: 209.244.0.3, 209.244.0.4 (public DNS servers managed by CenturyLink)
  • Click Add to save the rule.

Configure a DNAT Rule

This rule enables Remote Desktop Protocol (RDP) access to the Srv-Work virtual machine through the firewall:

  • Navigate to DNAT rules and select Add a rule collection.
  • Configure the rule collection with the following details:
      Name: rdp
      Priority: 200
      Rule collection group: DefaultDnatRuleCollectionGroup
  • Under Rules, provide the following information:
      Name: rdp-nat
      Source type: IP address
      Source: * (any source IP; acceptable for this test, but this publishes RDP on the firewall's public IP to the whole Internet, so in production restrict the source to your administrators' IP ranges)
      Protocol: TCP
      Destination Ports: 3389
      Destination Type: IP address
      Destination: Enter the firewall's public IP address.
      Translated address: Enter the Srv-Work virtual machine's private IP address.
      Translated port: 3389
  • Click Add to save the rule.
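The route table and the three rule collections above only work together when their addresses agree: the rule sources must cover Workload-SN, the default route must point at the firewall and must not be attached to AzureFirewallSubnet, and a DNAT rule open to any source should be noticed before it reaches production. The following Python script is an added example, not code from the article or from Microsoft. It models the deployment as a plain dict constructed inline to mirror the tutorial's values; the firewall private IP 10.1.1.4 is an assumption, and the rule sources in the sample are deliberately set to 10.0.2.0/24, a prefix from a different address plan, to show the audit catching a rule that can never match.

```python
"""Consistency audit for the Azure Firewall deployment in this tutorial (added example)."""
import copy
import ipaddress
from typing import Dict, List


def _net(prefix: str) -> ipaddress.IPv4Network:
    """Parse 'a.b.c.d/n' or a bare address; the portal wildcard '*' means 0.0.0.0/0."""
    return ipaddress.ip_network("0.0.0.0/0" if prefix == "*" else prefix, strict=False)


def audit(cfg: Dict) -> List[str]:
    """Return human-readable findings; an empty list means the pieces fit together."""
    findings: List[str] = []
    subnets = {s["name"]: _net(s["prefix"]) for s in cfg["subnets"]}
    workload_name = cfg["workload_subnet"]
    workload = subnets[workload_name]
    fw_ip = ipaddress.ip_address(cfg["firewall_private_ip"])

    # The firewall's private address must come from AzureFirewallSubnet.
    if fw_ip not in subnets["AzureFirewallSubnet"]:
        findings.append(f"firewall private IP {fw_ip} is outside AzureFirewallSubnet")

    # Default route: must target the firewall, must be on the workload subnet,
    # and must never be attached to AzureFirewallSubnet (traffic would loop).
    for rt in cfg["route_tables"]:
        for route in rt["routes"]:
            if route["prefix"] != "0.0.0.0/0":
                continue
            if (route["next_hop_type"] != "VirtualAppliance"
                    or ipaddress.ip_address(route["next_hop"]) != fw_ip):
                findings.append(f"{rt['name']}/{route['name']}: default route does not point at {fw_ip}")
            if "AzureFirewallSubnet" in rt["associated_subnets"]:
                findings.append(f"{rt['name']}: 0.0.0.0/0 via the firewall is associated with "
                                "AzureFirewallSubnet (routing loop)")
            if workload_name not in rt["associated_subnets"]:
                findings.append(f"{rt['name']}: not associated with {workload_name}; "
                                "workload traffic bypasses the firewall")

    # Rules: an allow rule whose sources do not overlap the workload subnet can never
    # match workload traffic; a DNAT rule open to '*' on 3389 exposes RDP to the Internet.
    for coll in cfg["rule_collections"]:
        for rule in coll["rules"]:
            sources = [_net(s) for s in rule["sources"]]
            if coll["type"] == "Dnat":
                if 3389 in rule["dest_ports"] and any(n.prefixlen == 0 for n in sources):
                    findings.append(f"{coll['name']}/{rule['name']}: RDP published to any source; "
                                    "restrict Source to administrator IPs")
                continue
            if not any(n.overlaps(workload) for n in sources):
                findings.append(f"{coll['name']}/{rule['name']}: sources {rule['sources']} do not "
                                f"overlap {workload_name} ({workload}); rule never matches")
    return findings


# Constructed to mirror the tutorial: VNet 10.1.0.0/16, AzureFirewallSubnet 10.1.1.0/26,
# Workload-SN 10.1.2.0/24. Rule sources deliberately use 10.0.2.0/24 (wrong plan).
TUTORIAL_CONFIG: Dict = {
    "subnets": [{"name": "AzureFirewallSubnet", "prefix": "10.1.1.0/26"},
                {"name": "Workload-SN", "prefix": "10.1.2.0/24"}],
    "workload_subnet": "Workload-SN",
    "firewall_private_ip": "10.1.1.4",  # assumed; read the real value from the portal
    "route_tables": [{
        "name": "Firewall-route", "associated_subnets": ["Workload-SN"],
        "routes": [{"name": "fw-dg", "prefix": "0.0.0.0/0",
                    "next_hop_type": "VirtualAppliance", "next_hop": "10.1.1.4"}]}],
    "rule_collections": [
        {"name": "App-Coll01", "type": "Application", "rules": [
            {"name": "Allow-Google", "sources": ["10.0.2.0/24"], "dest_ports": [80, 443]}]},
        {"name": "Net-Coll01", "type": "Network", "rules": [
            {"name": "Allow-DNS", "sources": ["10.0.2.0/24"], "dest_ports": [53]}]},
        {"name": "rdp", "type": "Dnat", "rules": [
            {"name": "rdp-nat", "sources": ["*"], "dest_ports": [3389]}]},
    ],
}


def corrected_config(admin_cidr: str = "203.0.113.10/32") -> Dict:
    """Same deployment with sources matching Workload-SN and RDP limited to one admin host."""
    cfg = copy.deepcopy(TUTORIAL_CONFIG)
    for coll in cfg["rule_collections"]:
        for rule in coll["rules"]:
            rule["sources"] = [admin_cidr] if coll["type"] == "Dnat" else ["10.1.2.0/24"]
    return cfg


def looped_config() -> Dict:
    """The default route wrongly associated with AzureFirewallSubnet as well."""
    cfg = copy.deepcopy(TUTORIAL_CONFIG)
    cfg["route_tables"][0]["associated_subnets"].append("AzureFirewallSubnet")
    return cfg


if __name__ == "__main__":
    for line in audit(TUTORIAL_CONFIG):
        print(" -", line)
```

Running the script against the sample reports the two allow rules that never match and the wide-open DNAT rule; `corrected_config()` shows the same deployment with the sources aligned to Workload-SN and RDP restricted to a single administrator address, and `looped_config()` shows how associating the default route with AzureFirewallSubnet is flagged.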

Update the DNS Settings for the Srv-Work Network Interface

To configure the server's primary and secondary DNS addresses for testing purposes (not a general Azure Firewall requirement):

  1. Open the Azure portal menu and select Resource Groups, or search for and select Resource Groups from any page.
  2. Select the Test-FW-RG resource group.
  3. Locate and select the network interface associated with the Srv-Work virtual machine.
  4. Under Settings, choose DNS servers.
  5. In the DNS servers section, select Custom.
  6. Enter the following values: Primary DNS server: 209.244.0.3 Secondary DNS server: 209.244.0.4
  7. Click Save to apply the changes.
  8. Restart the Srv-Work virtual machine to ensure the new settings take effect.

Test the Firewall

Follow these steps to confirm the firewall is functioning as expected:

  1. Connect to the Virtual Machine: Use Remote Desktop to connect to the firewall's public IP address. Sign in to the Srv-Work virtual machine.
  2. Test Access to Allowed FQDN: Open Internet Explorer and navigate to https://www.google.com. If prompted with security alerts, select OK > Close. You should successfully access the Google homepage.
  3. Test Access to a Blocked FQDN: Attempt to browse to https://www.microsoft.com. The firewall should block the request.

Verification of Firewall Rules

  • Allowed Access: You can browse to the permitted FQDN (www.google.com).
  • Blocked Access: Any FQDN not covered by an allow rule is denied, because Azure Firewall drops traffic that no rule permits.
  • DNS Resolution: You can resolve DNS names using the external DNS server configured earlier.

More articles by Ankit Ranjan (DevOps Engineer)
