Deploy firewall to existing resource group

Anthony 1 Reputation point
2021-06-18T03:43:34.073+00:00

Hi Microsoft community,

I'll start by saying I am new to this forum as well as Azure as a whole. I have three resource groups that represent our different environments (development, quality assurance and production). We had a security incident recently, and now we would like to deploy firewalls for each respective resource group.

My question is: are there any ways to do this without removing public IPs from our servers? Currently, we are using Azure TLDs to access these servers over the internet, and by removing the public IPs we would need to register our own domains for these servers.

If anyone has any guidance or articles/tutorials out there other than the ones describing how to do it from scratch, that would be great.

Thank you


1 answer

  1. TravisCragg-MSFT 5,681 Reputation points Microsoft Employee
    2021-06-23T23:42:15.157+00:00

    There is no point to having Public IPs on VMs that are protected / routing traffic using Azure Firewall, as return traffic will be dropped by the firewall. You can have Public IPs on VMs that are in subnets that are not routing traffic to the firewall / protected by Azure Firewall.

    You can also have the VMs accessible via Azure Load Balancers, or the Azure Firewall's Public IPs. You can even detach your existing IP addresses (with DNS names) and add them to the Azure Firewall, then create a DNAT rule to your VM. If you have a large number of VMs this might get quite tedious though.

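The answer above notes that creating a DNAT rule per VM gets tedious with many VMs. As an added example (not code from the thread or from Microsoft), this Python script generates the rules from an inventory, in the shape of the `natRuleCollections` property of a classic-rules Azure Firewall ARM template. The VM names, addresses, port, collection name and the choice to reject `*` as a source are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample inventory (not from the thread): each VM's former public IP,
# now attached to the firewall, and the VM's private address inside the VNet.
INVENTORY = [
    {"vm": "dev-web01", "fw_public_ip": "203.0.113.10", "private_ip": "10.1.0.4", "port": 443},
    {"vm": "qa-web01", "fw_public_ip": "203.0.113.11", "private_ip": "10.2.0.4", "port": 443},
    {"vm": "prod-web01", "fw_public_ip": "203.0.113.12", "private_ip": "10.3.0.4", "port": 443},
]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def build_dnat_collection(inventory, allowed_sources, name="inbound-dnat", priority=200):
    """Build one classic-rules natRuleCollections entry covering every VM in inventory."""
    if not 100 <= priority <= 65000:
        raise ValueError("rule collection priority must be between 100 and 65000")
    if not allowed_sources or "*" in allowed_sources:
        raise ValueError("list explicit source ranges instead of '*'")
    for src in allowed_sources:
        ipaddress.ip_network(src)  # raises ValueError on a malformed range
    seen, rules = set(), []
    for item in inventory:
        public = ipaddress.ip_address(item["fw_public_ip"])
        private = ipaddress.ip_address(item["private_ip"])
        if not any(private in net for net in RFC1918):
            raise ValueError(f"{item['vm']}: translated address must be a private IP")
        key = (str(public), item["port"])
        if key in seen:  # a second rule on the same IP:port would be ambiguous
            raise ValueError(f"{item['vm']}: {key[0]}:{key[1]} is already mapped")
        seen.add(key)
        rules.append({
            "name": f"dnat-{item['vm']}-{item['port']}",
            "protocols": ["TCP"],
            "sourceAddresses": list(allowed_sources),
            "destinationAddresses": [str(public)],
            "destinationPorts": [str(item["port"])],
            "translatedAddress": str(private),
            "translatedPort": str(item["port"]),
        })
    return {"name": name,
            "properties": {"priority": priority, "action": {"type": "Dnat"}, "rules": rules}}


if __name__ == "__main__":
    print(json.dumps(build_dnat_collection(INVENTORY, ["198.51.100.0/24"]), indent=2))
```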
