Azure Firewall is the firewall-as-a-service solution exists in the Microsoft public cloud, that allows you to secure the resources in Azure Virtual Networks and to govern its network flows. This article provides a mechanism designed to make the scheduled backup of this component configuration using Azure Automation.
Azure Firewall is a solution that is increasingly being used in Azure architectures, for the advantages over firewall solutions by third party vendors and thanks to a constant enrichment of features offered. From the moment it is adopted, this service becomes the government center of your Azure networking environment and will contain different rules to comprehensively manage the network traffic. It is therefore essential to have a strategy that allows you to restore the configuration of the service quickly. The service currently does not have an integrated feature to make full backup periodically. For this reason I made a runbook in Azure Automation that backup the Azure Firewall configuration on a Azure blob storage account.
In the following paragraphs there is the procedure for enabling periodic configuration backup using this methodology.
If you do not have an Azure Automation Account is necessary to proceed with its creation:
It is also necessary to have a blob storage account on which the Azure Firewall backups will be saved.
In the firewall account storage settings must be enabled the exception "Allow trusted Microsoft services to access this storage account".
On the storage account you can also consider creating policies that enable you to prevent the deletion of backups.
Configuring modules on Azure Automation
Azure Automation supports the ability to use the moduleAzure Powershell Az in runbooks. The module AZ is currently not automatically imported into Automation Accounts. For this reason it is necessary procedures with its configuration as described by this Microsoft's document, in particular by following the procedure given below.
These are the modules required for this automation:
Import and publish of runbook
The next step is to create the Runbook in Azure Automation:
You can find the code of the runbook in this GitHub page. Once you have created the runbook is appropriate to proceed with its publication.
As last step you should schedule the periodic execution of the runbook.
Backups in JSON format of the Azure Firewall configuration is automatically saved in the storage accounts indicated and are retained for the number of days expressed in the parameter "RetentionDays".
Restoring your configuration
In case you need to restore the Azure Firewall configuration is sufficient to deploy the JSON file in the specific resource group, using the following command:
New-AzResourceGroupDeployment -name “RestoreAzureFirewall” -ResourceGroupName “AFW-RGNamexxx” -TemplateFile “.xxx-afwxxxxx.json”
Thanks to the adoption of this automation is possible to backup Azure Firewall configuration on a Azure blob storage account. All this is particularly useful and strategic in case of wrong modification of the rules, or if there is a partial or total cancellation of Azure Firewall configuration, which can be accidental or carried out by unauthorized persons.