Configure backup for Azure Firewall

Intro

Azure Firewall is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall allows you to centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. It also integrates with Azure Monitor for logging and analytics.

However, one challenge many Azure Firewall users face is how to back up their firewall and firewall policy and restore them after an accidental deletion or a bad change. Azure Firewall has no native backup feature at the time of writing. But don’t worry, I have a solution for you! In this article, I will show you how to use an Automation Account and a Storage Account to export the firewall and its policy as ARM templates on a schedule, keep those backups in blob storage, and redeploy them when needed. This way, you can ensure that your firewall configuration is always recoverable.

Requirements:

  • Automation Account with a system-assigned managed identity and the access rights below
    • Reader on the resource group of the Azure Firewall (and on the resource group of the Firewall Policy, if it lives in a different one, since the policy is exported too)
    • Storage Blob Data Contributor on the Storage Account (or, for least privilege, on the backup container only)
  • Storage Account
  • Runbook

Setup Automation Account

  • Go to the Azure Portal, search for Automation Account and create a new one.

  • Once created, open the Automation Account and check that the system-assigned managed identity is enabled. If not, set the status to On and save.

Setup Storage Account

  • Go to the Azure Portal, search for Storage Account and create a new one. Consider enabling blob soft delete and versioning on it, so that a backup cannot be silently overwritten or deleted by a later run or by anyone who obtains the identity's permissions.

Configure Access

The identity of the Automation Account will need the below accesses.

  • Reader access on Resource Group of Azure firewall.
  • Storage Blob Data Contributor access on Storage Account.

  • Go to the Resource Group of the Azure Firewall resource. Click on Access control (IAM) and select Add role assignment.

  • Select the Reader role and click Next. Under Members, choose Managed identity and select the identity of the Automation Account we created earlier.

  • Finally click on Review and Assign to finish this role assignment.

Now we will perform the same steps to grant the Automation Account access to write the backup data to the Storage Account we created earlier.

  • Navigate to the Storage Account. Click on Access control (IAM) and select Add role assignment.
  • Afterwards, select the Storage Blob Data Contributor role and click on next. Then you have to select the Managed Identity of the Automation Account we created earlier.
  • Finally click on Review and Assign to finish this role assignment.
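The same two role assignments, done with Az PowerShell instead of the portal, as an added example that is not part of the original post. It enables the system-assigned identity, grants Reader on the firewall's and the policy's resource groups, and scopes the storage role to the backup container rather than the whole account. Every name below is a placeholder, and the script assumes the Automation Account name is unique in the tenant (the identity's service principal carries the same display name).

```powershell
# Added example (not from the original post): enable the Automation Account's system-assigned
# identity and grant it the two roles from this section. All names are placeholders.
$automationRg          = 'rg-automation'      # assumed
$automationAccountName = 'aa-fwbackup'        # assumed
$firewallRg            = 'rg-hub-network'     # assumed: resource group holding the Azure Firewall
$policyRg              = 'rg-hub-network'     # assumed: resource group holding the Firewall Policy
$storageRg             = 'rg-backup'          # assumed
$storageAccountName    = 'stfwbackup'         # assumed
$containerName         = 'firewall-backups'   # assumed

$ErrorActionPreference = 'Stop'

# Turn on the system-assigned managed identity (no-op if it is already on)
Set-AzAutomationAccount -ResourceGroupName $automationRg -Name $automationAccountName -AssignSystemIdentity | Out-Null

# The identity's service principal has the same display name as the Automation Account.
# A freshly created identity can take a short while to appear in Entra ID; re-run if this throws.
$sp = @(Get-AzADServicePrincipal -DisplayName $automationAccountName)
if ($sp.Count -ne 1) { throw "Expected exactly one service principal named '$automationAccountName', found $($sp.Count)" }
$principalId = $sp[0].Id

# New-AzRoleAssignment errors on an assignment that already exists, so check first
function Grant-RoleOnce([string]$RoleName, [string]$Scope) {
    $existing = Get-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $Scope -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $Scope | Out-Null
    }
}

# Reader on the firewall's (and, if different, the policy's) resource group is enough to export templates
$readerScopes = @((Get-AzResourceGroup -Name $firewallRg).ResourceId, (Get-AzResourceGroup -Name $policyRg).ResourceId) | Select-Object -Unique
foreach ($scope in $readerScopes) { Grant-RoleOnce -RoleName 'Reader' -Scope $scope }

# Make sure the backup container exists (this uses the account key; switch to
# New-AzStorageContext -UseConnectedAccount if shared-key access is disabled on the account)
$storage = Get-AzStorageAccount -ResourceGroupName $storageRg -Name $storageAccountName
if (-not (Get-AzStorageContainer -Name $containerName -Context $storage.Context -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $containerName -Context $storage.Context -Permission Off | Out-Null
}

# Storage Blob Data Contributor scoped to the one container the runbook writes to, not the whole account
$containerScope = "$($storage.Id)/blobServices/default/containers/$containerName"
Grant-RoleOnce -RoleName 'Storage Blob Data Contributor' -Scope $containerScope

# Verify: the identity should hold exactly these assignments and nothing broader
Get-AzRoleAssignment -ObjectId $principalId | Select-Object RoleDefinitionName, Scope
```

Scoping the data role to the container means a compromised runbook can only touch the backups, not any other data on the account; combined with blob soft delete or versioning on the Storage Account, it also cannot destroy older backups beyond recovery.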

Configure Runbook

  • Navigate to the Automation Account and create a new runbook.

  • Enter a name, select PowerShell as the runbook type and 5.1 as the runtime version, then click Create.

  • Once created, you will automatically be redirected to the new runbook. Copy and paste the PowerShell code into this runbook. The code can be found on my GitHub repository. The runbook relies on the Az modules, so make sure the modules it imports are present under the Automation Account's Modules blade before testing.

  • Afterwards, save the runbook and open the Test pane to test it.

  • Enter the required parameters and click Start. This runs the script and takes a backup of your Azure Firewall. Once the job succeeds, the output pane confirms the backup, and the exported files appear in the Storage Account.
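Because the runbook code lives in the author's GitHub repository and is not reproduced on this page, the following is my own added example of such a runbook (not the author's script) that does the same job: it signs in as the managed identity, exports the firewall and the Firewall Policy it references as ARM templates with Export-AzResourceGroup, and uploads them to a blob container using Entra ID authentication, so no storage key or credential is stored in the runbook. The parameter names, the container name and the blob layout are assumptions. It needs the Az.Accounts, Az.Network, Az.Resources and Az.Storage modules in the Automation Account.

```powershell
# Added example runbook (not the author's GitHub script): back up an Azure Firewall and the
# Firewall Policy it uses as ARM templates and upload them to a blob container.
# Runs under the Automation Account's system-assigned managed identity.
param(
    [Parameter(Mandatory = $true)]  [string] $SubscriptionId,
    [Parameter(Mandatory = $true)]  [string] $FirewallResourceGroupName,
    [Parameter(Mandatory = $true)]  [string] $FirewallName,
    [Parameter(Mandatory = $true)]  [string] $StorageAccountName,
    [Parameter(Mandatory = $false)] [string] $ContainerName = 'firewall-backups'   # assumed container name
)

$ErrorActionPreference = 'Stop'

# Authenticate as the managed identity; no secrets are stored in the runbook
$null = Connect-AzAccount -Identity
$null = Set-AzContext -SubscriptionId $SubscriptionId

$firewall = Get-AzFirewall -ResourceGroupName $FirewallResourceGroupName -Name $FirewallName
$resourceIds = @($firewall.Id)

# The Firewall Policy may live in another resource group; resolve it from the firewall's reference.
# A firewall using classic rules has no policy, and its rules are part of the firewall template itself.
if ($firewall.FirewallPolicy -and $firewall.FirewallPolicy.Id) {
    $resourceIds += $firewall.FirewallPolicy.Id
}

$timestamp = (Get-Date).ToUniversalTime().ToString('yyyyMMdd-HHmmss')
$workDir = Join-Path $env:TEMP "fwbackup-$timestamp"
New-Item -ItemType Directory -Path $workDir | Out-Null

# Export-AzResourceGroup is resource-group scoped, so export each resource in its own group.
# Resource ID layout: /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}
$files = @()
foreach ($id in $resourceIds) {
    $parts = $id -split '/'
    $rg    = $parts[4]
    $name  = $parts[-1]
    $path  = Join-Path $workDir "$name.json"
    # -IncludeParameterDefaultValue lets the template be redeployed without supplying parameters
    Export-AzResourceGroup -ResourceGroupName $rg -Resource $id -Path $path -IncludeParameterDefaultValue -Force | Out-Null
    $files += $path
}

# Entra ID (RBAC) auth to blob storage: needs Storage Blob Data Contributor on the container or account
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
foreach ($f in $files) {
    # Assumed blob layout: <firewall name>/<UTC timestamp>/<resource name>.json
    $blobName = "$FirewallName/$timestamp/$(Split-Path $f -Leaf)"
    Set-AzStorageBlobContent -File $f -Container $ContainerName -Blob $blobName -Context $ctx -Force | Out-Null
    Write-Output "Uploaded $blobName"
}

Remove-Item -Path $workDir -Recurse -Force
Write-Output "Backup of '$FirewallName' completed with $($files.Count) template(s)."
```

Retention is deliberately not handled in the runbook: a lifecycle management rule on the Storage Account can expire old blobs without the runbook identity ever holding delete rights it does not need for the backup itself.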

Create a schedule

Now that the runbook is tested, we will publish it and link it to a schedule so that it runs daily.

  • Go to the runbook you have created and click on Publish. Confirm that you want to override the previously published version.

  • Navigate again to the runbook and click on Link to schedule.

  • Click on Link a schedule to your runbook and then select Add a schedule. Here you can create a daily recurring schedule.

  • Afterwards, click on Configure parameters and run settings and fill in the same parameters you used in the test run.

Congratulations, you have now created a schedule that runs daily to back up your Azure Firewall and Firewall Policy.

Restore Azure Firewall

You can now open the backup files in the Storage Account and compare them with the current configuration, or with an older backup, to see exactly what has changed. If the change is small, you can manually recreate the policy rules that were changed or removed by mistake.

It is also possible to restore the Azure Firewall and Firewall Policy via PowerShell. For that you need to sign in (Connect-AzAccount) with an Azure account that has Contributor rights on the Azure Firewall’s resource group (and on the Firewall Policy’s resource group, if it is a different one). Download the template from the Storage Account and run the command below. Two caveats: the exported firewall template references its Firewall Policy by resource ID, so if the policy itself was deleted, redeploy the policy template first; and because the deployment rewrites the resource with whatever the template contains, run it with -WhatIf first to review which properties and rule collections it will add, change or remove.

New-AzResourceGroupDeployment -Name $azurefirewallname -ResourceGroupName $resourcegroupname -TemplateFile $filepath
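The full restore flow around that command, as an added example that is not part of the original post: it downloads a chosen backup blob with Entra ID authentication, previews the deployment with -WhatIf, and only deploys when you pass -Apply. The parameter names and the blob layout (firewall name, timestamp folder, template file) are assumptions that match nothing on the page; adjust them to wherever your runbook stores its files.

```powershell
# Added example (not from the original post): restore an Azure Firewall or Firewall Policy from
# a backup template stored in blob storage. Run interactively with an account that has Contributor
# on the target resource group. Parameter names and the blob layout are assumptions.
param(
    [Parameter(Mandatory = $true)] [string] $SubscriptionId,
    [Parameter(Mandatory = $true)] [string] $ResourceGroupName,     # resource group of the resource being restored
    [Parameter(Mandatory = $true)] [string] $StorageAccountName,
    [Parameter(Mandatory = $true)] [string] $ContainerName,
    [Parameter(Mandatory = $true)] [string] $BlobName,              # e.g. 'fw-hub/20240101-020000/fw-hub.json' (assumed layout)
    [switch] $Apply                                                 # without this switch only the -WhatIf preview runs
)

$ErrorActionPreference = 'Stop'

# Interactive sign-in; Contributor on $ResourceGroupName is required for the deployment itself
$null = Connect-AzAccount
$null = Set-AzContext -SubscriptionId $SubscriptionId

# Download the template using Entra ID auth (needs Storage Blob Data Reader or higher on the container)
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -UseConnectedAccount
$localDir = Join-Path $env:TEMP 'fwrestore'
New-Item -ItemType Directory -Path $localDir -Force | Out-Null
$templateFile = Join-Path $localDir (Split-Path $BlobName -Leaf)
Get-AzStorageBlobContent -Container $ContainerName -Blob $BlobName -Destination $templateFile -Context $ctx -Force | Out-Null

# Sanity check before touching anything: the file must parse as an ARM template with resources in it
$template = Get-Content -Path $templateFile -Raw | ConvertFrom-Json
if (-not $template.resources -or $template.resources.Count -eq 0) {
    throw "'$BlobName' does not look like an ARM template with resources"
}
Write-Output ("Template contains: " + (($template.resources | ForEach-Object { $_.type }) -join ', '))

$deploymentName = "fw-restore-$((Get-Date).ToUniversalTime().ToString('yyyyMMddHHmmss'))"

# Preview: lists every property the deployment would create, modify or delete, without applying it
New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $ResourceGroupName -TemplateFile $templateFile -WhatIf

if ($Apply) {
    # Incremental mode (the default) leaves other resources in the group untouched but replaces
    # the restored resource's properties with those in the template
    New-AzResourceGroupDeployment -Name $deploymentName -ResourceGroupName $ResourceGroupName -TemplateFile $templateFile -Mode Incremental
    Write-Output "Deployment '$deploymentName' submitted."
} else {
    Write-Output "Preview only. Re-run with -Apply to perform the restore."
}
```

If both the firewall and its policy must be restored, run this twice: first for the policy template (in the policy's resource group), then for the firewall template, so the firewall's policy reference resolves.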

Conclusion

I hope you enjoyed this blogpost and learned something new.

I have shown you how to create an automated solution to backup your Azure Firewall and Firewall Policy using an Azure Automation Account and PowerShell. This way, you can easily restore your firewall configuration in case of any accidental changes or disasters.

Feel free to customize the solution to fit your specific needs and preferences. Thank you for reading and stay tuned for more tips and tricks on Azure!