Azure Backup can't back up Azure Firewall directly, so additional steps are needed before you can back up the firewall rules. If you create all the rules with PowerShell or an ARM/Bicep template, it is easy to add them again, but over time rules are often changed or added manually. Therefore a good backup of the rules is needed to make sure the latest setup is backed up.
Azure Firewall is a managed, stateful network security service.
Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions. To meet the increased performance demands of IDPS and TLS inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.
Details about Azure Firewall can be found on the Microsoft Docs site: Azure Firewall documentation | Microsoft Docs.
Here is a setup in my test lab with some rules. Keep in mind that the current runbook only works if the firewall, the policies and the storage account are in the same resource group. In this blog post I may use different names across the screenshots; it is the method that you need, and the things that can go wrong.
- Automation account
- Storage Account
Overview of my demo lab: an empty shell with rules.
When you need to get all the firewall rules and settings quickly, you can export the template in the policy manager, as below for my policies for the Azure virtual machines.
Manual export is quick and easy. When we want to do this automatically we need an automation account and a runbook that creates a full backup on a storage account; the storage account can then be backed up with Azure Backup.
First we need to set up an Automation Account.
Now that the Automation Account is created we can configure it to our needs.
Go to the Automation account and, in the Settings blade under Account settings, create a "Run As" account. This provides the service principal that will be used to log in automatically.
Adding the Run As account.
This provides the service principal access that the runbook uses to log in automatically.
The runbook is a PowerShell script and we need to confirm that we have access to the network and resources modules. It is important to check that the Az modules are there, otherwise the PowerShell script won't run. But everything you need is already available.
The modules that we need are Az.Accounts, Az.Network and Az.Resources.
As you can see all the Az modules are there; with the + (add a module) option in the menu you can add any other modules you may need.
When running the PowerShell script it needs a storage location. A storage account will be used as storage; keep in mind that the storage account name needs to be globally unique. It can also be a storage account that you already have for backup or management; in that case that account can be used.
Create a blob storage account.
This can be done with PowerShell or manually.

```powershell
# Names for the firewall backup resources (example values; the storage account name must be globally unique)
$ResourceGroupName  = "rg-firewall-backup"
$StorageAccountName = "stfwbackup01"
$Location           = "West Europe"
# Create new RG for the firewall backup
New-AzResourceGroup -Name $ResourceGroupName -Location $Location
# Create new Storage account for the firewall backup
New-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -Location $Location -SkuName Standard_LRS -Kind StorageV2
```
Now we save the account name and storage key, and we create a blob container.
Now that the blob container is created, we create a folder in it; you can also do this in the runbook.
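The key, context, container and "folder" steps above done in PowerShell, as an added example (not part of the original post or of the published runbook). The resource group, storage account, container and Automation account names are assumptions; the last step, keeping the key in an encrypted Automation variable instead of typing it into the schedule parameters, is an optional hardening the post does not require.

```powershell
# Added example: save the storage key, create the container and a "folder" prefix.
# Names are assumed; $ResourceGroupName / $StorageAccountName are the ones created above.
$ResourceGroupName  = "rg-firewall-backup"
$StorageAccountName = "stfwbackup01"
$ContainerName      = "firewallbackup"
$AutomationAccount  = "aa-firewall-backup"   # assumed Automation account name

# key1 of the account; the runbook authenticates to storage with it
$storageKey = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName)[0].Value
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $storageKey

# Private container (PublicAccess Off, as in the runbook output) for the exported rule sets
New-AzStorageContainer -Name $ContainerName -Context $ctx -Permission Off

# Blob storage has no real folders: a "folder" is just a prefix in the blob name.
# Upload an empty placeholder so the prefix shows up in the portal.
$placeholder = New-TemporaryFile
Set-AzStorageBlobContent -File $placeholder.FullName -Container $ContainerName -Blob "rules/.keep" -Context $ctx -Force

# Optional: keep the key out of plain-text schedule parameters by storing it as an
# encrypted Automation variable; a runbook reads it with Get-AutomationVariable -Name 'FirewallBackupStorageKey'.
New-AzAutomationVariable -ResourceGroupName $ResourceGroupName -AutomationAccountName $AutomationAccount `
    -Name "FirewallBackupStorageKey" -Value $storageKey -Encrypted $true
```

If you later rotate key1 on the storage account, the value stored here (or typed into the schedule) becomes stale and the runbook fails with a 403, which is the second error shown further down.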
Now that the storage account is created we go back to the automation account created earlier and create a runbook; this runbook is used to back up all the firewall rules to the storage account.
Create a runbook.
Just give it a name and choose PowerShell 5.
We are using the runbook that is on the GitHub page.
Select the just created runbook and copy the text from https://raw.githubusercontent.com/Azure/Azure-Network-Security/master/Azure Firewall/Runbook – Back Up Azure Firewall/Runbook.txt
into the newly created runbook and click Save.
We need to test the runbook to see if it works.
Here we use the resource group and storage account that we created for this. You can also make these fixed in the runbook, but parameters are better and also very handy if you want to back up more firewall policies.
In my case I played too much: if the folder already exists you will see an error in the test. I also like to show what kind of errors you could get.
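To show what the runbook parameters map to, here is a simplified backup runbook written for this post as an added example. It follows the same flow as the published runbook's log messages shown below (log in, create or reuse the container, export the firewall as an ARM template, upload, prune old blobs) but is not a copy of that runbook. The parameter names, the Run As connection name AzureRunAsConnection and the blob naming are assumptions.

```powershell
# Added example: simplified Azure Firewall backup runbook (PowerShell 5.1, Az modules).
# Parameters mirror what you fill in when testing or scheduling; names are assumed.
param (
    [Parameter(Mandatory = $true)]  [string] $ResourceGroupName,    # firewall, policy and storage account share this RG
    [Parameter(Mandatory = $true)]  [string] $AzureFirewallName,
    [Parameter(Mandatory = $true)]  [string] $StorageAccountName,
    [Parameter(Mandatory = $true)]  [string] $StorageKey,
    [Parameter(Mandatory = $true)]  [string] $BlobContainerName,
    [Parameter(Mandatory = $false)] [int]    $RetentionDays = 7
)
$ErrorActionPreference = 'Stop'   # any failure stops the job, as in the 403 error shown in the post

Write-Output "Logging in to Azure..."
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'   # the Run As account created earlier
Connect-AzAccount -ServicePrincipal -Tenant $conn.TenantId `
    -ApplicationId $conn.ApplicationId -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

# Storage context from the key passed as a parameter (a wrong or rotated key fails here with 403)
$ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $StorageKey
if (-not (Get-AzStorageContainer -Name $BlobContainerName -Context $ctx -ErrorAction SilentlyContinue)) {
    Write-Output "Creating '$BlobContainerName' blob container space for storage..."
    New-AzStorageContainer -Name $BlobContainerName -Context $ctx -Permission Off | Out-Null
} else {
    Write-Output "Container '$BlobContainerName' already exists"
}

# Export the firewall, plus the firewall policy it references, as an ARM template.
# Export-AzResourceGroup works within one resource group, which is why everything must share the RG.
Write-Output "Starting Azure Firewall current configuration export in json..."
$fw = Get-AzFirewall -Name $AzureFirewallName -ResourceGroupName $ResourceGroupName
$resourceIds = @($fw.Id)
if ($fw.FirewallPolicy -and $fw.FirewallPolicy.Id) { $resourceIds += $fw.FirewallPolicy.Id }

$stamp    = Get-Date -Format 'yyyyMMddHHmm'
$fileName = "AzureFirewall_$($AzureFirewallName)$stamp.json"
$export   = Export-AzResourceGroup -ResourceGroupName $ResourceGroupName -Resource $resourceIds `
    -Path (Join-Path $env:TEMP $fileName) -IncludeParameterDefaultValue -Force
$outPath  = $export.Path

Write-Output "Submitting request to dump Azure Firewall configuration"
Set-AzStorageBlobContent -File $outPath -Container $BlobContainerName -Blob $fileName -Context $ctx -Force | Out-Null

# Retention: delete backups older than the configured number of days
Write-Output "Removing backups older than '$RetentionDays' days from blob: '$BlobContainerName'"
$cutoff = (Get-Date).ToUniversalTime().AddDays(-$RetentionDays)
Get-AzStorageBlob -Container $BlobContainerName -Context $ctx |
    Where-Object { $_.LastModified.UtcDateTime -lt $cutoff } |
    Remove-AzStorageBlob -Force

Write-Output "Azure Firewall current configuration back up completed."
```

The export keeps the generated template parameters with their default values, so the JSON can be redeployed as-is or with a different firewall name supplied as a template parameter, which is what the last section of the post uses it for.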
```
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...
Container 'firewallbackup' already exists
Starting Azure Firewall current configuration export in json...
```

```
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup1' blob container space for storage...

CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess       : Off
LastModified       : 2/8/2022 11:33:12 AM +00:00
ContinuationToken  :
Context            : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name               : firewallbackup1

Container 'firewallbackup1' created
Starting Azure Firewall current configuration export in json...
```
A second error that could appear:

```
The running command stopped because the preference variable "ErrorActionPreference" or common parameter is set to Stop: The remote server returned an error: (403) Forbidden. HTTP Status Code: 403 - HTTP Error Message: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
```

You probably need to change the storage key that is used, or change the access to that storage account.
But when it all runs:
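A quick check for the 403 above, added here as an example and not from the original post: it tells a key that no longer matches the account (rotated, or mistyped in the parameters) apart from a current key that is blocked by the storage account's access settings. The function name and all resource names are assumptions.

```powershell
# Added example: diagnose the 403 "Server failed to authenticate the request" error.
# Names are assumed; $KeyInUse is the value typed into the runbook parameters or schedule.
function Test-FirewallBackupStorageAccess {
    param (
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $StorageAccountName,
        [Parameter(Mandatory)] [string] $ContainerName,
        [Parameter(Mandatory)] [string] $KeyInUse
    )
    # Compare the key in use with key1/key2 currently on the account
    $current = Get-AzStorageAccountKey -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
    $match   = $current | Where-Object { $_.Value -eq $KeyInUse }
    if (-not $match) {
        Write-Warning "Key in use matches neither key1 nor key2: it was rotated or mistyped. Update the runbook/schedule parameters."
        return $false
    }
    try {
        # The key is current: can it actually reach the container?
        $ctx = New-AzStorageContext -StorageAccountName $StorageAccountName -StorageAccountKey $KeyInUse
        Get-AzStorageBlob -Container $ContainerName -Context $ctx -ErrorAction Stop | Out-Null
        Write-Output "Key '$($match.KeyName)' is current and can read container '$ContainerName'."
        return $true
    } catch {
        # A current key that is still refused points at the account's access settings
        # (network rules / allowed key access) rather than at the key itself
        Write-Warning "Access denied with a current key; check the storage account access settings: $($_.Exception.Message)"
        return $false
    }
}

# Usage (values are constructed):
Test-FirewallBackupStorageAccess -ResourceGroupName "rg-firewall-backup" -StorageAccountName "stfwbackup01" `
    -ContainerName "firewallbackup" -KeyInUse "<key value from the schedule parameters>"
```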
```
Starting database backup...
Logging in to Azure...
Creating 'firewallbackup' blob container space for storage...

CloudBlobContainer : Microsoft.WindowsAzure.Storage.Blob.CloudBlobContainer
Permission         : Microsoft.WindowsAzure.Storage.Blob.BlobContainerPermissions
PublicAccess       : Off
LastModified       : 2/8/2022 1:05:04 PM +00:00
ContinuationToken  :
Context            : Microsoft.WindowsAzure.Commands.Common.Storage.AzureStorageContext
Name               : firewallbackup

Container 'firewallbackup' created
Starting Azure Firewall current configuration export in json...

Path
----
C:\Users\Client\Temp\AzureFirewall_MVPCentral202202081305.json

Submitting request to dump Azure Firewall configuration
Removing backups older than '7' days from blob: 'firewallbackup'
Azure Firewall current configuration back up completed.
```
Now that testing is complete and working, we can publish the runbook.
Remember: if you don't publish the runbook it won't work.
When you run the test runbook it will keep asking whether you would like to save when you want to switch to the Schedule blade; just say no. Our final step is to schedule the backup of the firewall.
Create the schedule and the retention time
We create a new schedule.
Now we need to fill in all the parameters just as in the test.
If you want to turn this off, just click the "On" toggle on that line.
Looking into the storage blob container we see all the JSON files.
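The publish, schedule, parameter and on/off steps done from PowerShell instead of the portal, as an added example that is not part of the original post. The runbook name, schedule name and parameter names match the simplified runbook parameters used for the test; the Automation account and resource names are assumptions.

```powershell
# Added example: publish the runbook and schedule it daily with the same parameters used in the test.
# Names are assumed.
$rg      = "rg-firewall-backup"
$aaName  = "aa-firewall-backup"
$runbook = "Backup-AzureFirewall"
$sched   = "FirewallBackupDaily"

# An unpublished runbook cannot be scheduled or started
Publish-AzAutomationRunbook -ResourceGroupName $rg -AutomationAccountName $aaName -Name $runbook

# Daily schedule starting tomorrow at 02:00 UTC (the start time must lie in the future)
$start = (Get-Date).Date.AddDays(1).AddHours(2)
New-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aaName `
    -Name $sched -StartTime $start -DayInterval 1 -TimeZone "UTC"

# Link the runbook to the schedule with the parameter values (same ones as in the test run)
$params = @{
    ResourceGroupName  = $rg
    AzureFirewallName  = "fw-hub"
    StorageAccountName = "stfwbackup01"
    StorageKey         = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name "stfwbackup01")[0].Value
    BlobContainerName  = "firewallbackup"
    RetentionDays      = 7
}
Register-AzAutomationScheduledRunbook -ResourceGroupName $rg -AutomationAccountName $aaName `
    -RunbookName $runbook -ScheduleName $sched -Parameters $params

# Turning the backup off without deleting anything (the "On" toggle in the portal)
Set-AzAutomationSchedule -ResourceGroupName $rg -AutomationAccountName $aaName -Name $sched -IsEnabled $false
```

Because the storage key is captured in the schedule's parameters, rotating the key means re-registering the schedule with the new value; otherwise the scheduled job starts failing with the 403 error shown earlier.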
With this JSON file you can redeploy the firewall rules or use it for a new deployment with a different name.
Hope it was helpful; thanks for visiting my blog.
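Restoring from one of the JSON files, as an added example (not from the original post): download a backup from the container, preview the deployment with what-if so you see which rules would change before touching the live firewall, and then deploy. The blob name is constructed, the resource names are assumptions, and the template parameter names depend on what Export-AzResourceGroup generated for your firewall, so they are listed rather than hard-coded.

```powershell
# Added example: redeploy firewall rules from a backup JSON in the container.
# Names assumed; the blob name is a constructed example.
$rg        = "rg-firewall-backup"
$container = "firewallbackup"
$blobName  = "AzureFirewall_fw-hub202202081305.json"
$ctx = New-AzStorageContext -StorageAccountName "stfwbackup01" `
    -StorageAccountKey (Get-AzStorageAccountKey -ResourceGroupName $rg -Name "stfwbackup01")[0].Value

# Download the backup locally
$local = Join-Path $env:TEMP $blobName
Get-AzStorageBlobContent -Container $container -Blob $blobName -Destination $local -Context $ctx -Force | Out-Null

# The exported template exposes names as parameters; list them to see what can be overridden
$template = Get-Content -Path $local -Raw | ConvertFrom-Json
$template.parameters.PSObject.Properties.Name

# Preview: what-if reports create/modify/delete per resource without applying anything
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $local -WhatIf

# Apply in incremental mode (adds/updates the firewall and policy, leaves other RG resources alone).
# For a deployment under a different name, pass the firewall name parameter shown in the list above,
# e.g. -TemplateParameterObject @{ '<firewall name parameter>' = 'fw-hub-restore' }
New-AzResourceGroupDeployment -ResourceGroupName $rg -TemplateFile $local -Mode Incremental
```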
Follow Me on Twitter @ClusterMVP
Follow My blog https://robertsmit.wordpress.com
LinkedIn Profile Http://nl.linkedin.com/in/robertsmit