azure firewall costly? try fortigate

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

As I haired from a few customers that Azure firewall is a little bit expensive! and some of them they don't have a budget for test/dev environment,as it cost (approximately $100 monthly, per appliance). This price gets compounded if you need to deploy multiple Azure Firewall appliances per regional VNet

In this post we will explain how to deploy FortiGate NGFW for Azure, you can deploy the FortiGate for Azure as a virtual appliance in Azure cloud (infrastructure as a service)

This section shows you how to install and configure a single instance FortiGate-VM in Azure to provide a full NGFW/unified threat management (UTM) security solution in front of Azure IaaS resources

Deployment
Current Environment:
I have around 15 VMs, connected to the same VNet which it has around 12 Subnets
I created another two subsets for FortiGate VM as i will explain later

• Login to Azure Portal and click on Add resources, from marketplace search for FortiGate
  

• Select FortiGate next-generation firewall - Single VM
• Click Create

• You can see Plans in our case we will deploy the cheapest option (DS1v2)
  

• Fill the configuration part
  
• in my case as i don't have the license i selected in PAYG/BYOL License: PAYG 6.2.3, in case you have the license select BYOL
  

• Click Next, to fill network part
• Here if you can I selected: outsideSubnet which it will have public IP, and InsideSubnet which I will use it to configure the route between existing VMs
• In VM size I choosed (DS1 V2)
  

• Next select the Public IP Address which it will be attached to Nic0 which is connected to externalSubnet
  

• Once you finish click Create
  

• It will take up-to 5 minutes to be created
  

• You can verify test the appliance now, just copy the public IP address to your browser, https://90.13.125.24
  

• Before start configuring the rules on  the firewall is to add all the existing subnet to the route table which is created "contains the word 'inside'"
  

• Make sure to Add all Subnets you have into FortiGate Static Route as below
  

• Last step, if you want access the VM using a specific port such as RDP, you have to add another public ip address to same FortiGate NIC which is already have a one public IP before, in my case I need to access 3 VMs using RDP so I added another 3 Public IP address, and once i finished i create a static NAT in FortiGate
  

Allow Inbound Traffic:
Let's consider I have an jump server and I need to allow outbound port# 3389, this first thing I will do is

1. To make sure that the Subnet has added to the route table
2. Then, I will add a new IP to the first NIC of the Firewall as the previous screenshot
3. From FortiGate I will configure the policy as per the below screenshot

And in case you want to allow outbound traffic do the same but, from port2 to port 1 as per the below screenshot