Self Service Firewall For Windows Azure Pack (WAP)

Note: This has been sitting in my drafts folder for well over 6 months, so the software versions below may be out of date.

I wanted to be able to provide a Self Service Firewall For Windows Azure Pack (It’s not the cloud unless it is). For this I decided to use pfSense, which is an open source FreeBSD firewall.

Since the networking fabric of 2012 R2 only allows you to use NVGRE gateways to provide external connectivity to SDN (software defined networks), you are forced to use VLANs to provide isolation between tenants if you want to use a third party firewall\router.

The VM should be deployed with two hard drives attached, the first being a Linux (Ubuntu) image that has the VM additions installed and the second being a pfSense image. I chose a Linux image as opposed to a Windows image because its smaller footprint gives quicker deployment times. The Linux image allows WAP to talk to the VM for deployment, as it has the VM additions installed.

To get around the fact that SCVMM can’t inject an IP into pfSense because there are no VM additions for FreeBSD, I used a DHCP server that only hands out reservations. Each reservation obviously has a MAC address assigned to it. Port ACL rules can be used to block the traffic from the pfSense VM if the tenant changes their external IP.

Once the VM has been deployed successfully, an SMA workflow is used to remove the Linux hard drive and assign a static MAC to the pfSense VM. This leaves the VM to boot off the FreeBSD hard drive with a working pfSense install and a functioning external IP address.
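The post-deployment step described above, written as an added example that is not the author's workflow. The runbook name, the credential asset name, the VHD name pattern and the VM network name are assumptions; it locates both changes before making either and only starts the VM once the NIC reports the reserved MAC.

```powershell
workflow Set-PfSensePostDeploy   # hypothetical runbook name
{
    param(
        [Parameter(Mandatory=$true)][string]$VmmServer,
        [Parameter(Mandatory=$true)][string]$VmName,
        [Parameter(Mandatory=$true)][string]$ReservedMac,   # MAC bound to the tenant's DHCP reservation
        [string]$LinuxVhdPattern   = '*ubuntu*',            # assumed naming of the bootstrap VHD
        [string]$InternetVmNetwork = 'Internet'             # assumed VM network of the external NIC
    )

    $cred = Get-AutomationPSCredential -Name 'VmmServiceAccount'   # hypothetical SMA credential asset

    InlineScript {
        $ErrorActionPreference = 'Stop'
        $mac     = $Using:ReservedMac
        $name    = $Using:VmName
        $pattern = $Using:LinuxVhdPattern
        $network = $Using:InternetVmNetwork

        # Reject a malformed MAC before touching the VM.
        if ($mac -notmatch '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$') { throw "Malformed MAC address: $mac" }

        Import-Module virtualmachinemanager
        $vms = @(Get-SCVirtualMachine -VMMServer $Using:VmmServer -Name $name)
        if ($vms.Count -ne 1) { throw "Expected exactly one VM named '$name', found $($vms.Count)" }
        $vm = $vms[0]

        # Locate both targets first, so a mismatch leaves the VM untouched.
        $linuxDisk = @(Get-SCVirtualDiskDrive -VM $vm |
                       Where-Object { $_.VirtualHardDisk.Name -like $pattern })
        $wanNic    = @(Get-SCVirtualNetworkAdapter -VM $vm |
                       Where-Object { $_.VMNetwork.Name -eq $network })
        if ($linuxDisk.Count -gt 1) { throw "More than one disk matches '$pattern' on '$name'" }
        if ($wanNic.Count -ne 1)    { throw "Expected one NIC on VM network '$network', found $($wanNic.Count)" }

        if ($vm.Status -eq 'Running') { $vm = Stop-SCVirtualMachine -VM $vm }

        # Removes the bootstrap disk from the VM (and its VHD file); skipped if a previous run already did it.
        if ($linuxDisk.Count -eq 1) { Remove-SCVirtualDiskDrive -VirtualDiskDrive $linuxDisk[0] | Out-Null }

        $nic = Set-SCVirtualNetworkAdapter -VirtualNetworkAdapter $wanNic[0] `
                   -MACAddressType Static -MACAddress $mac

        # Do not boot a firewall that would miss its reservation and come up without its external IP.
        if (($nic.MACAddress -replace '-', ':') -ne $mac) { throw "NIC MAC is $($nic.MACAddress), expected $mac" }
        Start-SCVirtualMachine -VM $vm | Out-Null
    } -PSComputerName $VmmServer -PSCredential $cred
}
```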

What is required to make this work:

  • A private network for each tenant with VLANs providing isolation.
  • A WAP hosting plan that is unique to each tenant so they have access to their own VLAN.
  • A DHCP server that only hands out reserved addresses. (This can be achieved on a 2012 R2 server by reserving the whole range then adding the required addresses back as reservations.)
  • A prepared Linux VHD\VHDX image that has the SCVMM guest tools installed.
  • A prepared pfSense VHD\VHDX image.
  • A SCVMM template that has a Linux VHD\VHDX as the primary HD and a pfSense VHD\VHDX as the secondary HD.
  • A SMA workflow to remove the Linux VHD from the VM once deployed.
  • A SMA workflow to assign a reserved MAC to the internet NIC.


The VM Template Used

The deployment experience for the tenant.

Console connect to the pfSense firewall.

The SMA workflow below will make the changes once the VM has been deployed (proof of concept, not production ready). The workflow has a few dependencies on child runbooks, but these should be easy enough to re-create.


About the author

Ben Taylor

Cloud and PowerShell enthusiast with a penchant for automation and CI.
