Azure Firewall Architecture
Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability that scales with traffic; you never deploy, patch or size the underlying instances yourself.
Azure Firewall can be used to centralize your security policies across your subscriptions and virtual networks, enabling you to block unauthorized access to and from your Azure and on-premises resources. The architecture is designed for scalability, resilience, and ease of management.
Figure 1: Conceptual Azure Firewall Architecture
Core Components
The Azure Firewall architecture is built around several key components that work together to provide robust network security:
Network Firewall Policy
The firewall policy is the central management plane for your firewall configuration. It holds the rule collection groups, rule collections and rules, the threat intelligence mode and its allowlist, DNS settings, and (in the Premium SKU) TLS inspection and IDPS settings. One policy can be associated with many firewalls, and a policy can inherit from a parent policy, so a central team can enforce baseline rules that each workload policy may add to but not remove. Managing rules in a policy rather than per firewall keeps configuration consistent and reduces management overhead.
Threat Intelligence
Azure Firewall integrates with Microsoft's threat intelligence feed to identify traffic to or from known malicious IP addresses, domains and URLs. Threat intelligence is evaluated before your own rule collections, so it catches known-bad destinations regardless of how permissive your rules are; an exception has to go in the policy's threat intelligence allowlist, not in an allow rule.
Threat intelligence runs in one of two active modes (it can also be turned off):
- Alert only (detection): logs traffic to and from known malicious IP addresses, FQDNs, and URLs and lets it pass.
- Alert and deny (prevention): logs and blocks that traffic.
Rules
Rules are the heart of the firewall's decision-making. A firewall policy has three rule types, each kept in its own kind of rule collection: DNAT rules (inbound translation of traffic arriving on the firewall's public IP), network rules and application rules. Rule collections carry a priority and, for filter collections, a single action (Allow or Deny), and are themselves grouped into prioritized rule collection groups. Evaluation is first-match: DNAT rules are processed first, then network rules, then application rules, and once a rule matches nothing after it is consulted. Traffic that matches no rule is denied.
Network Rules
Network rules filter traffic by source and destination address, destination port and IP protocol (TCP, UDP, ICMP or Any). They are the right tool for infrastructure-level traffic that has no HTTP name to inspect, and their address fields can reference IP groups so that large address sets are managed in one place. Because network rules are evaluated before application rules, a broad network rule on TCP/443 lets traffic reach any destination without FQDN filtering ever being applied; keep network rules narrow and let application rules handle web egress.
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "Net-Allow-WebServer",
  "priority": 100,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "NetworkRule",
      "name": "Allow-HTTP-to-WebServer",
      "ipProtocols": ["TCP"],
      "sourceAddresses": ["10.0.1.0/24"],
      "destinationAddresses": ["10.0.2.5"],
      "destinationPorts": ["80", "443"]
    }
  ]
}
Application Rules
Application rules filter outbound HTTP, HTTPS and MSSQL traffic by destination name rather than address: fully qualified domain names (wildcards allowed), FQDN tags that cover Microsoft services (the WindowsUpdate tag, for example), web categories, and in the Premium SKU full URLs when TLS inspection is enabled. For HTTPS without TLS inspection the firewall reads the server name from the TLS SNI extension, so a connection that carries no SNI cannot match an application rule.
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "App-Allow-Updates",
  "priority": 200,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "ApplicationRule",
      "name": "Allow-Internal-to-Microsoft-Update",
      "sourceAddresses": ["10.0.1.0/24"],
      "protocols": [{"protocolType": "Http", "port": 80}, {"protocolType": "Https", "port": 443}],
      "targetFqdns": ["*.windowsupdate.microsoft.com"]
    }
  ]
}
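The evaluation order described above, shown as an added example rather than code from the page or from Azure: a small Python model that runs the page's two rules against constructed flows. It implements only what the text states (collections by priority, network rules before application rules, first match wins, implicit deny) and then adds a deliberately broad TCP/443 network rule to show the shadowing caveat. The names POLICY, evaluate(), shadowing_demo() and the sample flows are this example's own, not Azure API identifiers.

```python
"""Added example (not Microsoft's or Azure's code): a model of Azure Firewall
rule evaluation order, run against the two rules shown on this page."""
import ipaddress
from fnmatch import fnmatchcase

# Constructed policy fragment in the shape of Firewall Policy rule collections,
# containing the page's network rule and application rule.
POLICY = [
    {"name": "Net-Coll", "priority": 100, "action": "Allow", "rules": [
        {"ruleType": "NetworkRule", "name": "Allow-HTTP-to-WebServer",
         "ipProtocols": ["TCP"], "sourceAddresses": ["10.0.1.0/24"],
         "destinationAddresses": ["10.0.2.5"], "destinationPorts": ["80", "443"]},
    ]},
    {"name": "App-Coll", "priority": 200, "action": "Allow", "rules": [
        {"ruleType": "ApplicationRule", "name": "Allow-Internal-to-Microsoft-Update",
         "sourceAddresses": ["10.0.1.0/24"],
         "protocols": [{"protocolType": "Http", "port": 80},
                       {"protocolType": "Https", "port": 443}],
         "targetFqdns": ["*.windowsupdate.microsoft.com"]},
    ]},
]

# A deliberately broad network rule (constructed) used to show how it shadows
# the FQDN-based application rule.
BROAD_RULE_COLLECTION = {
    "name": "Net-Broad", "priority": 150, "action": "Allow", "rules": [
        {"ruleType": "NetworkRule", "name": "Allow-Any-TCP-443",
         "ipProtocols": ["TCP"], "sourceAddresses": ["10.0.1.0/24"],
         "destinationAddresses": ["*"], "destinationPorts": ["443"]},
    ]}


def _ip_in(addr, prefixes):
    """True if addr falls in any prefix; '*' means any address."""
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False)
               for p in prefixes)


def _port_in(port, ports):
    """Destination ports are strings: '443', a range '8000-8080', or '*'."""
    for p in ports:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def _network_match(rule, flow):
    return (("Any" in rule["ipProtocols"] or flow["protocol"] in rule["ipProtocols"])
            and _ip_in(flow["src"], rule["sourceAddresses"])
            and _ip_in(flow["dst"], rule["destinationAddresses"])
            and _port_in(flow["dport"], rule["destinationPorts"]))


def _application_match(rule, flow):
    # Application rules need a destination name (SNI or Host header); a flow
    # carrying no FQDN can only ever match network rules.
    fqdn = flow.get("fqdn")
    if fqdn is None or not _ip_in(flow["src"], rule["sourceAddresses"]):
        return False
    if not any(p["port"] == flow["dport"] for p in rule["protocols"]):
        return False
    return any(fnmatchcase(fqdn.lower(), pat.lower()) for pat in rule["targetFqdns"])


def evaluate(policy, flow):
    """Return (action, matching rule name). Network rules are tried before
    application rules; within a type, collections go by priority; the first
    match is final; no match means an implicit deny."""
    for rule_type, matcher in (("NetworkRule", _network_match),
                               ("ApplicationRule", _application_match)):
        for coll in sorted(policy, key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if rule["ruleType"] == rule_type and matcher(rule, flow):
                    return coll["action"], rule["name"]
    return "Deny", None


# Constructed sample flows.
WEB_FLOW = {"src": "10.0.1.10", "dst": "10.0.2.5", "protocol": "TCP", "dport": 443}
UPDATE_FLOW = {"src": "10.0.1.10", "dst": "20.0.0.1", "protocol": "TCP", "dport": 443,
               "fqdn": "download.windowsupdate.microsoft.com"}
UNKNOWN_FLOW = {"src": "10.0.1.10", "dst": "203.0.113.7", "protocol": "TCP", "dport": 443,
                "fqdn": "cdn.example.net"}


def shadowing_demo():
    """With the broad port-443 network rule added, the unknown-site flow is
    allowed as a network match and its FQDN is never checked."""
    before = evaluate(POLICY, UNKNOWN_FLOW)
    after = evaluate(POLICY + [BROAD_RULE_COLLECTION], UNKNOWN_FLOW)
    return before, after


if __name__ == "__main__":
    for name, flow in [("web", WEB_FLOW), ("update", UPDATE_FLOW), ("unknown", UNKNOWN_FLOW)]:
        print(name, evaluate(POLICY, flow))
    print("shadowing:", shadowing_demo())
```

The last line of output is the point: the same flow that the page's rules deny becomes an allow the moment a destination-agnostic network rule exists on the port, which is why network rules for web egress should be reserved for fixed-address infrastructure and everything else left to application rules.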
DNS Settings
Azure Firewall resolves the FQDNs in its rules itself, using Azure DNS by default or custom DNS servers you configure. Enable the DNS proxy setting and point the virtual network's DNS at the firewall's private IP so that clients and the firewall resolve names through the same path. This is required for FQDN filtering in network rules: without it the client and the firewall can resolve the same name to different addresses and the rule silently fails to match. Routing resolution through the proxy also produces a DNS query log, which gives you one place to spot resolution of suspicious names.
Architecture Scenarios
Azure Firewall is flexible and can be deployed in various network topologies to meet different security requirements:
Hub-Spoke Topology
In a hub-spoke model, Azure Firewall is deployed in the central hub virtual network. Spoke virtual networks peer with the hub and use user-defined routes to send their internet-bound and inter-spoke traffic through the firewall. Peering is not transitive, so spoke-to-spoke traffic only reaches the firewall if each spoke carries a route for the other spoke's prefix with the firewall as next hop. This gives a single point for security inspection and policy enforcement.
Flat Network Topology
For simpler environments or smaller deployments, Azure Firewall can be deployed directly within a single virtual network. All subnets within that virtual network are configured to route traffic through the firewall.
Distributed Firewall
Azure Firewall can also be deployed per virtual network or per environment, each instance protecting a specific set of subnets or workloads. This trades the single policy enforcement point of the hub for smaller blast radius and independent change windows; a shared parent firewall policy keeps the baseline rules consistent across instances.
Deployment Considerations
When deploying Azure Firewall, consider the following:
- SKU: choose between Basic (small environments with limited throughput), Standard (most workloads) and Premium (TLS inspection, IDPS, URL filtering) based on your feature requirements.
- Availability Zones: deploy across two or more availability zones for resilience; the uptime SLA is higher for zone-redundant deployments than for a single-zone firewall.
- Throughput: plan firewall throughput based on your network traffic; the firewall scales out automatically, but each SKU has a ceiling.
- Network Integration: route traffic through the firewall with user-defined routes (0.0.0.0/0, next hop type VirtualAppliance, next hop address the firewall's private IP) on every subnet you want protected; do not apply such a route to the AzureFirewallSubnet itself.
- Logging and Monitoring: enable diagnostic settings to send firewall logs to Log Analytics, Event Hubs, or Azure Storage for analysis and auditing; without them, denied and allowed flows are invisible.
Important
The subnet hosting Azure Firewall must be named AzureFirewallSubnet and must be at least a /26. Network Security Groups are not supported on this subnet; do not associate one with it. Filtering for traffic that traverses the firewall is done with firewall rules, not with an NSG on its subnet.
Conclusion
Azure Firewall's architecture is designed for modern cloud environments, offering scalability, high availability, and centralized security management. By understanding its core components and deployment options, organizations can effectively protect their Azure resources and maintain a strong security posture.