Azure Firewall is a cloud-native and intelligent network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Key Concepts
Network Rules
Network rules filter traffic on Layer 3 (IP address) and Layer 4 (port and protocol) information. They are the right tool for non-HTTP(S) traffic and for any flow whose endpoints you can identify by address, service tag or IP Group.
- Source type: IP address (single address or CIDR block) or IP Group
- Protocol: TCP, UDP, ICMP, Any
- Destination type: IP address or CIDR block, Service Tag, IP Group, or FQDN (FQDN destinations require the policy's DNS proxy to be enabled so that the firewall and the clients resolve names the same way)
- Destination ports: specific ports, port ranges, or Any (*)
Example of a network rule, shown as the rule object that sits inside a filter rule collection of a Firewall Policy rule collection group (the priority and the Allow/Deny action are properties of the collection, not of the individual rule):
{
  "ruleType": "NetworkRule",
  "name": "Allow_Web_to_WebServers",
  "ipProtocols": ["TCP"],
  "sourceAddresses": ["10.0.1.0/24"],
  "destinationAddresses": ["203.0.113.5"],
  "destinationPorts": ["80", "443"]
}
Application Rules
Application rules filter outbound traffic at the application layer (Layer 7). They match on the destination host name rather than on an IP address, which lets you allow or deny traffic to specific fully qualified domain names (FQDNs), to predefined FQDN tags, to web categories, or (on the Premium SKU, with TLS inspection enabled for HTTPS) to specific URL paths.
- Source type: IP address (single address or CIDR block) or IP Group
- Protocol: Http, Https, Mssql (each with a port)
- FQDN Tags: Predefined groups of FQDNs for common Microsoft services (e.g., Windows Update, Office 365).
- Web Categories: Groupings of websites based on their content (e.g., gambling, social networking).
- Target FQDNs: Specific FQDNs you want to allow or deny. A leading wildcard such as *.contoso.net matches any subdomain at any depth but not contoso.net itself.
- Target URLs: Full URLs including the path; for HTTPS this requires TLS inspection so that the firewall can see the path.
Example of an application rule (again the rule object inside a filter rule collection). terminateTLS is only meaningful on the Premium SKU with TLS inspection configured in the policy; plain FQDN filtering works on the TLS SNI without decryption, so it is left off here:
{
  "ruleType": "ApplicationRule",
  "name": "Allow_Contoso_Website",
  "protocols": [{ "protocolType": "Https", "port": 443 }],
  "sourceAddresses": ["10.0.0.0/16"],
  "targetFqdns": ["www.contoso.com", "*.contoso.net"],
  "terminateTLS": false
}
NAT Rules
NAT (Network Address Translation) rules, more precisely DNAT rules, translate a public IP address and port on the firewall to a private IP address and port inside your virtual network. This is how you publish a service that runs on a private address to the internet. A matching DNAT rule implicitly allows the translated traffic, so no separate network rule is needed for it.
- Protocol: TCP, UDP
- Source IP address/CIDR: The client address(es) or range(s) the rule applies to. Keep this as narrow as possible; "*" exposes the translated port to the whole internet.
- Destination IP address: A public IP address of the Azure Firewall.
- Destination Ports: The public port(s) on the firewall to translate.
- Translated IP address: The private IP address of the internal resource (a translated FQDN can be used instead).
- Translated Ports: The private port(s) to translate to.
Example of a NAT rule (the rule object inside a NAT rule collection, whose action type is Dnat). Rather than "*" as the source, it limits RDP to a single administrative range:
{
  "ruleType": "NatRule",
  "name": "RDP_to_VM",
  "ipProtocols": ["TCP"],
  "sourceAddresses": ["198.51.100.0/24"],
  "destinationAddresses": ["203.0.113.10"],
  "destinationPorts": ["3389"],
  "translatedAddress": "10.1.1.4",
  "translatedPort": "3389"
}
Rule Collections
Rule collections are containers for rules of one type. A collection carries the priority (100 to 65000; a lower number means a higher priority) and the action that applies to every rule in it: Allow or Deny for filter collections, Dnat for NAT collections. In a Firewall Policy, collections are grouped into rule collection groups, which have a priority of their own. Rules within a collection are evaluated in the order they are defined; evaluation stops at the first rule that matches and the matching collection's action is applied. Traffic that matches no rule at all is denied (the implicit deny).
Azure Firewall supports three types of rule collections:
- Network Rule Collection: Contains network rules.
- Application Rule Collection: Contains application rules.
- NAT Rule Collection: Contains NAT (DNAT) rules.
Rule types are always processed in a fixed order regardless of collection or group priority: DNAT rules first, then network rules, then application rules. Within each type, collections are taken in ascending priority number (group priority first, then collection priority). A practical consequence is that a network rule can allow or deny a flow before any application rule is consulted, so an application-rule Allow in a low-numbered collection does not override a network-rule Deny in a high-numbered one. Application rules are only consulted for HTTP, HTTPS and MSSQL traffic that no network rule matched. If threat intelligence filtering is in deny mode, it is applied before any of the rules.
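To make the evaluation order concrete, here is a small Python model of it, added here as an illustration; it is not Azure's own code and not from Microsoft. It takes rules in the shape of a Firewall Policy rule collection group (ruleCollectionGroups, each holding ruleCollections with a priority, an action and a rules list, as in the ARM resource Microsoft.Network/firewallPolicies/ruleCollectionGroups) together with a flow, sorts the rules the way the text describes (DNAT, then network, then application; within a type by group and collection priority) and returns the verdict of the first match or the implicit deny. It goes slightly beyond the text by handling port ranges and wildcard FQDNs. IP Groups, service tags, FQDN tags and web categories are not modelled. The sample policy and flows are constructed for the example, and the group, collection and rule names are invented.

```python
import ipaddress
from fnmatch import fnmatchcase

# Azure processes rule types in this fixed order, regardless of the priority
# number of the collection or group a rule lives in.
TYPE_ORDER = {"NatRule": 0, "NetworkRule": 1, "ApplicationRule": 2}
APP_PROTOCOLS = {"Http", "Https", "Mssql"}  # the only protocols application rules see


def addr_matches(addr, patterns):
    """True if addr is covered by any entry in the rule's address list ('*' or CIDR/IP)."""
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def port_matches(port, patterns):
    """Rule ports are strings: '443', '8000-8080' or '*'."""
    for p in patterns:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def fqdn_matches(host, patterns):
    """Wildcard FQDNs such as '*.contoso.net' match any subdomain, not the apex."""
    host = host.lower()
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def rule_matches(rule, flow):
    """Match one rule object against a flow dict (src, dst, port, proto, optional fqdn)."""
    kind = rule["ruleType"]
    if not addr_matches(flow["src"], rule.get("sourceAddresses", [])):
        return False
    if kind == "ApplicationRule":
        if "fqdn" not in flow or flow["proto"] not in APP_PROTOCOLS:
            return False
        proto_ok = any(p["protocolType"] == flow["proto"] and p["port"] == flow["port"]
                       for p in rule["protocols"])
        return proto_ok and fqdn_matches(flow["fqdn"], rule.get("targetFqdns", []))
    # NatRule and NetworkRule match on L3/L4; HTTP(S)/MSSQL flows are TCP underneath.
    l4 = "TCP" if flow["proto"] in APP_PROTOCOLS else flow["proto"]
    protos = rule["ipProtocols"]
    return (("Any" in protos or l4 in protos)
            and addr_matches(flow["dst"], rule.get("destinationAddresses", []))
            and port_matches(flow["port"], rule.get("destinationPorts", [])))


def ordered_rules(policy):
    """Flatten groups -> collections -> rules into Azure's evaluation order."""
    flat = []
    for group in policy["ruleCollectionGroups"]:
        for coll in group["ruleCollections"]:
            for idx, rule in enumerate(coll["rules"]):
                key = (TYPE_ORDER[rule["ruleType"]], group["priority"], coll["priority"], idx)
                flat.append((key, coll, rule))
    return [(coll, rule) for _, coll, rule in sorted(flat, key=lambda t: t[0])]


def evaluate(policy, flow):
    """Verdict for one flow: first matching rule wins, otherwise the implicit deny."""
    for coll, rule in ordered_rules(policy):
        if rule_matches(rule, flow):
            verdict = {"action": coll["action"]["type"], "collection": coll["name"], "rule": rule["name"]}
            if rule["ruleType"] == "NatRule":
                verdict["translated"] = f'{rule["translatedAddress"]}:{rule["translatedPort"]}'
            return verdict
    return {"action": "Deny", "collection": None, "rule": None, "reason": "no rule matched"}


# Constructed sample policy (invented names) in the rule collection group shape.
# Note the network Deny sits at the lowest priority (65000) but still beats the
# application Allow at 200, because network rules are processed first.
POLICY = {"ruleCollectionGroups": [
    {"name": "Prod", "priority": 200, "ruleCollections": [
        {"ruleCollectionType": "FirewallPolicyNatRuleCollection", "name": "Inbound_NAT",
         "priority": 100, "action": {"type": "Dnat"}, "rules": [
            {"ruleType": "NatRule", "name": "RDP_to_VM", "ipProtocols": ["TCP"],
             "sourceAddresses": ["198.51.100.0/24"], "destinationAddresses": ["203.0.113.10"],
             "destinationPorts": ["3389"], "translatedAddress": "10.1.1.4", "translatedPort": "3389"}]},
        {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "Allow_Web",
         "priority": 200, "action": {"type": "Allow"}, "rules": [
            {"ruleType": "ApplicationRule", "name": "Allow_Contoso_Website",
             "protocols": [{"protocolType": "Https", "port": 443}],
             "sourceAddresses": ["10.0.0.0/16"], "targetFqdns": ["www.contoso.com", "*.contoso.net"]}]},
        {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "Deny_SMB_Out",
         "priority": 300, "action": {"type": "Deny"}, "rules": [
            {"ruleType": "NetworkRule", "name": "Deny_SMB", "ipProtocols": ["TCP"],
             "sourceAddresses": ["*"], "destinationAddresses": ["*"], "destinationPorts": ["445"]}]},
        {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "Deny_Legacy",
         "priority": 65000, "action": {"type": "Deny"}, "rules": [
            {"ruleType": "NetworkRule", "name": "Deny_Legacy_Subnet", "ipProtocols": ["Any"],
             "sourceAddresses": ["*"], "destinationAddresses": ["10.9.9.0/24"], "destinationPorts": ["*"]}]},
    ]},
]}

# Constructed flows; 'proto' is the rule-level protocol name, 'fqdn' the requested host.
SAMPLE_FLOWS = {
    "rdp_from_admin": {"src": "198.51.100.7", "dst": "203.0.113.10", "port": 3389, "proto": "TCP"},
    "rdp_from_elsewhere": {"src": "192.0.2.1", "dst": "203.0.113.10", "port": 3389, "proto": "TCP"},
    "smb_out": {"src": "10.0.1.4", "dst": "203.0.113.5", "port": 445, "proto": "TCP"},
    "contoso_https": {"src": "10.0.1.4", "dst": "203.0.113.5", "port": 443, "proto": "Https", "fqdn": "www.contoso.com"},
    "legacy_subnet_https": {"src": "10.0.1.4", "dst": "10.9.9.9", "port": 443, "proto": "Https", "fqdn": "internal.contoso.net"},
    "other_https": {"src": "10.0.1.4", "dst": "203.0.113.5", "port": 443, "proto": "Https", "fqdn": "www.example.com"},
}


def demo():
    return {name: evaluate(POLICY, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} -> {verdict}")
```

The legacy_subnet_https flow is the instructive one: its host name is allowed by Allow_Web at priority 200, yet the verdict is Deny from Deny_Legacy_Subnet at priority 65000, because network rules are exhausted before any application rule is looked at. Conversely, rdp_from_elsewhere shows that a DNAT rule with a narrow source simply does not match foreign clients, and nothing else lets inbound traffic through.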
Firewall Policy
A firewall policy is the top-level resource for managing rules and settings centrally. You can associate a firewall policy with one or more Azure Firewall instances, and a child policy can inherit from a parent policy, so that a central team owns the baseline while individual teams add their own rules; rule collection groups of the parent are processed before those of the child. This gives consistent rule management across your organization.
Firewall policies can include:
- Rule collection groups containing rule collections (Network, Application, NAT)
- Threat intelligence-based filtering
- TLS inspection settings (Premium SKU)
- Intrusion detection and prevention (IDPS, Premium SKU)
- DNS settings, including the DNS proxy that FQDN-based network rules depend on
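Because a policy is the single place where every rule lives, it is also the natural thing to audit. The following Python script is an added example (not code from the page or from Microsoft) that walks one rule collection group and flags the configurations that most often turn a firewall into a pass-through: DNAT of management ports from any source, allow-all network rules, wildcard application rules, and URL filtering over HTTPS without TLS termination. It assumes the JSON shape of Microsoft.Network/firewallPolicies/ruleCollectionGroups (a ruleCollections list whose entries carry priority, action and rules). The sample group below is constructed, with invented collection and rule names, so the script runs offline; to audit a real policy, replace SAMPLE_RCG with the output of `az network firewall policy rule-collection-group show -o json`, which is assumed here to return the same flattened shape.

```python
import ipaddress

MGMT_PORTS = ("22", "3389", "5985", "5986")  # SSH, RDP, WinRM
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_any(values):
    """'*' or 0.0.0.0/0 in an address or port list means 'everything'."""
    return any(v in ("*", "0.0.0.0/0") for v in values)


def ports_overlap(ports, wanted):
    """True if any rule port entry ('443', '3000-4000', '*') covers one of the wanted ports."""
    for p in ports:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if any(lo <= int(w) <= hi for w in wanted):
            return True
    return False


def is_private(addr):
    return any(ipaddress.ip_address(addr) in n for n in PRIVATE_NETS)


def audit_rcg(rcg):
    """Return (severity, location, message) findings for one rule collection group."""
    findings = []
    for coll in rcg["ruleCollections"]:
        action = coll["action"]["type"]
        for rule in coll["rules"]:
            loc = f'{rcg["name"]}/{coll["name"]}/{rule["name"]}'
            kind = rule["ruleType"]
            src_any = is_any(rule.get("sourceAddresses", []))
            if kind == "NatRule":
                if src_any and ports_overlap(rule["destinationPorts"], MGMT_PORTS):
                    findings.append(("HIGH", loc, "DNAT publishes a management port (SSH/RDP/WinRM) to any source; restrict sourceAddresses"))
                elif src_any:
                    findings.append(("MEDIUM", loc, "DNAT from any source; confirm the service is meant to be internet-facing"))
                if rule.get("translatedAddress") and not is_private(rule["translatedAddress"]):
                    findings.append(("MEDIUM", loc, "translatedAddress is not an RFC 1918 address; DNAT normally targets a private VNet address"))
            elif kind == "NetworkRule" and action == "Allow":
                # destinationFqdns means the rule is scoped by name even if addresses are empty/any
                dst_any = is_any(rule.get("destinationAddresses", [])) and not rule.get("destinationFqdns")
                if dst_any and is_any(rule.get("destinationPorts", [])):
                    findings.append(("HIGH", loc, "allows any destination on any port; this 'allow all' defeats the implicit deny"))
                elif dst_any and src_any:
                    findings.append(("MEDIUM", loc, "any source to any destination; scope it by subnet or IP Group"))
            elif kind == "ApplicationRule" and action == "Allow":
                if "*" in rule.get("targetFqdns", []):
                    findings.append(("HIGH", loc, "targetFqdns contains '*', allowing web traffic to every host"))
                uses_https = any(p["protocolType"] == "Https" for p in rule.get("protocols", []))
                if rule.get("targetUrls") and uses_https and not rule.get("terminateTLS", False):
                    findings.append(("MEDIUM", loc, "targetUrls over HTTPS without terminateTLS; URL paths can only be enforced with TLS inspection"))
    return findings


# Constructed sample rule collection group with invented names: one deliberately
# bad DNAT rule next to the restricted one, an allow-all network rule, and two
# application rules of which one tries to filter a URL path without TLS termination.
SAMPLE_RCG = {"name": "Prod", "ruleCollections": [
    {"ruleCollectionType": "FirewallPolicyNatRuleCollection", "name": "Inbound_NAT", "priority": 100,
     "action": {"type": "Dnat"}, "rules": [
        {"ruleType": "NatRule", "name": "RDP_open", "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
         "destinationAddresses": ["203.0.113.10"], "destinationPorts": ["3389"],
         "translatedAddress": "10.1.1.4", "translatedPort": "3389"},
        {"ruleType": "NatRule", "name": "RDP_to_VM", "ipProtocols": ["TCP"], "sourceAddresses": ["198.51.100.0/24"],
         "destinationAddresses": ["203.0.113.10"], "destinationPorts": ["3389"],
         "translatedAddress": "10.1.1.4", "translatedPort": "3389"}]},
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "Allow_All", "priority": 200,
     "action": {"type": "Allow"}, "rules": [
        {"ruleType": "NetworkRule", "name": "Allow_Everything", "ipProtocols": ["Any"], "sourceAddresses": ["*"],
         "destinationAddresses": ["*"], "destinationPorts": ["*"]}]},
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "Allow_Web", "priority": 300,
     "action": {"type": "Allow"}, "rules": [
        {"ruleType": "ApplicationRule", "name": "Allow_Contoso_Website", "protocols": [{"protocolType": "Https", "port": 443}],
         "sourceAddresses": ["10.0.0.0/16"], "targetFqdns": ["www.contoso.com", "*.contoso.net"], "terminateTLS": False},
        {"ruleType": "ApplicationRule", "name": "Allow_Portal_Admin", "protocols": [{"protocolType": "Https", "port": 443}],
         "sourceAddresses": ["10.0.0.0/16"], "targetUrls": ["portal.contoso.net/admin/*"], "terminateTLS": False}]},
]}


if __name__ == "__main__":
    for severity, loc, msg in audit_rcg(SAMPLE_RCG):
        print(f"[{severity}] {loc}: {msg}")
```

The checks are deliberately structural rather than exhaustive: they do not know your network, but they catch the rules that make the implicit deny meaningless. Running it in a pipeline before a policy is applied, and failing the run on any HIGH finding, is a cheap way to keep a "temporary" allow-all from reaching production.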
Threat Intelligence-Based Filtering
Azure Firewall can alert on or block traffic to and from IP addresses and domains that Microsoft's threat intelligence feed identifies as malicious, for example known botnet controllers or malicious domains.
- Mode: Off, Alert only, Alert and deny. In "Alert and deny" mode this filtering is applied before any rule collection, so an Allow rule cannot override it; use the allowlist for legitimate exceptions.
- Threat intelligence allowlist: IP addresses and FQDNs that should never be alerted on or blocked by this feature.
TLS Inspection
Azure Firewall Premium can terminate and re-encrypt outbound and east-west TLS traffic so that it can inspect the decrypted content. This lets application rules filter on full URLs and lets IDPS look for threats hidden inside encrypted traffic, such as malware downloads or data exfiltration. Inbound TLS inspection is not supported; for inbound traffic, terminate TLS on a reverse proxy such as Application Gateway with WAF in front of the firewall.
To enable TLS inspection, you need:
- An intermediate CA certificate, with its private key, issued by a root CA that your clients already trust. The firewall uses it to mint a certificate for each destination it intercepts, so the root's private key itself should never be placed on the firewall.
- The intermediate CA certificate stored in Azure Key Vault, and a user-assigned managed identity for the firewall with read access to that secret.
- TLS inspection enabled in the firewall policy, and terminateTLS set to true on the application rules whose traffic should be decrypted.
Deployment and Management
Azure Firewall is deployed as a managed service into a dedicated subnet named AzureFirewallSubnet (at least /26) in your virtual network, or into a secured virtual hub with Virtual WAN, and traffic is steered to it with user-defined routes. Management is done through the Azure portal, Azure PowerShell, Azure CLI, or infrastructure-as-code templates (ARM, Bicep, Terraform). Key management tasks include:
- Creating and configuring Firewall instances.
- Defining and managing rule collections and policies, ideally as code under version control so that rule changes are reviewed before they are applied.
- Sending firewall logs (network rule, application rule, DNAT, threat intelligence, IDPS) to a Log Analytics workspace through diagnostic settings, and monitoring them.
- Integrating with Microsoft Sentinel (formerly Azure Sentinel) and other Azure security services.
Supported Features Summary
- High Availability: Built-in high availability with automatic failover.
- Scalability: Unrestricted cloud scalability to handle varying traffic loads.
- Centralized Logging: Comprehensive logging of network and application traffic.
- Integration: Seamless integration with Azure Virtual WAN, VNets, and other security services.
- SNAT Support: Source Network Address Translation for outbound connections (by default, traffic to non-RFC 1918 destinations is SNATed to the firewall's public IP).
- DNAT Support: Destination Network Address Translation for inbound connections.
Understanding these core concepts is essential for effectively designing, deploying, and managing a secure network infrastructure using Azure Firewall.