Azure Firewall Features

Azure Firewall is a cloud-native, fully stateful firewall as a service that filters traffic to and from your virtual network resources, with built-in high availability and automatic scaling. It can be deployed into a hub virtual network (VNet) that you manage, or into a secured virtual hub in Azure Virtual WAN, where Azure Firewall Manager manages the hub for you. It is offered in Basic, Standard and Premium tiers; the Premium tier adds TLS inspection and URL filtering.

Key Features

Network Rule Processing

Filter traffic at Layer 3 and Layer 4: source and destination IP addresses (or IP groups, service tags and, with DNS proxy enabled, FQDNs), destination ports and protocol (TCP, UDP, ICMP or Any).

  • Allow or deny traffic based on source, destination, port and protocol.
  • Rules have no direction field: they apply to any flow routed through the firewall, so exposing an internal resource to the internet is done with a DNAT rule, not a network rule.
  • Priority is set on the rule collection (and, in a firewall policy, on the rule collection group), not on individual rules; lower numbers are processed first, and the first matching rule terminates processing.
  • Outbound traffic matched by a network rule is SNATed to one of the firewall's public IP addresses when the destination is outside the private address ranges (see NAT Support).
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "AllowWebOutbound",
  "priority": 200,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "NetworkRule",
      "name": "AllowOutboundHttp",
      "ipProtocols": ["TCP"],
      "sourceAddresses": ["*"],
      "destinationAddresses": ["*"],
      "destinationPorts": ["80", "443"]
    }
  ]
}

This is the shape of a firewall policy rule collection: the action and priority belong to the collection, the rule itself carries only the match fields. Narrow the wildcard source to the subnets that actually need web egress before using it.

Application Rule Processing

Filter outbound and east-west HTTP, HTTPS and MSSQL traffic at Layer 7 by fully qualified domain name (FQDN). For HTTPS the FQDN is taken from the TLS Server Name Indication (SNI) unless TLS inspection is enabled, so the rule matches the name the client asked for, not the destination IP address. Application rules are evaluated only when no network rule matched the flow; a network rule that allows TCP 443 to any destination makes the FQDN restrictions in your application rules irrelevant for that traffic.

  • Filter by custom FQDNs (wildcards such as *.contoso.com are supported) or by FQDN tags such as WindowsUpdate.
  • Filter by web category (for example Social networking) at the category level in the Standard tier, and down to the URL level in the Premium tier.
  • TLS inspection (Premium tier) decrypts the session so full URLs and payloads can be inspected; it is switched on per rule with terminateTLS once a CA certificate is configured on the policy.
  • Each rule names exactly one destination type: targetFqdns, fqdnTags, webCategories or targetUrls.
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "AllowSocialMedia",
  "priority": 100,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "ApplicationRule",
      "name": "AllowSocialFqdns",
      "sourceAddresses": ["*"],
      "protocols": [
        { "protocolType": "Http", "port": 80 },
        { "protocolType": "Https", "port": 443 }
      ],
      "targetFqdns": ["*.facebook.com", "*.twitter.com"]
    }
  ]
}

A rule for the "Social networking" web category would be a second rule in the same collection with webCategories in place of targetFqdns; a single rule cannot carry both.

Threat Intelligence-Based Filtering

Filter traffic against Microsoft's threat intelligence feed of known malicious IP addresses and domains. The check runs before NAT, network and application rules, so in Alert and deny mode a hit is dropped even if a rule would have allowed it.

  • Modes: Off, Alert only (the default: log the hit, then continue to rule processing) and Alert and deny.
  • Allowlist IP addresses and FQDNs that must never be flagged (for example a partner endpoint that appears in the feed). There is no custom block list; indicators you want blocked in addition to the feed go into deny rules.
  • Hits are logged with the matching indicator description (the AZFWThreatIntel table when structured logs are enabled).
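The interaction between the three sections above (network rules, application rules and threat intelligence) is easiest to see by running the page's two rules through a small simulator. The following Python is an added example and not Microsoft code: it models the documented evaluation order (threat intelligence first, then DNAT, network and application rules, each in rule collection group and rule collection priority order, first match wins, unmatched traffic dropped) using the ARM property names from the JSON above. The Flow type, the constructed threat feed, the DNAT rule, the rule collection group names and the subdomain-only wildcard handling are this example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass

RULE_TYPE_ORDER = {"NatRule": 0, "NetworkRule": 1, "ApplicationRule": 2}   # processed in this order
THREAT_FEED = frozenset({"192.0.2.66", "203.0.113.10"})   # constructed stand-in for Microsoft's feed

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str = "TCP"
    fqdn: str = ""   # SNI / Host header; only present for HTTP(S)

def _ip_match(entries, ip):
    for e in entries:
        if e == "*" or e == ip:
            return True
        if "/" in e and ipaddress.ip_address(ip) in ipaddress.ip_network(e, strict=False):
            return True
    return False

def _port_match(entries, port):
    for e in entries:
        lo, _, hi = e.partition("-")
        if e == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _fqdn_match(patterns, fqdn):
    # Simplification: "*.example.com" matches subdomains only, not the apex name.
    f = fqdn.lower().rstrip(".")
    return bool(f) and any(p == "*" or p.lower() == f or (p.startswith("*.") and f.endswith(p[1:].lower()))
                           for p in patterns)

def _rule_matches(rule, flow):
    if not _ip_match(rule.get("sourceAddresses", []), flow.src_ip):
        return False
    if rule["ruleType"] in ("NatRule", "NetworkRule"):
        return ((flow.protocol in rule["ipProtocols"] or "Any" in rule["ipProtocols"])
                and _ip_match(rule["destinationAddresses"], flow.dst_ip)
                and _port_match(rule["destinationPorts"], flow.dst_port))
    # ApplicationRule: HTTP/HTTPS only, matched on the FQDN (SNI/Host), never on the IP.
    return (any(p["port"] == flow.dst_port for p in rule["protocols"])
            and _fqdn_match(rule.get("targetFqdns", []), flow.fqdn))

def evaluate(policy, flow, threat_feed=THREAT_FEED):
    """Return (action, reason) for one flow traversing the policy."""
    wl = policy.get("threatIntelWhitelist", {})
    hit = flow.dst_ip in threat_feed or flow.fqdn in threat_feed
    exempt = flow.dst_ip in wl.get("ipAddresses", []) or flow.fqdn in wl.get("fqdns", [])
    if policy.get("threatIntelMode") == "Deny" and hit and not exempt:
        return "Deny", "ThreatIntel"   # checked before any rule; Alert mode would log and continue
    ordered = [(RULE_TYPE_ORDER[r["ruleType"]], g["priority"], c["priority"], c, r)
               for g in policy["ruleCollectionGroups"] for c in g["ruleCollections"] for r in c["rules"]]
    ordered.sort(key=lambda t: t[:3])   # rule type first, then group priority, then collection priority
    for _, _, _, coll, rule in ordered:
        if _rule_matches(rule, flow):
            if rule["ruleType"] == "NatRule":
                return "Dnat", f"{coll['name']}/{rule['name']} -> {rule['translatedAddress']}:{rule['translatedPort']}"
            return coll["action"]["type"], f"{coll['name']}/{rule['name']}"
    return "Deny", "NoRuleMatched"   # implicit deny

def _group(name, priority, coll_name, coll_priority, action, rules):
    """A rule collection group holding one rule collection, in the ARM shape."""
    kind = "FirewallPolicyNatRuleCollection" if action == "Dnat" else "FirewallPolicyFilterRuleCollection"
    return {"name": name, "priority": priority, "ruleCollections": [{"ruleCollectionType": kind,
            "name": coll_name, "priority": coll_priority, "action": {"type": action}, "rules": rules}]}

def page_policy(with_network_rule=True):
    """The page's network and application rules plus an assumed DNAT rule, as one firewall policy."""
    net = [{"ruleType": "NetworkRule", "name": "AllowOutboundHttp", "ipProtocols": ["TCP"],
            "sourceAddresses": ["*"], "destinationAddresses": ["*"], "destinationPorts": ["80", "443"]}]
    app = [{"ruleType": "ApplicationRule", "name": "AllowSocialFqdns", "sourceAddresses": ["*"],
            "protocols": [{"protocolType": "Http", "port": 80}, {"protocolType": "Https", "port": 443}],
            "targetFqdns": ["*.facebook.com", "*.twitter.com"]}]
    nat = [{"ruleType": "NatRule", "name": "WebToVm", "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
            "destinationAddresses": ["198.51.100.5"], "destinationPorts": ["443"],
            "translatedAddress": "10.0.1.4", "translatedPort": "8443"}]
    # The application group has the lowest priority number, yet rule type still decides the order.
    return {"threatIntelMode": "Deny", "threatIntelWhitelist": {"ipAddresses": ["203.0.113.10"], "fqdns": []},
            "ruleCollectionGroups": [_group("App", 100, "AllowSocialMedia", 100, "Allow", app),
                                     _group("Net", 200, "AllowWebOutbound", 200, "Allow", net if with_network_rule else []),
                                     _group("Nat", 300, "InboundWeb", 300, "Dnat", nat)]}

def demo():
    """Same unknown FQDN on 443: the broad network rule allows it before the FQDN rule is ever consulted."""
    unknown = Flow("10.0.0.4", "192.0.2.50", 443, fqdn="exfil.example")
    return {"with_network_rule": evaluate(page_policy(True), unknown),
            "without_network_rule": evaluate(page_policy(False), unknown),
            "facebook_without_network_rule": evaluate(page_policy(False), Flow("10.0.0.4", "157.240.1.35", 443, fqdn="www.facebook.com")),
            "threat_intel_hit": evaluate(page_policy(True), Flow("10.0.0.4", "192.0.2.66", 443)),
            "threat_intel_allowlisted": evaluate(page_policy(True), Flow("10.0.0.4", "203.0.113.10", 443)),
            "inbound_dnat": evaluate(page_policy(True), Flow("198.51.100.77", "198.51.100.5", 443))}
```

Running demo() shows the point that is easy to miss when reading the two rule examples in isolation: with AllowOutboundHttp in place, an HTTPS connection to an unknown FQDN is allowed by the network rule and the AllowSocialMedia FQDN list is never consulted, even though the application collection has the lower priority number. Removing (or narrowing) the network rule makes the same connection fall through to the application rules and be dropped by the implicit deny, while www.facebook.com is still allowed. The two threat intelligence cases show a feed hit dropped before any rule runs and an allowlisted address passing through to the rules, and the DNAT case shows NAT rules matched ahead of everything else.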

Centralized Logging and Monitoring

Azure Firewall writes diagnostic logs for network rules, application rules, DNAT rules, DNS proxy and threat intelligence hits, plus metrics such as throughput, firewall health state and SNAT port utilization. Send them to Azure Monitor (Log Analytics), a storage account or an event hub, and query them with KQL or ingest them into Microsoft Sentinel.

  • With structured logs enabled, events land in resource-specific tables (AZFWNetworkRule, AZFWApplicationRule, AZFWNatRule, AZFWThreatIntel, AZFWDnsQuery and others) with typed columns such as SourceIp, DestinationPort, Action and Rule, which are far easier to query than the legacy AzureDiagnostics msg_s string.
  • Alert on metrics: a health state below 100% and SNAT port utilization approaching 95% both indicate capacity problems before users see failures.
  • Use the rule logs to find rules that never match (candidates for removal) and catch-all rules that match almost everything (candidates for tightening).
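As an added example (not from the page or from Microsoft), the following Python runs two checks over records shaped like the AZFWNetworkRule table: a sliding-window port-scan heuristic over denied flows, and rule hit counts for spotting unused or catch-all rules. The records are constructed here; the field names follow the structured log schema, and the window and threshold are starting points to tune against your own traffic.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def _rec(ts, src, dst, port, action, coll="", rule="", proto="TCP"):
    """One record with the AZFWNetworkRule column names used below (constructed)."""
    return {"TimeGenerated": ts.isoformat(), "Protocol": proto, "SourceIp": src,
            "SourcePort": "50000", "DestinationIp": dst, "DestinationPort": str(port),
            "Action": action, "RuleCollection": coll, "Rule": rule}

BASE = datetime(2024, 5, 1, 12, 0, 0)
# Constructed sample: 10.0.2.9 probes ten ports on 10.0.1.4 within 30 s (all dropped by the
# implicit deny, so RuleCollection/Rule are empty); 10.0.0.4 browses normally and trips one RDP deny.
SAMPLE_LOGS = (
    [_rec(BASE + timedelta(seconds=3 * i), "10.0.2.9", "10.0.1.4", p, "Deny")
     for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445])]
    + [_rec(BASE + timedelta(minutes=m), "10.0.0.4", "13.107.42.14", 443, "Allow",
            "AllowWebOutbound", "AllowOutboundHttp") for m in range(5)]
    + [_rec(BASE + timedelta(minutes=7), "10.0.0.4", "10.0.1.4", 3389, "Deny")]
)

def detect_port_scans(records, window=timedelta(seconds=60), min_targets=8):
    """Flag sources whose denied flows reach >= min_targets distinct ip:port pairs inside one window."""
    denies = defaultdict(list)
    for r in records:
        if r["Action"] == "Deny":
            denies[r["SourceIp"]].append((datetime.fromisoformat(r["TimeGenerated"]),
                                          r["DestinationIp"], int(r["DestinationPort"])))
    findings = []
    for src, events in denies.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            targets = {(ip, port) for _, ip, port in events[start:end + 1]}
            if len(targets) >= min_targets and (best is None or len(targets) > best["distinct_targets"]):
                best = {"SourceIp": src, "distinct_targets": len(targets),
                        "first": events[start][0].isoformat(), "last": events[end][0].isoformat()}
        if best:
            findings.append(best)
    return findings

def rule_hit_counts(records):
    """Flows per (Action, RuleCollection, Rule): rules that never fire are pruning candidates,
    and a catch-all rule that accounts for most allows is a candidate for tightening."""
    return Counter((r["Action"], r["RuleCollection"], r["Rule"]) for r in records)

if __name__ == "__main__":
    for finding in detect_port_scans(SAMPLE_LOGS):
        print("possible scan:", finding)
    for key, n in rule_hit_counts(SAMPLE_LOGS).most_common():
        print(n, key)
```

The same scan check expressed in Log Analytics is `AZFWNetworkRule | where Action == "Deny" | summarize dcount(strcat(DestinationIp, ":", DestinationPort)) by SourceIp, bin(TimeGenerated, 1m)`, filtered on the count; the Python version is useful for exported logs and for testing thresholds offline before wiring the query into a Sentinel analytics rule.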

High Availability and Scalability

Azure Firewall runs as a managed, auto-scaling set of instances behind an internal load balancer; you never patch, resize or fail over instances yourself.

  • No single point of failure within a region; deploying into two or more Availability Zones raises the SLA from 99.95% to 99.99%.
  • Zone redundancy is chosen at deployment time and requires a zone-redundant Standard SKU public IP address.
  • Scaling is automatic based on load (CPU and throughput), and each extra instance also brings its own share of SNAT ports.

NAT Support

Supports Destination Network Address Translation (DNAT) for inbound traffic and Source Network Address Translation (SNAT) for outbound traffic.

  • DNAT: a NAT rule collection translates traffic arriving at one of the firewall's public IP addresses and ports to a private IP address and port inside the VNet. Matching traffic is implicitly allowed, so no separate network rule is needed, and DNAT rules are processed before network and application rules.
  • SNAT: by default, outbound traffic to destinations outside the RFC 1918 private ranges is translated to one of the firewall's public IP addresses; the private-range list can be customized so that, for example, traffic to on-premises ranges that use public address space is not SNATed.
  • Each public IP address provides a fixed number of SNAT ports per firewall instance; attach several public IP addresses (or an Azure NAT Gateway) to the firewall subnet when outbound connection counts are high, to avoid SNAT port exhaustion.

Advanced Capabilities

Additional capabilities for security and network management:

  • TLS Inspection (Premium tier): decrypt outbound and east-west HTTPS, inspect it, and re-encrypt it toward the destination. Requires an intermediate CA certificate held in Azure Key Vault that your clients trust. Inbound TLS inspection is not supported; put Application Gateway with WAF in front of the firewall for that.
  • IP address management: the firewall uses one or more static Standard SKU public IP addresses, so outbound traffic presents predictable source addresses to partners that allowlist by IP.
  • Private IP address: the firewall's single private IP address is the next hop for user-defined routes (0.0.0.0/0 or specific prefixes) that force VNet-to-VNet and VNet-to-internet traffic through it.
  • Azure Firewall Manager: central management of multiple firewalls and secured hubs with hierarchical firewall policies (a parent policy carrying organization-wide rules, child policies per team or region).

Getting Started

To learn more about deploying and configuring Azure Firewall, refer to the official Azure documentation:

Azure Firewall Documentation

Deploy Azure Firewall using PowerShell