Azure Firewall Networking
This document covers the core networking concepts and configurations related to Azure Firewall.
Network Design Considerations
Designing your network for Azure Firewall is crucial for security and performance. Key considerations include:
- Hub-and-spoke topology: Azure Firewall is often deployed in a central hub network, with spokes containing your workloads.
- Routing: Proper User Defined Routes (UDRs) are essential to force traffic through the firewall.
- Network Security Groups (NSGs): NSGs are used to control traffic at the subnet level, complementing firewall rules.
- IP addressing: Plan your IP address ranges to avoid conflicts and facilitate efficient rule creation.
Forcing Traffic Through Azure Firewall
To ensure all traffic from your virtual networks is inspected by Azure Firewall, you must configure User Defined Routes (UDRs). This involves:
- Creating a route table.
- Associating the route table with the subnets that should have their traffic directed through the firewall.
- Adding routes to the route table:
  - A default route (0.0.0.0/0) pointing to the Azure Firewall's private IP address as the next hop for internet-bound traffic.
  - Routes for traffic destined to other virtual networks or on-premises networks, also pointing to the Azure Firewall.
Important: Do not apply NSGs to the Azure Firewall subnet itself. NSGs on other subnets should allow traffic to and from the firewall.
Firewall Subnet and IP Address
Azure Firewall requires a dedicated subnet named AzureFirewallSubnet. This subnet must have a /26 or larger address prefix.
# Example subnet configuration
ResourceGroup: MyResourceGroup
VNet: MyVNet
SubnetName: AzureFirewallSubnet
AddressPrefix: 10.0.1.0/26
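Added example (not from this page or from Azure's own tooling): a small Python helper that builds the spoke route table entries described in the UDR steps above, using ARM-style route properties (addressPrefix, nextHopType VirtualAppliance, nextHopIpAddress), and sanity-checks the AzureFirewallSubnet design against the /26 requirement and the rule that the firewall subnet itself must not carry the route table. The firewall private IP 10.0.1.4 and the remote prefixes are assumed values chosen to match the example subnet above.

```python
import ipaddress

FIREWALL_SUBNET = "AzureFirewallSubnet"

def validate_firewall_subnet(prefix: str, firewall_private_ip: str) -> list:
    """Return a list of design problems for AzureFirewallSubnet (empty list == OK).
    Checks that the prefix is /26 or larger and that the firewall's private IP
    (which Azure allocates from this subnet) actually lies inside it."""
    problems = []
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen > 26:
        problems.append(f"{FIREWALL_SUBNET} prefix {prefix} is smaller than /26")
    if ipaddress.ip_address(firewall_private_ip) not in net:
        problems.append(f"firewall private IP {firewall_private_ip} is not inside {prefix}")
    return problems

def build_routes(firewall_private_ip: str, remote_prefixes=()) -> list:
    """Build the routes for a spoke subnet's route table: a 0.0.0.0/0 default route
    plus one route per other-VNet or on-premises prefix, all next-hopping to the
    firewall's private IP. Property names follow the ARM routeTables schema."""
    ipaddress.ip_address(firewall_private_ip)  # raises ValueError on a malformed address
    routes = [{"name": "default-via-firewall", "addressPrefix": "0.0.0.0/0",
               "nextHopType": "VirtualAppliance", "nextHopIpAddress": firewall_private_ip}]
    for prefix in remote_prefixes:
        ipaddress.ip_network(prefix, strict=True)  # reject host bits set / bad prefixes
        routes.append({"name": "to-" + prefix.replace("/", "-").replace(".", "-"),
                       "addressPrefix": prefix, "nextHopType": "VirtualAppliance",
                       "nextHopIpAddress": firewall_private_ip})
    return routes

def check_associations(subnets_with_route_table) -> list:
    """Return the subnets that must NOT carry the UDR table: AzureFirewallSubnet itself."""
    return [s for s in subnets_with_route_table if s == FIREWALL_SUBNET]

if __name__ == "__main__":
    # Constructed sample values: the page's example subnet 10.0.1.0/26, an assumed
    # firewall private IP of 10.0.1.4, and two assumed remote (spoke / on-prem) prefixes.
    print(validate_firewall_subnet("10.0.1.0/26", "10.0.1.4"))  # []
    for r in build_routes("10.0.1.4", ["10.1.0.0/16", "192.168.0.0/16"]):
        print(r["addressPrefix"], "->", r["nextHopType"], r["nextHopIpAddress"])
    print(check_associations(["workload-subnet", "AzureFirewallSubnet"]))  # ['AzureFirewallSubnet']
```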
Network Address Translation (NAT)
Azure Firewall performs Network Address Translation (NAT) for both inbound and outbound traffic. This includes:
- Source NAT (SNAT): Outbound traffic from private IP addresses is translated to the firewall's public IP address or a specified SNAT IP address.
- Destination NAT (DNAT): For inbound traffic, DNAT rules translate the public IP address and port to a private IP address and port within your VNet.
When configuring DNAT rules, ensure that the associated network security rules allow traffic to the destination IP and port.
Integration with Other Azure Services
Azure Firewall integrates seamlessly with other Azure networking services, including:
- Virtual WAN: For scalable, global connectivity.
- Azure Private Link: For secure access to PaaS services.
- Azure VPN Gateway and ExpressRoute: For hybrid connectivity.
Traffic Flow Scenarios
Outbound Internet Access
Traffic from workloads in spoke VNet subnets destined for the internet is routed to the firewall in AzureFirewallSubnet via UDRs. The firewall inspects this traffic and allows or denies it according to its network and application rules before forwarding permitted traffic to the internet.
Inbound Access from the Internet
Incoming traffic from the internet is directed to the Azure Firewall's public IP address. DNAT rules on the firewall translate the destination to a specific internal IP address and port within your VNet. Network security rules then allow or deny this traffic.
East-West Traffic (Inter-VNet)
Traffic between virtual machines in different VNets (e.g., from a spoke to another spoke, or spoke to hub) can also be routed through Azure Firewall. This requires UDRs in the source subnet's route table to direct traffic to the firewall, and appropriate firewall rules to permit the communication.