Azure Documentation

Azure Firewall Overview

Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and cloud scalability.

Key Benefits:

  • Built-in High Availability and Scalability: Azure Firewall is deployed as a highly available service.
  • Stateful Firewall as a Service: Azure Firewall inspects traffic and logs it.
  • Threat Intelligence-Based Filtering: Protects against known exploits by blocking traffic to and from malicious IP addresses, domains, and URLs.
  • Centralized Management: Define, enforce, and log your security policies across subscriptions and virtual networks.
  • Advanced Network Features: Supports network and application FQDN filtering, threat intelligence, and more.

Core Components and Features

Azure Firewall provides several key features to secure your network:

  • Network Rules: Allow or deny traffic based on IP address, port, and protocol. This is useful for securing access to specific services.
  • Application Rules: Allow or deny traffic to FQDNs (Fully Qualified Domain Names) based on web filtering. This offers more granular control over web access.
  • Threat Intelligence-Based Filtering: Integrates with Microsoft's Threat Intelligence feed to automatically block malicious IPs and domains, protecting your resources from known threats.
  • SNAT and DNAT Support: Azure Firewall supports Source Network Address Translation (SNAT) for outbound traffic and Destination Network Address Translation (DNAT) for inbound traffic.
  • TLS Inspection: Enables decryption and inspection of outbound TLS traffic for threats.
  • Centralized Logging and Analytics: Integrates with Azure Monitor and Log Analytics for comprehensive logging and analysis of network traffic and firewall events.
[Conceptual Diagram Placeholder: Azure Firewall in a Hub-and-Spoke Network Topology]

Imagine a diagram here showing Azure Firewall deployed in a central hub network, inspecting traffic flowing between spoke VNet subnets, on-premises networks, and the internet.

Deployment Scenarios

Azure Firewall can be deployed in various scenarios:

  • Hub-and-Spoke Networks: Azure Firewall is typically deployed in a central hub VNet and traffic is routed through it from spoke VNets.
  • Securing Workloads: Protects virtual machines and other Azure resources within your VNets.
  • Hybrid Connectivity: Secures traffic between your on-premises network and Azure resources.

Key Concepts

Firewall Policies

Firewall policies are the primary way to manage your Azure Firewall rules. They allow you to define a collection of network rules, application rules, and threat intelligence settings in a centralized manner.

Rule Collections

Rule collections are containers for rules within a firewall policy. They are processed in order, and the first matching rule determines the action taken.

Network Rules vs. Application Rules

Network rules operate at Layer 3 (IP addresses, ports) and are suitable for controlling traffic to and from infrastructure services. Application rules operate at Layer 7 (FQDNs, HTTP/HTTPS) and are ideal for controlling web traffic.

Threat Intelligence

This feature leverages Microsoft's extensive threat intelligence data to automatically block connections to and from known malicious IP addresses and URLs. It can be configured to enforce deny or allow lists.

Getting Started

To deploy and configure Azure Firewall, you can use the Azure portal, Azure PowerShell, Azure CLI, or ARM templates.

Here's a simplified example of creating a network rule collection using Azure CLI:


az network firewall network-rule-collection create \
    --collection-name AllowWebTraffic \
    --firewall-name MyFirewall \
    --name MyResourceGroup \
    --priority 200 \
    --rule-type NetworkRule \
    --action Allow \
    --rules \
        '{
            "name": "AllowHTTP",
            "protocols": [ "TCP" ],
            "sourceAddresses": [ "*" ],
            "destinationAddresses": [ "*" ],
            "destinationPorts": [ "80", "443" ]
        }'

Conclusion

Azure Firewall provides a robust and scalable solution for securing your Azure network infrastructure. By centralizing your firewall policies and leveraging advanced features like threat intelligence, you can significantly enhance your organization's security posture.

For more detailed information and configuration guides, please refer to the official Azure Firewall documentation.