Azure Firewall Policies
Azure Firewall policies (resource type Microsoft.Network/firewallPolicies) provide a centralized way to manage firewall rules across multiple Azure Firewall instances. A policy is a separate resource from the firewall itself: you define a set of rules (Network, Application, DNAT) in the policy and associate it with one or more Firewall instances, and a policy can inherit rules from a parent (base) policy. This keeps rule sets consistent across environments and gives you a single object to review and audit.
Key Concepts
- Policies: The top-level object that contains rule collection groups and the policy-wide settings (threat intelligence mode, DNS settings, TLS inspection).
- Rule Collection Groups: A logical grouping of rule collections. Each group is assigned a priority in the range 100-65000; lower numbers are evaluated first.
- Rule Collections: A collection of rules of a single type (Network, Application, or DNAT) sharing a single action (Allow or Deny for network and application collections, DNAT for NAT collections). Each collection also has a priority within its group.
- Rules: The individual directives that define what traffic is allowed, denied, or translated.
  - Network Rules: Filter traffic based on source and destination IP addresses (or IP Groups), destination ports, and protocols (TCP, UDP, ICMP, Any). The destination can be an FQDN when DNS proxy is enabled.
  - Application Rules: Filter outbound HTTP, HTTPS, and MSSQL traffic based on target FQDNs, FQDN tags, or web categories, together with the protocol and port.
  - DNAT Rules: Translate the destination (the firewall's public IP address and port) of inbound traffic to a private IP address and port behind the firewall.
Note that the rule type, not the priority, decides the overall order of evaluation: DNAT rules are processed first, then network rules, then application rules, regardless of rule collection group or rule collection priority. Priorities only order collections of the same type. Threat intelligence filtering, when enabled, runs before any rule is evaluated.
Creating and Managing Firewall Policies
Using the Azure Portal
A firewall policy is its own resource, so you create and edit it in the portal under 'Firewall Policies' (or through Azure Firewall Manager), adding rule collection groups, rule collections, and rules beneath the policy. The Azure Firewall resource itself only shows which policy it is associated with; the rules are edited on the policy, not on the firewall.
Using Azure CLI
The Azure CLI provides commands for managing firewall policies programmatically. The `az network firewall` command group lives in the azure-firewall extension; install it once with `az extension add --name azure-firewall`.
Create a new firewall policy:
az network firewall policy create --name MyFirewallPolicy --resource-group MyResourceGroup --location westus
Add a network rule collection to a policy. Rule collections live inside a rule collection group, so the group is created first; the group and collection names below are placeholders, and the "*" destination is quoted so the shell does not expand it (it also matches every destination, so narrow it where you can):
az network firewall policy rule-collection-group create \
  --name DefaultNetworkRuleCollectionGroup \
  --policy-name MyFirewallPolicy \
  --resource-group MyResourceGroup \
  --priority 200

az network firewall policy rule-collection-group collection add-filter-collection \
  --policy-name MyFirewallPolicy \
  --resource-group MyResourceGroup \
  --rcg-name DefaultNetworkRuleCollectionGroup \
  --name AllowWebTraffic \
  --collection-priority 200 \
  --action Allow \
  --rule-type NetworkRule \
  --rule-name AllowHTTP \
  --ip-protocols TCP \
  --source-addresses 10.0.0.0/16 \
  --destination-addresses "*" \
  --destination-ports 80
Network rules match on addresses, ports, and protocols; target FQDNs belong to application rules (--rule-type ApplicationRule with --target-fqdns), and a network rule that names an FQDN uses --destination-fqdns and requires DNS proxy to be enabled on the policy.
Associate a policy with an Azure Firewall. A firewall can be associated with only one policy, and a firewall that still uses classic rules cannot be switched directly: migrate its classic rules into a policy first, then associate the policy.
az network firewall update \
  --name MyAzureFirewall \
  --resource-group MyResourceGroup \
  --firewall-policy MyFirewallPolicy
Best Practices
- Use the least privilege principle: Azure Firewall denies traffic that no rule allows, so keep that default and add narrowly scoped Allow rules. Avoid "*" for source, destination, and port on the same rule, and prefer IP Groups and specific FQDNs over wildcards.
- Organize rules logically: Use rule collection groups and descriptive names for clarity, and remember that DNAT, network, and application rules are evaluated in that fixed order before priorities are considered, so a high-priority application collection never pre-empts a network rule.
- Leverage FQDN tags: Tags such as WindowsUpdate and AzureBackup cover commonly used Microsoft service endpoints in a single application rule, which avoids maintaining long FQDN lists by hand.
- Implement Threat Intelligence: Enable threat intelligence-based filtering in "Alert and deny" mode where possible; it runs before your rules and blocks traffic to and from known malicious IP addresses and domains.
- Regularly review and audit: Send the firewall's application and network rule logs to a Log Analytics workspace, review which rules actually match traffic, and remove or tighten rules that are unused or over-broad so policies remain effective and aligned with security requirements.
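The two ideas above that bite most often in practice are the fixed evaluation order described under Key Concepts (DNAT, then network, then application, with priorities only ordering collections of the same type) and the least-privilege review in the best practices. The script below is an added example, not Microsoft's tooling or part of this page originally. It works offline on the JSON shape returned by `az network firewall policy rule-collection-group list` (the ARM ruleCollectionGroups representation); the group, collection, and rule names and the addresses in the sample are constructed for the example, and the checks are this example's own choice of what counts as over-broad.

```python
"""Offline audit of exported Azure Firewall Policy rule collection groups.

Added example (not Microsoft's code). It reads the JSON array produced by
`az network firewall policy rule-collection-group list` and answers two
questions a reviewer asks: in what order will the firewall actually evaluate
these collections, and which Allow rules are wildcard-broad?
"""
import json

# Constructed sample export: two groups. AppGroup has the numerically lower
# (i.e. higher) priority, but its application rules are still evaluated last.
SAMPLE_GROUPS_JSON = r'''[
  {"name": "AppGroup", "priority": 100, "ruleCollections": [
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "AllowAllWeb",
     "priority": 100, "action": {"type": "Allow"}, "rules": [
       {"ruleType": "ApplicationRule", "name": "AnyFqdn", "sourceAddresses": ["*"],
        "targetFqdns": ["*"], "protocols": [{"protocolType": "Https", "port": 443}]}]}]},
  {"name": "NetGroup", "priority": 200, "ruleCollections": [
    {"ruleCollectionType": "FirewallPolicyNatRuleCollection", "name": "InboundRdp",
     "priority": 100, "action": {"type": "DNAT"}, "rules": [
       {"ruleType": "NatRule", "name": "RdpToJump", "ipProtocols": ["TCP"],
        "sourceAddresses": ["203.0.113.10"], "destinationAddresses": ["198.51.100.4"],
        "destinationPorts": ["3389"], "translatedAddress": "10.0.1.4", "translatedPort": "3389"}]},
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "AllowWebTraffic",
     "priority": 200, "action": {"type": "Allow"}, "rules": [
       {"ruleType": "NetworkRule", "name": "AllowHTTP", "ipProtocols": ["TCP"],
        "sourceAddresses": ["10.0.0.0/16"], "destinationAddresses": ["*"], "destinationPorts": ["80"]},
       {"ruleType": "NetworkRule", "name": "AnyAny", "ipProtocols": ["Any"],
        "sourceAddresses": ["*"], "destinationAddresses": ["*"], "destinationPorts": ["*"]}]}]}
]'''

# Azure Firewall evaluates rule types in this fixed order; group and collection
# priorities only order collections of the same type relative to each other.
TYPE_ORDER = {"NatRule": 0, "NetworkRule": 1, "ApplicationRule": 2}


def load_groups(text):
    """Parse the JSON array produced by `az ... rule-collection-group list`."""
    return json.loads(text)


def evaluation_order(groups):
    """Return (rule type, group name, collection name) in evaluation order:
    by rule type, then group priority, then collection priority (lower first).
    Empty collections are skipped because they match nothing."""
    entries = []
    for group in groups:
        for coll in group["ruleCollections"]:
            if not coll.get("rules"):
                continue
            rule_type = coll["rules"][0]["ruleType"]  # a collection holds one rule type
            entries.append((TYPE_ORDER[rule_type], group["priority"], coll["priority"],
                            rule_type, group["name"], coll["name"]))
    entries.sort()
    return [(t, g, c) for _, _, _, t, g, c in entries]


def _has_wildcard(values):
    return any(v == "*" for v in values)


def find_overbroad_allows(groups):
    """Flag Allow rules that permit any source to any destination, or any port.
    Returns (group, collection, rule, reason) tuples; an empty list is a pass."""
    findings = []
    for group in groups:
        for coll in group["ruleCollections"]:
            if coll.get("action", {}).get("type") != "Allow":
                continue  # Deny and DNAT collections are out of scope for this check
            for rule in coll.get("rules", []):
                src_any = _has_wildcard(rule.get("sourceAddresses", []))
                if rule["ruleType"] == "NetworkRule":
                    dst_any = _has_wildcard(rule.get("destinationAddresses", []))
                    port_any = _has_wildcard(rule.get("destinationPorts", []))
                else:  # ApplicationRule: the destination is the target FQDN list
                    dst_any = _has_wildcard(rule.get("targetFqdns", []))
                    port_any = False
                reasons = []
                if src_any and dst_any:
                    reasons.append("any source to any destination")
                if port_any:
                    reasons.append("any port")
                if reasons:
                    findings.append((group["name"], coll["name"], rule["name"],
                                     "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    groups = load_groups(SAMPLE_GROUPS_JSON)
    print("Evaluation order:")
    for rule_type, group, coll in evaluation_order(groups):
        print(f"  {rule_type:15} {group}/{coll}")
    print("Over-broad Allow rules:")
    for finding in find_overbroad_allows(groups):
        print("  %s/%s/%s: %s" % finding)
```

To run it against a real policy, replace the constructed sample with the output of `az network firewall policy rule-collection-group list --policy-name <policy> --resource-group <rg> -o json`. Note that the sample's AllowHTTP rule (a /16 source to any destination on port 80) is not flagged: it mirrors the CLI example above and is broad but bounded on one side, so whether it passes is a judgement you should encode in your own thresholds.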
API Reference
For programmatic management outside the CLI, the REST API, ARM templates, and Bicep expose the same objects: the policy as Microsoft.Network/firewallPolicies and each group as the child resource Microsoft.Network/firewallPolicies/ruleCollectionGroups, whose ruleCollections carry the rules with their ruleType (NetworkRule, ApplicationRule, or NatRule). See the Azure REST API reference for the full schema.