Azure Firewall Policy
Azure Firewall Policy is a modern way to manage firewall rules and settings centrally. It allows you to define, manage, and deploy firewall configurations across your Azure network securely and efficiently.
Policy Structure
An Azure Firewall Policy is composed of several key components that define its behavior:
- Rule Collections: Groupings of rules that are processed in a specific order.
- Network Rule Collections: Define rules for filtering network traffic based on IP addresses, ports, and protocols.
- Application Rule Collections: Define rules for filtering HTTP/S traffic based on FQDNs, FQDN tags, and application protocols.
- DNS Settings: Configure custom DNS servers for your firewall.
- IDPS Settings: Configure Intrusion Detection and Prevention System (IDPS) for advanced threat protection.
- Threat Intelligence: Enable and configure threat intelligence feeds.
Rule Collections
Rule collections provide a structured way to organize your firewall rules. They are evaluated in a specific order: Network Rule Collections first, followed by Application Rule Collections.
Network Rules
Network rules allow you to control network traffic based on Layer 3 and Layer 4 information. You can specify:
- Source IP addresses/ranges: The origin of the traffic.
- Destination IP addresses/ranges: The target of the traffic.
- Protocols: TCP, UDP, ICMP, or Any.
- Destination ports: Specific ports to allow or deny.
Example Network Rule Collection:
{
  "name": "AllowWebTraffic",
  "priority": 100,
  "action": {
    "type": "Allow"
  },
  "rules": [
    {
      "name": "AllowHTTPS",
      "protocols": ["TCP"],
      "sourceAddresses": ["10.0.0.0/16"],
      "destinationAddresses": ["*"],
      "destinationPorts": ["443"]
    }
  ]
}
Application Rules
Application rules provide more granular control over HTTP/S traffic by filtering on FQDNs (Fully Qualified Domain Names) and FQDN tags. You can specify:
- Source IP addresses/ranges: The origin of the traffic.
- Protocol: HTTP or HTTPS.
- Target FQDNs: Specific domain names to allow or deny.
- FQDN Tags: Predefined groups of FQDNs for common services (e.g., Windows Update, Azure Cloud).
- Web Categories: Block or allow access to categories of websites.
Example Application Rule Collection:
{
  "name": "AllowAzureServices",
  "priority": 200,
  "action": {
    "type": "Allow"
  },
  "rules": [
    {
      "name": "AllowWindowsUpdate",
      "protocols": [{"protocolType": "Http", "port": 80}, {"protocolType": "Https", "port": 443}],
      "sourceAddresses": ["10.1.1.0/24"],
      "targetFqdns": ["*.windowsupdate.com"]
    },
    {
      "name": "AllowOffice365",
      "protocols": [{"protocolType": "Http", "port": 80}, {"protocolType": "Https", "port": 443}],
      "sourceAddresses": ["10.1.1.0/24"],
      "fqdnTags": ["Office365"]
    }
  ]
}
DNS Settings
You can configure your Azure Firewall to use custom DNS servers, which is essential for resolving internal and external hostnames correctly. This can be set directly on the firewall policy.
IDPS Settings
Azure Firewall's Intrusion Detection and Prevention System (IDPS) provides advanced threat protection by inspecting traffic for malicious activity based on a curated threat intelligence feed. You can enable IDPS, configure threat intelligence feeds, and define custom rules.
Key IDPS features include:
- Signature-based detection: Identifies known malicious patterns.
- Network traffic analysis: Monitors traffic for suspicious behavior.
- Alerting and logging: Records detected threats for investigation.
Management
Azure Firewall Policies can be managed through the Azure portal, Azure CLI, Azure PowerShell, or ARM templates. Centralized management simplifies policy updates and ensures consistency across your deployments.
Consider using Azure Firewall Manager for managing firewall policies in complex, large-scale environments, especially those using hub-spoke architectures.
Best Practices
- Principle of Least Privilege: Grant only the necessary access. Deny by default.
- Use FQDN Tags and Web Categories: Simplify application rule management.
- Organize Rules Logically: Use descriptive names and prioritize rules effectively.
- Regularly Review Logs: Monitor firewall activity for anomalies and threats.
- Enable IDPS: Enhance security posture with threat detection capabilities.
- Leverage Azure Firewall Manager: For centralized policy management and scalability.
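As an added example (not code from this page or from Microsoft's tooling), a small Python check that applies the practices above to rule collections like the ones shown earlier: it reproduces the evaluation order the page describes and flags duplicate priorities and any-to-any Allow rules. The sample policy is constructed from the page's two examples plus one deliberately over-broad collection; the 100-65000 range is Azure's limit for rule collection priority.

```python
# Constructed sample policy: the page's two example collections plus a deliberately
# over-broad network collection so the checks have something to flag.
SAMPLE_POLICY = {
    "networkRuleCollections": [
        {"name": "AllowWebTraffic", "priority": 100, "action": {"type": "Allow"},
         "rules": [{"name": "AllowHTTPS", "protocols": ["TCP"], "sourceAddresses": ["10.0.0.0/16"],
                    "destinationAddresses": ["*"], "destinationPorts": ["443"]}]},
        {"name": "AllowAll", "priority": 100, "action": {"type": "Allow"},
         "rules": [{"name": "AnyAny", "protocols": ["Any"], "sourceAddresses": ["*"],
                    "destinationAddresses": ["*"], "destinationPorts": ["*"]}]},
    ],
    "applicationRuleCollections": [
        {"name": "AllowAzureServices", "priority": 200, "action": {"type": "Allow"},
         "rules": [{"name": "AllowWindowsUpdate", "sourceAddresses": ["10.1.1.0/24"],
                    "targetFqdns": ["*.windowsupdate.com"]}]},
    ],
}
NETWORK, APPLICATION = "networkRuleCollections", "applicationRuleCollections"

def evaluation_order(policy):
    """Collection names in page order: network first, then application; lower priority number first."""
    ordered = []
    for kind in (NETWORK, APPLICATION):
        ordered += [c["name"] for c in sorted(policy.get(kind, []), key=lambda c: c["priority"])]
    return ordered

def lint_policy(policy):
    """Findings that contradict the deny-by-default / least-privilege practices listed above."""
    findings, wild = [], lambda rule, key: "*" in rule.get(key, [])
    for kind in (NETWORK, APPLICATION):
        seen = {}  # priority -> collection name, checked per collection kind
        for coll in policy.get(kind, []):
            prio, name = coll["priority"], coll["name"]
            if not 100 <= prio <= 65000:  # Azure's allowed range for rule collection priority
                findings.append(f"{name}: priority {prio} outside the 100-65000 range")
            if prio in seen:
                findings.append(f"{name}: priority {prio} already used by {seen[prio]}")
            seen.setdefault(prio, name)
            if coll["action"]["type"] != "Allow":
                continue  # a Deny collection cannot over-grant access
            for rule in coll["rules"]:
                if kind == NETWORK and all(wild(rule, k) for k in
                        ("sourceAddresses", "destinationAddresses", "destinationPorts")):
                    findings.append(f"{name}/{rule['name']}: any-to-any network allow")
                elif kind == APPLICATION and wild(rule, "targetFqdns"):
                    findings.append(f"{name}/{rule['name']}: allows every FQDN")
    return findings
```

Run it against an exported policy (for instance the body returned by the Get Policy operation below) by loading the JSON and passing the rule collection lists in the same shape.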
Create or Update Policy
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}?api-version=2021-02-01
This operation creates or updates an Azure Firewall Policy.
Get Policy
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/firewallPolicies/{firewallPolicyName}?api-version=2021-02-01
This operation retrieves an Azure Firewall Policy.