Azure Firewall Security
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
This document provides comprehensive guidance on leveraging Azure Firewall for robust security in your Azure environment.
Key Features
- High Availability and Scalability: Built-in HA and cloud scalability ensure continuous protection.
- Stateful Firewall: Tracks the state of network traffic and makes decisions based on the context.
- Threat Intelligence-Based Filtering: Automatically allows or blocks traffic based on Microsoft's threat intelligence feeds.
- Network and Application Rule Processing: Supports both L3/L4 (network) and L7 (application) filtering.
- Centralized Policy Management: Define and manage firewall policies centrally across multiple Azure Firewall instances.
- VNet Integration: Protects resources within your virtual networks seamlessly.
- Outbound SNAT Support: Provides SNAT for all outbound traffic to the internet.
- Inbound DNAT Support: Translates destination network address for inbound traffic.
- Global VNet Peering Support.
Architecture Overview
Azure Firewall is deployed as a Virtual Network (VNet) resource, in a dedicated subnet that must be named AzureFirewallSubnet. Traffic from your spoke VNets and/or on-premises networks can be routed through the Azure Firewall for inspection and policy enforcement.
Traffic flow can be managed using User Defined Routes (UDRs) configured on your subnets to direct traffic to the Azure Firewall's private IP address.
Security Policies
Azure Firewall policies provide a centralized way to manage security rules that apply to multiple firewall instances. Policies consist of three rule collections:
- Network rule collections: Filter traffic to and from Azure resources based on IP addresses, ports, and protocols.
- Application rule collections: Filter traffic to fully qualified domain names (FQDNs) and FQDN tags.
- Network and Application rule collections (Threat Intelligence): Enable filtering based on Microsoft's Threat Intelligence feed.
A firewall policy is associated with an Azure Firewall resource. Rules within a policy are processed in priority order, where lower numbers indicate higher priority: a rule with priority 100 is evaluated before a rule with priority 200, and the first match decides the action.
Network Rules
Network rules operate at Layer 3 and Layer 4. They are used to allow or deny traffic based on:
- Source IP address(es)
- Source port(s)
- Destination IP address(es)
- Destination port(s)
- Protocol (TCP, UDP, ICMP, ANY)
Example Network Rule configuration:
{
  "ruleType": "NetworkRule",
  "name": "Allow_HTTP_HTTPS",
  "priority": 200,
  "sourceAddresses": ["10.0.1.0/24"],
  "destinationAddresses": ["*"],
  "destinationPorts": ["80", "443"],
  "ipProtocols": ["TCP"],
  "action": {
    "type": "Allow"
  }
}
Application Rules
Application rules operate at Layer 7 and are used to filter outbound HTTP and HTTPS traffic. They are based on:
- Source IP address(es)
- FQDN tags (e.g., WindowsUpdate, Microsoft365.Com)
- Fully Qualified Domain Names (FQDNs)
- Web categories (for Advanced Threat Protection)
Example Application Rule configuration:
{
  "ruleType": "ApplicationRule",
  "name": "Allow_Microsoft365",
  "priority": 210,
  "sourceAddresses": ["10.0.2.0/24"],
  "targetFqdns": ["*.microsoftonline.com"],
  "protocols": [{
    "protocolType": "Https",
    "port": 443
  }],
  "action": {
    "type": "Allow"
  }
}
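To make the processing order concrete, the following is an added example (not code from this page or from Microsoft) that models how the policy above would treat a handful of flows: threat-intelligence filtering is consulted first, then network rules in priority order, then application rules, and anything unmatched falls through to the implicit deny. It reuses the page's two example rules and adds a constructed higher-priority Deny rule and a constructed stand-in for the threat-intelligence feed; the evaluation logic is a deliberate simplification of the real service.

```python
"""Toy model of Azure Firewall rule processing (added example, not the product's code).

Order modelled: threat intelligence -> network rules -> application rules -> implicit deny.
Within each rule set the lowest priority number wins. Field names mirror the page's JSON.
"""
import fnmatch
import ipaddress

# The page's example network rule plus a constructed Deny rule with a higher priority
# (lower number) for part of the same subnet, to show that ordering matters.
NETWORK_RULES = [
    {"name": "Allow_HTTP_HTTPS", "priority": 200,
     "sourceAddresses": ["10.0.1.0/24"], "destinationAddresses": ["*"],
     "destinationPorts": ["80", "443"], "ipProtocols": ["TCP"], "action": "Allow"},
    {"name": "Deny_Test_Subnet_Web", "priority": 150,  # constructed for this example
     "sourceAddresses": ["10.0.1.128/25"], "destinationAddresses": ["*"],
     "destinationPorts": ["80", "443"], "ipProtocols": ["TCP"], "action": "Deny"},
]

# The page's example application rule; protocols are (type, port) pairs.
APPLICATION_RULES = [
    {"name": "Allow_Microsoft365", "priority": 210,
     "sourceAddresses": ["10.0.2.0/24"], "targetFqdns": ["*.microsoftonline.com"],
     "protocols": [("Https", 443)], "action": "Allow"},
]

# Constructed stand-in for Microsoft's threat-intelligence feed (documentation IP range).
THREAT_INTEL_IPS = {"198.51.100.7"}
THREAT_INTEL_MODE = "Deny"  # Alert | Deny | Off, as described on the page


def _addr_match(addr, patterns):
    """True if addr is covered by any CIDR/IP in patterns, or patterns contains '*'."""
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def _port_match(port, patterns):
    """Supports '*', single ports and 'lo-hi' ranges, as Azure Firewall port lists do."""
    for p in patterns:
        if p == "*":
            return True
        if "-" in p:
            lo, hi = p.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(p) == port:
            return True
    return False


def evaluate(flow):
    """flow: dict with src, dst, dport, proto and, for L7 traffic, fqdn.
    Returns (action, name_of_deciding_rule)."""
    # 1. Threat intelligence is checked before any rule collection.
    if THREAT_INTEL_MODE != "Off" and flow["dst"] in THREAT_INTEL_IPS:
        if THREAT_INTEL_MODE == "Deny":
            return "Deny", "ThreatIntel"
        # Alert mode would only log the hit and continue with rule evaluation.
    # 2. Network rules, lowest priority number first.
    for rule in sorted(NETWORK_RULES, key=lambda r: r["priority"]):
        if ((flow["proto"] in rule["ipProtocols"] or "Any" in rule["ipProtocols"])
                and _addr_match(flow["src"], rule["sourceAddresses"])
                and _addr_match(flow["dst"], rule["destinationAddresses"])
                and _port_match(flow["dport"], rule["destinationPorts"])):
            return rule["action"], rule["name"]
    # 3. Application rules, only for HTTP/HTTPS flows that carry an FQDN.
    if flow.get("fqdn"):
        for rule in sorted(APPLICATION_RULES, key=lambda r: r["priority"]):
            proto_ok = any(port == flow["dport"] for _, port in rule["protocols"])
            fqdn_ok = any(fnmatch.fnmatch(flow["fqdn"], t) for t in rule["targetFqdns"])
            if proto_ok and fqdn_ok and _addr_match(flow["src"], rule["sourceAddresses"]):
                return rule["action"], rule["name"]
    # 4. Nothing matched: Azure Firewall denies by default.
    return "Deny", "default"


if __name__ == "__main__":
    for f in [
        {"src": "10.0.1.10", "dst": "203.0.113.5", "dport": 443, "proto": "TCP"},
        {"src": "10.0.1.200", "dst": "203.0.113.5", "dport": 443, "proto": "TCP"},
        {"src": "10.0.2.5", "dst": "203.0.113.5", "dport": 443, "proto": "TCP",
         "fqdn": "login.microsoftonline.com"},
        {"src": "10.0.1.10", "dst": "198.51.100.7", "dport": 443, "proto": "TCP"},
        {"src": "10.0.3.9", "dst": "203.0.113.5", "dport": 22, "proto": "TCP"},
    ]:
        print(f, "->", evaluate(f))
```

The second flow is the instructive one: 10.0.1.200 is inside the Allow rule's 10.0.1.0/24, but the constructed Deny rule at priority 150 covers 10.0.1.128/25 and is evaluated first, so the flow is denied. The fourth flow shows that a threat-intelligence hit in Deny mode overrides an otherwise matching Allow rule.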
Threat Intelligence
Azure Firewall can leverage Microsoft's Threat Intelligence feed to identify and block malicious IP addresses and URLs. This is configured as a separate rule collection within your firewall policy.
You can set the action to Allow, Deny, or Audit for traffic matching the threat intelligence feed.
{
  "ruleType": "NetworkRule",
  "name": "Block_Malicious_IPs",
  "priority": 100,
  "direction": "Outbound",
  "ipProtocols": ["Any"],
  "sourceAddresses": ["*"],
  "destinationAddresses": ["*"],
  "threatIntelMode": "Deny",
  "action": {
    "type": "Deny"
  }
}
ThreatIntelMode can be set to Alert, Deny, or Off.
Logging and Monitoring
Azure Firewall logs provide valuable insights into traffic flows and security events. Logs can be sent to:
- Log Analytics Workspace
- Azure Storage Account
- Event Hubs
Key log categories include:
- AzureFirewallNetworkRule: Logs network rule traffic.
- AzureFirewallApplicationRule: Logs application rule traffic.
- AzureFirewallDns: Logs DNS requests.
- AzureFirewallThreatIntel: Logs threats identified by the threat intelligence feed.
Use Azure Monitor and Kusto Query Language (KQL) to analyze your firewall logs for security monitoring and troubleshooting.
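As an added example of the kind of analysis the logs support (not code from this page or from Microsoft), the following parses AzureFirewallNetworkRule message text and surfaces sources that repeatedly hit the implicit deny on several distinct destination ports, which is usually either a missing rule or a host trying ports the policy does not allow. The sample entries are constructed to resemble the message text of such records; the exact wording of real records varies by firewall version, so the regular expression treats the port and rule fields as optional.

```python
"""Parse constructed AzureFirewallNetworkRule-style messages and summarise them.

Added example; the log lines below are constructed, not captured from a real firewall.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOGS = [
    "TCP request from 10.0.1.10:51234 to 203.0.113.5:443. Action: Allow. Rule Collection: WebOut. Rule: Allow_HTTP_HTTPS",
    "TCP request from 10.0.1.200:51235 to 203.0.113.5:443. Action: Deny. Rule Collection: WebOut. Rule: Deny_Test_Subnet_Web",
    "TCP request from 10.0.3.9:40001 to 203.0.113.5:22. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 10.0.3.9:40002 to 203.0.113.5:23. Action: Deny. No rule matched. Proceeding with default action",
    "TCP request from 10.0.3.9:40003 to 203.0.113.5:3389. Action: Deny. No rule matched. Proceeding with default action",
    "UDP request from 10.0.2.5:53211 to 8.8.8.8:53. Action: Deny. No rule matched. Proceeding with default action",
    "ICMP request from 10.0.1.10 to 203.0.113.5. Action: Allow. Rule Collection: Diag. Rule: Allow_Ping",
]

# Ports are optional (ICMP has none); the trailing part is either a rule reference
# or the "No rule matched" default-action text.
LOG_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+)(?::(?P<sport>\d+))? "
    r"to (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\. Action: (?P<action>Allow|Deny)\."
    r"(?: Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"
    r"(?: (?P<default>No rule matched)\. Proceeding with default action)?$"
)


def parse(line):
    """Return a dict of fields for one message, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"]) if rec["sport"] else None
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    rec["default_deny"] = rec.pop("default") is not None
    return rec


def action_counts(lines):
    """Count (action, rule) pairs; default denies are keyed as (Deny, default)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            counts[(rec["action"], rec["rule"] or "default")] += 1
    return counts


def default_deny_sources(lines, min_distinct_ports=3):
    """Sources whose traffic fell through to the implicit deny on at least
    min_distinct_ports different destination ports."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and rec["default_deny"]:
            ports[rec["src"]].add(rec["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    for key, n in sorted(action_counts(SAMPLE_LOGS).items()):
        print(f"{key[0]:5} {key[1]:22} {n}")
    print("default-deny sources:", default_deny_sources(SAMPLE_LOGS))
```

In a Log Analytics workspace the same question is asked in KQL against the firewall's diagnostic records; the point of the script is to show which fields matter (source, destination port, and whether a rule or the default action decided), so that the equivalent query is straightforward to write.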
Best Practices
- Dedicated Subnet: Always deploy Azure Firewall in a dedicated subnet named AzureFirewallSubnet.
- Centralized Policies: Utilize Azure Firewall policies for consistent rule management across multiple firewalls.
- Least Privilege: Grant only necessary permissions for users and applications.
- Network Segmentation: Implement network segmentation using VNets and subnets, routing traffic through the firewall.
- Threat Intelligence: Enable threat intelligence filtering and set appropriate actions (e.g., Deny).
- Regular Auditing: Regularly review firewall logs and rule configurations.
- SNAT IP Allocation: Ensure sufficient public IP addresses are allocated for outbound SNAT if required.
- HTTPS Inspection: Consider enabling HTTPS inspection for advanced application-level filtering and threat protection.