Azure Firewall SKU Features
Azure Firewall offers different pricing tiers (SKUs) that provide varying levels of features and performance to meet your specific security and networking requirements. Understanding the differences between these SKUs is crucial for optimizing your Azure Firewall deployment.
Available SKUs
Azure Firewall currently offers two primary SKUs:
- Standard SKU: The foundational SKU, providing essential network security features.
- Premium SKU: An advanced SKU that builds upon the Standard SKU with additional threat intelligence and advanced filtering capabilities.
Feature Comparison
The following table provides a comprehensive comparison of features available across the Azure Firewall SKUs:
| Feature | Standard SKU | Premium SKU |
|---|---|---|
| SKU Name | Standard | Premium |
| Threat Intelligence-based Filtering | ✔ | ✔ |
| TLS Inspection (Decryption) | ✔ | ✔ |
| Web Categories | ✔ | ✔ |
| Network Rules | ✔ | ✔ |
| Application Rules | ✔ | ✔ |
| SNAT Support | ✔ | ✔ |
| DNAT Support | ✔ | ✔ |
| Azure Firewall Policy | ✔ | ✔ |
| Highly Available (HA) | ✔ | ✔ |
| Private IP Address Support | ✔ | ✔ |
| Global Threat Intelligence | ✔ | ✔ |
| Intrusion Detection and Prevention System (IDPS) | ✖ | ✔ |
| Advanced Malware Protection | ✖ | ✔ |
| URL Filtering with Wildcards | ✖ | ✔ |
| Category-based Filtering | ✖ | ✔ |
| Unrestricted FQDN Tag Support | ✖ | ✔ |
| DNS Proxy | ✔ | ✔ |
| Application Gateway Integration | ✔ | ✔ |
Key Premium SKU Differentiators
Intrusion Detection and Prevention System (IDPS)
The Premium SKU includes a full-fledged IDPS that inspects traffic against known exploits and vulnerabilities. This provides an additional layer of security by detecting and blocking malicious traffic patterns.
Advanced Malware Protection
With Advanced Malware Protection, Azure Firewall Premium scans traffic for malware and viruses, preventing malicious files from entering your network. This feature leverages signature-based detection to identify and block known threats.
Enhanced URL Filtering
The Premium SKU extends URL filtering capabilities to include support for wildcards and category-based filtering. This allows for more granular control over which websites and categories users can access.
Choosing the Right SKU
When selecting an Azure Firewall SKU, consider the following:
- Security Needs: If you require advanced threat protection, IDPS, and malware scanning, the Premium SKU is the recommended choice.
- Compliance Requirements: Certain industry regulations may mandate advanced threat detection capabilities, making the Premium SKU necessary.
- Budget: The Premium SKU generally has a higher cost due to its advanced features. Evaluate your budget against your security requirements.
- Performance: While both SKUs offer high throughput, the Premium SKU is designed for more intensive traffic inspection scenarios.
For detailed pricing information and to further explore the capabilities of each SKU, please refer to the official Azure Firewall pricing page.
Example: Application Rule for Premium SKU
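```json
{
  "ruleCollections": [
    {
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "name": "AllowSpecificWebsites",
      "priority": 100,
      "action": { "type": "Allow" },
      "rules": [
        {
          "ruleType": "ApplicationRule",
          "name": "AllowSocialMedia",
          "protocols": [
            { "protocolType": "Https", "port": 443 }
          ],
          "sourceAddresses": ["10.0.1.0/24"],
          "targetFqdns": ["*.facebook.com", "*.twitter.com"],
          "terminateTLS": true
        }
      ]
    }
  ]
}
```
This example shows the `ruleCollections` portion of an Azure Firewall Policy rule collection group for the Premium SKU. The application rule allows HTTPS access to specific social media domains from 10.0.1.0/24 and sets `terminateTLS` to enable TLS decryption. The collection priority of 100 is an illustrative value. TLS decryption also requires a CA certificate to be configured on the firewall policy.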
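An added example, not part of the original page or of Microsoft's tooling: a pre-deployment check that lists the application rules a non-Premium policy cannot carry. It assumes the ARM rule collection group field names `terminateTLS` and `targetUrls` and treats those two as the Premium-only rule fields; the sample policy and the function name are constructed for illustration.

```python
import json

# Assumption: these application-rule fields need the Premium tier
# (TLS termination and URL-level targets; names from the ARM schema).
PREMIUM_ONLY_FIELDS = {
    "terminateTLS": lambda v: v is True,
    "targetUrls": lambda v: bool(v),
}

# Constructed sample: one rule per case, not taken from a real policy.
SAMPLE_GROUP = json.loads("""
{
  "ruleCollections": [
    {
      "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
      "name": "AllowSpecificWebsites",
      "rules": [
        {"ruleType": "ApplicationRule", "name": "AllowSocialMedia",
         "targetFqdns": ["*.facebook.com"], "terminateTLS": true},
        {"ruleType": "ApplicationRule", "name": "AllowDocsPath",
         "targetUrls": ["www.example.com/docs/*"], "terminateTLS": true},
        {"ruleType": "ApplicationRule", "name": "AllowUpdates",
         "targetFqdns": ["updates.example.com"], "terminateTLS": false},
        {"ruleType": "NetworkRule", "name": "AllowDns",
         "destinationPorts": ["53"]}
      ]
    }
  ]
}
""")


def premium_only_rules(group, sku_tier):
    """Return (collection, rule, field) for each use of a Premium-only field."""
    if sku_tier.lower() == "premium":
        return []  # a Premium policy may use every field checked here
    findings = []
    for coll in group.get("ruleCollections", []):
        for rule in coll.get("rules", []):
            if rule.get("ruleType") != "ApplicationRule":
                continue  # the checked fields only exist on application rules
            for field, is_set in PREMIUM_ONLY_FIELDS.items():
                if is_set(rule.get(field)):
                    findings.append((coll.get("name"), rule.get("name"), field))
    return findings


if __name__ == "__main__":
    for finding in premium_only_rules(SAMPLE_GROUP, "Standard"):
        print("needs Premium: %s/%s uses %s" % finding)
```

Running the check against an exported policy before changing SKU shows which rules would have to be rewritten or dropped.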