Azure Firewall: Secure Your Cloud Network
Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Azure Firewall allows you to implement and enforce network policies across your subscriptions and virtual networks, providing a centralized control plane for traffic filtering and threat protection.
Key Features
- High Availability and Scalability: Built to be highly available and scalable, Azure Firewall automatically scales to meet your network demands.
- Stateful Firewall: Inspects network traffic at Layer 3 and Layer 4 (TCP/UDP).
- Network and Application FQDN Filtering: Allows you to filter traffic to and from external websites, including HTTPS.
- Threat Intelligence-Based Filtering: Integrates with Azure threat intelligence feeds to identify and block known malicious IP addresses and domains.
- Centralized Policy Management: Define and manage network and application rules in a central location.
- Outbound SNAT Support: Automatically translates outbound traffic from your virtual network's private IP addresses to the firewall's public IP address.
- Inbound DNAT Support: Translates inbound traffic from the Firewall's public IP address to a private IP address in your virtual network.
- Azure Firewall Manager: A security management service to deploy and manage firewall policies and route configurations centrally across your network.
Architecture Overview
Azure Firewall is deployed as a dedicated Azure resource in a specific virtual network (VNet). It typically sits in a dedicated hub VNet and can protect resources in multiple spoke VNets connected via VNet peering.
Key components include:
- Firewall Policy: Defines the rules that govern traffic flow.
- Network Rules: Filter traffic based on IP address, port, and protocol.
- Application Rules: Filter traffic based on FQDNs (Fully Qualified Domain Names), protocol, and port for L7 filtering.
- DNAT Rules: Used for inbound traffic translation.
- SNAT Ports: For outbound traffic translation.
Getting Started with Azure Firewall
Deploying Azure Firewall involves several steps:
- Create a Dedicated Subnet: Create a subnet named AzureFirewallSubnet in your VNet. This subnet requires a /26 or larger address space.
- Deploy Azure Firewall: Deploy the Azure Firewall resource into the VNet containing the AzureFirewallSubnet.
- Configure Firewall Rules: Define Network and Application rules to control traffic flow.
- Configure Route Tables: Update route tables for your VNets to force network traffic through the Azure Firewall for inspection.
You can deploy Azure Firewall using the Azure portal, Azure CLI, PowerShell, or ARM templates.
# Example using Azure CLI to create a zone-redundant, Standard-tier firewall
# (the "az network firewall" group lives in an extension: az extension add --name azure-firewall)
az network firewall create --name MyFirewall --resource-group MyResourceGroup --location eastus --sku AZFW_VNet --tier Standard --zones 1 2 3
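The deployment steps above have two requirements that are easy to get wrong and that silently leave traffic unprotected: the subnet name must be exactly AzureFirewallSubnet with a /26 or larger prefix, and every spoke subnet needs a user-defined route sending 0.0.0.0/0 to the firewall's private IP as a VirtualAppliance next hop. The pre-flight check below is an added example written for this page, not Azure tooling; the hub/spoke layout, the subnet names and the firewall private IP 10.0.0.4 are constructed assumptions (the real private IP is read from the deployed firewall).

```python
import ipaddress

FIREWALL_SUBNET_NAME = "AzureFirewallSubnet"  # Azure requires this exact name
MAX_PREFIX_LEN = 26                           # "/26 or larger" means prefixlen <= 26

# Constructed hub/spoke layout used only for this example (assumption, not a real deployment).
HUB_VNET = {
    "name": "hub-vnet",
    "address_space": "10.0.0.0/16",
    "subnets": {"AzureFirewallSubnet": "10.0.0.0/26", "mgmt": "10.0.2.0/24"},
}
SPOKE_SUBNETS = {"spoke1-web": "10.1.1.0/24", "spoke1-db": "10.1.2.0/24"}
FIREWALL_PRIVATE_IP = "10.0.0.4"  # assumed value; take it from the deployed firewall in practice


def check_firewall_subnet(vnet):
    """Return a list of problems with the firewall subnet; an empty list means it is acceptable."""
    problems = []
    subnets = vnet["subnets"]
    if FIREWALL_SUBNET_NAME not in subnets:
        # A case-insensitive near miss is the usual mistake, so call it out explicitly.
        near = [n for n in subnets if n.lower() == FIREWALL_SUBNET_NAME.lower()]
        msg = f"no subnet named {FIREWALL_SUBNET_NAME}"
        if near:
            msg += f" (found {near[0]!r}; the name must match exactly)"
        return [msg]
    net = ipaddress.ip_network(subnets[FIREWALL_SUBNET_NAME])
    if net.prefixlen > MAX_PREFIX_LEN:
        problems.append(f"{FIREWALL_SUBNET_NAME} is /{net.prefixlen}; it must be /{MAX_PREFIX_LEN} or larger")
    if not net.subnet_of(ipaddress.ip_network(vnet["address_space"])):
        problems.append(f"{FIREWALL_SUBNET_NAME} {net} is outside the VNet address space {vnet['address_space']}")
    return problems


def firewall_ip_in_subnet(vnet, firewall_ip):
    """True when the private IP you plan to route to actually lives in AzureFirewallSubnet."""
    net = ipaddress.ip_network(vnet["subnets"][FIREWALL_SUBNET_NAME])
    return ipaddress.ip_address(firewall_ip) in net


def default_routes_via_firewall(spoke_subnets, firewall_ip):
    """One route-table entry per spoke subnet forcing default traffic through the firewall.

    Without such an entry a spoke keeps Azure's system route to the Internet and the
    firewall never sees its egress traffic.
    """
    return {
        name: {"address_prefix": "0.0.0.0/0",
               "next_hop_type": "VirtualAppliance",
               "next_hop_ip": firewall_ip}
        for name in spoke_subnets
    }


if __name__ == "__main__":
    print(check_firewall_subnet(HUB_VNET))
    print(default_routes_via_firewall(SPOKE_SUBNETS, FIREWALL_PRIVATE_IP))
```

Run the check against a VNet definition before the az network firewall create step, and feed the generated entries into the route tables attached to each spoke subnet (associating a route table with AzureFirewallSubnet itself is not what this function is for).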
Common Use Cases
- Centralized Network Security: Enforce consistent security policies across multiple VNets and on-premises networks.
- Protecting Workloads: Secure critical applications and data residing in Azure VMs and PaaS services.
- Securing Internet Egress Traffic: Control and filter outbound internet access for your cloud resources.
- Hybrid Cloud Security: Extend your on-premises security posture to your Azure environment.
- Advanced Threat Protection: Leverage threat intelligence feeds to block malicious traffic.
Configuration Options
Azure Firewall offers a rich set of configuration options to tailor security to your needs:
Network Rules
These rules allow or deny traffic based on source IP address, protocol, source port, and destination IP address and port. They operate at Layer 3 and Layer 4.
{
"ruleCollectionType": "FirewallNetworkRuleCollection",
"ruleCollectionName": "SampleNetworkRuleCollection",
"priority": 200,
"rules": [
{
"ruleType": "NetworkRule",
"name": "AllowInternalHTTPS",
"ipProtocols": ["TCP"],
"sourceAddresses": ["10.0.1.0/24"],
"destinationAddresses": ["*"],
"destinationPorts": ["443"]
}
]
}
Application Rules
These rules allow or deny traffic based on FQDNs and HTTP/HTTPS protocols. They provide Layer 7 filtering capabilities.
{
"ruleCollectionType": "FirewallApplicationRuleCollection",
"ruleCollectionName": "SampleAppRuleCollection",
"priority": 100,
"rules": [
{
"ruleType": "ApplicationRule",
"name": "AllowContosoBlog",
"protocols": [{"protocolType": "Https", "port": 443}],
"sourceAddresses": ["10.0.1.0/24"],
"targetFqdns": ["www.contoso.com", "*.azure.com"]
}
]
}
DNAT Rules
Used to translate inbound traffic from the firewall's public IP to private IP addresses and ports of your internal resources.
{
"ruleCollectionType": "FirewallDnatRuleCollection",
"ruleCollectionName": "SampleDnatRuleCollection",
"priority": 110,
"rules": [
{
"ruleType": "DnatRule",
"name": "AllowRDPInbound",
"protocols": ["TCP"],
"sourceAddresses": ["*"],
"destinationAddresses": ["YOUR_FIREWALL_PUBLIC_IP"],
"destinationPorts": ["3389"],
"translatedAddress": "YOUR_VM_PRIVATE_IP",
"translatedPort": "3389"
}
]
}
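How the three rule types above interact matters more than any single rule: Azure Firewall applies DNAT rules first, then network rule collections in ascending priority number, and only then application rules, and the first match terminates evaluation, with an implicit deny at the end. A consequence worth seeing is that the sample network rule (TCP 443 from 10.0.1.0/24 to "*") allows every HTTPS flow before the application rule's FQDN list is ever consulted, even though the application collection has the lower priority number. The simulator below is an added example written for this page, not Azure's implementation; it loads the three sample collections, assumes each collection's action is Allow (the JSON above omits the action field), and uses the constructed addresses 203.0.113.10 and 10.0.1.20 in place of the YOUR_FIREWALL_PUBLIC_IP and YOUR_VM_PRIVATE_IP placeholders.

```python
"""Toy model of Azure Firewall rule processing order (added example, not Azure code)."""
import ipaddress
from fnmatch import fnmatchcase

# Constructed stand-ins for the placeholders in the DNAT sample above.
FIREWALL_PUBLIC_IP = "203.0.113.10"  # stands in for YOUR_FIREWALL_PUBLIC_IP
VM_PRIVATE_IP = "10.0.1.20"          # stands in for YOUR_VM_PRIVATE_IP

# The page's sample collections; "action": "Allow" is an assumption.
NETWORK_COLLECTIONS = [
    {"name": "SampleNetworkRuleCollection", "priority": 200, "action": "Allow",
     "rules": [{"name": "AllowInternalHTTPS", "ipProtocols": ["TCP"],
                "sourceAddresses": ["10.0.1.0/24"], "destinationAddresses": ["*"],
                "destinationPorts": ["443"]}]},
]
APPLICATION_COLLECTIONS = [
    {"name": "SampleAppRuleCollection", "priority": 100, "action": "Allow",
     "rules": [{"name": "AllowContosoBlog",
                "protocols": [{"protocolType": "Https", "port": 443}],
                "sourceAddresses": ["10.0.1.0/24"],
                "targetFqdns": ["www.contoso.com", "*.azure.com"]}]},
]
DNAT_COLLECTIONS = [
    {"name": "SampleDnatRuleCollection", "priority": 110,
     "rules": [{"name": "AllowRDPInbound", "protocols": ["TCP"],
                "sourceAddresses": ["*"], "destinationAddresses": [FIREWALL_PUBLIC_IP],
                "destinationPorts": ["3389"],
                "translatedAddress": VM_PRIVATE_IP, "translatedPort": "3389"}]},
]


def _addr_match(addr, patterns):
    """'*' matches anything; otherwise the address must fall in a listed CIDR or single IP."""
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)


def _port_match(port, patterns):
    """'*', an exact port, or an inclusive 'low-high' range."""
    for p in patterns:
        if p == "*":
            return True
        if "-" in p:
            low, high = (int(x) for x in p.split("-", 1))
            if low <= port <= high:
                return True
        elif int(p) == port:
            return True
    return False


def _fqdn_match(fqdn, patterns):
    """Case-insensitive; '*.azure.com' covers subdomains but not the apex 'azure.com'."""
    return any(fnmatchcase(fqdn.lower(), p.lower()) for p in patterns)


def evaluate(flow, network=NETWORK_COLLECTIONS, application=APPLICATION_COLLECTIONS,
             dnat=DNAT_COLLECTIONS):
    """Verdict for a flow dict with keys src, dst, port, proto and, for web traffic, fqdn/app_proto."""
    # 1. DNAT: inbound hits on the firewall's public IP are translated and implicitly allowed.
    for coll in sorted(dnat, key=lambda c: c["priority"]):
        for r in coll["rules"]:
            if (flow["proto"] in r["protocols"]
                    and _addr_match(flow["src"], r["sourceAddresses"])
                    and _addr_match(flow["dst"], r["destinationAddresses"])
                    and _port_match(flow["port"], r["destinationPorts"])):
                return {"action": "Allow", "stage": "dnat", "rule": r["name"],
                        "translated": (r["translatedAddress"], int(r["translatedPort"]))}
    # 2. Network rules: lowest priority number first; the first match terminates evaluation.
    for coll in sorted(network, key=lambda c: c["priority"]):
        for r in coll["rules"]:
            if (flow["proto"] in r["ipProtocols"]
                    and _addr_match(flow["src"], r["sourceAddresses"])
                    and _addr_match(flow["dst"], r["destinationAddresses"])
                    and _port_match(flow["port"], r["destinationPorts"])):
                return {"action": coll["action"], "stage": "network", "rule": r["name"]}
    # 3. Application rules: only HTTP/HTTPS flows that carry an FQDN reach this stage.
    if flow.get("fqdn") and flow.get("app_proto") in ("Http", "Https"):
        for coll in sorted(application, key=lambda c: c["priority"]):
            for r in coll["rules"]:
                proto_ok = any(p["protocolType"] == flow["app_proto"] and p["port"] == flow["port"]
                               for p in r["protocols"])
                if (proto_ok and _addr_match(flow["src"], r["sourceAddresses"])
                        and _fqdn_match(flow["fqdn"], r["targetFqdns"])):
                    return {"action": coll["action"], "stage": "application", "rule": r["name"]}
    # 4. Nothing matched: implicit deny.
    return {"action": "Deny", "stage": "implicit", "rule": None}


if __name__ == "__main__":
    web = {"src": "10.0.1.5", "dst": "198.51.100.9", "port": 443, "proto": "TCP",
           "fqdn": "untrusted.example", "app_proto": "Https"}
    print(evaluate(web))               # allowed by the network rule; FQDN never checked
    print(evaluate(web, network=[]))   # without that rule: implicit deny
```

The practical reading: if FQDN filtering is the control you rely on, the network rules must not already allow the same port to "*", otherwise the application collection is dead code regardless of its priority value.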
Monitoring and Logging
Azure Firewall integrates with Azure Monitor and Azure Log Analytics for comprehensive visibility into network traffic and security events.
- Azure Monitor Metrics: Track performance metrics such as throughput, connection count, and rule hit counts.
- Azure Diagnostics Logs: Collect firewall logs, including network rule hits, application rule hits, threat intelligence, and system logs.
- Log Analytics: Query and analyze your firewall logs using Kusto Query Language (KQL) for detailed insights and reporting.
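The "monitor logs actively" advice only pays off once the rule-hit logs are parsed into fields you can count and alert on. The script below is an added example, not part of this page or of Azure's tooling: it parses a handful of constructed log lines modelled on the message text of Azure Firewall network- and application-rule diagnostics (the exact line format is an assumption here; check it against your own AzureDiagnostics export), summarizes verdicts and rule hits, and flags a source whose denied flows sweep several destination ports, which is the kind of event the Best Practices below suggest alerting on.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real log data), modelled on the msg_s text of Azure Firewall
# network- and application-rule logs; the format is an assumption for this example.
SAMPLE_LOG = """\
TCP request from 10.0.1.5:51234 to 13.107.42.14:443. Action: Allow. Rule Collection: SampleNetworkRuleCollection. Rule: AllowInternalHTTPS
HTTPS request from 10.0.1.5:51240 to www.contoso.com:443. Action: Allow. Rule Collection: SampleAppRuleCollection. Rule: AllowContosoBlog
TCP request from 10.0.2.9:40001 to 198.51.100.9:22. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.0.2.9:40002 to 198.51.100.9:23. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.0.2.9:40003 to 198.51.100.9:3389. Action: Deny. No rule matched. Proceeding with default action
UDP request from 10.0.2.9:40004 to 198.51.100.9:161. Action: Deny. No rule matched. Proceeding with default action
HTTP request from 10.0.1.7:51300 to update.example:80. Action: Deny. No rule matched. Proceeding with default action
"""

LINE_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:]+):(?P<sport>\d+) to (?P<dst>[^:]+):(?P<dport>\d+)\. "
    r"Action: (?P<action>Allow|Deny)\."
    r"(?: Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"
)


def parse_line(line):
    """Fields of one rule-log line, or None when the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse every line, silently skipping lines that are not rule logs."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records):
    """Counts a dashboard would show: verdict split, most-denied sources, rules being hit."""
    return {
        "total": len(records),
        "by_action": Counter(r["action"] for r in records),
        "denied_sources": Counter(r["src"] for r in records if r["action"] == "Deny"),
        "rules_hit": Counter(r["rule"] for r in records if r["rule"]),
    }


def flag_denied_port_sweeps(records, min_ports=3):
    """Sources whose denied flows touched at least min_ports distinct destination ports.

    A burst of denies across many ports from one internal host is a common sign of a
    misconfigured application or a compromised machine probing the network.
    """
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "Deny":
            ports[r["src"]].add(r["dport"])
    return sorted((src, len(p)) for src, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
    print(flag_denied_port_sweeps(recs))
```

In production the same parsing is usually done server-side in KQL against the AzureDiagnostics table, but running the logic locally on an exported sample is a quick way to validate the alert thresholds before wiring them into Azure Monitor.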
Best Practices
- Use Firewall Manager for Centralization: For managing firewalls across multiple regions and subscriptions, leverage Azure Firewall Manager.
- Minimize Firewall Rule Complexity: Design rules that are specific and avoid overly broad wildcard entries where possible.
- Regularly Review Rules: Periodically audit your firewall rules to ensure they are still necessary and effective.
- Enable Threat Intelligence: Utilize the threat intelligence-based filtering to block known malicious IPs and domains.
- Monitor Logs Actively: Set up alerts based on critical log events to quickly respond to security incidents.
- Choose the Right SKU: Select the Azure Firewall SKU (Standard or Premium) that best matches your performance and feature requirements.
- Secure Management Plane: Implement strong access control (RBAC) for managing Azure Firewall resources.