Azure Firewall

Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Key Features

  • Built-in High Availability and Scalability: Azure Firewall is a managed service that automatically scales to meet your network traffic demands.
  • Stateful Inspection: It provides stateful filtering of network traffic based on source and destination IP addresses, ports, and protocols.
  • Network and Application Rule Processing: Azure Firewall supports both network rules (for IP, port, and protocol filtering) and application rules (for FQDN filtering based on HTTP, HTTPS, and MSSQL).
  • Threat Intelligence-based Filtering: It can block traffic to and from known malicious IP addresses, domains, and URLs, identified by Microsoft Threat Intelligence.
  • Centralized Logging and Monitoring: Integrate with Azure Monitor for comprehensive logging and analysis of firewall activity.
  • Global Availability: Deploy Azure Firewall in any Azure region.

Core Components

Azure Firewall consists of several key components:

  • Firewall Policy: Centralized management of your firewall rules and settings.
  • Rule Collections: Groupings of rules of one type (Network, Application, or DNAT), each with a priority, that define how traffic is handled.
  • Network Rules: Allow or deny traffic based on IP address, port, and protocol.
  • Application Rules: Allow or deny traffic based on fully qualified domain names (FQDNs) and specific application protocols.
  • DNAT Rules: Translate destination network address and port to a specific virtual machine or service.

Use Cases

Azure Firewall is ideal for various scenarios:

  • Centralized Network Security: Inspect and route traffic from multiple virtual networks through a central firewall.
  • Protecting Web Applications: Filter incoming and outgoing HTTP/HTTPS traffic to secure web servers.
  • Securing PaaS Services: Control network access to and from Azure Platform as a Service (PaaS) resources.
  • Branch Office Connectivity: Secure traffic between on-premises networks and Azure via VPN or ExpressRoute.

Getting Started

Here are a few essential steps to get started with Azure Firewall:

  1. Deploy Azure Firewall: Create an Azure Firewall instance in your desired Azure Virtual Network.
  2. Configure Firewall Policy: Define network, application, and DNAT rules to control traffic.
  3. Update Route Tables: Configure route tables to force network traffic through the Azure Firewall.
  4. Monitor and Analyze: Utilize Azure Monitor to track firewall activity and identify potential threats.

Important: Ensure your Azure Firewall is deployed in its own dedicated subnet named AzureFirewallSubnet.

Example Configuration Snippet (Firewall Policy)

Below is a simplified example of a firewall policy rule collection for application rules:

{
  "ruleCollection": {
    "ruleCollectionType": "ApplicationRuleCollection",
    "action": {
      "type": "Allow"
    },
    "priority": 100,
    "rules": [
      {
        "ruleType": "ApplicationRule",
        "name": "Allow_Microsoft_Domains",
        "protocols": [
          {
            "protocolType": "http",
            "port": 80
          },
          {
            "protocolType": "https",
            "port": 443
          }
        ],
        "targetFqdns": [
          "*.microsoft.com",
          "*.windowsupdate.com"
        ]
      }
    ]
  }
}
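As an added example (not code from the page or from Microsoft), the following Python model evaluates the rule collection above against constructed requests, showing how wildcard FQDN, protocol and port matching decide between allow and the implicit deny, and how lower priority numbers win when several collections exist. The subdomain-only wildcard behaviour and the first-match rule are assumptions of this model, not a description of Azure's rule engine.

```python
import json

# Constructed copy of the page's application rule collection; this is a
# teaching model of rule evaluation, not Azure's own rule engine.
PAGE_COLLECTION = json.loads("""
{ "ruleCollectionType": "ApplicationRuleCollection", "action": {"type": "Allow"},
  "priority": 100,
  "rules": [ { "ruleType": "ApplicationRule", "name": "Allow_Microsoft_Domains",
               "protocols": [ {"protocolType": "http", "port": 80},
                              {"protocolType": "https", "port": 443} ],
               "targetFqdns": ["*.microsoft.com", "*.windowsupdate.com"] } ] }
""")


def fqdn_matches(pattern: str, fqdn: str) -> bool:
    """Match one targetFqdns entry. Assumption: '*.example.com' covers
    subdomains only, so 'example.com' itself needs its own entry and a
    look-alike such as 'evil-example.com' never matches."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.endswith(pattern[1:])  # keep the leading dot as a label boundary
    return pattern == fqdn


def evaluate(collections, fqdn: str, protocol: str, port: int):
    """Walk application rule collections lowest priority number first; the
    first rule whose protocol/port and FQDN both match decides. No match
    means the firewall's implicit deny. Network rules, which Azure Firewall
    processes before application rules, are outside this model."""
    for coll in sorted(collections, key=lambda c: c["priority"]):
        for rule in coll["rules"]:
            proto_ok = any(p["protocolType"].lower() == protocol.lower()
                           and p["port"] == port for p in rule["protocols"])
            if proto_ok and any(fqdn_matches(t, fqdn) for t in rule["targetFqdns"]):
                return coll["action"]["type"], rule["name"]
    return "Deny", None


if __name__ == "__main__":
    for req in [("update.microsoft.com", "https", 443), ("evil-microsoft.com", "https", 443),
                ("update.microsoft.com", "http", 8080), ("microsoft.com", "http", 80)]:
        print(req, "->", evaluate([PAGE_COLLECTION], *req))
```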

Learn More