Azure Firewall Policy

This document provides a comprehensive guide to Azure Firewall Policy, a central management solution for your Azure Firewall deployments. Understand how to create, manage, and deploy firewall policies to enforce security rules across your organization.

What is Azure Firewall Policy?

Azure Firewall Policy is a centralized management feature that allows you to manage your Azure Firewall resources using a policy-based approach. It provides a consistent and hierarchical way to define and apply security rules, network rules, and NAT rules across multiple firewall instances.

Key Concepts

• Policy: A collection of rules and settings that define the security posture for your firewalls.
• Rule Collection: A group of rules (Network, Application, NAT) within a policy.
• Network Rules: Control inbound and outbound traffic based on IP addresses, ports, and protocols.
• Application Rules: Control HTTP/S traffic to specific FQDNs (Fully Qualified Domain Names).
• NAT Rules: Enable Network Address Translation for inbound traffic to specific service endpoints.
• Threat Intelligence: Integrate with Azure threat intelligence feeds to block malicious IP addresses and domains.
• Hub and Spoke Topology: Azure Firewall Policy is particularly effective in managing firewalls in hub-spoke architectures.

Creating an Azure Firewall Policy

You can create an Azure Firewall Policy using the Azure portal, Azure CLI, or Azure PowerShell.

Using the Azure Portal:

1. Navigate to the Azure portal.
2. Search for "Firewall Policies" and select it.
3. Click "Create firewall policy".
4. Fill in the required details: Subscription, Resource Group, Policy Name, Region.
5. Configure Global Settings, Intrusion Detection and Prevention (IDPS), Threat Intelligence, and DNS settings as needed.
6. Define Rule Collections for Network, Application, and NAT rules.
7. Review and create the policy.

Using Azure CLI:

The following is a conceptual example. Refer to the official Azure CLI documentation for the exact syntax and parameters.

az network firewall policy create \
    --name MyFirewallPolicy \
    --resource-group MyResourceGroup \
    --location eastus \
    --sku Standard \
    --threat-intelligence-mode Deny
            

Managing Rules within a Policy

Once a policy is created, you can manage its rules through rule collections.

Network Rule Collection Example:

Allow outbound HTTP traffic to a specific web server.

• Name: AllowOutboundHTTP
• Priority: 100
• Rule Type: Network
• Source Type: IP Address
• Source: 10.0.1.0/24
• Destination Type: IP Address
• Destination: 20.12.34.56
• Protocol: TCP
• Destination Port: 80

Application Rule Collection Example:

Allow outbound access to a specific Microsoft 365 FQDN.

• Name: AllowM365
• Priority: 200
• Rule Type: Application
• Source Type: IP Address
• Source: 10.0.1.0/24
• Target FQDNs: login.microsoftonline.com, *.office365.com
• Protocol: http:80, https:443

Associating Policies with Firewalls

After creating and configuring a firewall policy, you need to associate it with one or more Azure Firewall instances.

1. In the Azure portal, navigate to your Azure Firewall resource.
2. Under "Settings", select "Policy".
3. Click "Change policy".
4. Select the desired firewall policy from the dropdown.
5. Save the changes.

Advanced Features

• Network Lockdown: Restrict access to specific FQDNs, ensuring only approved applications can be accessed.
• IDPS Signatures: Utilize Intrusion Detection and Prevention System signatures to detect and block known exploits.
• Azure Monitor Integration: Collect and analyze firewall logs for security monitoring and troubleshooting.

Learning More

For detailed configuration steps and advanced scenarios, please refer to the official Azure Firewall Policy documentation.