Azure Firewall
This document provides a comprehensive guide to Azure Firewall, a managed, cloud-native network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Introduction to Azure Firewall
Azure Firewall is a fully stateful firewall as a service that is typically deployed in the hub of a hub-and-spoke architecture. It can filter and inspect traffic to and from virtual networks, on-premises networks, and the internet. It supports application-level and network-level rules for defining allowed traffic flows and protecting your resources.
Key Features
Centralized Policy Management
Define and enforce firewall policies across your entire Azure environment from a single pane of glass.
Network and Application Rule Support
Control traffic based on IP addresses, ports, protocols, and fully qualified domain names (FQDNs).
Threat Intelligence-Based Filtering
Automatically block traffic to and from known malicious IP addresses and domains, powered by Microsoft's threat intelligence feeds.
High Availability and Scalability
Built-in redundancy ensures continuous operation, and it scales automatically to meet demand.
Private IP Address Support
Protect your internal private IP address spaces effectively.
Service Tags
Simplify rule creation by using pre-defined service tags that represent groups of IP addresses for Azure services.
Architecture
Azure Firewall is deployed as a network virtual appliance (NVA) within your virtual network. It can be deployed in a hub virtual network and route traffic from spoke virtual networks through it. This allows for centralized management and inspection of network traffic.
A typical hub-and-spoke deployment looks like this:
- Hub Virtual Network: Contains the Azure Firewall and potentially other shared services.
- Spoke Virtual Networks: Contain your workloads (e.g., Virtual Machines, App Services).
- User Defined Routes (UDRs): Configured in spokes to force traffic through the Azure Firewall in the hub.
Deployment Scenarios
1. Hub-and-Spoke Network Topology
This is the most common scenario for using Azure Firewall. It allows you to centralize network security for multiple spoke VNets.
2. On-Premises Connectivity
Azure Firewall can inspect traffic flowing between your on-premises networks and Azure, whether they are connected via VPN Gateway or ExpressRoute.
3. Filtering Outbound Internet Traffic
Control which websites and FQDNs your virtual machines and other resources can access on the public internet.
Management and Operations
Azure Firewall is managed through the Azure portal, Azure CLI, PowerShell, or ARM templates. Key management tasks include:
- Rule Management: Creating, updating, and deleting network and application rules.
- Policy Management: Grouping rules into policies for easier management.
- Monitoring: Utilizing Azure Monitor and Azure Firewall Workbook for insights into traffic, threats, and performance.
- Logging: Enabling diagnostic logs to capture firewall activity for auditing and troubleshooting.
Example: Creating a Network Rule
# Requires the azure-firewall CLI extension. --priority and --action apply to the
# rule collection and are required when the collection does not yet exist.
az network firewall network-rule create \
--resource-group MyResourceGroup \
--firewall-name MyFirewall \
--collection-name NetworkRuleCollection1 \
--priority 100 \
--action Allow \
--name AllowHTTPS \
--protocols TCP \
--source-addresses 10.0.1.0/24 \
--destination-addresses '*' \
--destination-ports 443
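Before changing rule collections on a production firewall, it helps to reason about which collection a given flow will hit. The following Python model is an added example, not code from Azure or from this guide: it reproduces the ordering Azure Firewall applies to network rule collections (lower priority number evaluated first, first match wins, implicit deny when nothing matches) and checks the AllowHTTPS rule from the command above against a constructed Deny collection with a higher priority. It models only network rule collections; DNAT rules, application rules and threat-intelligence filtering are out of scope for this snippet. All addresses beyond 10.0.1.0/24 are constructed test values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class NetworkRule:
    name: str
    protocols: set            # e.g. {"TCP"}; "Any" matches every protocol
    source_addresses: list    # CIDRs or "*"
    destination_addresses: list
    destination_ports: set

@dataclass
class RuleCollection:
    name: str
    priority: int             # 100-65000; lower number is evaluated first
    action: str               # "Allow" or "Deny" applies to all rules in the collection
    rules: list = field(default_factory=list)

def _addr_match(addr, allowed):
    ip = ipaddress.ip_address(addr)
    return any(a == "*" or ip in ipaddress.ip_network(a, strict=False) for a in allowed)

def _rule_match(rule, proto, src, dst, port):
    return ((proto in rule.protocols or "Any" in rule.protocols)
            and _addr_match(src, rule.source_addresses)
            and _addr_match(dst, rule.destination_addresses)
            and port in rule.destination_ports)

def evaluate(collections, proto, src, dst, port):
    """Return (action, collection_name, rule_name) for a flow; implicit deny if no rule matches."""
    for coll in sorted(collections, key=lambda c: c.priority):
        for rule in coll.rules:
            if _rule_match(rule, proto, src, dst, port):
                return coll.action, coll.name, rule.name
    return "Deny", None, None

# Collection from the CLI example above (priority 100) plus a constructed Deny collection
# that is evaluated first because its priority number is lower.
COLLECTIONS = [
    RuleCollection("NetworkRuleCollection1", 100, "Allow", [
        NetworkRule("AllowHTTPS", {"TCP"}, ["10.0.1.0/24"], ["*"], {443})]),
    RuleCollection("BlockTestRange", 50, "Deny", [
        NetworkRule("DenyTestNet2", {"Any"}, ["*"], ["198.51.100.0/24"], {443, 80})]),
]

if __name__ == "__main__":
    for flow in [("TCP", "10.0.1.5", "203.0.113.10", 443), ("TCP", "10.0.1.5", "198.51.100.7", 443),
                 ("TCP", "10.0.2.5", "203.0.113.10", 443), ("TCP", "10.0.1.5", "203.0.113.10", 22)]:
        print(flow, "->", evaluate(COLLECTIONS, *flow))
```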
Pricing
Azure Firewall pricing is based on several factors, including:
- The number of firewall instances deployed.
- The amount of data processed through the firewall.
- The duration of time the firewall is provisioned.
For detailed and up-to-date pricing information, please refer to the official Azure Firewall pricing page.