Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Conceptual diagram of Azure Firewall integration.
Key Features
- High Availability and Scalability: Built-in high availability and unrestricted cloud scalability.
- Security Policies: Define network and application rules to control traffic flow.
- Threat Intelligence: Integrate with Azure Threat Intelligence-based filtering to identify and block malicious IP addresses and domains.
- Centralized Logging and Monitoring: Collect logs for traffic and security events for analysis and auditing.
- NAT Support: Supports both Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT).
- VNet Integration: Deploy within your virtual networks to protect resources.
Azure Firewall Rule Types
Azure Firewall uses three types of rules:
Network Rules
These rules apply to traffic based on Layer 3 and Layer 4 information, including IP address, port, and protocol.
- Source Type: IP Addresses, IP Groups, Service Tags, Application Security Groups.
- Destination Type: IP Addresses, IP Groups, Service Tags, Application Security Groups.
- Protocol: TCP, UDP, ICMP, Any.
Application Rules
These rules apply to traffic based on Layer 7 information, such as fully qualified domain names (FQDNs), FQDN tags, and HTTP/S headers.
- Source Type: IP Addresses, IP Groups, Service Tags, Application Security Groups.
- Target FQDNs: Specific FQDNs to allow or deny.
- FQDN Tags: Predefined tags for common Microsoft services (e.g., Windows Update, Microsoft SQL).
- Web Categories: Block access to entire categories of websites.
Network Address Translation (NAT) Rules
These rules translate a public IP address and port on the firewall to the private IP address and port of an internal resource, typically for inbound traffic (DNAT).
- Protocol: TCP, UDP.
- Destination Address: Public IP address of the firewall.
- Destination Port: Port on the public IP.
- Translated Address/Port: Internal IP address and port of the target resource.
Deployment Considerations
When deploying Azure Firewall, consider the following:
- Hub-and-Spoke Architecture: Azure Firewall is commonly deployed in a hub virtual network to centrally manage traffic for spoke virtual networks.
- Firewall Rules Management: Plan your rule sets carefully to ensure security while allowing necessary traffic.
- Logging and Diagnostics: Enable logging to Azure Monitor, Log Analytics, or Event Hubs for security analysis.
Note
Azure Firewall Manager provides a centralized way to manage firewall policies and deploy firewalls across multiple regions and subscriptions.
Getting Started
To deploy Azure Firewall:
- Create a dedicated subnet named AzureFirewallSubnet in your virtual network.
- Deploy an Azure Firewall instance within that subnet.
- Configure firewall policies with your desired network and application rules.
- Update route tables to direct network traffic through the firewall.
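As an added example (not taken from the page or from Microsoft's own samples), the Bicep below covers step 3 of the procedure and the three rule types described earlier: one firewall policy holding a NAT, a network and an application rule collection. The resource names, the spoke prefix 10.1.0.0/24, the public IP 203.0.113.10, the internal target 10.1.0.4 and the ports are all assumptions for a lab hub.

```bicep
// Added example, not from the page: a firewall policy with one rule collection of each
// of the three rule types. All names, prefixes and ports are assumptions for a lab hub.
param location string = resourceGroup().location
param spokePrefix string = '10.1.0.0/24'   // assumed spoke subnet behind the firewall
param fwPublicIp string = '203.0.113.10'   // assumed firewall public IP (TEST-NET range)
param webServerIp string = '10.1.0.4'      // assumed internal target for the DNAT rule

resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'hub-fw-policy'
  location: location
  properties: { threatIntelMode: 'Deny' } // deny, not just alert, on threat-intel hits
}

resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      { // NAT rule: public IP:443 on the firewall -> internal web server:8443
        ruleCollectionType: 'FirewallPolicyNatRuleCollection'
        name: 'inbound-dnat', priority: 100, action: { type: 'DNAT' }
        rules: [ {
          ruleType: 'NatRule', name: 'https-to-web', ipProtocols: [ 'TCP' ]
          sourceAddresses: [ '*' ], destinationAddresses: [ fwPublicIp ]
          destinationPorts: [ '443' ], translatedAddress: webServerIp, translatedPort: '8443'
        } ]
      }
      { // Network rule (L3/L4): spoke may resolve names via Azure DNS over UDP 53
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-network', priority: 200, action: { type: 'Allow' }
        rules: [ {
          ruleType: 'NetworkRule', name: 'allow-dns', ipProtocols: [ 'UDP' ]
          sourceAddresses: [ spokePrefix ], destinationAddresses: [ '168.63.129.16' ]
          destinationPorts: [ '53' ]
        } ]
      }
      { // Application rule (L7): only the WindowsUpdate FQDN tag, over HTTP and HTTPS
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-application', priority: 300, action: { type: 'Allow' }
        rules: [ {
          ruleType: 'ApplicationRule', name: 'windows-update', sourceAddresses: [ spokePrefix ]
          fqdnTags: [ 'WindowsUpdate' ]
          protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ]
        } ]
      }
    ]
  }
}
```

Attach the policy to the firewall via its firewallPolicy property; anything not matched by these collections is dropped by the firewall's implicit deny, so check the firewall logs in Log Analytics before widening a rule.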
Tip
For complex scenarios, consider using Azure Firewall Premium for advanced features like TLS inspection and intrusion detection/prevention.
Explore the advanced features of Azure Firewall, including Threat Intelligence-based filtering and TLS inspection.