Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Key Features
- High Availability and Unrestricted Cloud Scalability: Azure Firewall is a platform as a service (PaaS) that scales automatically.
- Network and Application Rule Processing: You can centrally create, deploy, and manage firewall policies across subscriptions and resource groups.
- Threat Intelligence-based Filtering: Azure Firewall can be configured to block traffic to/from known malicious IP addresses and domains identified by Microsoft's Threat Intelligence.
- Centralized Logging and Analytics: Collect logs for network traffic and firewall rules to monitor and analyze your network.
- Service Tags and FQDN Tags: A service tag stands for the current IP address prefixes of an Azure service (for example Storage or Sql) and can be used as the destination of a network rule; an FQDN tag stands for the set of domain names a Microsoft service needs (for example Windows Update) and can be used in an application rule. Both are maintained by Microsoft, so rules keep working when the underlying address ranges change.
- Fully Stateful: Tracks the state of active network connections and makes decisions based on context.
Deployment Options
Azure Firewall can be deployed in a hub virtual network, providing centralized protection for workloads deployed in spoke virtual networks. This hub-and-spoke architecture is a common pattern for managing network security in Azure.
Hub-and-Spoke Architecture
In this model:
- A hub virtual network contains the Azure Firewall and other shared services.
- Spoke virtual networks contain your application workloads.
- Traffic between spokes and to the internet is routed through the Azure Firewall in the hub. This does not happen on its own: each spoke subnet needs a route table (user-defined route) whose 0.0.0.0/0 route has next hop type Virtual appliance and the firewall's private IP address as the next hop. Spokes should not be peered directly with each other if spoke-to-spoke traffic is meant to be inspected, because a direct peering bypasses the hub.
Rule Types
Azure Firewall supports three types of rules to control traffic:
Network Rules
Network rules filter traffic on Layer 3 (source and destination IP address, range, subnet, IP group or service tag) and Layer 4 (destination port and protocol) information. They are the right tool for non-HTTP traffic such as DNS, SSH, RDP or database connections.
Rule collection groups and rule collections are evaluated in priority order (lowest number first); rules inside a collection are evaluated in the order listed, and the first matching network rule is terminating: no further rules, including application rules, are evaluated for that flow.
Supported protocols: TCP, UDP, ICMP, Any.
Wildcard (*) can be used for destination ports and for addresses.
Caveat: because network rules are processed before application rules, a network rule that allows TCP 443 to any destination lets every HTTPS flow through without the FQDN check an application rule would apply. Keep network rules specific and let application rules handle web egress.
Application Rules
Application rules filter outbound HTTP, HTTPS and MSSQL traffic by fully qualified domain name (FQDN). The firewall reads the Host header of plain HTTP and the Server Name Indication (SNI) of a TLS handshake, so an FQDN allow list works without terminating TLS. This gives more granular control over web egress than IP-based rules, which is useful because the addresses behind a domain change frequently.
Application rules are evaluated after network rules, in priority order, and only for flows that matched no network rule. They are not applied to inbound connections.
FQDN tags (for example WindowsUpdate) cover the domains a Microsoft service needs.
A wildcard is allowed at the start of an FQDN (*.contoso.com matches www.contoso.com but not contoso.com). Without TLS inspection (a Premium SKU feature) the match relies on the server name the client presents, not on the content of the connection.
Network Address Translation (NAT) Rules
Destination NAT (DNAT) rules publish a service running on a private address to the internet: an inbound connection to one of the firewall's public IP addresses and a port is translated to the private IP address and port of the backend. Without a DNAT rule nothing behind the firewall is reachable from the internet, which is the safe default.
Used for inbound connections only; TCP and UDP are supported.
Translates the firewall's public IP address and port to a private IP address and port, and implicitly adds a matching network rule that allows the translated traffic, so the backend does not need a separate allow rule.
Keep the source address of a DNAT rule as narrow as the use case allows; a source of * exposes the backend port to the whole internet.
Firewall Policies
Azure Firewall policies are the recommended way to manage and reuse network, application and DNAT rules across multiple firewalls. A policy holds rule collection groups, each containing rule collections of one type, and one policy can be associated with many firewalls in different subscriptions and resource groups. A child policy can inherit from a parent (base) policy, so a central security team can enforce baseline rules in the parent while application teams manage their own rules in child policies. This simplifies rule management and keeps firewalls consistent.
Threat Intelligence
You can enable threat intelligence-based filtering to protect your network from known malicious IP addresses and domains. This feature is powered by Microsoft's Threat Intelligence.
Enabling Threat Intelligence
To enable this feature, set the threat intelligence mode on the firewall policy. The modes are Off, Alert (the default: matching traffic is logged but still processed by the rules) and Alert and deny (matching traffic is logged and dropped). Threat intelligence is evaluated before any rule, so a deny here cannot be overridden by an allow rule. A common rollout is to start in Alert mode, review the threat intelligence log entries for false positives, add any legitimate IP addresses or FQDNs to the policy's threat intelligence allowlist, and then switch to Alert and deny.
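The processing order described above (threat intelligence first, then DNAT rules, then network rules, then application rules, then implicit deny) is easy to get wrong when writing a policy. The model below is an added illustration of that order, not Microsoft's code and not the page's own; the policy, address ranges, FQDNs, rule names and flows are all constructed. It also reproduces the caveat from the network rules section: adding one permissive network rule (`allow-any-https`) makes the FQDN restriction in the application rules unreachable, and only an "Alert and deny" threat intelligence match still stops the flow.

```python
"""Model of the Azure Firewall rule processing order: threat intelligence first,
then DNAT rules, then network rules, then application rules, then implicit deny.
Added illustration of the documented order, not Microsoft's code; the policy,
addresses, FQDNs and flows below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    kind: str              # "dnat", "network" or "application"
    priority: int          # rule collection priority; lower number is evaluated first
    action: str            # "Allow", "Deny" or "Dnat"
    sources: tuple         # source CIDRs, or "*"
    destinations: tuple    # CIDRs (dnat/network) or FQDN patterns (application), or "*"
    ports: tuple           # destination ports, or "*"
    protocols: tuple       # "TCP", "UDP", "ICMP", "Any" (not consulted for application rules)
    translated: Optional[tuple] = None   # (private_ip, port) for DNAT rules


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    protocol: str
    fqdn: Optional[str] = None   # SNI or Host header; only known for HTTP(S)


def _addr_match(patterns, addr):
    return any(p == "*" or ip_address(addr) in ip_network(p) for p in patterns)


def _fqdn_match(patterns, fqdn):
    if fqdn is None:
        return False
    f = fqdn.lower()
    # "*.contoso.com" matches www.contoso.com but not contoso.com itself
    return any(p == "*" or p.lower() == f or (p.startswith("*.") and f.endswith(p[1:].lower()))
               for p in patterns)


def _l4_match(rule, flow):
    port_ok = "*" in rule.ports or flow.port in rule.ports
    proto_ok = "Any" in rule.protocols or flow.protocol in rule.protocols
    return port_ok and proto_ok


def _by_kind(rules, kind):
    return sorted((r for r in rules if r.kind == kind), key=lambda r: r.priority)


def evaluate(rules, flow, threat_intel_mode="Alert", malicious_ips=frozenset()):
    """Return (verdict, reason) for one flow, following the documented processing order."""
    # 1. Threat intelligence is checked before any rule. "Alert" only logs; "Off" does nothing.
    if (flow.src in malicious_ips or flow.dst in malicious_ips) and threat_intel_mode == "Alert and deny":
        return "Deny", "threat-intel"
    # 2. DNAT rules: inbound traffic to the firewall's public IP is translated and allowed.
    for r in _by_kind(rules, "dnat"):
        if _addr_match(r.sources, flow.src) and _addr_match(r.destinations, flow.dst) and _l4_match(r, flow):
            return "Dnat", f"{r.name} -> {r.translated[0]}:{r.translated[1]}"
    # 3. Network rules are terminating: the first match decides and application rules are never reached.
    for r in _by_kind(rules, "network"):
        if _addr_match(r.sources, flow.src) and _addr_match(r.destinations, flow.dst) and _l4_match(r, flow):
            return r.action, r.name
    # 4. Application rules: only HTTP/HTTPS flows whose FQDN is known can match.
    for r in _by_kind(rules, "application"):
        if _addr_match(r.sources, flow.src) and _fqdn_match(r.destinations, flow.fqdn) and flow.port in r.ports:
            return r.action, r.name
    # 5. No match at all: Azure Firewall denies by default.
    return "Deny", "implicit-deny"


SPOKE = ("10.1.0.0/16",)   # constructed spoke address space; 192.0.2.10 is the constructed firewall public IP
POLICY = [
    Rule("inbound-web", "dnat", 100, "Dnat", ("203.0.113.0/24",), ("192.0.2.10/32",), (443,), ("TCP",), ("10.1.0.4", 8443)),
    Rule("allow-dns", "network", 100, "Allow", SPOKE, ("168.63.129.16/32",), (53,), ("UDP",)),  # Azure platform DNS
    Rule("allow-msft-web", "application", 100, "Allow", SPOKE, ("*.microsoft.com",), (80, 443), ("Http", "Https")),
]
# A tempting "allow all HTTPS" network rule. Because network rules are terminating,
# it silently bypasses every FQDN restriction in the application rules above.
PERMISSIVE = Rule("allow-any-https", "network", 200, "Allow", SPOKE, ("*",), (443,), ("TCP",))

if __name__ == "__main__":
    web = Flow("10.1.0.4", "198.51.100.7", 443, "TCP", fqdn="evil.example")
    print(evaluate(POLICY, web))                  # ('Deny', 'implicit-deny')
    print(evaluate(POLICY + [PERMISSIVE], web))   # ('Allow', 'allow-any-https')
    print(evaluate(POLICY + [PERMISSIVE], web, "Alert and deny", {"198.51.100.7"}))  # ('Deny', 'threat-intel')
```

When reviewing a real policy, the useful question is the one the model makes explicit: for each outbound flow you care about, which rule type reaches it first, and does a broad network rule short-circuit the application rules you are relying on.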
Monitoring and Logging
Azure Firewall logs provide valuable insights into network traffic and firewall activity, but nothing is recorded until a diagnostic setting is configured on the firewall. The diagnostic setting sends the selected log categories to a Log Analytics workspace, an Event Hub, or a Storage Account for analysis, alerting, or long-term retention.
| Log Type | Description |
|---|---|
| AzureDiagnostics (legacy diagnostic logs) | One shared table holding network rule, application rule, NAT rule and threat intelligence events; the per-flow detail is packed into a message string that queries must parse. |
| Structured (resource-specific) logs, for example AZFWNetworkRule, AZFWApplicationRule, AZFWNatRule and AZFWThreatIntel | One table per log category with typed columns (source, destination, port, action, matching rule collection and rule), which is easier to query and to build alerts on. Prefer these for new deployments. |
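Once the logs are flowing, the first questions are usually "what is being denied, and by what" and "is one source probing many destinations". The script below is an added example of that triage, not code from the page or from Microsoft: the records are constructed JSON lines whose field names are modelled on the structured network-rule log table, and the scan threshold is an arbitrary choice. A deny with an empty Rule field is treated as an implicit deny (no rule matched), which is the bucket that shows either missing rules or unexpected traffic.

```python
"""Triage Azure Firewall network-rule log records exported as JSON lines.
Added example, not Microsoft's code: the records are constructed, with field names
modelled on the structured AZFWNetworkRule table, and the threshold is arbitrary."""
import json
from collections import Counter, defaultdict

# Constructed sample: one allowed DNS lookup, a burst of implicit denies from 10.1.0.9
# against several hosts and ports, and one explicit deny from a named rule.
SAMPLE_LOG = """\
{"TimeGenerated":"2024-05-01T10:00:01Z","Protocol":"UDP","SourceIp":"10.1.0.4","SourcePort":53411,"DestinationIp":"168.63.129.16","DestinationPort":53,"Action":"Allow","RuleCollection":"core-out","Rule":"allow-dns"}
{"TimeGenerated":"2024-05-01T10:00:02Z","Protocol":"TCP","SourceIp":"10.1.0.4","SourcePort":51000,"DestinationIp":"10.2.0.5","DestinationPort":22,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:03Z","Protocol":"TCP","SourceIp":"10.1.0.9","SourcePort":40001,"DestinationIp":"10.2.0.5","DestinationPort":22,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:03Z","Protocol":"TCP","SourceIp":"10.1.0.9","SourcePort":40002,"DestinationIp":"10.2.0.5","DestinationPort":3389,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:04Z","Protocol":"TCP","SourceIp":"10.1.0.9","SourcePort":40003,"DestinationIp":"10.2.0.6","DestinationPort":445,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:05Z","Protocol":"TCP","SourceIp":"10.1.0.9","SourcePort":40004,"DestinationIp":"10.2.0.7","DestinationPort":1433,"Action":"Deny","RuleCollection":"","Rule":""}
{"TimeGenerated":"2024-05-01T10:00:06Z","Protocol":"TCP","SourceIp":"10.1.0.4","SourcePort":51001,"DestinationIp":"10.2.0.5","DestinationPort":443,"Action":"Deny","RuleCollection":"spoke-to-spoke","Rule":"deny-legacy-web"}
"""


def parse_records(text):
    """Parse JSON-lines export into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records, scan_threshold=3):
    """Summarise denied flows and flag sources whose denies look like probing.

    Returns a dict with:
      implicit_denies   - number of denies that matched no rule (empty Rule field)
      explicit_denies   - Counter of deny rule names that fired
      suspect_sources   - sources with at least scan_threshold distinct denied (dst, port) pairs
      top_denied_ports  - the three most frequently denied destination ports
    """
    implicit = 0
    explicit = Counter()
    targets = defaultdict(set)
    ports = Counter()
    for rec in records:
        if rec["Action"] != "Deny":
            continue
        ports[rec["DestinationPort"]] += 1
        targets[rec["SourceIp"]].add((rec["DestinationIp"], rec["DestinationPort"]))
        if rec.get("Rule"):
            explicit[rec["Rule"]] += 1
        else:
            implicit += 1
    suspect = sorted(src for src, hit in targets.items() if len(hit) >= scan_threshold)
    return {
        "implicit_denies": implicit,
        "explicit_denies": explicit,
        "suspect_sources": suspect,
        "top_denied_ports": ports.most_common(3),
    }


if __name__ == "__main__":
    summary = triage(parse_records(SAMPLE_LOG))
    print("implicit denies:", summary["implicit_denies"])        # 5
    print("explicit denies:", dict(summary["explicit_denies"]))  # {'deny-legacy-web': 1}
    print("suspect sources:", summary["suspect_sources"])        # ['10.1.0.9']
    print("top denied ports:", summary["top_denied_ports"])
```

In production the same grouping is a short Kusto query over the structured tables, but running it locally over an export is a quick way to validate a new rule set before switching threat intelligence or a deny rule from alert to enforce.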
Refer to the official Azure Firewall documentation for the most up-to-date information and advanced configurations.