Azure Firewall
Azure Firewall is a network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and cloud scalability. You can use Azure Firewall to centralize your network traffic filtering policies across subscriptions and virtual networks, providing a single pane of glass for network security.
Key Features
- Stateful Inspection: Tracks the state of active network connections and uses this context to associate traffic with the recognized connections.
- High Availability and Scalability: Built-in redundancy and automatic scaling to meet demand.
- Threat Intelligence-based Filtering: Helps protect against known exploits by using Microsoft's Threat Intelligence feed.
- Network and Application Rule Processing: Allows filtering of traffic based on IP addresses, ports, protocols, and fully qualified domain names (FQDNs).
- Centralized Policy Management: Define and manage firewall rules centrally for multiple VNets.
- DNAT Support: Destination Network Address Translation (DNAT) forwards traffic destined for a public IP address on the firewall to a private IP address inside your VNet.
Architecture
Azure Firewall is deployed as a network virtual appliance (NVA) within a dedicated subnet named AzureFirewallSubnet. This subnet must have a minimum prefix of /26. The firewall acts as a central inspection point for traffic from various sources, including:
- On-premises networks connected via VPN or ExpressRoute.
- Other Azure Virtual Networks.
- Internet-bound traffic.
Traffic is routed to the Azure Firewall using User Defined Routes (UDRs) defined on the associated subnets.
Deployment
You can deploy Azure Firewall using the Azure portal, Azure PowerShell, Azure CLI, or ARM templates.
Steps to Deploy (Azure Portal)
- Navigate to the Azure portal.
- Search for "Firewall" and select "Firewalls".
- Click "Create firewall".
- Fill in the required details: Subscription, Resource group, Name, Region, Firewall name, Firewall SKU, and select a Virtual Network.
- Create a dedicated subnet named AzureFirewallSubnet with at least a /26 address prefix.
- Configure a public IP address if needed.
- Review and create the firewall.
Rule Management
Azure Firewall uses three types of rules:
Network Rules
Network rules filter traffic based on Layer 3 and Layer 4 information, including:
- Source IP address/range
- Protocol (TCP, UDP, ICMP, Any)
- Source port
- Destination IP address/range
- Destination port
Example Network Rule: Allow outbound HTTP traffic to a specific IP address.
{
  "ruleType": "NetworkRule",
  "sourceAddresses": [
    "10.0.1.0/24"
  ],
  "destinationAddresses": [
    "203.0.113.5"
  ],
  "protocols": [
    "TCP"
  ],
  "destinationPorts": [
    "80"
  ],
  "name": "Allow-Outbound-HTTP"
}
Application Rules
Application rules filter HTTP and HTTPS traffic based on fully qualified domain names (FQDNs) or FQDN tags. This provides more granular control at Layer 7. An application rule is defined by:
- Source type (IP Address, IP Group, Service Tag)
- Source
- Protocol (Http, Https)
- Target FQDNs
- Web categories (for blocking or allowing broad categories of websites)
Example Application Rule: Allow access to a specific set of Microsoft update servers.
{
  "ruleType": "ApplicationRule",
  "sourceAddresses": [
    "10.0.1.0/24"
  ],
  "protocols": [
    {
      "protocolType": "Https",
      "port": 443
    }
  ],
  "targetFqdns": [
    "*.windowsupdate.microsoft.com",
    "*.ntp.org"
  ],
  "name": "Allow-Microsoft-Updates"
}
DNAT Rules
DNAT rules perform Destination Network Address Translation (DNAT): traffic destined for a public IP address and port on the firewall is forwarded to a private IP address and port within your VNet. This is commonly used for inbound access to services.
- Rule Collection Type (Network, Application)
- Protocol (TCP, UDP)
- Frontend IP address
- Backend port
- Backend IP address
- Destination type (IP Address, Network Interface)
Example DNAT Rule: Forward inbound RDP traffic (TCP 3389) arriving at the firewall's public IP (20.1.1.1) to the private IP of a specific virtual machine (10.0.2.4). The comments in the original listing are not valid JSON and have been folded into this sentence.
{
  "ruleType": "DnatRule",
  "sourceAddresses": [
    "*"
  ],
  "destinationAddresses": [
    "20.1.1.1"
  ],
  "protocols": [
    "TCP"
  ],
  "destinationPorts": [
    "3389"
  ],
  "translatedAddress": "10.0.2.4",
  "translatedPort": "3389",
  "name": "Allow-RDP-Inbound"
}
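The following Python is an added example, not code from this page or from Azure: it models how a flow is evaluated against the three rule examples above. It assumes Azure Firewall's documented processing order (DNAT rules, then network rules, then application rules) and an implicit deny for any flow that matches nothing; the rule set and sample flows are constructed from the listings above, and the `evaluate` function, its flow dictionary and the `app` field for application-layer protocol are this example's own conventions.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed policy: the three example rules from this page combined.
RULES = [
    {"ruleType": "DnatRule", "name": "Allow-RDP-Inbound", "sourceAddresses": ["*"],
     "destinationAddresses": ["20.1.1.1"], "protocols": ["TCP"], "destinationPorts": ["3389"],
     "translatedAddress": "10.0.2.4", "translatedPort": "3389"},
    {"ruleType": "NetworkRule", "name": "Allow-Outbound-HTTP", "sourceAddresses": ["10.0.1.0/24"],
     "destinationAddresses": ["203.0.113.5"], "protocols": ["TCP"], "destinationPorts": ["80"]},
    {"ruleType": "ApplicationRule", "name": "Allow-Microsoft-Updates", "sourceAddresses": ["10.0.1.0/24"],
     "protocols": [{"protocolType": "Https", "port": 443}],
     "targetFqdns": ["*.windowsupdate.microsoft.com", "*.ntp.org"]},
]

# Processing order assumed from Azure Firewall documentation: DNAT -> network -> application.
ORDER = {"DnatRule": 0, "NetworkRule": 1, "ApplicationRule": 2}

def _addr_match(addr, patterns):
    # "*" matches any address; otherwise match a single IP or a CIDR range.
    return any(p == "*" or ipaddress.ip_address(addr) in ipaddress.ip_network(p, strict=False)
               for p in patterns)

def _port_match(port, patterns):
    return any(p == "*" or str(port) == p for p in patterns)

def _fqdn_match(fqdn, patterns):
    # Wildcard FQDNs such as *.windowsupdate.microsoft.com, compared case-insensitively.
    return any(fnmatch(fqdn.lower(), p.lower()) for p in patterns)

def evaluate(flow, rules=RULES):
    """Return (verdict, rule name, translated (ip, port) or None) for one flow.
    flow keys: src, dst, proto (TCP/UDP/ICMP), dport; for HTTP(S) flows also
    fqdn (requested host) and app ("Http" or "Https"). Unmatched flows are denied."""
    for r in sorted(rules, key=lambda r: ORDER[r["ruleType"]]):
        if not _addr_match(flow["src"], r["sourceAddresses"]):
            continue
        if r["ruleType"] in ("DnatRule", "NetworkRule"):
            if (_addr_match(flow["dst"], r["destinationAddresses"])
                    and (flow["proto"] in r["protocols"] or "Any" in r["protocols"])
                    and _port_match(flow["dport"], r["destinationPorts"])):
                if r["ruleType"] == "DnatRule":
                    return "dnat", r["name"], (r["translatedAddress"], int(r["translatedPort"]))
                return "allow", r["name"], None
        else:  # ApplicationRule: requires an FQDN plus a matching Layer 7 protocol and port
            fqdn = flow.get("fqdn")
            proto_ok = any(p["protocolType"] == flow.get("app") and p["port"] == flow["dport"]
                           for p in r["protocols"])
            if fqdn and proto_ok and _fqdn_match(fqdn, r["targetFqdns"]):
                return "allow", r["name"], None
    return "deny", None, None
```

Because network rules are evaluated before application rules, an FQDN-based rule is never consulted for a flow that an earlier network rule already allowed, which is worth keeping in mind when auditing a policy.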
Use Cases
- Hub-and-Spoke Network Topology: Azure Firewall in the hub VNet inspects traffic between spoke VNet workloads and between spokes and on-premises networks.
- Centralized Network Security: Centralize network security policies for your entire Azure environment.
- Outbound Filtering: Control and log outbound traffic from VNet workloads to the internet.
- Inbound Filtering: Securely expose specific services to the internet using DNAT rules.