Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Key Features
- Stateful Firewall: Inspects network traffic based on source and destination IP addresses, ports, and protocols.
- Application Filtering: Allows or denies traffic to specific FQDNs (Fully Qualified Domain Names) or applications.
- Network Rules: Control traffic flow at the IP address, port, and protocol level.
- Threat Intelligence-based Filtering: Integrates with Azure threat intelligence feeds to identify and block malicious IP addresses and domains.
- Centralized Logging: Provides comprehensive logs for security analysis and auditing.
- High Availability and Scalability: Built to be highly available and can scale to meet your network demands.
When to Use Azure Firewall
Azure Firewall is ideal for scenarios where you need a centralized, managed network security solution. Consider using it for:
- Protecting multiple virtual networks and on-premises networks through a hub-and-spoke topology.
- Enforcing consistent security policies across your Azure environment.
- Controlling outbound internet access from your virtual machines.
- Segmenting traffic between different workloads or applications.
Deployment Scenarios
Azure Firewall can be deployed in various topologies. A common pattern is the hub-and-spoke model, where Azure Firewall resides in a central hub virtual network and is used to route traffic to and from spoke virtual networks.
Configuring Network and Application Rules
You can define two types of rules for Azure Firewall:
- Network Rules: These rules allow or deny traffic based on Layer 3 (IP address) and Layer 4 (port and protocol) information.
- Application Rules: These rules allow or deny traffic to specific FQDNs (Fully Qualified Domain Names) or applications. This is particularly useful for controlling access to web-based applications or services.
Example: Allowing outbound HTTPS to a specific FQDN
You can create an application rule to allow outbound HTTPS traffic to a specific FQDN, for example, storage.azure.com.
# Example CLI command for creating an application rule in a new rule collection.
# Requires the azure-firewall CLI extension: az extension add --name azure-firewall
# An FQDN destination needs an application rule (--target-fqdns); a network rule
# only accepts IP addresses, so --rule-type NetworkRule would not work here.
az network firewall application-rule create \
--resource-group YourResourceGroup \
--firewall-name YourFirewallName \
--collection-name AppRuleCollection \
--name AllowSpecificStorageAccess \
--priority 100 \
--action Allow \
--protocols Https=443 \
--source-addresses '*' \
--target-fqdns 'storage.azure.com'
# '*' matches every source; narrow it to the spoke subnet ranges that actually need the access.
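To confirm that the application and network rules behave as intended, the firewall's centralized logs are the place to look. The following is an added Python example, not code from this page or from Azure; it parses constructed log lines written in the shape of the msg_s field of the AzureFirewallApplicationRule and AzureFirewallNetworkRule categories (the exact field layout is assumed) and reports allow/deny counts per destination and the sources that were denied.

```python
import re
from collections import Counter

# Constructed sample lines (not real telemetry) in the shape of Azure Firewall's
# application-rule and network-rule log messages.
SAMPLE_LOG = """\
HTTPS request from 10.1.0.4:52345 to storage.azure.com:443. Action: Allow. Rule Collection: AppRuleCollection. Rule: AllowSpecificStorageAccess
HTTPS request from 10.1.0.4:52346 to example.com:443. Action: Deny. No rule matched. Proceeding with default action
HTTP request from 10.1.0.5:41002 to example.com:80. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.1.0.4:53432 to 10.2.0.4:3389. Action: Allow
TCP request from 10.1.0.6:53433 to 10.2.0.4:22. Action: Deny
"""

# Protocol, source, destination (FQDN or IP), port, action, and the optional
# "Rule Collection: ... Rule: ..." suffix that only appears on explicit matches.
LINE_RE = re.compile(
    r"^(?P<proto>\w+) request from (?P<src>[\d.]+):\d+ "
    r"to (?P<dst>[^:\s]+):(?P<port>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+))?"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def parse_log(text):
    """Parse every recognised line; unrecognised lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Allow/Deny counts keyed by 'destination:port', e.g. to spot missing rules."""
    per_dst = {}
    for e in entries:
        per_dst.setdefault(f"{e['dst']}:{e['port']}", Counter())[e["action"]] += 1
    return per_dst


def denied_sources(entries):
    """Sorted list of source IPs that had at least one denied flow."""
    return sorted({e["src"] for e in entries if e["action"] == "Deny"})
```

A destination that shows only Deny entries with no rule named is either unwanted traffic worth investigating or an application rule that still needs to be added.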
Azure Firewall Manager
For organizations with complex network infrastructures, Azure Firewall Manager provides a centralized management experience for deploying and managing Azure Firewall instances. It allows you to manage firewall policies and secure virtual hubs.
Next Steps
To learn more about implementing Azure Firewall, consider these resources: