Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Key Features
- High Availability and Scalability: Built to be highly available and scalable to meet your network demands.
- Stateful Firewall: Inspects traffic based on connection state.
- Network and Application Layer Filtering: Supports filtering rules for both Layer 4 (TCP/UDP) and Layer 7 (HTTP/S).
- Threat Intelligence: Integrates with Microsoft's Threat Intelligence feeds to block known malicious IP addresses and domains.
- Centralized Logging and Monitoring: Provides comprehensive logs for security and troubleshooting.
- Region-Specific Deployment: Deploy Azure Firewall in any Azure region.
Deployment Scenarios
Azure Firewall can be deployed in various scenarios to protect your Azure and on-premises resources:
- Hub-Spoke Topology: A central hub VNet contains the Azure Firewall, routing traffic between spokes and to/from on-premises networks.
- Traffic Inspection: All inbound and outbound traffic to/from the internet and on-premises can be funneled through Azure Firewall.
- Inter-VNet Communication: Control and inspect traffic between VNets in a hub-spoke architecture.
Pricing Tiers
Azure Firewall offers different tiers to suit various needs:
| Tier | Features | Use Case |
|---|---|---|
| Standard | Stateful filtering, Threat Intelligence, Network rules, Application rules (basic FQDN), NAT rules. | General purpose network security. |
| Premium | All Standard features plus: TLS inspection, Web categories, URL filtering, Network FQDN tags, Private IP networks, Advanced Malware Protection. | Advanced security needs, compliance requirements. |
Getting Started
To deploy and configure Azure Firewall:
- Create a Hub VNet: A dedicated VNet to host the Azure Firewall.
- Deploy Azure Firewall: Use the Azure portal, Azure CLI, or PowerShell.
- Configure Routing: Update route tables to direct traffic through the firewall.
- Define Firewall Policies: Create network, application, and NAT rules to control traffic flow.
Note: Azure Firewall requires a dedicated subnet named AzureFirewallSubnet. This subnet must be at least a /26 CIDR block.
Example: Network Rule
This example shows a Firewall Policy rule collection group with one network rule that allows outbound HTTP (TCP port 80) from the 10.0.1.0/24 subnet to a single web server. In Firewall Policy the Allow or Deny action is set on the rule collection and applies to every rule in it:

```json
{
  "properties": {
    "priority": 200,
    "ruleCollections": [
      {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "name": "WebServerNetworkRules",
        "priority": 1000,
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "ruleType": "NetworkRule",
            "name": "AllowHTTPToWebServer",
            "ipProtocols": [
              "TCP"
            ],
            "sourceAddresses": [
              "10.0.1.0/24"
            ],
            "destinationAddresses": [
              "203.0.113.5"
            ],
            "destinationPorts": [
              "80"
            ]
          }
        ]
      }
    ]
  }
}
```
Example: Application Rule
This example shows a rule collection group with one application rule that allows outbound HTTPS from 10.0.0.0/16 to specific Microsoft domains. Setting terminateTLS enables TLS inspection of the matching traffic, which requires the Premium tier:

```json
{
  "properties": {
    "priority": 210,
    "ruleCollections": [
      {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "name": "MicrosoftDomainsApplicationRules",
        "priority": 1100,
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "ruleType": "ApplicationRule",
            "name": "AllowMicrosoftDomains",
            "sourceAddresses": [
              "10.0.0.0/16"
            ],
            "protocols": [
              {
                "protocolType": "Https",
                "port": 443
              }
            ],
            "targetFqdns": [
              "*.microsoft.com",
              "*.azure.com"
            ],
            "terminateTLS": true
          }
        ]
      }
    ]
  }
}
```
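As an added example (not code from this page or from Microsoft's tooling), the following Python script checks a planned deployment offline against the points above: the AzureFirewallSubnet name and /26 minimum from the Getting Started note, and a rule collection group body in the shape of the two examples. The individual checks, the assumed priority range and the constructed sample group are this example's own assumptions.

```python
import ipaddress

# Constraints taken from this page plus the Firewall Policy rule collection group schema; the checks are this example's assumptions.
COLLECTION_TYPES = {"FirewallPolicyFilterRuleCollection", "FirewallPolicyNatRuleCollection"}
PRIORITIES = range(100, 65001)  # assumed valid range for rule collection groups and collections

def check_firewall_subnet(name, cidr):
    """Findings for the firewall subnet: exact name and at least a /26."""
    findings = []
    if name != "AzureFirewallSubnet":
        findings.append(f"subnet must be named AzureFirewallSubnet, not {name!r}")
    if ipaddress.ip_network(cidr).prefixlen > 26:
        findings.append(f"{cidr} is smaller than the required /26")
    return findings

def check_rule_collection_group(group, tier="Standard"):
    """Findings for one rule collection group body (shape used in the examples above)."""
    findings = []
    props = group["properties"]
    if props.get("priority") not in PRIORITIES:
        findings.append(f"group priority {props.get('priority')} is outside 100-65000")
    for rc in props.get("ruleCollections", []):
        label = rc.get("name", "<unnamed>")
        if rc.get("ruleCollectionType") not in COLLECTION_TYPES:
            findings.append(f"{label}: unknown ruleCollectionType {rc.get('ruleCollectionType')!r}")
        if rc.get("priority") not in PRIORITIES:
            findings.append(f"{label}: collection priority {rc.get('priority')} is outside 100-65000")
        if "action" not in rc:
            findings.append(f"{label}: no action (Allow/Deny is set per collection, not per rule)")
        for rule in rc.get("rules", []):
            if rule.get("ruleType") == "NetworkRule" and not rule.get("destinationPorts"):
                findings.append(f"{rule.get('name')}: network rule has no destinationPorts")
            if rule.get("ruleType") == "ApplicationRule" and rule.get("terminateTLS") and tier != "Premium":
                findings.append(f"{rule.get('name')}: terminateTLS needs the Premium tier (TLS inspection)")
    return findings

# Constructed sample: the application rule from this page, as if deployed on a Standard-tier firewall.
SAMPLE_GROUP = {"properties": {"priority": 210, "ruleCollections": [{
    "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": "AllowMicrosoft",
    "priority": 1100, "action": {"type": "Allow"},
    "rules": [{"ruleType": "ApplicationRule", "name": "AllowMicrosoftDomains",
               "sourceAddresses": ["10.0.0.0/16"],
               "protocols": [{"protocolType": "Https", "port": 443}],
               "targetFqdns": ["*.microsoft.com", "*.azure.com"], "terminateTLS": True}]}]}}

if __name__ == "__main__":
    for finding in check_firewall_subnet("AzureFirewallSubnet", "10.0.0.0/27") + \
            check_rule_collection_group(SAMPLE_GROUP, tier="Standard"):
        print("FINDING:", finding)
```

Run as-is it reports the undersized /27 subnet and the TLS termination attempt on a Standard-tier firewall; pass tier="Premium" and a /26 to see a clean result.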