Azure Firewall

Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Azure Firewall features include:

  • Network and Application Rule Collections: Control access to and from your virtual networks based on IP addresses, ports, and application protocols.
  • Threat Intelligence-based Filtering: Automatically block malicious IP addresses and domains based on Microsoft's threat intelligence feeds.
  • Centralized Logging and Monitoring: Gain insights into firewall traffic and security events through Azure Monitor and Log Analytics.
  • High Availability and Scalability: Built-in redundancy and automatic scaling to meet your network demands.
  • Global Distribution: Deploy Azure Firewall in any Azure region for consistent security across your hybrid cloud environment.

Key Concepts

Firewall Policy

A firewall policy is a management object that contains rules for Azure Firewall. Policies centralize management and allow you to apply consistent security policies across multiple firewalls.

Rules

Azure Firewall uses three types of rules:

  • Network Rules: Filter traffic based on IP address, port, and protocol. Useful for filtering traffic to and from infrastructure resources.
  • Application Rules: Filter traffic based on FQDN (Fully Qualified Domain Name) and protocols (HTTP/HTTPS). Ideal for filtering web traffic.
  • DNAT Rules: Perform Destination Network Address Translation (DNAT) so that inbound traffic arriving at the firewall's public IP and port is forwarded to a specific resource within your virtual network.

Firewall Zones

Azure Firewall supports Availability Zones for high availability. You can deploy a firewall in one or more zones for resilience against datacenter failures.

Deployment and Configuration

Deploying Azure Firewall typically involves the following steps:

  1. Create a Dedicated Subnet: Create a subnet named AzureFirewallSubnet in your virtual network.
  2. Deploy Azure Firewall: Create an Azure Firewall instance in the AzureFirewallSubnet.
  3. Configure Routes: Update your virtual network's route tables to direct traffic through the Azure Firewall.
  4. Define Firewall Policies and Rules: Create network, application, and DNAT rules to control traffic flow.

Important: The AzureFirewallSubnet must have a /26 or larger address prefix.

Example Rule Configuration (Conceptual)

Below is a conceptual example of an Application Rule Collection allowing outbound access to specific Microsoft 365 FQDNs:

Rule Collection Name  Priority  Rule Type    Source Addresses  Protocol    Target FQDNs           Action
M365-Outbound         200       Application  10.0.1.0/24       http,https  *.office365.com        Allow
                                                                           *.microsoftonline.com
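The four deployment steps above and the M365-Outbound rule collection from the table, carried through as one Azure CLI script. This is an added example, not code from the page or from Microsoft; it assumes the az CLI with the azure-firewall extension is installed and signed in, and the resource group, VNet, region, subnet names and address ranges are placeholders to replace. By default it runs in dry-run mode and only prints the commands it would issue; it also refuses to proceed if the firewall subnet prefix is smaller than the required /26.

```shell
#!/bin/sh
# Added example (not from the page or from Microsoft): deploy Azure Firewall
# with the Azure CLI following the four steps, then add the M365-Outbound
# application rule collection. All names and ranges below are placeholders.
# DRY_RUN=1 (default) prints commands only; DRY_RUN=0 executes them.

set -eu

RG="${RG:-rg-fw-demo}"                                   # placeholder resource group
VNET="${VNET:-vnet-hub}"                                 # placeholder hub virtual network
LOCATION="${LOCATION:-eastus}"
FW_NAME="${FW_NAME:-fw-hub}"
FW_SUBNET_PREFIX="${FW_SUBNET_PREFIX:-10.0.255.0/26}"    # must be /26 or larger
WORKLOAD_SUBNET="${WORKLOAD_SUBNET:-snet-workload}"      # subnet whose traffic is routed via the firewall
DRY_RUN="${DRY_RUN:-1}"

# Run a command, or just print it in dry-run mode.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '[dry-run] %s\n' "$*"
    else
        "$@"
    fi
}

# Enforce the /26-or-larger requirement for AzureFirewallSubnet.
# Returns 0 when the prefix length is 26 or less (block at least as big as a /26), 1 otherwise.
check_fw_subnet_prefix() {
    cidr="$1"
    case "$cidr" in
        */*) bits="${cidr#*/}" ;;
        *)   return 1 ;;            # no prefix length given
    esac
    case "$bits" in
        ''|*[!0-9]*) return 1 ;;    # prefix length is not a number
    esac
    [ "$bits" -ge 0 ] && [ "$bits" -le 26 ]
}

deploy_firewall() {
    if ! check_fw_subnet_prefix "$FW_SUBNET_PREFIX"; then
        echo "AzureFirewallSubnet prefix $FW_SUBNET_PREFIX is smaller than /26" >&2
        return 1
    fi

    # Step 1: dedicated subnet; the name AzureFirewallSubnet is mandatory.
    run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
        --name AzureFirewallSubnet --address-prefixes "$FW_SUBNET_PREFIX"

    # Step 2: the firewall and its Standard public IP, attached to that subnet.
    run az network public-ip create --resource-group "$RG" --name "${FW_NAME}-pip" \
        --sku Standard --allocation-method Static
    run az network firewall create --resource-group "$RG" --name "$FW_NAME" --location "$LOCATION"
    run az network firewall ip-config create --resource-group "$RG" --firewall-name "$FW_NAME" \
        --name fw-ipconfig --public-ip-address "${FW_NAME}-pip" --vnet-name "$VNET"

    # Step 3: route the workload subnet's default route to the firewall's
    # private IP (read back from the firewall once it exists).
    if [ "$DRY_RUN" = "1" ]; then
        fw_private_ip="<firewall-private-ip>"
    else
        fw_private_ip=$(az network firewall show --resource-group "$RG" --name "$FW_NAME" \
            --query "ipConfigurations[0].privateIPAddress" -o tsv)
    fi
    run az network route-table create --resource-group "$RG" --name "${FW_NAME}-rt" \
        --disable-bgp-route-propagation true
    run az network route-table route create --resource-group "$RG" --route-table-name "${FW_NAME}-rt" \
        --name default-to-firewall --address-prefix 0.0.0.0/0 \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$fw_private_ip"
    run az network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
        --name "$WORKLOAD_SUBNET" --route-table "${FW_NAME}-rt"

    # Step 4: the M365-Outbound application rule collection from the table.
    run az network firewall application-rule create --resource-group "$RG" \
        --firewall-name "$FW_NAME" --collection-name M365-Outbound --priority 200 \
        --action Allow --name Allow-M365 --source-addresses 10.0.1.0/24 \
        --protocols Http=80 Https=443 \
        --target-fqdns "*.office365.com" "*.microsoftonline.com"
}

deploy_firewall
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 to apply them. The default route in step 3 only takes effect for subnets that have the route table associated, so each workload subnet that should be inspected needs the same association; the firewall subnet itself must not be routed back through the firewall.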

Benefits of Azure Firewall

  • Enhanced Security Posture: Centralized control and threat protection.
  • Simplified Network Management: Consistent policy application across your environment.
  • Cost-Effectiveness: Pay-as-you-go pricing and built-in scalability reduce infrastructure overhead.
  • Compliance: Helps meet regulatory compliance requirements for network security.