Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with high availability and unrestricted cloud scalability.
Key Features
- Built-in High Availability: Azure Firewall is deployed across multiple availability zones, providing automatic failover without any configuration.
- Unrestricted Cloud Scalability: It scales automatically to meet your network traffic demands.
- Stateful Firewall as a Service: Inspects network traffic at Layer 3 and Layer 4, and can also inspect traffic at Layer 7 for certain protocols.
- Threat Intelligence-Based Filtering: Protects against known exploits and threats by identifying malicious IP addresses, domains, and URLs.
- Application and Network Rules: Allows granular control over which applications and network traffic are allowed or denied.
- Network Address Translation (NAT): Supports inbound and outbound NAT rules for precise control over traffic flow.
- Centralized Logging and Monitoring: Integrates with Azure Monitor and Azure Sentinel for comprehensive security event analysis.
- Private IP Address Support: Can protect both public and private IP addresses.
Deployment Options
Azure Firewall can be deployed in a few ways, depending on your network architecture, your security needs, and the SKU you choose:
- Hub-Spoke Network Topology: The most common deployment, where Azure Firewall is placed in a central hub virtual network and routes traffic for spoke virtual networks.
- Global Hub-Spoke: Extends the hub-spoke model across regions for large-scale deployments.
- Azure Firewall Basic: A cost-effective option for smaller workloads with basic filtering needs.
- Azure Firewall Standard: Offers advanced features like threat intelligence filtering and TLS inspection.
- Azure Firewall Premium: Provides advanced capabilities such as TLS inspection, URL filtering, and network processing improvements.
Rule Types
Azure Firewall uses three types of rules to control traffic:
Network Rules
Network rules are used to allow or deny traffic to specific IP addresses, ports, and protocols (TCP, UDP, ICMP). These rules operate at Layer 3 (IP address) and Layer 4 (port).
Example of a network rule:
```json
{
  "ruleCollectionType": "FirewallPolicyNetworkRuleCollection",
  "ruleCollectionName": "AllowInternalWebServers",
  "priority": 200,
  "action": {
    "type": "Allow"
  },
  "rules": [
    {
      "name": "AllowHTTP_HTTPS_to_WebServerPool",
      "ipProtocols": ["TCP"],
      "sourceAddresses": ["10.0.1.0/24"],
      "destinationAddresses": ["10.0.5.4"],
      "destinationPorts": ["80", "443"]
    }
  ]
}
```
Application Rules
Application rules allow you to control HTTP and HTTPS traffic based on the fully qualified domain name (FQDN) or FQDN tags. These rules operate at Layer 7.
Example of an application rule:
```json
{
  "ruleCollectionType": "FirewallPolicyApplicationRuleCollection",
  "ruleCollectionName": "AllowAppAccess",
  "priority": 300,
  "action": {
    "type": "Allow"
  },
  "rules": [
    {
      "name": "AllowMicrosoftUpdate",
      "protocols": [{"protocolType": "Http", "port": 80}],
      "sourceAddresses": ["10.0.2.0/24"],
      "targetFqdns": ["*.windowsupdate.microsoft.com"]
    },
    {
      "name": "AllowAzureDevOps",
      "protocols": [{"protocolType": "Https", "port": 443}],
      "sourceAddresses": ["10.0.2.0/24"],
      "targetFqdns": ["dev.azure.com", "azure.microsoft.com"]
    }
  ]
}
```
DNAT Rules
Destination Network Address Translation (DNAT) rules translate incoming traffic destined for the firewall's public IP address and port to a private IP address and port in your virtual network. This is commonly used for publishing internal resources to the internet. Because a DNAT rule exposes the translated service to every source it permits, keep sourceAddresses as narrow as the use case allows; the example below uses "*" and therefore accepts connections from any internet source.
Example of a DNAT rule:
```json
{
  "ruleCollectionType": "FirewallPolicyNatRuleCollection",
  "ruleCollectionName": "WebserverDNAT",
  "priority": 100,
  "action": {
    "type": "Dnat"
  },
  "rules": [
    {
      "name": "WebServerHTTP",
      "ipProtocols": ["TCP"],
      "sourceAddresses": ["*"],
      "destinationAddresses": ["20.45.67.89"],
      "destinationPorts": ["80"],
      "translatedAddress": "10.0.5.4",
      "translatedPort": "80"
    }
  ]
}
```
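As an added worked example (not code from the original page or from Microsoft), the following Python evaluates a single flow against compact copies of the three rule collections above, in the order Azure Firewall applies them: DNAT rules first, then network rules, then application rules, each set in ascending priority order, with an implicit deny when nothing matches. The `evaluate` function, the flow dictionary shape, the ARM-style key names in the constructed data, and the simplified matching (single ports only, no port ranges or FQDN tags) are assumptions of this example.

```python
import ipaddress
from fnmatch import fnmatchcase
# Constructed copies of the page's rule collections, using ARM-style key names (assumption).
RULE_COLLECTIONS = [
    {"ruleCollectionType": "FirewallPolicyNatRuleCollection", "priority": 100,
     "action": {"type": "Dnat"}, "rules": [
         {"name": "WebServerHTTP", "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
          "destinationAddresses": ["20.45.67.89"], "destinationPorts": ["80"],
          "translatedAddress": "10.0.5.4", "translatedPort": "80"}]},
    {"ruleCollectionType": "FirewallPolicyNetworkRuleCollection", "priority": 200,
     "action": {"type": "Allow"}, "rules": [
         {"name": "AllowHTTP_HTTPS_to_WebServerPool", "ipProtocols": ["TCP"],
          "sourceAddresses": ["10.0.1.0/24"], "destinationAddresses": ["10.0.5.4"],
          "destinationPorts": ["80", "443"]}]},
    {"ruleCollectionType": "FirewallPolicyApplicationRuleCollection", "priority": 300,
     "action": {"type": "Allow"}, "rules": [
         {"name": "AllowAzureDevOps", "protocols": [{"protocolType": "Https", "port": 443}],
          "sourceAddresses": ["10.0.2.0/24"], "targetFqdns": ["dev.azure.com"]}]},
]
# Azure Firewall evaluates DNAT rules first, then network rules, then application rules.
PHASE = {"FirewallPolicyNatRuleCollection": 0, "FirewallPolicyNetworkRuleCollection": 1,
         "FirewallPolicyApplicationRuleCollection": 2}
def addr_match(addr, patterns):  # entries are "*", a CIDR, or a single host address
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)
def port_match(port, patterns):  # simplification: single ports or "*", no ranges
    return any(p == "*" or str(port) == p for p in patterns)
def evaluate(flow, collections=RULE_COLLECTIONS):
    """flow: {"src", "dst", "port", "proto", optional "fqdn"}. Returns (action, rule, dnat_target)."""
    ordered = sorted(collections, key=lambda c: (PHASE[c["ruleCollectionType"]], c["priority"]))
    for col in ordered:
        action = col["action"]["type"]
        for rule in col["rules"]:
            if not addr_match(flow["src"], rule["sourceAddresses"]):
                continue
            if "targetFqdns" in rule:  # application rule: L7 match on FQDN plus protocol port
                if (any(p["port"] == flow["port"] for p in rule["protocols"]) and flow.get("fqdn")
                        and any(fnmatchcase(flow["fqdn"], f) for f in rule["targetFqdns"])):
                    return action, rule["name"], None
                continue
            if flow["proto"] not in rule["ipProtocols"]:
                continue
            if not (addr_match(flow["dst"], rule["destinationAddresses"])
                    and port_match(flow["port"], rule["destinationPorts"])):
                continue
            if action == "Dnat":  # first match wins; a DNAT hit also yields the translated target
                return action, rule["name"], (rule["translatedAddress"], int(rule["translatedPort"]))
            return action, rule["name"], None
    return "Deny", None, None  # nothing matched: Azure Firewall denies by default
```

A flow that reaches the public IP on port 80 is reported as a DNAT hit with its translated private target, while an unlisted port on the internal web server falls through every collection to the default deny.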
Configuration and Management
Azure Firewall can be configured and managed through several methods:
- Azure Portal: A graphical user interface for creating, configuring, and monitoring firewalls.
- Azure CLI: A command-line tool for automating firewall deployments and management tasks.
- Azure PowerShell: Another scripting option for managing Azure Firewall.
- Azure Resource Manager (ARM) Templates: For declarative, infrastructure-as-code deployments.
- Azure Firewall Policy: A management construct for grouping rules and policies, enabling centralized management and inheritance across multiple firewalls.
Best Practices
To ensure optimal security and performance, consider the following best practices:
- Deploy Azure Firewall in a dedicated hub virtual network for centralized network security.
- Use Network Security Groups (NSGs) to filter traffic at the subnet level, complementing Azure Firewall's capabilities.
- Use FQDN tags to simplify application rule management.
- Regularly review firewall logs in Azure Monitor or Azure Sentinel for suspicious activity and policy violations.
- Enable threat intelligence-based filtering to block traffic to and from known malicious IP addresses and domains.