Introduction to Microsoft Network Firewall

Microsoft Network Firewall is a cloud-native and scalable network security service that protects your virtual network resources. It's a fully stateful firewall as a service with high availability and unrestricted cloud scalability.

This service allows you to centrally create, deploy, and manage network security policies across your subscriptions and workloads. It enables you to classify and control inbound and outbound application traffic with clear, granular visibility.

Key Features

  • Centralized Policy Management: Define and enforce security policies from a single pane of glass.
  • Stateful Inspection: Tracks the state of active network connections and makes access-control decisions based on context.
  • Threat Intelligence: Integrates with Microsoft's threat intelligence feeds for advanced protection.
  • Application-Aware Filtering: Allows or denies traffic based on the application generating it, not just ports and protocols.
  • Network Address Translation (NAT): Supports inbound and outbound NAT rules for IP address translation.
  • High Availability: Built for resilience with automatic failover.
  • Scalability: Scales automatically to meet the demands of your network.

Configuration Guide

Creating Firewall Rules

Firewall rules define the traffic that is allowed or denied. Rules are grouped into rule collections, which can be of type Network, Application, or NAT.

Network Rules

Network rules apply to Layer 3 and Layer 4 traffic. They are defined by specifying:

  • Source and destination IP addresses/CIDR blocks.
  • Protocols (TCP, UDP, ICMP, Any).
  • Source and destination ports.
  • Action (Allow/Deny).

# Example Network Rule (Conceptual)
{
    "ruleCollectionType": "NetworkRule",
    "ruleCollectionName": "AllowInternalWebServers",
    "action": "Allow",
    "rules": [
        {
            "name": "AllowHTTPToWebServers",
            "protocol": "TCP",
            "sourceAddresses": [ "10.0.1.0/24" ],
            "destinationAddresses": [ "10.0.2.0/24" ],
            "destinationPorts": [ "80", "443" ]
        }
    ]
}

Application Rules

Application rules allow for more granular control based on Layer 7 protocols and fully qualified domain names (FQDNs). They are defined by specifying:

  • Source IP addresses/CIDR blocks.
  • Target FQDNs or FQDN tags.
  • Web application protocols (e.g., http, https).
  • Request methods.
  • Action (Allow/Deny).

# Example Application Rule (Conceptual)
{
    "ruleCollectionType": "ApplicationRule",
    "ruleCollectionName": "AllowExternalServices",
    "action": "Allow",
    "rules": [
        {
            "name": "AllowOffice365",
            "sourceAddresses": [ "*" ],
            "targetFqdns": [ "*.office365.com" ],
            "protocols": [ "http:80", "https:443" ]
        }
    ]
}
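To make the matching semantics of the two rule types concrete, the following is an added Python example (not code from this page or from the service) that loads the two conceptual rule collections above and evaluates sample flows against them. It assumes first-match evaluation within a collection, a default Deny when no rule matches, an "Any" protocol that matches every protocol, and shell-style wildcard matching for FQDNs; these are simplifications, not the product's documented behaviour.

```python
import ipaddress
import json
from fnmatch import fnmatch

# Constructed rule collections, mirroring the conceptual format shown on this page.
NETWORK_COLLECTION = json.loads("""{
  "ruleCollectionType": "NetworkRule", "ruleCollectionName": "AllowInternalWebServers",
  "action": "Allow",
  "rules": [{"name": "AllowHTTPToWebServers", "protocol": "TCP",
             "sourceAddresses": ["10.0.1.0/24"], "destinationAddresses": ["10.0.2.0/24"],
             "destinationPorts": ["80", "443"]}]}""")
APPLICATION_COLLECTION = json.loads("""{
  "ruleCollectionType": "ApplicationRule", "ruleCollectionName": "AllowExternalServices",
  "action": "Allow",
  "rules": [{"name": "AllowOffice365", "sourceAddresses": ["*"],
             "targetFqdns": ["*.office365.com"], "protocols": ["http:80", "https:443"]}]}""")

def _addr_match(addr, patterns):
    # "*" matches any address; otherwise the address must fall inside one of the CIDR blocks.
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)

def _port_match(port, patterns):
    # Accepts single ports ("80"), "*" and ranges such as "8000-8080" (assumed syntax).
    for p in patterns:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate_network(coll, src, dst, proto, dport):
    """Layer 3/4 match on source, destination, protocol and destination port.
    Returns (action, rule name) for the first matching rule, else ("Deny", None)."""
    for r in coll["rules"]:
        if (r["protocol"] in (proto, "Any") and _addr_match(src, r["sourceAddresses"])
                and _addr_match(dst, r["destinationAddresses"])
                and _port_match(dport, r["destinationPorts"])):
            return coll["action"], r["name"]
    return "Deny", None

def evaluate_application(coll, src, fqdn, scheme, port):
    """Layer 7 match on source, wildcard FQDN and a 'scheme:port' protocol entry.
    The wildcard is anchored, so 'office365.com.attacker.example' does not match."""
    for r in coll["rules"]:
        if (_addr_match(src, r["sourceAddresses"])
                and any(fnmatch(fqdn.lower(), t.lower()) for t in r["targetFqdns"])
                and f"{scheme}:{port}" in r["protocols"]):
            return coll["action"], r["name"]
    return "Deny", None
```

Running flows through both evaluators shows why a mismatch in protocol, port or FQDN pattern produces the "Application Rule Mismatches" symptom described under Troubleshooting: the flow simply falls through to the default Deny.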

Advanced Topics

Threat Intelligence Feeds

Leverage Microsoft's extensive threat intelligence to automatically block known malicious IPs and domains. This is crucial for proactive security.

Service Endpoints and Private Endpoints

Understand how to secure access to Azure PaaS services using Service Endpoints or Private Endpoints in conjunction with your firewall rules.

Firewall Manager Integration

Learn how to manage multiple firewalls and policies centrally using Azure Firewall Manager.

Troubleshooting

Common issues and their resolutions include:

  • Connectivity Problems: Verify NAT rules, network security group (NSG) rules, and route tables.
  • Application Rule Mismatches: Ensure the correct protocols and FQDNs are specified. Check firewall logs for detailed request information.
  • Performance Bottlenecks: Monitor firewall throughput and consider scaling options or optimizing rule sets.

Utilize Azure Network Watcher and Firewall logs for deep packet inspection and analysis.