Azure Firewall Deployment

This article guides you through the process of deploying and configuring Azure Firewall, a managed, cloud-native network security service that protects your Azure Virtual Network resources. Azure Firewall is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Key Features of Azure Firewall

  • High Availability and Unrestricted Cloud Scalability: Built-in resilience and scalability to meet your needs.
  • Network and Application Level Filtering: Control traffic based on FQDN tags, network rules, and application rules.
  • Threat Intelligence-based Filtering: Protect your network from known malicious IP addresses and domains.
  • Centralized Logging and Analytics: Monitor firewall activity and network traffic for security insights.
  • VNet Integration: Seamlessly integrates with your existing Azure Virtual Networks.

Deployment Steps

Deploying Azure Firewall involves several key steps. It's recommended to plan your network topology and firewall rules before starting the deployment.

1. Prerequisites

  • An Azure subscription.
  • A Virtual Network (VNet) where you want to deploy the firewall. It's best practice to have a dedicated subnet named AzureFirewallSubnet.
  • Appropriate permissions to create network resources.

2. Create the Azure Firewall Resource

You can create an Azure Firewall using the Azure portal, Azure CLI, or Azure PowerShell.

Using Azure Portal:

  1. Navigate to the Azure portal and search for "Firewall".
  2. Click "Create firewall".
  3. Fill in the required details:
    • Subscription: Select your Azure subscription.
    • Resource group: Create a new one or select an existing one.
    • Name: Provide a unique name for your firewall.
    • Region: Select the same region as your VNet.
    • Choose a firewall type: Standard or Premium (for advanced features).
    • Virtual network: Select the VNet where the firewall will be deployed.
    • Public IP address: Create a new standard SKU public IP or use an existing one.
  4. Review and create the firewall.

Using Azure CLI:

# Requires the azure-firewall CLI extension (one-time): az extension add --name azure-firewall
# --sku selects the deployment model (AZFW_VNet for a virtual network, AZFW_Hub for Virtual WAN),
# --tier selects Standard or Premium, --public-ip names an existing Standard-SKU public IP, and
# --vnet-name must point at a VNet that already contains a subnet named AzureFirewallSubnet.
az network firewall create \
    --name MyFirewall \
    --resource-group MyResourceGroup \
    --location eastus \
    --vnet-name MyVNet \
    --public-ip MyFirewallPublicIP \
    --conf-name MyFirewallIpConfig \
    --sku AZFW_VNet \
    --tier Standard

3. Configure Network Rules

Network rules allow you to filter traffic to and from your network based on IP addresses, ports, and protocols.

  • In the Azure portal, navigate to your firewall resource.
  • Under "Settings", select "Network rules".
  • Click "Add a rule collection".
  • Specify a name, priority, rule type (Network), and then add your rules.
Note: When configuring network rules, the source IP addresses/ranges can be CIDR blocks, service tags, or application security group (ASG) IDs.

4. Configure Application Rules

Application rules allow you to filter traffic based on fully qualified domain names (FQDNs) and protocols like HTTP/HTTPS.

  • Navigate to "Application rules" under "Settings".
  • Click "Add a rule collection".
  • Specify a name, priority, rule type (Application), and define your FQDN tags or custom FQDNs.
Tip: Use FQDN tags for common Microsoft services like Windows Update or Office 365 to simplify rule management.

5. Configure NAT Rules

NAT rules translate incoming traffic to a specific internal IP address and port.

  • Navigate to "NAT rules" under "Settings".
  • Click "Add a rule collection".
  • Specify a name, priority, rule type (NAT), and define your translation rules.

6. Route Traffic Through the Firewall

To ensure traffic flows through the Azure Firewall, you need to update your VNet's route table. The firewall itself needs an IP address in the AzureFirewallSubnet, and you'll create a route for your internal subnets to point to the firewall as the next hop.

  • Create or modify a route table.
  • Add a route with:
    • Address prefix: 0.0.0.0/0 (for all internet-bound traffic)
    • Next hop type: Virtual appliance
    • Next hop address: The private IP address of your Azure Firewall.
  • Associate this route table with your subnets that need to go through the firewall.
Warning: If you route all traffic through the firewall, ensure you have rules in place to allow necessary outbound traffic, such as DNS resolution and critical system updates.
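The portal clicks in steps 3 to 6 have Azure CLI equivalents. The script below is an added example, not code from the original article: it creates a network rule collection, an application rule collection, a DNAT rule and the default route, then associates the route table with a workload subnet. It uses classic rules attached directly to the firewall (the model the portal steps above describe, not a Firewall Policy). Resource names, the 10.0.2.0/24 workload range and the 10.0.2.4 web server are assumed placeholders; 168.63.129.16 is Azure's platform DNS address and WindowsUpdate is a built-in FQDN tag. Setting AZ=echo prints the commands instead of executing them, which is how a reviewer can check the rule set before it touches a subscription.

```shell
#!/bin/sh
# Added example, not code from the original article: Azure CLI equivalents of
# steps 3 to 6 (network rules, application rules, a NAT rule and the default
# route), each wrapped in a function. Resource names and addresses are assumed
# placeholders. Set AZ=echo for a dry run; run `sh fw-rules.sh apply <fw-public-ip>`
# to execute against Azure.
set -eu

AZ="${AZ:-az}"                                      # CLI binary, or "echo" for a dry run
RG="${RG:-MyResourceGroup}"
FW="${FW:-MyFirewall}"
VNET="${VNET:-MyVNet}"
LOCATION="${LOCATION:-eastus}"
WORKLOAD_SUBNET="${WORKLOAD_SUBNET:-Workload-SN}"   # subnet whose egress must pass the firewall
WORKLOAD_PREFIX="${WORKLOAD_PREFIX:-10.0.2.0/24}"   # its address range (assumed)
WEB_SERVER="${WEB_SERVER:-10.0.2.4}"                # internal host published through DNAT (assumed)

# Private IP of the firewall's IP configuration: this becomes the route's next hop.
fw_private_ip() {
    $AZ network firewall ip-config list \
        --resource-group "$RG" --firewall-name "$FW" \
        --query "[0].privateIPAddress" --output tsv
}

# Step 3: network rule collection. Only UDP/53 to the Azure platform resolver is
# allowed from the workload subnet; traffic that matches no rule is dropped.
create_network_rules() {
    $AZ network firewall network-rule create \
        --resource-group "$RG" --firewall-name "$FW" \
        --collection-name Infra-Rules --priority 200 --action Allow \
        --name Allow-DNS --protocols Udp \
        --source-addresses "$WORKLOAD_PREFIX" \
        --destination-addresses 168.63.129.16 --destination-ports 53
}

# Step 4: application rule collection using the WindowsUpdate FQDN tag, so the
# updates the warning above mentions keep working once 0.0.0.0/0 is routed here.
create_application_rules() {
    $AZ network firewall application-rule create \
        --resource-group "$RG" --firewall-name "$FW" \
        --collection-name App-Rules --priority 300 --action Allow \
        --name Allow-Windows-Update --protocols Http=80 Https=443 \
        --source-addresses "$WORKLOAD_PREFIX" --fqdn-tags WindowsUpdate
}

# Step 5: DNAT rule publishing the web server's HTTPS port on the firewall's
# public IP. $1 is that public IP. Only the one port is translated.
create_nat_rule() {
    $AZ network firewall nat-rule create \
        --resource-group "$RG" --firewall-name "$FW" \
        --collection-name Inbound-NAT --priority 100 --action Dnat \
        --name Publish-Web --protocols Tcp \
        --source-addresses '*' \
        --destination-addresses "$1" --destination-ports 443 \
        --translated-address "$WEB_SERVER" --translated-port 443
}

# Step 6: route table with 0.0.0.0/0 -> VirtualAppliance -> firewall private IP ($1).
# BGP propagation is disabled so learned routes cannot bypass the firewall.
create_route_table() {
    $AZ network route-table create \
        --resource-group "$RG" --name FW-Route-Table --location "$LOCATION" \
        --disable-bgp-route-propagation true
}

create_default_route() {
    $AZ network route-table route create \
        --resource-group "$RG" --route-table-name FW-Route-Table \
        --name Default-Route --address-prefix 0.0.0.0/0 \
        --next-hop-type VirtualAppliance --next-hop-ip-address "$1"
}

# Associate the table with the workload subnet only; AzureFirewallSubnet must not get it.
associate_route_table() {
    $AZ network vnet subnet update \
        --resource-group "$RG" --vnet-name "$VNET" --name "$WORKLOAD_SUBNET" \
        --route-table FW-Route-Table
}

main() {
    fw_ip="$(fw_private_ip)"
    create_network_rules
    create_application_rules
    create_nat_rule "$1"
    create_route_table
    create_default_route "$fw_ip"
    associate_route_table
}

if [ "${1:-}" = apply ]; then
    main "${2:?firewall public IP required}"
fi
```

Because --priority and --action belong to the rule collection, they are given on the first rule that creates each collection; further rules added to an existing collection omit them. The route table is deliberately not attached to AzureFirewallSubnet, since a 0.0.0.0/0 route pointing at the firewall's own private IP would loop its outbound traffic.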

Monitoring and Logging

Azure Firewall provides detailed logs that can be sent to Log Analytics, Storage Accounts, or Event Hubs. This is crucial for troubleshooting and security auditing.

  • Navigate to "Diagnostic settings" for your firewall.
  • Configure settings to send logs to your desired destination.
  • Analyze logs in Azure Monitor or Log Analytics to understand traffic patterns and identify potential security threats.
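The diagnostic setting from the steps above can be created from the CLI as well. The script below is an added example, not code from the original article: it enables the three Azure Firewall log categories (network rule, application rule and DNS proxy) plus metrics, and sends them to a Log Analytics workspace. The resource group, firewall and workspace names are assumed placeholders; as before, AZ=echo prints the command instead of running it.

```shell
#!/bin/sh
# Added example, not code from the original article: send Azure Firewall
# diagnostic logs and metrics to a Log Analytics workspace with the Azure CLI.
# Resource names are assumed placeholders. Set AZ=echo for a dry run; run
# `sh fw-diagnostics.sh apply` to execute against Azure.
set -eu

AZ="${AZ:-az}"
RG="${RG:-MyResourceGroup}"
FW="${FW:-MyFirewall}"
WORKSPACE="${WORKSPACE:-MyLogAnalyticsWorkspace}"

# Log categories emitted by Azure Firewall. Rule logs record every allow/deny
# decision; DNS proxy logs matter once the firewall resolves names for clients.
FIREWALL_LOG_CATEGORIES='[
  {"category": "AzureFirewallNetworkRule",     "enabled": true},
  {"category": "AzureFirewallApplicationRule", "enabled": true},
  {"category": "AzureFirewallDnsProxy",        "enabled": true}
]'

# $1 = firewall resource ID, $2 = Log Analytics workspace resource ID
enable_firewall_diagnostics() {
    $AZ monitor diagnostic-settings create \
        --name fw-to-log-analytics \
        --resource "$1" \
        --workspace "$2" \
        --logs "$FIREWALL_LOG_CATEGORIES" \
        --metrics '[{"category": "AllMetrics", "enabled": true}]'
}

main() {
    fw_id="$($AZ network firewall show \
        --resource-group "$RG" --name "$FW" --query id --output tsv)"
    ws_id="$($AZ monitor log-analytics workspace show \
        --resource-group "$RG" --workspace-name "$WORKSPACE" --query id --output tsv)"
    enable_firewall_diagnostics "$fw_id" "$ws_id"
}

if [ "${1:-}" = apply ]; then
    main
fi
```

Once the setting is active, denied flows show up in the workspace's AzureDiagnostics table under the network and application rule categories, which is where the troubleshooting and auditing queries mentioned above start.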

By following these steps, you can successfully deploy and configure Azure Firewall to enhance the security posture of your Azure network.