Azure Firewall Overview

Secure your cloud network with a cloud-native network security service.


Introduction

Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It provides threat intelligence-based filtering, application and network-level connectivity policies, and threat protection.

Azure Firewall is a Platform as a Service (PaaS) offering that scales dynamically to meet your security needs. It can be deployed to a Virtual Network (VNet) and protects all resources within the VNet by using a highly available and fully stateful firewall.

What is Azure Firewall?

Azure Firewall is a fully stateful firewall as a service that acts as a cloud-native network security hub. Its key features are listed below.

Key Features

Network rule processing

Allows filtering of traffic to and from Azure resources, defined by source IP address, destination IP address, destination port, and protocol.

Application rule processing

Allows filtering of outbound HTTP and HTTPS traffic based on fully qualified domain names (FQDNs) and FQDN tags.

Threat intelligence-based filtering

Enables you to block traffic to and from known malicious IP addresses, domains, and URLs based on Microsoft's threat intelligence feed.

Network Address Translation (NAT) support

Supports Destination Network Address Translation (DNAT) for inbound traffic and Source Network Address Translation (SNAT) for outbound traffic.

Centralized logging and monitoring

Integrates with Azure Monitor and Log Analytics for comprehensive logging and analysis of firewall activity.

Azure Firewall Premium

Offers advanced capabilities including TLS inspection, Intrusion Detection and Prevention System (IDPS), and web filtering.

How it Works

Azure Firewall is deployed in a trusted central virtual network (VNet). You can route traffic from other VNets, on-premises networks, or directly from the internet through the Azure Firewall. This centralized approach ensures consistent security policies across your entire cloud infrastructure.

When traffic flows through Azure Firewall, it evaluates network and application rules, threat intelligence feeds, and custom FQDN tags to determine whether to allow or deny the traffic. The firewall is fully stateful, meaning it tracks the state of active network connections and makes decisions based on the context of the traffic flow.

Stateful Inspection: Azure Firewall tracks the state of active network connections, enabling it to make more intelligent decisions about which traffic to allow or deny.

Architecture

Azure Firewall is a managed service, meaning Microsoft handles the underlying infrastructure, patching, and maintenance. It's deployed as a highly available cluster in each region, ensuring resilience. Traffic routing is typically configured using User Defined Routes (UDRs) in your VNets to direct traffic to the Azure Firewall's private IP address.

(Figure: Azure Firewall architecture diagram illustrating Azure Firewall's central deployment and traffic flow)
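The firewall only inspects traffic that the UDRs actually send to it, so the route tables are worth auditing. The following Python check is an added example, not part of the original page or of Microsoft's tooling: it flags route tables that lack a default route or contain routes whose next hop skips the firewall. The firewall IP, route table names and routes are constructed sample values, shaped like the "routes" array of an Azure route table resource.

```python
FIREWALL_IP = "10.0.1.4"  # assumed firewall private IP (constructed value)
DEFAULT = "0.0.0.0/0"

# Constructed sample data, shaped like the "routes" array of a route table resource.
ROUTE_TABLES = {
    "rt-spoke-app": [
        {"name": "default-via-fw", "addressPrefix": DEFAULT,
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    ],
    "rt-spoke-data": [
        {"name": "default-via-fw", "addressPrefix": DEFAULT,
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
        {"name": "partner-direct", "addressPrefix": "203.0.113.0/24",
         "nextHopType": "Internet"},
    ],
    "rt-spoke-legacy": [
        {"name": "default-old-nva", "addressPrefix": DEFAULT,
         "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.9.4"},
    ],
    "rt-spoke-empty": [],
}


def bypasses_firewall(route, fw_ip):
    """True if the route sends traffic somewhere other than the firewall."""
    hop_type = route.get("nextHopType")
    if hop_type == "Internet":
        return True  # direct egress, never inspected
    if hop_type == "VirtualAppliance":
        return route.get("nextHopIpAddress") != fw_ip  # some other appliance
    return False  # VnetLocal, VirtualNetworkGateway, None: out of scope here


def audit_route_table(routes, fw_ip=FIREWALL_IP):
    """Return findings for one route table; an empty list means no bypass found."""
    findings = []
    if not any(r["addressPrefix"] == DEFAULT for r in routes):
        # Without a UDR, Azure's system route for 0.0.0.0/0 has next hop Internet.
        findings.append(f"no {DEFAULT} route: system default route applies")
    for r in routes:
        if bypasses_firewall(r, fw_ip):
            hop = r.get("nextHopIpAddress") or r["nextHopType"]
            findings.append(f"{r['name']}: {r['addressPrefix']} -> {hop}")
    return findings


if __name__ == "__main__":
    for name, routes in ROUTE_TABLES.items():
        result = audit_route_table(routes)
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Routes through a virtual network gateway are not flagged here; whether on-premises traffic must also traverse the firewall is a policy decision to add to the check.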

Benefits

Common Scenarios

Hub-and-Spoke Network Topologies

Azure Firewall is ideal for securing spoke VNets in a hub-and-spoke architecture, centralizing security controls.

Securing Web Applications

Protecting web servers by controlling inbound and outbound traffic, and leveraging application rules for granular control.

Compliance Requirements

Meeting industry compliance standards by enforcing strict network security policies and logging traffic for auditing.

Branch Office Connectivity

Securing traffic between on-premises branch offices and Azure VNets.

Getting Started

Deploying Azure Firewall involves creating a Firewall policy, defining network and application rules, and configuring route tables to direct traffic through the firewall. For detailed deployment steps, refer to the official Azure documentation.

For pricing information, please visit the Azure Firewall Pricing page.

Learn More: Explore the comprehensive Azure Firewall documentation for in-depth guides and tutorials.