Azure Firewall Manager Documentation
Azure Firewall Manager provides a centralized management experience for your Azure Firewall deployments. It lets you manage firewall policies, and for Virtual WAN deployments routing as well, for many firewall instances across two network architectures: hub virtual networks (standard VNets that you create and manage) and secured virtual hubs (Azure Virtual WAN hubs with Azure Firewall deployed in them).
Key Concepts
Understanding the core components is crucial for effectively using Azure Firewall Manager:
- Azure Firewall Manager: A cloud-native service that provides centralized management for Azure Firewall.
- Azure Firewall: A cloud-native and intelligent network security service that protects your Azure Virtual Networks.
- Firewall Policy: A standalone resource holding the rule collection groups (DNAT, network and application rules) that define what Azure Firewall allows or denies, together with its threat intelligence mode and DNS settings (and, on the Premium SKU, IDPS and TLS inspection). One policy can be associated with several firewalls and can inherit from a parent policy.
- Hub VNet: A virtual network that acts as a central hub, typically hosting shared services like Azure Firewall, VPN Gateway, or ExpressRoute Gateway.
- Spoke VNet: A virtual network that is connected to the Hub VNet and hosts your workloads.
- Secured Virtual Hub: An Azure Virtual WAN hub with Azure Firewall deployed in it; Firewall Manager manages both its policy and its routing.
- Cross-region and cross-subscription policy reuse: A firewall policy is not bound to one region or subscription, so one policy (or one parent policy) can govern firewalls deployed in several regions.
Features
Azure Firewall Manager offers a robust set of features for managing your network security:
- Centralized Policy Management: Define, manage, and deploy firewall policies from a single location.
- Hierarchical Policy Inheritance: Create a base (parent) policy holding organization-wide rules and derive child policies from it for individual hubs. Rule collection groups in the parent are always evaluated before the child's, whatever priorities the child uses, so a child policy can add rules but cannot override a parent's allow or deny.
- Simplified Hub-and-Spoke Deployments: Easily deploy and manage firewalls in your hub VNets to protect traffic between spoke VNets and to/from the internet.
- Management of Firewall Instances: Provision, configure, and monitor Azure Firewall instances deployed across different regions and VNets.
- Route Management: For secured virtual hubs, centralized control over the routing that sends traffic through Azure Firewall for inspection; for hub virtual networks, routing stays in user-defined routes (UDRs) that you create and manage yourself.
- Integration with Azure Monitor: Gain insights into firewall activity, threats, and performance through comprehensive logging and analytics.
Deployment
Azure Firewall Manager is a management surface rather than a resource you deploy: there is no Firewall Manager instance to create. Securing a hub virtual network through it comes down to the following steps:
- Create or select a hub VNet: It needs a subnet named exactly AzureFirewallSubnet with a prefix of at least /26; the firewall also needs a public IP address.
- Create a firewall policy: Define DNAT, network and application rule collections, the threat intelligence mode and DNS settings; derive it from a parent policy if you have organization-wide rules.
- Deploy Azure Firewall into the hub: In Firewall Manager, select the VNet and deploy a firewall with the policy attached (an existing firewall can be associated with a policy the same way).
- Peer the spoke VNets to the hub.
- Route spoke traffic to the firewall: Attach a route table to each spoke subnet with a 0.0.0.0/0 route whose next hop type is VirtualAppliance and whose next hop address is the firewall's private IP. Peering alone does not send traffic through the firewall.
Firewall Policies
Firewall policies are the core of your security configuration. They consist of:
- Network Rules: Filter at layer 3/4 by source and destination (IP address, IP group, service tag or FQDN), destination port and protocol (TCP, UDP, ICMP, Any).
- Application Rules: Filter outbound HTTP, HTTPS and MSSQL traffic by fully qualified domain name (FQDN), FQDN tag or web category.
- NAT Rules: DNAT rules translate inbound connections to the firewall's public IP and port to a private IP and port inside your network; outbound SNAT to the firewall's public IP is automatic and needs no rule.
With Firewall Manager, you can create these policies once and apply them to multiple firewalls, ensuring consistency. Per-hub variation comes from a child policy derived from a parent: the child adds its own rule collection groups, but the parent's groups are always evaluated first, so local rules extend the baseline rather than override it.
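The inheritance rule matters in practice because a child policy cannot weaken a parent. The following added example (not Microsoft's code; the policy names, rules and flows are constructed) simulates the documented evaluation order for a parent/child pair, including the DNAT-then-network-then-application ordering and the default deny, so you can see a child "allow" for SMB lose to the parent's deny even though the child's group carries the lower (higher-precedence) priority number:

```python
"""Simulates Azure Firewall rule processing for a parent (base) policy and its child policy.

Added example, not Microsoft's code. It implements the documented evaluation order: rule
collection groups of the parent policy run before any group of the child, whatever the
child's priorities; within a policy, groups and then collections run in priority order (100 is
the highest priority, 65000 the lowest); DNAT rules run before network rules, which run before
application rules, regardless of group, collection or inheritance; the first matching rule is
terminating; traffic that matches nothing is denied. Policies, rules and flows are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

APP_PORTS = {"Http": 80, "Https": 443}                  # application-rule protocols and their ports
KIND_ORDER = {"dnat": 0, "network": 1, "application": 2}

@dataclass
class RuleCollection:
    name: str
    priority: int          # 100 (highest) .. 65000 (lowest)
    kind: str              # "dnat" | "network" | "application"
    action: str            # "Allow" | "Deny"; DNAT collections use "Dnat"
    rules: list            # rule dicts, see matches()

@dataclass
class Policy:
    name: str
    parent: Optional["Policy"] = None
    groups: list = field(default_factory=list)          # [(group priority, [RuleCollection, ...]), ...]

@dataclass
class Flow:
    protocol: str          # "TCP" | "UDP" | "ICMP"
    src: str
    dst: str
    dport: int
    fqdn: Optional[str] = None                          # HTTP host or TLS SNI, when the firewall sees one

def _in_any(ip, cidrs):
    return any(ip_address(ip) in ip_network(c, strict=False) for c in cidrs)

def _fqdn_match(fqdn, pattern):
    return fqdn == pattern or (pattern.startswith("*.") and fqdn.endswith(pattern[1:]))

def matches(rule, flow):
    """Apply one rule (DNAT, network or application) to a flow."""
    if not _in_any(flow.src, rule["sources"]):
        return False
    if "target_fqdns" in rule:                                    # application rule
        if flow.fqdn is None or flow.dport not in {APP_PORTS[p] for p in rule["protocols"]}:
            return False
        return any(_fqdn_match(flow.fqdn, p) for p in rule["target_fqdns"])
    if flow.protocol not in rule["protocols"]:                    # network or DNAT rule
        return False
    ports = rule["dest_ports"]
    return _in_any(flow.dst, rule["destinations"]) and (ports == "*" or flow.dport in ports)

def ordered_collections(policy):
    """Flatten the inheritance chain into the order the firewall evaluates: [(policy name, collection)]."""
    chain = []
    while policy is not None:                    # child -> parent -> grandparent ...
        chain.append(policy)
        policy = policy.parent
    flat = []
    for pol in reversed(chain):                  # parent groups always precede child groups
        for _, collections in sorted(pol.groups, key=lambda g: g[0]):
            flat.extend((pol.name, c) for c in sorted(collections, key=lambda c: c.priority))
    # stable sort: all DNAT, then all network, then all application, keeping priority order within a kind
    return sorted(flat, key=lambda pc: KIND_ORDER[pc[1].kind])

def evaluate(policy, flow):
    """Return (action, 'policy/collection/rule') for the first match, or the default deny."""
    for pol_name, coll in ordered_collections(policy):
        for rule in coll.rules:
            if matches(rule, flow):
                return coll.action, f"{pol_name}/{coll.name}/{rule['name']}"
    return "Deny", "default"

def _net(name, protocols, sources, destinations, dest_ports):
    return {"name": name, "protocols": set(protocols), "sources": sources,
            "destinations": destinations, "dest_ports": dest_ports}

# Constructed sample: an organisation-wide base policy and the child policy of one hub.
PARENT = Policy("org-base", groups=[
    (200, [RuleCollection("block-smb", 100, "network", "Deny",
                          [_net("no-smb", ["TCP"], ["0.0.0.0/0"], ["0.0.0.0/0"], [445])]),
           RuleCollection("allow-dns", 200, "network", "Allow",
                          [_net("dns", ["TCP", "UDP"], ["10.0.0.0/8"], ["10.0.0.4/32"], [53])])])])
CHILD = Policy("hub-westeurope", parent=PARENT, groups=[
    (100, [RuleCollection("rdp-to-jumpbox", 100, "dnat", "Dnat",
                          [_net("rdp", ["TCP"], ["198.51.100.0/24"], ["203.0.113.10/32"], [3389])]),
           RuleCollection("try-to-allow-smb", 105, "network", "Allow",    # cannot beat the parent's deny
                          [_net("smb", ["TCP"], ["10.1.0.0/16"], ["10.2.0.0/16"], [445])]),
           RuleCollection("spoke-to-spoke", 110, "network", "Allow",
                          [_net("web-to-db", ["TCP"], ["10.1.0.0/16"], ["10.2.0.0/16"], [1433])]),
           RuleCollection("spoke-egress", 120, "application", "Allow",
                          [{"name": "updates", "protocols": {"Https"}, "sources": ["10.1.0.0/16"],
                            "target_fqdns": ["*.windowsupdate.com"]}])])])
```

Calling evaluate(CHILD, Flow("TCP", "10.1.0.5", "10.2.0.9", 445)) returns ("Deny", "org-base/block-smb/no-smb"): the parent's block-smb collection is evaluated before anything in the child even though the child's group has priority 100 and the parent's 200. The DNAT collection is evaluated first of all, and an HTTPS flow for which the firewall sees no host name falls through to ("Deny", "default"), which is why application-rule egress depends on the firewall seeing the FQDN.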
Hub and Spoke Deployments
Azure Firewall Manager is particularly effective in Hub-and-Spoke network architectures:
- Centralized Inspection Point: Once routing is in place (user-defined routes on spoke subnets for a hub virtual network, or Firewall Manager routing settings for a secured virtual hub), traffic leaving a spoke for the internet or for another spoke passes through the Azure Firewall in the hub. Routing, not the peering itself, enforces this; a spoke subnet without a default route to the firewall is not inspected.
- Simplified Management: Manage policies for all firewalls across multiple spokes from the central Firewall Manager instance.
- Consistent Security: Apply uniform security policies, reducing the risk of misconfigurations and ensuring compliance.
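Routing, not peering, is what makes the hub a choke point, and the deployment steps above end with exactly that route table. The following added example (not Microsoft's code; all VNet names, address ranges and the firewall's private IP are constructed) checks a proposed hub-and-spoke layout for the requirements those steps rely on, shows a spoke subnet whose missing default route lets internet-bound traffic bypass the firewall, and applies the fix:

```python
"""Checks that a hub-and-spoke layout really forces spoke traffic through the hub firewall.

Added example, not Microsoft's code. It encodes three requirements the deployment relies on:
the hub must contain a subnet named exactly AzureFirewallSubnet of at least /26 (and the
firewall's private IP lives in it); hub and spoke address spaces must not overlap, or peering
is refused; and each spoke subnet needs a route table whose 0.0.0.0/0 route has next hop type
VirtualAppliance and the firewall's private IP as next hop, because peering alone sends
internet-bound traffic straight out of the spoke. Names and addresses are constructed.
"""
import copy
from ipaddress import ip_address, ip_network

FIREWALL_SUBNET = "AzureFirewallSubnet"


def default_route_to_firewall(firewall_private_ip):
    """The user-defined route every spoke subnet should carry (shape of an Azure route entry)."""
    return {"name": "to-hub-firewall", "addressPrefix": "0.0.0.0/0",
            "nextHopType": "VirtualAppliance", "nextHopIpAddress": firewall_private_ip}


def check_topology(hub, spokes, firewall_private_ip):
    """Return a list of findings; an empty list means every spoke subnet is behind the firewall."""
    findings = []
    fw_subnet = next((s for s in hub["subnets"] if s["name"] == FIREWALL_SUBNET), None)
    if fw_subnet is None:
        findings.append(f"hub {hub['name']}: no subnet named {FIREWALL_SUBNET}")
    else:
        net = ip_network(fw_subnet["prefix"])
        if net.prefixlen > 26:
            findings.append(f"hub {hub['name']}: {FIREWALL_SUBNET} is /{net.prefixlen}, needs /26 or larger")
        if ip_address(firewall_private_ip) not in net:
            findings.append(f"firewall private IP {firewall_private_ip} is outside {FIREWALL_SUBNET}")
    spaces = [(hub["name"], ip_network(hub["cidr"]))] + [(s["name"], ip_network(s["cidr"])) for s in spokes]
    for i, (a_name, a) in enumerate(spaces):
        for b_name, b in spaces[i + 1:]:
            if a.overlaps(b):
                findings.append(f"{a_name} {a} overlaps {b_name} {b}; peering will be refused")
    for spoke in spokes:
        if not spoke.get("peered_to_hub"):
            findings.append(f"spoke {spoke['name']}: not peered to the hub")
        for subnet in spoke["subnets"]:
            default = [r for r in subnet.get("routes", []) if r["addressPrefix"] == "0.0.0.0/0"]
            if not default:
                findings.append(f"{spoke['name']}/{subnet['name']}: no 0.0.0.0/0 route; "
                                "internet-bound traffic bypasses the firewall")
            elif (default[0]["nextHopType"] != "VirtualAppliance"
                  or default[0].get("nextHopIpAddress") != firewall_private_ip):
                findings.append(f"{spoke['name']}/{subnet['name']}: default route does not point at the firewall")
    return findings


def add_missing_default_routes(spokes, firewall_private_ip):
    """Remediation: give every spoke subnet that lacks a default route the one to the firewall."""
    fixed = copy.deepcopy(spokes)
    for spoke in fixed:
        for subnet in spoke["subnets"]:
            routes = subnet.setdefault("routes", [])
            if not any(r["addressPrefix"] == "0.0.0.0/0" for r in routes):
                routes.append(default_route_to_firewall(firewall_private_ip))
    return fixed


# Constructed sample: one hub, the firewall's private IP (first usable address of its subnet),
# a spoke whose subnet is routed correctly and a spoke whose subnet is not.
FIREWALL_IP = "10.0.1.4"
HUB = {"name": "hub", "cidr": "10.0.0.0/16",
       "subnets": [{"name": FIREWALL_SUBNET, "prefix": "10.0.1.0/26"}]}
SPOKES_WEAK = [
    {"name": "spoke-web", "cidr": "10.1.0.0/16", "peered_to_hub": True,
     "subnets": [{"name": "web", "routes": [default_route_to_firewall(FIREWALL_IP)]}]},
    {"name": "spoke-db", "cidr": "10.2.0.0/16", "peered_to_hub": True,
     "subnets": [{"name": "db", "routes": []}]},        # weak: no UDR, traffic skips the firewall
]

if __name__ == "__main__":
    for finding in check_topology(HUB, SPOKES_WEAK, FIREWALL_IP):
        print("FINDING:", finding)
    print("after fix:", check_topology(HUB, add_missing_default_routes(SPOKES_WEAK, FIREWALL_IP), FIREWALL_IP))
```

Run stand-alone it reports the single defect in SPOKES_WEAK (the db subnet has no default route) and an empty list after add_missing_default_routes. The same check is worth running against exported route tables before a change window: the firewall's allow/deny rules are irrelevant to a subnet whose traffic never reaches it.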
Centralized Management
Firewall Manager offers a unified portal experience for:
- Creating and managing firewall policies.
- Associating and disassociating Azure Firewall instances.
- Configuring network and application rule collections.
- Viewing the security state of your firewalls.
Monitoring and Logging
Leverage Azure Monitor and Microsoft Sentinel (formerly Azure Sentinel) for comprehensive visibility:
- Diagnostic Settings: Azure Firewall emits its logs through Azure Monitor diagnostic settings (Firewall Manager itself has none). Send the resource-specific categories for network, application, NAT, DNS, IDPS and threat intelligence events to a Log Analytics workspace; each category lands in its own AZFW* table.
- Log Analytics: Store and query logs for analysis and threat detection.
- Azure Monitor Dashboards: Visualize key metrics and security events.
# Example: Configuring diagnostic settings for Azure Firewall (portal steps, then the equivalent Azure CLI)
# Portal: your firewall -> Diagnostic settings -> Add diagnostic setting -> 'Send to Log Analytics workspace', destination table 'Resource specific'
# Categories: 'AZFWNetworkRule', 'AZFWApplicationRule', 'AZFWNatRule', 'AZFWThreatIntel', 'AZFWDnsQuery' (replace the <placeholders> below with your resource IDs)
az monitor diagnostic-settings create --name fw-to-law \
  --resource "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/azureFirewalls/<fw>" \
  --workspace "/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.OperationalInsights/workspaces/<law>" \
  --export-to-resource-specific true \
  --logs '[{"category":"AZFWNetworkRule","enabled":true},{"category":"AZFWApplicationRule","enabled":true},{"category":"AZFWThreatIntel","enabled":true}]'
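Once the AZFWNetworkRule and AZFWThreatIntel tables are populated, the questions worth asking are the same whether you run them as KQL or offline. The following added example (not Microsoft's code) runs two such checks over constructed records that use the structured-log column names: it surfaces every threat-intelligence match and flags a source that is denied to many distinct destination ports within a short window, the signature of a scan from a compromised spoke host. The window and port thresholds are assumptions to tune for your estate.

```python
"""Detection logic over Azure Firewall structured logs, run offline.

Added example, not Microsoft's code. The records are constructed but use the column names of
the resource-specific tables AZFWNetworkRule and AZFWThreatIntel (TimeGenerated, SourceIp,
DestinationIp, DestinationPort, Action, Rule, ThreatDescription). Two checks run over them:
every threat-intelligence match is surfaced, and a source that is denied to many distinct
destination ports inside a short window is flagged as a probable scan. The window and port
thresholds are assumptions; the KQL in the final comment is the same scan check as a query.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def detect(records, window=timedelta(minutes=5), port_threshold=10):
    """Return alert dicts derived from structured firewall log rows."""
    alerts = []
    denies = defaultdict(list)                          # SourceIp -> [(time, DestinationPort)]
    for r in records:
        if r["Table"] == "AZFWThreatIntel":             # any TI match deserves a ticket
            alerts.append({"type": "threat-intel", "source": r["SourceIp"],
                           "destination": r["DestinationIp"], "action": r["Action"],
                           "detail": r["ThreatDescription"]})
        elif r["Table"] == "AZFWNetworkRule" and r["Action"] == "Deny":
            denies[r["SourceIp"]].append((datetime.fromisoformat(r["TimeGenerated"]), r["DestinationPort"]))
    for src, events in denies.items():
        events.sort()
        best, start = (0, None, None), 0
        for end in range(len(events)):                  # sliding window over the sorted deny times
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > best[0]:
                best = (len(ports), events[start][0], events[end][0])
        if best[0] >= port_threshold:
            alerts.append({"type": "port-scan", "source": src, "distinct_ports": best[0],
                           "first": best[1].isoformat(), "last": best[2].isoformat()})
    return alerts


def _row(table, when, src, dst, dport, action, **extra):
    row = {"Table": table, "TimeGenerated": when, "Protocol": "TCP", "SourceIp": src,
           "DestinationIp": dst, "DestinationPort": dport, "Action": action}
    row.update(extra)
    return row


# Constructed sample rows. The first twelve are a spoke host probing consecutive ports on a
# database server within 11 seconds; the rest are ordinary traffic plus one threat-intel hit.
SAMPLE = (
    [_row("AZFWNetworkRule", f"2024-05-01T10:00:{i:02d}", "10.1.0.77", "10.2.0.9", 1 + i, "Deny",
          Rule="", RuleCollection="") for i in range(12)]
    + [_row("AZFWNetworkRule", "2024-05-01T10:01:00", "10.1.0.5", "10.2.0.9", 445, "Deny", Rule="no-smb"),
       _row("AZFWNetworkRule", "2024-05-01T10:02:00", "10.1.0.5", "10.2.0.9", 1433, "Allow", Rule="web-to-db"),
       _row("AZFWNetworkRule", "2024-05-01T10:09:00", "10.1.0.5", "10.2.0.9", 445, "Deny", Rule="no-smb"),
       _row("AZFWThreatIntel", "2024-05-01T10:03:00", "10.1.0.12", "198.51.100.23", 443, "Deny",
            ThreatDescription="constructed: destination on the threat-intelligence feed", Fqdn="")]
)

# The scan check as a Log Analytics query:
#   AZFWNetworkRule
#   | where Action == "Deny"
#   | summarize Ports = dcount(DestinationPort) by SourceIp, bin(TimeGenerated, 5m)
#   | where Ports >= 10

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The repeated SMB denies from 10.1.0.5 are deliberately left alone: two hits on one port minutes apart are a misconfigured client, not a scan, and a rule that fires on them trains analysts to ignore the alert. Feed real rows in from a Log Analytics export and the only fields the code needs are the ones named in the docstring.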
Best Practices
- Use a dedicated Hub VNet: Isolate your shared services and firewalls for better security and manageability.
- Implement a layered security approach: Combine Firewall Manager with Network Security Groups (NSGs) on subnets and NICs and with Microsoft Defender for Cloud (formerly Azure Security Center), so that a single misconfigured firewall rule is not the only control between workloads.
- Regularly review and update firewall policies: Ensure policies align with evolving security requirements and threat landscapes.
- Utilize threat intelligence-based filtering: Set the policy's threat intelligence mode to 'Alert and deny' rather than the default 'Alert', so that traffic to and from known malicious IPs and domains is blocked as well as logged.
- Monitor logs diligently: Proactively identify and respond to security incidents.
Frequently Asked Questions
What is the difference between Azure Firewall and Azure Firewall Manager?
Azure Firewall is the network security service that inspects and filters traffic for your VNet resources. Azure Firewall Manager is a management service that simplifies the deployment and operation of multiple Azure Firewall instances and their policies; it does not process traffic itself.
Can Firewall Manager manage firewalls in different subscriptions?
Yes. A firewall policy can be associated with Azure Firewall instances across subscriptions and regions within the same Microsoft Entra ID (formerly Azure Active Directory) tenant.
Does Firewall Manager manage routing?
For secured virtual hubs (Azure Virtual WAN), yes: Firewall Manager's routing settings send spoke and internet traffic to the Azure Firewall for inspection. For hub virtual networks, you create and maintain the user-defined routes on spoke subnets yourself.