Azure Firewall Policy Overview
This article provides an overview of Azure Firewall policies, a centralized way to manage firewall rules across your Azure Firewall instances. Azure Firewall policies offer a structured and scalable approach to defining and enforcing network security rules.
What is an Azure Firewall Policy?
An Azure Firewall Policy is a container for all your firewall rules. It allows you to group and manage Network Rules, Application Rules, and DNAT Rules in a centralized location. This policy is then associated with one or more Azure Firewall instances, ensuring consistent security enforcement across your network infrastructure.
Key Components of a Firewall Policy
- Rule Collection Groups: Policies are organized into Rule Collection Groups. Each group can contain Network Rule Collections, Application Rule Collections, and DNAT Rule Collections.
- Network Rule Collections: Define rules for filtering network traffic based on Layer 3 and Layer 4 information (IP addresses, ports, protocols).
- Application Rule Collections: Define rules for filtering HTTP and HTTPS traffic based on FQDNs (Fully Qualified Domain Names), protocols, and ports.
- DNAT Rule Collections: Define Destination Network Address Translation (DNAT) rules that forward inbound traffic arriving at the firewall's public IP to specific internal resources.
- Threat Intelligence: Policies can integrate with Azure Firewall's threat intelligence-based filtering to block traffic to and from known malicious IP addresses and domains.
- Managed Rule Sets: Optionally, you can enable and configure managed rule sets for enhanced protection against web vulnerabilities.
Benefits of Using Firewall Policies
- Centralized Management: Manage all firewall rules from a single pane of glass, simplifying administration and reducing the risk of misconfigurations.
- Consistency: Ensure uniform security policies across multiple Azure Firewall instances and subscriptions.
- Scalability: Easily scale your security posture by associating policies with new or existing firewall deployments.
- Granular Control: Define fine-grained rules to allow or deny specific types of traffic.
- Integration: Seamlessly integrate with other Azure security services and threat intelligence feeds.
Creating and Managing Firewall Policies
You can create and manage Azure Firewall Policies using the Azure portal, Azure CLI, Azure PowerShell, or REST APIs.
Using the Azure Portal
- Navigate to the Azure portal and search for "Firewall Policies".
- Click "Create firewall policy".
- Fill in the required details, including the policy name, resource group, and region.
- Define your Rule Collection Groups and the rules within them.
- Associate the policy with your Azure Firewall instance(s).
Example: Allowing Web Traffic
Here's a simplified example of an Application Rule Collection that allows outbound HTTP and HTTPS traffic to specific web servers:
{
  "ruleCollectionGroupName": "AppRuleCollectionGroup",
  "ruleCollections": [
    {
      "ruleCollectionType": "ApplicationRuleCollection",
      "name": "AllowSpecificWebsites",
      "priority": 200,
      "action": {
        "type": "Allow"
      },
      "rules": [
        {
          "name": "AllowExample.com",
          "protocols": [
            { "protocolType": "Http", "port": 80 },
            { "protocolType": "Https", "port": 443 }
          ],
          "sourceAddresses": [ "*" ],
          "targetFqdns": [ "www.example.com" ]
        }
      ]
    }
  ]
}
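To make the rule collection group above concrete, here is an added Python example (not Microsoft's code and not part of this article) that loads the simplified policy shown above, lints it for the mistakes a policy reviewer looks for (collection priority outside the 100-65000 range, two collections sharing a priority, Allow rules that are open on both source and destination), and dry-runs sample outbound requests against it. The priority ordering and the default deny in evaluate() are a local approximation of how Azure Firewall matches application rule collections, assumed here for illustration; the second, deliberately sloppy collection is constructed for the demonstration.

```python
"""Lint and dry-run an Azure Firewall Policy rule collection group (added example)."""
import ipaddress
import json
from fnmatch import fnmatchcase

# Priority range Azure Firewall accepts for a rule collection.
PRIORITY_MIN, PRIORITY_MAX = 100, 65000
CONVENTIONAL_PORTS = {"Http": 80, "Https": 443}

# The article's simplified rule collection group, embedded so this runs offline.
POLICY_JSON = """
{
  "ruleCollectionGroupName": "AppRuleCollectionGroup",
  "ruleCollections": [
    {
      "ruleCollectionType": "ApplicationRuleCollection",
      "name": "AllowSpecificWebsites",
      "priority": 200,
      "action": { "type": "Allow" },
      "rules": [
        {
          "name": "AllowExample.com",
          "protocols": [
            { "protocolType": "Http", "port": 80 },
            { "protocolType": "Https", "port": 443 }
          ],
          "sourceAddresses": [ "*" ],
          "targetFqdns": [ "www.example.com" ]
        }
      ]
    }
  ]
}
"""


def load_policy(text):
    return json.loads(text)


def _source_matches(source_addresses, src_ip):
    """'*' matches everything; other entries are IPs or CIDR ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(entry == "*" or ip in ipaddress.ip_network(entry, strict=False)
               for entry in source_addresses)


def _rule_matches(rule, src_ip, fqdn, protocol, port):
    if not _source_matches(rule["sourceAddresses"], src_ip):
        return False
    if not any(p["protocolType"] == protocol and p["port"] == port for p in rule["protocols"]):
        return False
    # targetFqdns may use a leading wildcard such as "*.example.com".
    return any(fnmatchcase(fqdn, pattern) for pattern in rule.get("targetFqdns", []))


def evaluate(policy, src_ip, fqdn, protocol, port):
    """Walk application rule collections, lowest priority number first, and return the
    action of the first collection with a matching rule. Unmatched traffic is denied,
    mirroring the firewall's default (local approximation, not the Azure engine)."""
    collections = [c for c in policy["ruleCollections"]
                   if c["ruleCollectionType"] == "ApplicationRuleCollection"]
    for coll in sorted(collections, key=lambda c: c["priority"]):
        if any(_rule_matches(r, src_ip, fqdn, protocol, port) for r in coll["rules"]):
            return coll["action"]["type"]
    return "Deny"


def lint_policy(policy):
    """Return reviewer findings: bad or duplicate priorities, any-to-any Allow rules,
    and HTTP/HTTPS on unusual ports (flagged for a second look, not necessarily wrong)."""
    findings, seen = [], {}
    for coll in policy["ruleCollections"]:
        prio, cname = coll["priority"], coll["name"]
        if not PRIORITY_MIN <= prio <= PRIORITY_MAX:
            findings.append(f"{cname}: priority {prio} outside {PRIORITY_MIN}-{PRIORITY_MAX}")
        if prio in seen:
            findings.append(f"{cname}: priority {prio} already used by {seen[prio]}")
        seen.setdefault(prio, cname)
        allow = coll["action"]["type"] == "Allow"
        for rule in coll["rules"]:
            rname = f"{cname}/{rule['name']}"
            if allow and "*" in rule["sourceAddresses"] and "*" in rule.get("targetFqdns", []):
                findings.append(f"{rname}: Allow from any source to any FQDN")
            for p in rule["protocols"]:
                expected = CONVENTIONAL_PORTS.get(p["protocolType"])
                if expected is not None and p["port"] != expected:
                    findings.append(f"{rname}: {p['protocolType']} on unusual port {p['port']}")
    return findings


PAGE_POLICY = load_policy(POLICY_JSON)

# Constructed for the demo: a second collection that reuses priority 200 and allows
# any source to any FQDN, the kind of collection a lint pass should catch.
RISKY_POLICY = load_policy(POLICY_JSON)
RISKY_POLICY["ruleCollections"].append({
    "ruleCollectionType": "ApplicationRuleCollection",
    "name": "AllowEverything",
    "priority": 200,
    "action": {"type": "Allow"},
    "rules": [{"name": "CatchAll",
               "protocols": [{"protocolType": "Https", "port": 443}],
               "sourceAddresses": ["*"], "targetFqdns": ["*"]}],
})

if __name__ == "__main__":
    for pol in (PAGE_POLICY, RISKY_POLICY):
        print("findings:", lint_policy(pol) or "none")
        print("https://www.example.com ->", evaluate(pol, "10.0.0.4", "www.example.com", "Https", 443))
        print("https://evil.example.net ->", evaluate(pol, "10.0.0.4", "evil.example.net", "Https", 443))
```

Running the script shows the article's collection with no findings and a deny for the unlisted FQDN, while the constructed second collection produces two findings and turns that same deny into an allow, which is exactly why a duplicate priority next to an any-to-any rule deserves attention before the policy is associated with a firewall.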