Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your Azure Virtual WAN and hybrid cloud deployments. It's a fully stateful firewall as a service with built-in high availability and unconstrained scalability.
Key Features and Benefits
Centralized Policy Management
Azure Firewall enables centralized policy management and threat intelligence, allowing you to create, deploy, and manage firewall rules across your subscriptions and virtual networks from a single management interface.
Threat Intelligence-Based Filtering
It integrates with Azure's threat intelligence feeds to identify and block malicious IP addresses, domains, and URLs. This helps protect your resources from known threats and reduce the attack surface.
Network and Application Rule Support
Azure Firewall supports both network rules (IP addresses, ports, protocols) and application rules (FQDNs, specific applications like `www.google.com`). This granular control allows for precise traffic management.
High Availability and Scalability
Built on Azure's robust infrastructure, Azure Firewall offers built-in high availability and can automatically scale to meet demand, ensuring your network security is always operational and responsive.
Integration with Azure Ecosystem
It seamlessly integrates with other Azure networking services like Virtual Networks, Azure Firewall Manager, Azure Monitor, and Security Center, providing a comprehensive security solution.
Deployment Scenarios
Azure Firewall can be deployed in various scenarios:
- Hub-Spoke Architecture: As a central security component in a hub-spoke network topology, filtering traffic between spokes and from spokes to the internet or on-premises networks.
- Virtual WAN: As a managed firewall service within Azure Virtual WAN, simplifying the management of global network security.
- Workload Protection: To protect specific workloads or applications within isolated virtual networks.
Getting Started with Azure Firewall
To deploy Azure Firewall, you typically follow these steps:
- Create a Firewall Subnet: A dedicated subnet named `AzureFirewallSubnet` must be created in your virtual network.
- Deploy Azure Firewall: Use the Azure portal, Azure PowerShell, or Azure CLI to create an Azure Firewall instance in the designated subnet.
- Configure Firewall Policies: Define network and application rules to control traffic flow.
- Route Traffic: Update route tables to direct traffic through the Azure Firewall.
The `AzureFirewallSubnet` subnet has specific requirements and cannot be used for other resources. Ensure it is properly sized for your expected traffic.
Azure Firewall Rules
Azure Firewall uses a rule-based system to filter traffic. The primary types of rules are:
Network Rules
Network rules allow you to filter traffic based on:
- Source IP address/range
- Protocol (TCP, UDP, ICMP, Any)
- Destination IP address/range
- Destination port
Application Rules
Application rules allow you to filter network traffic based on FQDNs (Fully Qualified Domain Names) and specific application protocols. This is useful for controlling access to web-based applications and services. Application rules match on:
- Source IP address/range
- Protocol (HTTP, HTTPS, Any)
- Target FQDNs
- Web categories (e.g., Social Networking, Streaming Media)
`DefaultNetworkRuleCollection` and a `DefaultApplicationRuleCollection` that allow all traffic by default. It's crucial to review and configure these rules to align with your security policies.
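The deployment steps under Getting Started and the rule discussion above, worked through as an added Azure PowerShell example (this is not code from the page or from Microsoft): it creates the required `AzureFirewallSubnet`, a firewall policy whose only rules are one explicit network rule and one explicit application rule instead of an allow-all collection, the firewall itself, and a default route that sends workload traffic through it. Resource names, address ranges, the DNS server address and the FQDN are assumed placeholders.

```powershell
# Added example: Azure Firewall with a least-privilege policy and a default route through it.
# All names, address ranges, the DNS server and the FQDN are assumed placeholders.
$rg  = 'rg-fw-demo'
$loc = 'eastus'
New-AzResourceGroup -Name $rg -Location $loc | Out-Null

# 1. Hub VNet with the mandatory AzureFirewallSubnet (/26 minimum) and one workload subnet
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.1.0/26'
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-workload' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $loc `
    -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet, $wlSubnet

# 2. Firewall policy: threat-intelligence filtering in Deny mode, explicit allow rules only
$policy = New-AzFirewallPolicy -Name 'fwpol-hub' -ResourceGroupName $rg -Location $loc -ThreatIntelMode 'Deny'

# Network rule: workload subnet may reach an assumed on-premises DNS server on UDP/53
$dns = New-AzFirewallPolicyNetworkRule -Name 'allow-dns' -SourceAddress '10.0.2.0/24' `
    -DestinationAddress '10.100.0.10' -DestinationPort '53' -Protocol 'UDP'
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name 'net-allow' -Priority 100 -Rule $dns -ActionType 'Allow'

# Application rule: workload subnet may reach one FQDN pattern over HTTPS only
$upd = New-AzFirewallPolicyApplicationRule -Name 'allow-windows-update' -SourceAddress '10.0.2.0/24' `
    -TargetFqdn '*.windowsupdate.com' -Protocol 'https:443'
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name 'app-allow' -Priority 200 -Rule $upd -ActionType 'Allow'

# Anything not matched by these two collections is dropped by the firewall
New-AzFirewallPolicyRuleCollectionGroup -Name 'rcg-default' -Priority 100 `
    -RuleCollection $netColl, $appColl -FirewallPolicyObject $policy | Out-Null

# 3. Firewall instance in AzureFirewallSubnet, bound to the policy
$pip = New-AzPublicIpAddress -Name 'pip-fw' -ResourceGroupName $rg -Location $loc `
    -AllocationMethod Static -Sku Standard
$fw = New-AzFirewall -Name 'fw-hub' -ResourceGroupName $rg -Location $loc `
    -VirtualNetwork $vnet -PublicIpAddress $pip -FirewallPolicyId $policy.Id

# 4. Route the workload subnet's outbound traffic (0.0.0.0/0) to the firewall's private IP
$fwPrivateIp = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'to-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType 'VirtualAppliance' -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg -Location $loc -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'snet-workload' `
    -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

After the run, enable diagnostic logging on the firewall to Azure Monitor so that denied flows from the workload subnet are visible and the two allow rules can be validated against real traffic.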
Further Reading
For detailed configuration and management information, refer to the official Azure documentation: