Azure Firewall Policy Management
This document provides a comprehensive guide to managing Azure Firewall policies, including creation, configuration, and best practices.
Introduction to Azure Firewall Policies
Azure Firewall is a cloud-native, stateful network security service that protects your virtual network resources. Azure Firewall Policy is the central mechanism for defining and enforcing your network security posture: it holds DNAT rules, network rules, application rules and settings such as the threat intelligence mode in one resource that can be applied to one or more firewalls.
Key Concepts
- Firewall Policy: A container for firewall rules and settings. It enables centralized management of network security.
- Network Rules: Control traffic at L3/L4 based on source and destination IP address (or IP group), destination port and protocol.
- Application Rules: Control outbound HTTP, HTTPS and MSSQL traffic based on the destination FQDN (or an FQDN tag such as WindowsUpdate) rather than its IP address.
- NAT Rules: Destination NAT (DNAT) rules that translate a firewall public IP address and port to a private address and port for inbound connections.
- Threat Intelligence: Alerting on, or denying, traffic to and from IP addresses and domains on Microsoft's threat intelligence feed.
Creating a Firewall Policy
You can create a firewall policy using the Azure portal, Azure CLI, or Azure PowerShell. Here's a brief overview using the Azure portal:
- Search for Firewall Policies in the Azure portal and click Create.
- On the Basics tab, provide a name, select a subscription, resource group and region, and choose the policy tier (Standard or Premium) appropriate for the firewall SKU you will attach it to. Optionally select a parent policy to inherit from.
- Configure the desired rule collection groups and associated rules on the Rules tab, then review and create the policy.
- Associate the policy with an Azure Firewall. A firewall uses exactly one policy, and one policy can serve several firewalls.
Managing Rule Collections
A firewall policy is organized into rule collection groups, each with a priority between 100 and 65000. A rule collection group contains rule collections, and each rule collection holds rules of a single type:
- Network Rule Collection: For L3/L4 traffic.
- Application Rule Collection: For L7 traffic (HTTP, HTTPS and MSSQL), matched on FQDN.
- NAT Rule Collection: For inbound destination network address translation.
The action belongs to the collection, not to the individual rule: a filter collection is Allow or Deny for every rule it holds, and a NAT collection is DNAT. Within a collection, each rule specifies sources, destinations, ports and protocols. Azure Firewall processes rules by type first (DNAT rules, then network rules, then application rules) and only within a type by rule collection group priority and then rule collection priority, lower numbers first; the first match terminates processing, and traffic that matches nothing is denied.
Example: Network Rule Collection
To allow outbound TCP 443 from any source to two specific web servers. The collection is shown in the ARM schema of the firewall policy rule collection group resource: the action is set on the collection and each rule carries a ruleType. In production, replace the "*" source with the subnets or IP groups that actually need the access:
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "AllowWebAccess",
  "priority": 200,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "NetworkRule",
      "name": "AllowHTTPS_to_AzureSites",
      "ipProtocols": [ "TCP" ],
      "sourceAddresses": [ "*" ],
      "destinationAddresses": [ "20.190.127.10", "40.77.180.157" ],
      "destinationPorts": [ "443" ]
    }
  ]
}
Example: Application Rule Collection
To allow access to Microsoft update FQDNs from one subnet. Note that *.microsoft.com is a very broad wildcard; Azure Firewall provides the WindowsUpdate FQDN tag (the fqdnTags property in place of targetFqdns), which covers the required update endpoints without it:
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "AllowMicrosoftUpdates",
  "priority": 300,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "ApplicationRule",
      "name": "AllowWindowsUpdate",
      "protocols": [
        { "protocolType": "Http", "port": 80 },
        { "protocolType": "Https", "port": 443 }
      ],
      "targetFqdns": [ "*.microsoft.com", "*.windowsupdate.com" ],
      "sourceAddresses": [ "10.0.1.0/24" ]
    }
  ]
}
Threat Intelligence Integration
Azure Firewall integrates with Microsoft's threat intelligence feed. The threat intelligence mode is a policy setting with three values: Off, Alert only (the default) and Alert and deny. In deny mode, traffic to or from a listed IP address or domain is dropped before any DNAT, network or application rule is evaluated, so an Allow rule cannot override it; an allowlist of IP addresses and FQDNs is available for known false positives. Run in alert mode first and review the threat intelligence log before switching to deny.
Policy Inheritance and Association
A firewall policy is associated with one or more Azure Firewall instances, whether they are deployed in a virtual network or in a secured virtual hub; without the association the firewall does not enforce the policy, and a firewall can have only one policy at a time. Policies can also inherit: a child policy can specify a parent (base) policy, and the parent's rule collection groups are always processed before the child's, regardless of the child's priority numbers, while settings such as the threat intelligence mode are inherited. This lets a central team publish a baseline policy that application teams extend but cannot weaken, and one policy can be attached to several firewalls for consistent enforcement across your environment.
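The processing order described for rule collections, priorities and parent policies can be checked against a small model. The following Python is an added example and is not Microsoft's code or API. The policy content (group, collection and rule names, the 10.0.0.0/8 and TEST-NET addresses) is constructed for illustration, and the dictionaries follow the ARM schema of the Microsoft.Network/firewallPolicies/ruleCollectionGroups resource. It validates the structure and then evaluates sample flows in the documented order: DNAT rules, then network rules, then application rules; within a type, parent policy groups before child groups, then ascending group and collection priority. Two simplifications: a DNAT match is reported as the action DNAT (the real firewall also admits the translated flow at the network stage), and application rules consider only the HTTP Host or TLS SNI name carried in the flow.

```python
"""Added example, not Microsoft code: how Azure Firewall evaluates a firewall policy.
Rule collection groups follow the ARM schema of
Microsoft.Network/firewallPolicies/ruleCollectionGroups; names and addresses are
constructed. Order: DNAT, then network, then application rules; within a type, parent
(base) policy groups before the child's, then ascending group priority, then ascending
collection priority; the first match wins and unmatched traffic is denied."""
import ipaddress

PRIORITY_RANGE = (100, 65000)                    # valid for groups and collections
TYPE_ORDER = ("NatRule", "NetworkRule", "ApplicationRule")

def _filter(name, priority, action, rule):
    return {"ruleCollectionType": "FirewallPolicyFilterRuleCollection", "name": name,
            "priority": priority, "action": {"type": action}, "rules": [rule]}

def _net(name, protos, src, dst, ports, rule_type="NetworkRule", **extra):
    return {"ruleType": rule_type, "name": name, "ipProtocols": protos,
            "sourceAddresses": src, "destinationAddresses": dst,
            "destinationPorts": ports, **extra}

# Parent (base) policy owned by the security team: one baseline Deny.
PARENT_RCGS = [{"name": "corp-baseline", "priority": 500, "ruleCollections": [
    _filter("DenyPlainDns", 100, "Deny",
            _net("DenyExternalDns", ["TCP", "UDP"], ["*"], ["*"], ["53"]))]}]

# Child policy attached to the application team's firewall (constructed content).
CHILD_RCGS = [{"name": "app-team", "priority": 100, "ruleCollections": [
    {"ruleCollectionType": "FirewallPolicyNatRuleCollection", "name": "InboundWeb",
     "priority": 100, "action": {"type": "DNAT"}, "rules": [
         _net("PublishHttps", ["TCP"], ["*"], ["203.0.113.10"], ["443"], rule_type="NatRule",
              translatedAddress="10.0.2.10", translatedPort="443")]},
    _filter("AllowTeamDns", 100, "Allow",
            _net("ResolverDns", ["UDP"], ["10.0.1.0/24"], ["8.8.8.8"], ["53"])),
    _filter("AllowWebAccess", 200, "Allow",
            _net("AllowHTTPS_to_AzureSites", ["TCP"], ["10.0.1.0/24"],
                 ["20.190.127.10", "40.77.180.157"], ["443"])),
    _filter("AllowMicrosoftUpdates", 300, "Allow", {
        "ruleType": "ApplicationRule", "name": "AllowWindowsUpdate",
        "protocols": [{"protocolType": "Https", "port": 443}],
        "targetFqdns": ["*.windowsupdate.com"], "sourceAddresses": ["10.0.1.0/24"]})]}]

def validate(rcgs):
    """Catch structural mistakes before they reach ARM; returns True or raises."""
    for g in rcgs:
        for item in (g, *g["ruleCollections"]):
            if not PRIORITY_RANGE[0] <= item["priority"] <= PRIORITY_RANGE[1]:
                raise ValueError(f"{item['name']}: priority must be in {PRIORITY_RANGE}")
        for c in g["ruleCollections"]:
            types = {r["ruleType"] for r in c["rules"]}
            if len(types) != 1:
                raise ValueError(f"{c['name']}: a collection holds rules of one type")
            nat = types == {"NatRule"}
            if nat != (c["ruleCollectionType"] == "FirewallPolicyNatRuleCollection"):
                raise ValueError(f"{c['name']}: rule type does not match collection type")
            if c["action"]["type"] not in (("DNAT",) if nat else ("Allow", "Deny")):
                raise ValueError(f"{c['name']}: invalid action {c['action']['type']}")
    return True

def _ip_in(ip, patterns):
    addr = ipaddress.ip_address(ip)
    return any(p == "*" or addr in ipaddress.ip_network(p, strict=False) for p in patterns)

def _port_in(port, patterns):                    # "443", "1-65535" or "*"
    for p in patterns:
        lo, _, hi = p.partition("-")
        if p == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _fqdn_in(fqdn, patterns):                    # exact name or "*.suffix"
    return any(p == "*" or fqdn == p or (p.startswith("*.") and fqdn.endswith(p[1:]))
               for p in patterns)

def _matches(rule, flow):
    if not _ip_in(flow["src"], rule["sourceAddresses"]):
        return False
    if rule["ruleType"] == "ApplicationRule":
        # Application rules match the HTTP Host / TLS SNI, never the destination IP.
        return (flow.get("fqdn") is not None
                and _fqdn_in(flow["fqdn"], rule["targetFqdns"])
                and any(p["protocolType"] == flow.get("app") and p["port"] == flow["dport"]
                        for p in rule["protocols"]))
    return (("Any" in rule["ipProtocols"] or flow["proto"] in rule["ipProtocols"])
            and _ip_in(flow["dst"], rule["destinationAddresses"])
            and _port_in(flow["dport"], rule["destinationPorts"]))

def evaluate(flow, child_rcgs, parent_rcgs=()):
    """Return (action, collection, rule) of the first match, or ('Deny', None, None)."""
    by_prio = lambda x: x["priority"]
    groups = sorted(parent_rcgs, key=by_prio) + sorted(child_rcgs, key=by_prio)
    for rule_type in TYPE_ORDER:                 # rule type outranks every priority value
        for g in groups:
            for c in sorted(g["ruleCollections"], key=by_prio):
                for r in c["rules"]:
                    if r["ruleType"] == rule_type and _matches(r, flow):
                        return c["action"]["type"], c["name"], r["name"]
    return "Deny", None, None                    # implicit default: drop unmatched traffic
```

Evaluating a UDP 53 flow from 10.0.1.4 to 8.8.8.8 with the parent attached returns the parent's Deny even though the child group's priority (100) is a lower number than the parent's (500); without the parent the child's AllowTeamDns wins. An HTTPS flow to download.windowsupdate.com from a destination IP no network rule lists falls through to the application rule and is allowed, while the same flow to www.example.com ends at the implicit deny.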
Best Practices
- Least Privilege: Grant only the access that applications and services need. Scope sources to the subnets or IP groups that require access instead of "*", prefer exact FQDNs or FQDN tags over broad wildcards such as *.microsoft.com, and use Deny collections for traffic the baseline must never permit.
- Rule Prioritization: Priorities run from 100 to 65000 and lower numbers are processed first, but only within a rule type: a DNAT rule is always evaluated before any network rule, and a network rule before any application rule, whatever their priority values.
- Centralized Management: Use a parent (base) policy for organization-wide rules and child policies per environment or team, and attach one policy to several firewalls where their requirements are the same.
- Regular Review: Periodically review and update your firewall policies to adapt to changing security needs, and remove rules whose hit counts in the logs stay at zero.
- Logging and Monitoring: Enable diagnostic settings for the firewall's network rule, application rule, DNS and threat intelligence logs (the resource-specific tables AZFWNetworkRule, AZFWApplicationRule and AZFWThreatIntel) and send them to a Log Analytics workspace, so you can see which collection and rule allowed or denied a flow and investigate security events.
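Enabling the logs is only useful if someone reads them. The following Python is an added example, not Microsoft code or a Microsoft query: it runs a first-pass triage over constructed records whose fields follow the resource-specific AZFWNetworkRule and AZFWApplicationRule tables (the exact column names are an assumption; check them against your workspace schema). It separates hits on an explicit Deny collection, repeated default-deny hits on one destination that suggest a missing rule, and sources denied to many ports that look like scanning.

```python
"""Added example, not Microsoft code: first-pass triage of Azure Firewall rule logs.
The records are constructed. Their fields follow the resource-specific
AZFWNetworkRule and AZFWApplicationRule log tables (the exact column set is an
assumption); Action is Allow or Deny, and RuleCollection/Rule are empty when the
flow matched nothing and fell through to the policy's implicit deny."""
from collections import Counter, defaultdict

def _rec(table, proto, src, target, port, action, collection="", rule=""):
    key = "Fqdn" if table == "AZFWApplicationRule" else "DestinationIp"
    return {"Table": table, "Protocol": proto, "SourceIp": src, key: target,
            "DestinationPort": port, "Action": action,
            "RuleCollection": collection, "Rule": rule}

SAMPLE_LOGS = [  # constructed; addresses and names are illustrative
    _rec("AZFWNetworkRule", "TCP", "10.0.1.4", "20.190.127.10", 443, "Allow",
         "AllowWebAccess", "AllowHTTPS_to_AzureSites"),
    _rec("AZFWNetworkRule", "UDP", "10.0.1.4", "8.8.8.8", 53, "Deny",
         "DenyPlainDns", "DenyExternalDns"),
    _rec("AZFWApplicationRule", "HTTPS", "10.0.1.4", "download.windowsupdate.com", 443,
         "Allow", "AllowMicrosoftUpdates", "AllowWindowsUpdate"),
    # A build agent repeatedly hitting a destination nobody wrote a rule for.
    *[_rec("AZFWApplicationRule", "HTTPS", "10.0.1.9", "pypi.org", 443, "Deny")
      for _ in range(3)],
    # One host touching many ports on a server, denied each time: scan-like.
    *[_rec("AZFWNetworkRule", "TCP", "10.0.3.7", "10.0.2.10", p, "Deny")
      for p in (22, 80, 443, 3389, 8080, 8443)],
]

def _target(rec):
    return rec.get("Fqdn") or rec["DestinationIp"]

def default_deny_hits(records):
    """Flows stopped by the implicit deny, counted per (source, target, port)."""
    hits = Counter()
    for r in records:
        if r["Action"] == "Deny" and not r["Rule"]:
            hits[(r["SourceIp"], _target(r), r["DestinationPort"])] += 1
    return hits

def explicit_deny_hits(records):
    """Flows stopped by a Deny collection, counted per (collection, rule)."""
    return Counter((r["RuleCollection"], r["Rule"])
                   for r in records if r["Action"] == "Deny" and r["Rule"])

def missing_rule_candidates(records, min_hits=3):
    """Repeated default-deny hits on one (source, target, port) usually mean a rule
    is missing rather than an attack; review these before adding anything."""
    return sorted(k for k, n in default_deny_hits(records).items() if n >= min_hits)

def scanning_sources(records, min_targets=5):
    """Sources denied to many distinct (target, port) pairs: port-scan-like behaviour
    that should be investigated, not fixed with a new Allow rule."""
    seen = defaultdict(set)
    for r in records:
        if r["Action"] == "Deny":
            seen[r["SourceIp"]].add((_target(r), r["DestinationPort"]))
    return sorted(ip for ip, pairs in seen.items() if len(pairs) >= min_targets)
```

On the sample, the three pypi.org denies from 10.0.1.9 surface as a missing-rule candidate, the single external DNS deny is attributed to the DenyPlainDns collection, and 10.0.3.7 is the only source denied to five or more distinct targets. In a real workspace the same grouping is a short KQL query over the tables named above; the thresholds here are starting points, not tuned values.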
Conclusion
Effective Azure Firewall policy management is vital for securing your cloud infrastructure. By understanding the concepts of rules, collections, and threat intelligence, and by following best practices, you can build a robust and resilient network security posture.