Azure Network Firewalls

Comprehensive documentation and guidance for securing your Azure network resources.

Understanding Azure Network Firewalls

Azure Firewall is a managed, cloud-native network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Key Features and Benefits

  • Centralized Policy Management: Define and manage firewall rules across your entire network from a single pane of glass.
  • Threat Intelligence-Based Filtering: Integrate with Microsoft's Threat Intelligence feed to block known malicious IPs and domains.
  • Network Address Translation (NAT): Supports both Source Network Address Translation (SNAT) and Destination Network Address Translation (DNAT) for inbound and outbound traffic.
  • High Availability and Scalability: Built-in redundancy and automatic scaling ensure continuous protection and performance.
  • Logging and Monitoring: Comprehensive logging capabilities with integration to Azure Monitor, Azure Sentinel, and SIEM solutions.
  • Web Filtering: Control outgoing HTTP/S traffic to specific categories of websites.
  • Advanced Network Analytics: Gain insights into traffic flows and security events.

Deployment Scenarios

Azure Firewall can be deployed in various network architectures to provide security:

  • Hub-Spoke Topology: Centralize firewall deployment in the hub VNet to inspect traffic flowing between spokes and to/from the internet.
  • On-premises Connectivity: Route traffic from on-premises networks to Azure through the firewall for consistent security policies.
  • Multi-VNet and VNet Peering: Secure traffic between multiple VNets and peered networks.

Configuration Essentials

Deploying and configuring Azure Firewall involves several key components:

  1. Firewall Policy: The central object that defines rules, threat intelligence settings, and other security configurations.
  2. Rule Collections: Groupings of rules that can be managed and applied to the firewall policy. These include:
    • Network Rule Collections: For filtering IP traffic based on protocol, source/destination IP addresses, ports, and FQDN tags.
    • Application Rule Collections: For filtering outbound HTTP/S traffic by target FQDN, FQDN tag, or web category.
  3. NAT Rule Collections: For configuring DNAT rules to translate destination IP addresses and ports for inbound traffic.
  4. Private IP Address: The internal IP address used by the firewall instance.
  5. Public IP Address: The external IP address used for SNAT and DNAT.

Example: Creating a Network Rule

This example shows a network rule that allows outbound HTTP and HTTPS traffic to a specific FQDN. The object is a single rule as it appears in the rules array of a filter rule collection inside a Firewall Policy rule collection group; a network rule that targets an FQDN rather than an IP address is only resolved when DNS proxy is enabled on the policy:

{
  "name": "AllowWebAccess",
  "ruleType": "NetworkRule",
  "ipProtocols": [ "TCP" ],
  "sourceAddresses": [ "*" ],
  "destinationFqdns": [ "www.example.com" ],
  "destinationPorts": [ "80", "443" ]
}


Example: Creating an Application Rule

This example shows an application rule that allows outbound HTTPS traffic from one subnet to a specific website. As with the network rule, this is the rule object as it appears inside a filter rule collection of a Firewall Policy rule collection group:

{
  "name": "AllowHTTPSExample",
  "ruleType": "ApplicationRule",
  "sourceAddresses": [ "10.0.1.0/24" ],
  "targetFqdns": [ "www.another-example.com" ],
  "protocols": [ { "protocolType": "Https", "port": 443 } ],
  "webCategories": []
}

Note: Always test your firewall rules thoroughly after implementation to ensure they do not inadvertently block legitimate traffic.
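The following Python script is added here as an example; it is not part of this page or of Azure Firewall itself. It lints a Firewall Policy rule collection group containing the rule shapes described above (network, application and NAT rules) against the least-privilege practice: it flags Allow rules open from any source to any destination, DNAT rules reachable from any source, and FQDN network rules on a policy without DNS proxy. The sample rule collection group, its collection names and its IP addresses are constructed for the example.

```python
import json

# Constructed sample rule collection group (not from the page): the page's two
# rules, a wide-open network rule, and a DNAT collection exposing RDP.
SAMPLE_RCG = json.dumps({
    "name": "DefaultRuleCollectionGroup",
    "properties": {"priority": 100, "ruleCollections": [
        {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
         "name": "Outbound", "priority": 100, "action": {"type": "Allow"},
         "rules": [
             {"ruleType": "NetworkRule", "name": "AllowWebAccess",
              "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
              "destinationFqdns": ["www.example.com"],
              "destinationPorts": ["80", "443"]},
             {"ruleType": "ApplicationRule", "name": "AllowHTTPSExample",
              "sourceAddresses": ["10.0.1.0/24"],
              "targetFqdns": ["www.another-example.com"],
              "protocols": [{"protocolType": "Https", "port": 443}]},
             {"ruleType": "NetworkRule", "name": "AllowAll",
              "ipProtocols": ["Any"], "sourceAddresses": ["*"],
              "destinationAddresses": ["*"], "destinationPorts": ["*"]}]},
        {"ruleCollectionType": "FirewallPolicyNatRuleCollection",
         "name": "Inbound", "priority": 200, "action": {"type": "Dnat"},
         "rules": [
             {"ruleType": "NatRule", "name": "RdpToJump",
              "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
              "destinationAddresses": ["203.0.113.10"],
              "destinationPorts": ["3389"],
              "translatedAddress": "10.0.2.4", "translatedPort": "3389"}]}]}})


def lint_rule_collection_group(rcg_json, dns_proxy_enabled):
    """Return one finding per risky or non-working rule; an empty list means clean."""
    findings = []
    for coll in json.loads(rcg_json)["properties"]["ruleCollections"]:
        action = coll.get("action", {}).get("type")
        for rule in coll.get("rules", []):
            name = f'{coll["name"]}/{rule["name"]}'
            src_any = "*" in rule.get("sourceAddresses", [])
            if rule["ruleType"] == "NetworkRule":
                # An Allow rule with wildcard source and destination defeats the firewall.
                if action == "Allow" and src_any and "*" in rule.get("destinationAddresses", []):
                    findings.append(f"{name}: allows any source to any destination")
                # FQDN-based network rules are only resolved when DNS proxy is on.
                if rule.get("destinationFqdns") and not dns_proxy_enabled:
                    findings.append(f"{name}: FQDN network rule needs DNS proxy enabled on the policy")
            elif rule["ruleType"] == "NatRule" and src_any:
                # DNAT from any source publishes the translated host to the whole internet.
                ports = ",".join(rule.get("destinationPorts", []))
                findings.append(f"{name}: DNAT exposes port(s) {ports} to any source")
    return findings
```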

Best Practices

  • Implement a principle of least privilege, allowing only necessary traffic.
  • Use FQDN tags for common Microsoft services to simplify management.
  • Regularly review and update firewall rules.
  • Enable and monitor logs for security events and network activity.
  • Integrate with Azure Sentinel for advanced threat detection and response.