Azure Firewall

Last Updated: October 26, 2023 Author: Microsoft Azure Docs Team

Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Key Features

  • High Availability and Scalability: Azure Firewall is a managed service that provides built-in high availability and automatically scales to meet your security needs.
  • Network and Application Filtering: You can define granular rules to allow or deny traffic based on source and destination IP addresses, ports, and protocols (Network Rules). You can also filter traffic based on FQDN (Fully Qualified Domain Name) for applications (Application Rules).
  • Threat Intelligence-Based Filtering: Enable threat intelligence-based filtering to identify and block traffic to and from known malicious IP addresses, domains, and URLs, using Microsoft's threat intelligence feed.
  • Centralized Logging and Monitoring: Azure Firewall logs network traffic and provides detailed insights into your network security posture through Azure Monitor.
  • Global Distribution: Deploy Azure Firewall in any Azure region to protect your resources consistently across your hybrid and multi-cloud environments.

Azure Firewall Architecture

Azure Firewall is deployed in a specific Azure region and is associated with a virtual network. It acts as a gateway for traffic flowing between subnets within the virtual network, between virtual networks, and between the virtual network and the internet.

Typically, Azure Firewall is deployed in its own dedicated subnet named AzureFirewallSubnet. This subnet must be named exactly AzureFirewallSubnet and have a minimum prefix size of /26.

Network Rules

Network rules allow you to filter traffic based on:

  • Source and destination IP addresses
  • Source and destination ports
  • Protocols (TCP, UDP, ICMP, Any)

Example of a network rule definition:

{
    "ruleCollectionType": "NetworkRule",
    "ruleCollectionName": "AllowWebTraffic",
    "priority": 200,
    "rules": [
        {
            "name": "AllowHTTP",
            "protocols": [ "TCP" ],
            "sourceAddresses": [ "10.0.1.0/24" ],
            "destinationPorts": [ "80" ],
            "destinationAddresses": [ "*" ],
            "destinationFqdns": null
        }
    ]
}

Application Rules

Application rules allow you to filter HTTP and HTTPS traffic based on:

  • FQDN tags (e.g., AzureCloud, WindowsUpdate)
  • Specific FQDNs
  • Web Categories

Example of an application rule definition:

{
    "ruleCollectionType": "ApplicationRule",
    "ruleCollectionName": "AllowSpecificApps",
    "priority": 300,
    "rules": [
        {
            "name": "AllowGitHub",
            "protocols": [ { "protocolType": "Https", "port": 443 } ],
            "sourceAddresses": [ "10.0.2.0/24" ],
            "targetFqdns": [ "*.github.com" ],
            "webCategories": null
        }
    ]
}

Note: Azure Firewall integrates with Network Security Groups (NSGs) and Azure DDoS Protection for comprehensive network security.
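
As an added example (not code from the Azure documentation), the following Python evaluates a flow against rule collections in the JSON shape shown above and lists network rules whose destination is the wildcard "*". It assumes Azure Firewall's evaluation order (network rule collections before application rule collections, each in ascending priority, with unmatched traffic denied), treats a collection without an action field as Allow, and uses a constructed flow layout and constructed addresses.

```python
# Added example (not Microsoft's code): evaluate flows against Azure Firewall-style
# rule collections in the JSON shape shown above, and flag wildcard destinations.
import ipaddress
from fnmatch import fnmatch

# Constructed sample: the two rule collections from this page.
COLLECTIONS = [
    {"ruleCollectionType": "NetworkRule", "ruleCollectionName": "AllowWebTraffic", "priority": 200,
     "rules": [{"name": "AllowHTTP", "protocols": ["TCP"], "sourceAddresses": ["10.0.1.0/24"],
                "destinationPorts": ["80"], "destinationAddresses": ["*"]}]},
    {"ruleCollectionType": "ApplicationRule", "ruleCollectionName": "AllowSpecificApps", "priority": 300,
     "rules": [{"name": "AllowGitHub", "protocols": [{"protocolType": "Https", "port": 443}],
                "sourceAddresses": ["10.0.2.0/24"], "targetFqdns": ["*.github.com"]}]},
]

def _addr_match(ip, entries):
    # "*" matches anything; otherwise the address must fall inside one of the listed CIDRs.
    return any(e == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(e) for e in entries)

def _net_match(rule, flow):
    # Network rule: protocol, source, destination port and destination address must all match.
    return ((flow["proto"] in rule["protocols"] or "Any" in rule["protocols"])
            and _addr_match(flow["src"], rule["sourceAddresses"])
            and (str(flow["dport"]) in rule["destinationPorts"] or "*" in rule["destinationPorts"])
            and _addr_match(flow["dst"], rule["destinationAddresses"]))

def _app_match(rule, flow):
    # Application rule: source plus an FQDN pattern on a listed port. Note that "*.github.com"
    # matches subdomains only, not "github.com" itself (assumption: glob-style prefix match).
    fqdn = flow.get("fqdn")
    return (fqdn is not None
            and _addr_match(flow["src"], rule["sourceAddresses"])
            and any(p["port"] == flow["dport"] for p in rule["protocols"])
            and any(fnmatch(fqdn, pat) for pat in rule["targetFqdns"]))

def evaluate(flow, collections=COLLECTIONS):
    """Return (action, 'collection/rule'). Network rule collections are checked before
    application rule collections, each by ascending priority; unmatched flows are denied."""
    for kind, matcher in (("NetworkRule", _net_match), ("ApplicationRule", _app_match)):
        for coll in sorted((c for c in collections if c["ruleCollectionType"] == kind),
                           key=lambda c: c["priority"]):
            for rule in coll["rules"]:
                if matcher(rule, flow):
                    return (coll.get("action", "Allow"), f'{coll["ruleCollectionName"]}/{rule["name"]}')
    return ("Deny", None)

def audit_wildcard_destinations(collections=COLLECTIONS):
    """Network rules whose destination is '*': they permit the listed ports to any destination,
    including the internet, so a reviewer should confirm each one is intended."""
    return [r["name"] for c in collections if c["ruleCollectionType"] == "NetworkRule"
            for r in c["rules"] if "*" in r["destinationAddresses"]]
```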

Deploying Azure Firewall

You can deploy Azure Firewall using the Azure portal, Azure CLI, PowerShell, or ARM templates. For detailed deployment steps, refer to the official Azure Firewall deployment guide.

Use Cases

  • Protecting workloads deployed in Azure Virtual Networks.
  • Centralized network policy enforcement for hybrid and multi-cloud environments.
  • Filtering egress internet traffic to prevent malware infections and data exfiltration.
  • Securing communication between different virtual networks.

Azure Firewall is a powerful tool for enhancing the security posture of your Azure deployments. By understanding its features and capabilities, you can effectively protect your network resources from a wide range of threats.