Azure Firewall
Last updated: October 26, 2023
Azure Firewall is a cloud-native, managed network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall as a service (FWaaS) with built-in high availability and unrestricted cloud scalability.
Key Features
- High Availability and Scalability: Built-in redundancy and automatic scaling to meet demand.
- Stateful Firewall: Tracks the state of active network connections and makes decisions based on the context of traffic.
- Network and Application Traffic Filtering: Control access to and from your virtual networks based on source/destination IP addresses, ports, and application FQDNs.
- Threat Intelligence: Integrate with Microsoft's threat intelligence feeds to automatically block malicious IPs and domains.
- Centralized Logging and Monitoring: Comprehensive logs for auditing and troubleshooting network traffic.
- Centrally Managed Policies: Define and manage firewall rules from a central location.
How Azure Firewall Works
Azure Firewall is deployed as a network virtual appliance (NVA) within a dedicated subnet in your virtual network. All network traffic from your virtual network subnets can be routed to the Azure Firewall using User Defined Routes (UDRs). The firewall then applies configured network and application rules to allow or deny traffic.
Deployment Considerations
Ensure that you deploy Azure Firewall in its own dedicated subnet named AzureFirewallSubnet. The address prefix for this subnet must be /26 or larger.
Rule Types
Azure Firewall supports three types of rules:
- Network Rules

Network rules allow you to filter traffic based on Layer 3 (IP address) and Layer 4 (port) information. These rules are useful for filtering traffic to and from specific IP addresses and ports.

Example network rule (allowing outbound HTTP/S to specific IPs):

```json
{
  "ruleCollection": "NetworkRuleCollection1",
  "priority": 200,
  "action": { "type": "Allow" },
  "rules": [
    {
      "name": "AllowOutboundHTTPSSpecific",
      "protocols": [ "TCP" ],
      "sourceAddresses": [ "10.1.0.0/16" ],
      "destinationAddresses": [ "203.0.113.1", "203.0.113.2" ],
      "destinationPorts": [ "80", "443" ]
    }
  ]
}
```

- Application Rules

Application rules allow you to filter HTTP and HTTPS traffic based on FQDNs (Fully Qualified Domain Names). This provides more granular control, allowing you to permit or deny access to specific websites or services.

Example application rule (allowing outbound access to specific FQDNs):

```json
{
  "ruleCollection": "AppRuleCollection1",
  "priority": 300,
  "action": { "type": "Allow" },
  "rules": [
    {
      "name": "AllowSpecificWebsites",
      "sourceAddresses": [ "10.1.1.0/24" ],
      "targetFqdns": [ "*.microsoft.com", "www.example.com" ],
      "protocols": [
        { "protocolType": "Http", "port": 80 },
        { "protocolType": "Https", "port": 443 }
      ]
    }
  ]
}
```

- Network Security Group (NSG) Rules (not directly Azure Firewall rules)
While Azure Firewall uses its own rule sets, Network Security Groups (NSGs) are also crucial for network security in Azure. NSGs provide network traffic filtering at the NIC or subnet level.
You can leverage both Azure Firewall and NSGs for a layered security approach.
Best Practices
Always define a DenyAll rule collection at the lowest priority (the highest priority number, since Azure Firewall evaluates lower priority numbers first) for both network and application rules, so that only explicitly allowed traffic can pass through.
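As an added example (not code from Microsoft or from this page), the following Python simulator ties together the network rule JSON shape shown above and the DenyAll best practice: it evaluates a flow against rule collections in ascending priority number, the order Azure Firewall uses, so a proposed rule set can be sanity-checked before deployment. The `NETWORK_COLLECTIONS` data, the function names and the sample flows are constructed for illustration.

```python
import ipaddress

# Constructed rule collections in the same shape as the page's example: the
# page's network rule collection plus a catch-all DenyAll collection at the
# lowest priority (Azure Firewall evaluates the lowest priority number first).
NETWORK_COLLECTIONS = [
    {"ruleCollection": "NetworkRuleCollection1", "priority": 200,
     "action": {"type": "Allow"},
     "rules": [{"name": "AllowOutboundHTTPSSpecific", "protocols": ["TCP"],
                "sourceAddresses": ["10.1.0.0/16"],
                "destinationAddresses": ["203.0.113.1", "203.0.113.2"],
                "destinationPorts": ["80", "443"]}]},
    {"ruleCollection": "DenyAll", "priority": 65000,
     "action": {"type": "Deny"},
     "rules": [{"name": "DenyAll", "protocols": ["Any"],
                "sourceAddresses": ["*"], "destinationAddresses": ["*"],
                "destinationPorts": ["*"]}]},
]

def _addr_match(addr, patterns):
    """True if addr is matched by '*' or falls inside any listed IP/CIDR."""
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False)
               for p in patterns)

def _port_match(port, patterns):
    """True if port matches '*', an exact port, or a 'lo-hi' range."""
    for p in patterns:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def evaluate_network_flow(collections, proto, src, dst, dport):
    """First-match evaluation of one flow against network rule collections,
    ordered by ascending priority number. Returns (action, collection, rule),
    or None when nothing matches (Azure Firewall's implicit deny)."""
    for coll in sorted(collections, key=lambda c: c["priority"]):
        for rule in coll["rules"]:
            if (("Any" in rule["protocols"] or proto in rule["protocols"])
                    and _addr_match(src, rule["sourceAddresses"])
                    and _addr_match(dst, rule["destinationAddresses"])
                    and _port_match(dport, rule["destinationPorts"])):
                return coll["action"]["type"], coll["ruleCollection"], rule["name"]
    return None
```

Running the same flows with the DenyAll collection removed returns `None` for anything the Allow collection does not cover, which is the case the explicit DenyAll makes visible as a named rule hit.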