Azure Firewall Manager
Azure Firewall Manager is a network security service for centrally managing and monitoring Azure Firewall and Azure Firewall Premium deployments across subscriptions and regions, including firewalls deployed in Virtual WAN hubs.
Note: Azure Firewall Manager provides a unified management experience for Azure Firewall and Firewall Premium, allowing you to enforce consistent security policies across your cloud network environments.
Key Features
- Centralized Management: Deploy, configure, and manage multiple Azure Firewall instances from a single pane of glass.
- Policy Management: Author Firewall Policies (DNAT, network, and application rules, organized into rule collections and rule collection groups) once and attach them to any number of firewalls.
- Hierarchical Policies: Derive child policies from a parent policy. The parent's rules are evaluated before the child's and cannot be overridden by it, so a central team can enforce baseline rules while application teams add their own.
- Secured Virtual Hubs: Deploy Azure Firewall into an Azure Virtual WAN hub to get a managed hub-and-spoke architecture with the firewall in the hub.
- Threat Intelligence: Alert on, or deny, traffic to and from IP addresses and domains in the Microsoft threat intelligence feed (the mode is set per policy: Off, Alert, or Deny).
- Logging and Monitoring: Comprehensive logging and integration with Azure Monitor for security event analysis.
Getting Started
1. Create a Firewall Policy
A Firewall Policy is the resource that holds a firewall's configuration: its rules (grouped into rule collection groups, rule collections, and rules), its threat intelligence and DNS settings, and, for Premium, TLS inspection and IDPS settings. A policy is created once and can be attached to many firewalls.
# Example using Azure CLI to create a Premium Firewall Policy.
# The firewall commands ship in the azure-firewall extension; install it once.
az extension add --name azure-firewall
az network firewall policy create \
  --name MyFirewallPolicy \
  --resource-group MyResourceGroup \
  --location eastus \
  --sku Premium
2. Create Firewall Rules
Rules live in rule collections, and rule collections live in rule collection groups inside the policy. Each collection has a priority, an action (Allow or Deny), and rules of a single type. Collections are processed by type, DNAT first, then network, then application, regardless of the priority values across types.
Network Rules
Match on source and destination IP address (or IP group), IP protocol, and destination port. Avoid '*' as the source of an Allow rule: it admits every spoke and on-premises prefix the firewall can see.
# Rules need a rule collection group to live in, so create the group first.
az network firewall policy rule-collection-group create \
  --name DefaultNetworkRuleCollectionGroup \
  --policy-name MyFirewallPolicy \
  --resource-group MyResourceGroup \
  --priority 200
# Add a filter collection holding one network rule; priority and action belong to the collection.
az network firewall policy rule-collection-group collection add-filter-collection \
  --resource-group MyResourceGroup \
  --policy-name MyFirewallPolicy \
  --rcg-name DefaultNetworkRuleCollectionGroup \
  --name AllowWebTraffic \
  --collection-priority 200 \
  --action Allow \
  --rule-name AllowHTTP \
  --rule-type NetworkRule \
  --ip-protocols TCP \
  --source-addresses 10.0.0.0/24 \
  --destination-addresses '*' \
  --destination-ports 80
Application Rules
Control outbound HTTP and HTTPS by destination FQDN or FQDN tag, and, with Premium, by URL or web category. For HTTPS the FQDN is matched against the TLS SNI unless TLS inspection is enabled.
# Application rules go in their own collection; a collection holds rules of one type.
# TLS inspection needs a Premium policy with an intermediate CA certificate configured
# (see --cert-name and --key-vault-secret-id on az network firewall policy update).
az network firewall policy rule-collection-group collection add-filter-collection \
  --resource-group MyResourceGroup \
  --policy-name MyFirewallPolicy \
  --rcg-name DefaultNetworkRuleCollectionGroup \
  --name AllowSocialMedia \
  --collection-priority 300 \
  --action Allow \
  --rule-name AllowFacebook \
  --rule-type ApplicationRule \
  --source-addresses 10.0.0.0/24 \
  --protocols Http=80 Https=443 \
  --target-fqdns www.facebook.com \
  --enable-tls-inspection true
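Before a policy is attached to anything, it is worth auditing its rules for the broad patterns that creep in during tutorials and migrations. The script below is an added example, not part of Azure Firewall Manager or the Azure CLI: it reads the JSON that `az network firewall policy rule-collection-group show -o json` returns (the Microsoft.Network/firewallPolicies/ruleCollectionGroups resource shape) and flags Allow rules with wildcard sources, any-any network rules, web ports opened via network rules instead of application rules, wildcard FQDNs, and HTTPS allowed without TLS inspection. The embedded document is constructed for the example and mirrors the rules on this page, with AllowHTTP written with a wildcard source so the check has something to catch; the function and finding names are this example's own.

```python
"""Audit an exported Azure Firewall rule collection group for risky Allow rules.

Added example (not part of Azure Firewall Manager or the Azure CLI). Input is the
JSON returned by `az network firewall policy rule-collection-group show -o json`.
"""
import json
import sys
from collections import Counter

WEB_PORTS = {"80", "443"}
FILTER_COLLECTION = "FirewallPolicyFilterRuleCollection"

# Constructed sample in the resource's JSON shape. AllowHTTP is deliberately written
# with a wildcard source so the audit has something to catch.
SAMPLE_RCG = json.dumps({
    "name": "DefaultNetworkRuleCollectionGroup",
    "properties": {
        "priority": 200,
        "ruleCollections": [
            {"ruleCollectionType": FILTER_COLLECTION, "name": "AllowWebTraffic",
             "priority": 200, "action": {"type": "Allow"},
             "rules": [
                 {"ruleType": "NetworkRule", "name": "AllowHTTP", "ipProtocols": ["TCP"],
                  "sourceAddresses": ["*"], "destinationAddresses": ["*"],
                  "destinationPorts": ["80"]},
                 {"ruleType": "NetworkRule", "name": "AllowAnyFromSpoke", "ipProtocols": ["Any"],
                  "sourceAddresses": ["10.0.0.0/24"], "destinationAddresses": ["10.0.1.0/24"],
                  "destinationPorts": ["*"]}]},
            {"ruleCollectionType": FILTER_COLLECTION, "name": "AllowSocialMedia",
             "priority": 300, "action": {"type": "Allow"},
             "rules": [
                 {"ruleType": "ApplicationRule", "name": "AllowFacebook",
                  "protocols": [{"protocolType": "Http", "port": 80},
                                {"protocolType": "Https", "port": 443}],
                  "sourceAddresses": ["10.0.0.0/24"], "targetFqdns": ["www.facebook.com"],
                  "terminateTLS": True},
                 {"ruleType": "ApplicationRule", "name": "AllowAnyFqdn",
                  "protocols": [{"protocolType": "Https", "port": 443}],
                  "sourceAddresses": ["10.0.0.0/24"], "targetFqdns": ["*"],
                  "terminateTLS": False}]},
        ],
    },
})


def _finding(severity, collection, rule, message):
    return {"severity": severity, "collection": collection, "rule": rule, "message": message}


def _audit_network_rule(cname, rule):
    """Flag network Allow rules that are broader than a segmented design needs."""
    out, rname = [], rule["name"]
    srcs = set(rule.get("sourceAddresses", []))
    dsts = set(rule.get("destinationAddresses", []))
    ports = set(rule.get("destinationPorts", []))
    wide_dst = "*" in dsts
    wide_port = "*" in ports or "Any" in rule.get("ipProtocols", [])
    if "*" in srcs:
        out.append(_finding("high", cname, rname,
                            "any source may match; scope to spoke prefixes or an IP group"))
    if wide_dst and wide_port:
        out.append(_finding("high", cname, rname, "any destination on any port or protocol"))
    elif wide_port:
        out.append(_finding("medium", cname, rname,
                            "any port or protocol to " + ", ".join(sorted(dsts))))
    elif wide_dst and ports & WEB_PORTS:
        out.append(_finding("medium", cname, rname,
                            "web ports to any destination bypass FQDN filtering; use an application rule"))
    return out


def _audit_application_rule(cname, rule):
    """Flag application Allow rules with wildcard targets or uninspected HTTPS."""
    out, rname = [], rule["name"]
    if "*" in rule.get("targetFqdns", []):
        out.append(_finding("high", cname, rname, "wildcard target FQDN allows any destination"))
    uses_https = any(p.get("protocolType") == "Https" for p in rule.get("protocols", []))
    if uses_https and not rule.get("terminateTLS", False):
        out.append(_finding("info", cname, rname,
                            "HTTPS allowed without TLS inspection; only the SNI is matched"))
    return out


def audit_rule_collection_group(doc):
    """Return findings, in rule order, for one rule collection group document."""
    findings = []
    collections = doc["properties"]["ruleCollections"]
    # Collection priorities must be unique within a group; catch clashes before deployment.
    prio_counts = Counter(c.get("priority") for c in collections)
    for coll in collections:
        cname = coll["name"]
        if prio_counts[coll.get("priority")] > 1:
            findings.append(_finding("error", cname, None,
                                     f"priority {coll.get('priority')} is shared with another collection"))
        # Only Allow filter collections widen exposure; DNAT and Deny collections are skipped.
        if coll.get("ruleCollectionType") != FILTER_COLLECTION or coll.get("action", {}).get("type") != "Allow":
            continue
        for rule in coll.get("rules", []):
            if rule.get("ruleType") == "NetworkRule":
                findings.extend(_audit_network_rule(cname, rule))
            elif rule.get("ruleType") == "ApplicationRule":
                findings.extend(_audit_application_rule(cname, rule))
    return findings


def audit_json(text):
    """Parse a rule collection group JSON document and audit it."""
    return audit_rule_collection_group(json.loads(text))


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RCG
    for f in audit_json(source):
        print(f"[{f['severity']}] {f['collection']}/{f['rule']}: {f['message']}")
```

Run it with no arguments to audit the embedded sample, or pass the path of a file produced by `az network firewall policy rule-collection-group show -o json` to audit a real group. Deny collections and DNAT collections are deliberately skipped: a broad Deny narrows exposure, and DNAT rules have their own review concerns (published ports) that this check does not cover.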
3. Associate the Policy with an Azure Firewall
A policy can be attached to many firewalls, but each firewall uses exactly one policy, and a Premium policy can only be attached to a Premium-SKU firewall.
For a standalone Azure Firewall:
# --firewall-policy accepts the policy name or its full resource ID.
az network firewall update \
  --name MyAzureFirewall \
  --resource-group MyResourceGroup \
  --firewall-policy "/subscriptions/YOUR_SUBSCRIPTION_ID/resourceGroups/MyResourceGroup/providers/Microsoft.Network/firewallPolicies/MyFirewallPolicy"
For a Secured Virtual Hub:
The policy is chosen when Azure Firewall is deployed into the Virtual WAN hub, which is what turns it into a secured virtual hub; the firewall inside the hub then enforces that policy, and the attached policy can be changed later from the hub's settings in Firewall Manager.
Tip: Premium-only features such as TLS inspection, IDPS, URL filtering, and web categories require both a Premium policy and a Premium-SKU firewall; TLS inspection additionally needs an intermediate CA certificate stored in Key Vault and referenced from the policy before any rule with TLS inspection enabled takes effect.