Configure Firewall Policy for Azure Firewall

Introduction

Azure Firewall is a managed, cloud-native network security service that protects your virtual network resources. A firewall policy is a centralized management plane in which you define and manage network rules, application rules, and NAT rules and apply them to one or more firewalls.

This document guides you through the process of creating and configuring a firewall policy for Azure Firewall, ensuring robust network security for your Azure environment.

Prerequisites

  • An active Azure subscription.
  • Permissions to create and manage Azure Firewall and Firewall Policies.
  • An existing Azure Firewall instance or the ability to create one.
  • An Azure Virtual Network (VNet) where the firewall will be deployed or is already deployed.

Steps to Configure Firewall Policy

1. Create a Firewall Policy

You can create a firewall policy using the Azure portal, Azure CLI, or Azure PowerShell.

Using Azure Portal:

  1. Navigate to the Azure portal.
  2. Search for "Firewall Policy" and select it.
  3. Click "Create firewall policy".
  4. Fill in the required details: Subscription, Resource Group, Policy Name, Region.
  5. Click "Review + create" and then "Create".

Using Azure CLI:


az network firewall policy create --name MyFirewallPolicy \
    --resource-group MyResourceGroup \
    --location eastus \
    --sku Premium

2. Define Rule Collections

Firewall policies consist of rule collections. There are three types of rule collections:

  • Network Rule Collections: Filter traffic based on IP addresses, ports, and protocols.
  • Application Rule Collections: Filter traffic based on FQDNs (Fully Qualified Domain Names) and specific application protocols.
  • NAT Rule Collections: Used to translate source or destination IP addresses and ports.

To add a Network Rule Collection (Azure Portal):

  1. Open your created Firewall Policy.
  2. Under "Settings", select "Rule collection groups".
  3. Click "Add rule collection group".
  4. Provide a name, priority, and select "Network rules" as the rule type.
  5. Add rules specifying source type, source addresses, protocol, destination type, destination addresses, and destination ports.
  6. Click "Add".

Example of adding an Application Rule (Azure CLI):


# Rule collections live inside a rule collection group; create one first (MyRcg is a placeholder name).
az network firewall policy rule-collection-group create --name MyRcg --priority 100 \
    --policy-name MyFirewallPolicy --resource-group MyResourceGroup

# Add an application rule collection with one Allow rule (the source range is a placeholder).
az network firewall policy rule-collection-group collection add-filter-collection \
    --policy-name MyFirewallPolicy --resource-group MyResourceGroup --rcg-name MyRcg \
    --name AppRuleCollection --collection-priority 200 \
    --rule-type ApplicationRule --action Allow --rule-name AllowSpecificWebsite \
    --protocols Http=80 Https=443 \
    --source-addresses 10.0.0.0/24 \
    --target-fqdns www.example.com

Note: Rule priorities determine the order in which rules are evaluated. Lower numbers indicate higher priority.

3. Associate Policy with Firewall

Once the policy is configured, you need to associate it with your Azure Firewall instance.

Using Azure Portal:

  1. Navigate to your Azure Firewall resource.
  2. Under "Settings", select "Properties".
  3. Under "Firewall Policy", select your newly created policy from the dropdown.
  4. Click "Save".

Using Azure CLI:


az network firewall update --name MyAzureFirewall \
    --resource-group MyResourceGroup \
    --firewall-policy MyFirewallPolicy

4. Review and Deploy

After associating the policy, Azure Firewall will apply the new configuration. This process may take a few minutes.

Review your firewall logs and network traffic to ensure the policy is working as expected.

Best Practices

  • Least Privilege: Only allow necessary traffic. Deny by default and explicitly allow what's needed.
  • Centralized Management: Use firewall policies to manage rules across multiple firewalls.
  • Rule Organization: Group similar rules into collections for better manageability.
  • Meaningful Naming: Use descriptive names for policies, rule collections, and rules.
  • Regular Auditing: Periodically review firewall logs and policy configurations.
  • Use FQDN Tags and Web Categories: Leverage built-in tags and categories for easier management of common service endpoints.

Tip: Start with a broad set of rules and gradually tighten them based on observed traffic patterns and security requirements.
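An added audit script, written for this guide and not part of the document or the Azure CLI, that applies the priority and least-privilege points above to one rule collection group: it flags out-of-range or duplicate collection priorities, any-source-to-any-destination Allow rules, and Deny collections that such a rule shadows. It assumes the dict mirrors the JSON that `az network firewall policy rule-collection-group show` returns, and the sample group is constructed.

```python
"""Audit one firewall policy rule collection group for least-privilege problems."""

# Constructed sample in the shape returned by
# `az network firewall policy rule-collection-group show` (field names are an assumption).
SAMPLE_RCG = {"name": "DefaultRcg", "priority": 100, "ruleCollections": [
    {"name": "AllowWeb", "priority": 200, "action": {"type": "Allow"}, "rules": [
        {"ruleType": "ApplicationRule", "name": "AllowExample", "sourceAddresses": ["10.0.1.0/24"],
         "targetFqdns": ["www.example.com"], "protocols": [{"protocolType": "Https", "port": 443}]}]},
    {"name": "AllowAll", "priority": 300, "action": {"type": "Allow"}, "rules": [
        {"ruleType": "NetworkRule", "name": "AnyAny", "ipProtocols": ["Any"], "sourceAddresses": ["*"],
         "destinationAddresses": ["*"], "destinationPorts": ["*"]}]},
    {"name": "DenyTelnet", "priority": 400, "action": {"type": "Deny"}, "rules": [
        {"ruleType": "NetworkRule", "name": "NoTelnet", "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
         "destinationAddresses": ["*"], "destinationPorts": ["23"]}]},
]}


def is_wildcard(rule):
    """True when a rule matches any source reaching any destination on any port
    (application rules carry ports in `protocols`, so no destinationPorts means any port)."""
    dests = rule.get("destinationAddresses", []) + rule.get("targetFqdns", [])
    return ("*" in rule.get("sourceAddresses", []) and "*" in dests
            and "*" in rule.get("destinationPorts", ["*"]))


def audit_rule_collection_group(rcg):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings, seen = [], {}
    cols = sorted(rcg.get("ruleCollections", []), key=lambda c: c["priority"])
    for col in cols:
        prio = col["priority"]
        if not 100 <= prio <= 65000:
            findings.append(f"{col['name']}: priority {prio} outside the 100-65000 range")
        if prio in seen:
            findings.append(f"{col['name']}: duplicate priority {prio} (also used by {seen[prio]})")
        seen.setdefault(prio, col["name"])
    # Collections of one rule type are evaluated in ascending priority number and the
    # first match wins, so a wildcard Allow makes every later Deny of that type unreachable.
    for i, col in enumerate(cols):
        if col["action"]["type"] != "Allow":
            continue
        for rule in filter(is_wildcard, col["rules"]):
            findings.append(f"{col['name']}/{rule['name']}: Allow from any source to any destination")
            for later in cols[i + 1:]:
                if later["action"]["type"] == "Deny" and any(
                        r["ruleType"] == rule["ruleType"] for r in later["rules"]):
                    findings.append(f"{col['name']} (priority {col['priority']}) shadows Deny "
                                    f"collection {later['name']} (priority {later['priority']})")
    return findings
```

Running `audit_rule_collection_group(SAMPLE_RCG)` reports the AllowAll/AnyAny rule and notes that it shadows the DenyTelnet collection, while the scoped AllowWeb collection is left alone.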

Next Steps