Azure Firewall
Last updated: October 26, 2023
Introduction to Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Azure Firewall uses a static public IP address for your virtual network resources, allowing external clients to connect to your services. It provides central network security policy enforcement and threat intelligence that can block known malicious IP addresses and domains.

Key Features
- High Availability and Scalability: Built-in redundancy and ability to scale to handle demanding workloads.
- Stateful Firewall: Tracks the state of active network connections and makes security decisions based on the context of the traffic.
- Network and Application Rule Processing: Supports both network rules (IP, port, protocol) and application rules (FQDNs, FQDN tags) for granular control.
- Threat Intelligence-Based Filtering: Automatically blocks traffic to and from known malicious IP addresses and domains, sourced from Microsoft's Threat Intelligence.
- Centralized Logging and Monitoring: Integrates with Azure Monitor and Log Analytics for comprehensive security auditing and analysis.
- Policy Management: Define and manage firewall rules centrally across multiple VNets.
- SNAT Support: Automatically translates private IP addresses to the firewall's public IP address for outbound traffic.
- DNAT Support: Translates public IP addresses and ports to private IP addresses and ports for inbound traffic.
Architecture Overview
Azure Firewall is deployed in a dedicated subnet called AzureFirewallSubnet within your virtual network. It acts as a central network security hub, inspecting traffic between your subnets and between your virtual network and the internet.
It can be deployed in hub-and-spoke or VNet-peered architectures. In a hub-and-spoke topology, Azure Firewall in the hub VNet can protect resources in multiple spoke VNets.
Components:
- Firewall Policy: Defines network and application rules, DNAT rules, and threat intelligence settings.
- Network Rules: Filter traffic based on source/destination IP address, port, and protocol.
- Application Rules: Filter HTTP/S traffic based on fully qualified domain names (FQDNs) and FQDN tags.
- DNAT Rules: Used for inbound traffic translation (port forwarding).
- Threat Intelligence: Leverages Microsoft's threat intelligence feeds to identify and block malicious traffic.
Deployment and Configuration
Deploying Azure Firewall can be done through the Azure portal, Azure CLI, PowerShell, or ARM templates.
Key steps typically include:
- Creating a dedicated subnet named AzureFirewallSubnet in your virtual network.
- Deploying the Azure Firewall resource into this subnet.
- Configuring route tables to force network traffic through the Azure Firewall.
- Defining Firewall Policies with Network, Application, and DNAT rules.
Example: Creating a Network Rule using Azure CLI
# The 'az network firewall' command group ships in the azure-firewall CLI extension.
az extension add --name azure-firewall
# Creating the first rule in a collection also creates the collection, so the
# collection's --priority and --action are required on that first call.
az network firewall network-rule create \
  --collection-name AllowDns \
  --name Allow-Google-DNS \
  --firewall-name MyFirewall \
  --resource-group MyResourceGroup \
  --priority 100 \
  --action Allow \
  --protocols TCP UDP \
  --source-addresses '*' \
  --destination-addresses '8.8.8.8' \
  --destination-ports '53'
Management and Monitoring
Azure Firewall integrates seamlessly with Azure Monitor and Azure Sentinel for comprehensive logging, alerting, and analysis.
You can view firewall logs, analyze traffic patterns, and set up alerts for suspicious activities directly within the Azure portal.
Log Categories:
- AzureFirewallNetworkRule: Logs network rule processing.
- AzureFirewallApplicationRule: Logs application rule processing.
- AzureFirewallDnatRule: Logs DNAT rule processing.
- AzureFirewallThreatIntelRule: Logs threat intelligence rule hits.
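As an added example (not code from this page or from Microsoft's tooling), the Python below parses the classic diagnostic `msg` text that the network and application rule categories emit and aggregates repeated denies per source, destination and port, the kind of check you would run before writing an alert rule. The log lines are constructed samples, and the message layout ("<protocol> request from <src>:<port> to <dst>:<port>. Action: ... ") is assumed to match the classic format, including the "No rule matched. Proceeding with default action" variant for default-action denies.

```python
import re
from collections import Counter

# Constructed sample lines in the style of the classic Azure Firewall
# diagnostic "msg" field for the NetworkRule and ApplicationRule categories.
SAMPLE_LOGS = [
    "TCP request from 10.0.1.4:49152 to 8.8.8.8:53. Action: Allow. Rule Collection: AllowDns. Rule: Allow-Google-DNS",
    "UDP request from 10.0.1.4:49153 to 8.8.8.8:53. Action: Allow. Rule Collection: AllowDns. Rule: Allow-Google-DNS",
    "TCP request from 10.0.1.7:51000 to 203.0.113.9:4444. Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.0.1.7:51002 to example.net:443. Action: Deny. No rule matched. Proceeding with default action",
    "HTTPS request from 10.0.1.4:51010 to www.microsoft.com:443. Action: Allow. Rule Collection: AllowWeb. Rule: AllowMs",
    "TCP request from 10.0.1.7:51011 to 203.0.113.9:4444. Action: Deny. No rule matched. Proceeding with default action",
]

# Two tails are accepted: an explicit rule hit, or the default-action fallback.
LOG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\. "
    r"(?:Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>.+)"
    r"|No rule matched\. Proceeding with default action)$"
)


def parse_line(line):
    """Return a dict for one msg line, or None if the line is not in the expected format."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # No collection/rule name means the firewall fell through to its default action.
    rec["default_action"] = rec["collection"] is None
    return rec


def deny_summary(lines, threshold=2):
    """Count Deny entries per (source, destination, port) and keep those at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            counts[(rec["src"], rec["dst"], rec["dport"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (src, dst, port), n in deny_summary(SAMPLE_LOGS).items():
        print(f"{src} -> {dst}:{port} denied {n} times")
```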
Common Use Cases
- Centralized Network Security: Enforcing consistent security policies across multiple VNets in a hub-and-spoke topology.
- Protecting PaaS Services: Securing access to PaaS services like Azure SQL Database or Azure Storage from within your VNet.
- Web Filtering: Controlling outbound web access by allowing or denying specific websites or categories of websites.
- Threat Protection: Blocking connections to known command-and-control servers or malicious websites.
- Secure Remote Access: Enabling secure inbound access to specific applications through DNAT rules.
Next Steps
Ready to implement Azure Firewall in your environment?