Introduction to Azure Firewalls
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a managed, cloud-based network security service that protects your virtual network resources in Azure. It acts as a managed, cloud-based firewall, offering your virtual network traffic filtering.
What is Azure Firewall?
Azure Firewall is a stateful firewall as a service (FWaaS) that runs in the cloud. It provides network traffic filtering and threat intelligence-based blocking to protect your cloud resources. It supports network and application level filtering with the ability to define rules to allow or deny traffic to and from your Azure resources.
Key Features of Azure Firewall
- High Availability and Scalability: Built-in redundancy and automatic scaling to meet your network demands.
- Threat Intelligence-based Filtering: Helps protect against known exploits and vulnerabilities.
- Network Rule Processing: Allows or denies traffic based on IP address, port, and protocol.
- Application Rule Processing: Allows or denies traffic based on fully qualified domain names (FQDNs) and allows for wildcard usage.
- TLS Inspection: Decrypts outbound traffic for inspection and then re-encrypts it before sending it to its destination.
- Centralized Logging and Monitoring: Integrates with Azure Monitor for comprehensive visibility.
- Global Distribution: Deploy firewalls in multiple regions for consistent security.
Common Use Cases
- Hub-and-Spoke Architectures: Centralized security enforcement for traffic flowing between VNets and on-premises networks.
- Web Application Filtering: Protecting web applications from common exploits by filtering based on FQDNs.
- Denial of Service (DoS) Protection: Blocking known malicious IP addresses and preventing unauthorized access.
- Secure Remote Access: Controlling traffic to and from virtual machines and other resources.
Deployment Options
Azure Firewall can be deployed in various network topologies. The most common include:
- Single VNet: Deploying Azure Firewall in the same VNet as your protected resources.
- Hub-and-Spoke: Deploying Azure Firewall in a central hub VNet to protect multiple spoke VNets.
- Multi-Cloud/Hybrid: Integrating Azure Firewall with on-premises networks and other cloud environments.
Getting Started and Next Steps
To effectively utilize Azure Firewall, consider the following:
- Understand Concepts: Familiarize yourself with the core concepts, including firewall policies, rules, and collections. Read more about Azure Firewall Concepts.
- Plan Your Deployment: Determine the best architecture for your needs and identify the necessary firewall rules. Explore Azure Firewall Deployment options.
- Configure and Manage: Learn how to create, configure, and manage firewall policies and rules. See management guides.
- Review Best Practices: Understand recommended configurations and security best practices. View best practices.
Example: Creating a Network Rule
Below is an example of how you might define a network rule to allow outbound HTTP traffic to a specific FQDN.
{
"name": "AllowHttpToContoso",
"properties": {
"ruleType": "NetworkRule",
"ipProtocols": ["TCP"],
"sourceAddresses": ["*"],
"destinationAddresses": ["*.contoso.com"],
"destinationPorts": ["80"],
"priority": 200
}
}
Example: Creating an Application Rule
An example of an application rule to allow access to specific websites:
{
"name": "AllowSpecificWebsites",
"properties": {
"ruleType": "ApplicationRule",
"protocols": [{
"protocolType": "Https",
"port": 443
}],
"sourceAddresses": ["10.1.0.0/24"],
"destinationAddresses": ["*.microsoft.com", "*.azure.com"],
"webCategories": ["Blogging"],
"priority": 300
}
}