Microsoft Azure

Documentation for Network Virtual Appliances

Azure Firewall

Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

Key Features

  • Policy-based application and network traffic filtering: You can centrally create, deploy, and manage firewall policies across your subscriptions and virtual networks.
  • Diagnostic Logging: Network rule, application rule, DNS proxy and threat-intelligence logs for traffic the firewall handles can be sent to a Log Analytics workspace, a storage account or an event hub through diagnostic settings, for audit and analysis.
  • Azure Firewall Premium: Provides advanced threat protection features such as TLS inspection, intrusion detection and prevention system (IDPS), and enhanced URL filtering.
  • Network Rules: Filter traffic to and from resources in a virtual network based on IP address, port, and protocol.
  • Application Rules: Filter outbound HTTP, HTTPS and MSSQL traffic from a subnet based on the fully qualified domain name (FQDN) of the target, including wildcard FQDNs and FQDN tags for well-known Microsoft services.
  • High Availability and Scalability: Azure Firewall is a managed service that offers built-in high availability and can scale automatically to meet your network demands.

Scenarios

Azure Firewall is ideal for various network security scenarios, including:

  • Protecting virtual machine deployments in a hub-and-spoke topology.
  • Securing Internet-bound traffic from subnets.
  • Filtering traffic between virtual networks.
  • Centralized network security management.

Deployment

Deploying Azure Firewall involves several steps:

  1. Create a subnet named exactly AzureFirewallSubnet (at least /26) in the hub virtual network; the name is mandatory and the subnet must contain nothing but the firewall. The Basic SKU and forced tunneling additionally require an AzureFirewallManagementSubnet.
  2. Deploy the Azure Firewall resource in the same region as the virtual network, attached to a Firewall Policy that will hold its rules.
  3. Configure network and application rules in the policy to define your security policies; traffic that matches no rule is denied.
  4. Create a route table with a 0.0.0.0/0 route whose next hop type is Virtual appliance and whose next hop address is the firewall's private IP, and associate it with each spoke or workload subnet. Without this route, traffic simply bypasses the firewall.

Pro Tip: For advanced threat protection, consider using Azure Firewall Premium and integrating it with Microsoft Defender for Cloud (formerly Azure Security Center) for continuous security monitoring and threat detection.

Rule Types

Network Rules

Network rules filter at layers 3 and 4: IP addresses (or IP groups), ports and protocols (TCP, UDP, ICMP, Any). They are evaluated before application rules and a match is terminating, so the example below, which allows TCP/443 from 10.0.1.0/24 to any destination, lets that subnet reach every TLS endpoint on the Internet, and no application rule will ever narrow it. The example is the body of a Firewall Policy rule collection group; the collection's action applies to all of its rules:

{
    "properties": {
        "priority": 200,
        "ruleCollections": [
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "AllowOutbound",
                "priority": 200,
                "action": { "type": "Allow" },
                "rules": [
                    {
                        "ruleType": "NetworkRule",
                        "name": "AllowHTTPS",
                        "ipProtocols": ["TCP"],
                        "sourceAddresses": ["10.0.1.0/24"],
                        "destinationAddresses": ["*"],
                        "destinationPorts": ["443"]
                    }
                ]
            }
        ]
    }
}

Application Rules

Application rules filter outbound HTTP, HTTPS and MSSQL traffic by the FQDN the client asks for (the HTTP Host header, or the TLS Server Name Indication for HTTPS), which gives more granular control over web access than an IP-based network rule. They are evaluated only after no network rule has matched. Each protocol entry must carry a port; with Azure Firewall Premium, adding "terminateTLS": true to a rule turns on TLS inspection for it. A wildcard such as *.office.com matches hosts under office.com; if the bare office.com itself must be reachable, list it explicitly:

{
    "properties": {
        "priority": 100,
        "ruleCollections": [
            {
                "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
                "name": "AllowWebAccess",
                "priority": 100,
                "action": { "type": "Allow" },
                "rules": [
                    {
                        "ruleType": "ApplicationRule",
                        "name": "AllowMicrosoft365",
                        "protocols": [{"protocolType": "Https", "port": 443}],
                        "sourceAddresses": ["10.0.2.0/24"],
                        "targetFqdns": ["*.microsoftonline.com", "*.office.com"]
                    }
                ]
            }
        ]
    }
}
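To make the evaluation order of network and application rules concrete, here is an added Python simulation that is not part of the Azure documentation or of any Azure tooling. It merges the two rule collections above into one rule collection group and evaluates constructed flows the way Azure Firewall does: network rules before application rules whatever the collection priorities, collections in ascending priority, first match terminates, implicit deny. The flow dictionary format, the l7 key, and the reading of a leading "*." as subdomain-only are this script's own assumptions, and the deny-before-allow tie-break for collections of equal priority is not modelled. It also reports network rules whose "*" destination lets traffic bypass FQDN filtering, which is exactly what the AllowHTTPS rule above does for 10.0.1.0/24.

```python
"""Offline simulation of Azure Firewall Policy rule evaluation (added example)."""
import ipaddress

# Constructed input: the page's two rule collections merged into the body of one
# Microsoft.Network/firewallPolicies/ruleCollectionGroups resource.
RULE_COLLECTION_GROUP = {
    "priority": 100,
    "ruleCollections": [
        {
            "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": "AllowWebAccess", "priority": 100, "action": {"type": "Allow"},
            "rules": [{
                "ruleType": "ApplicationRule", "name": "AllowMicrosoft365",
                "protocols": [{"protocolType": "Https", "port": 443}],
                "sourceAddresses": ["10.0.2.0/24"],
                "targetFqdns": ["*.microsoftonline.com", "*.office.com"],
            }],
        },
        {
            "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": "AllowOutbound", "priority": 200, "action": {"type": "Allow"},
            "rules": [{
                "ruleType": "NetworkRule", "name": "AllowHTTPS",
                "ipProtocols": ["TCP"], "sourceAddresses": ["10.0.1.0/24"],
                "destinationAddresses": ["*"], "destinationPorts": ["443"],
            }],
        },
    ],
}

def _addr_match(addr, patterns):
    """IP against CIDRs or single IPs; "*" matches anything."""
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)

def _port_match(port, patterns):
    """Port against entries such as "443", "8000-8080" or "*"."""
    for p in patterns:
        if p == "*":
            return True
        lo, _, hi = p.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def _fqdn_match(fqdn, patterns):
    """FQDN against targetFqdns. Assumption made here: a leading "*." covers
    subdomains only, so "*.office.com" does not match the apex "office.com"."""
    fqdn = fqdn.lower().rstrip(".")
    return any((p.startswith("*.") and fqdn.endswith(p[1:])) or fqdn == p
               for p in (q.lower() for q in patterns))

def _network_rule_matches(rule, flow):
    protos = [p.lower() for p in rule["ipProtocols"]]
    return (("any" in protos or flow["proto"].lower() in protos)
            and _addr_match(flow["src"], rule["sourceAddresses"])
            and _addr_match(flow["dst"], rule.get("destinationAddresses", []))
            and _port_match(flow["port"], rule["destinationPorts"]))

def _application_rule_matches(rule, flow):
    # Application rules key on the HTTP Host header or TLS SNI; no FQDN, no match.
    if not flow.get("fqdn"):
        return False
    proto_ok = any(p["protocolType"].lower() == flow.get("l7", "").lower()
                   and p["port"] == flow["port"] for p in rule["protocols"])
    return (proto_ok and _addr_match(flow["src"], rule["sourceAddresses"])
            and _fqdn_match(flow["fqdn"], rule.get("targetFqdns", [])))

def evaluate(group, flow):
    """Verdict for one flow (keys: src, dst, port, proto, plus fqdn and l7 for web traffic).
    Network rules run before application rules whatever the collection priorities;
    collections are walked by ascending priority; first match terminates; default deny."""
    matchers = {"NetworkRule": _network_rule_matches, "ApplicationRule": _application_rule_matches}
    collections = sorted(group["ruleCollections"], key=lambda c: c["priority"])
    for rule_type in ("NetworkRule", "ApplicationRule"):
        for coll in collections:
            if coll["ruleCollectionType"] != "FirewallPolicyFilterRuleCollection":
                continue  # NAT collections are outside this simulation
            for rule in coll["rules"]:
                if rule["ruleType"] == rule_type and matchers[rule_type](rule, flow):
                    return {"action": coll["action"]["type"], "collection": coll["name"], "rule": rule["name"]}
    return {"action": "Deny", "collection": None, "rule": None}

def broad_network_rules(group):
    """Allow network rules with destination "*": traffic they match is admitted
    before any application rule runs, so FQDN filtering never applies to it."""
    return [r["name"] for c in group["ruleCollections"] if c.get("action", {}).get("type") == "Allow"
            for r in c["rules"] if r["ruleType"] == "NetworkRule" and "*" in r.get("destinationAddresses", [])]

if __name__ == "__main__":
    # Constructed flows; 203.0.113.10 is a documentation address standing in for any host.
    for f in ({"src": "10.0.1.5", "fqdn": "evil.example"}, {"src": "10.0.2.5", "fqdn": "login.microsoftonline.com"},
              {"src": "10.0.2.5", "fqdn": "evil.example"}):
        print(f, evaluate(RULE_COLLECTION_GROUP, dict(f, dst="203.0.113.10", port=443, proto="TCP", l7="Https")))
    print("network rules that bypass FQDN filtering:", broad_network_rules(RULE_COLLECTION_GROUP))
```

Run as a script, the first flow is allowed by the AllowHTTPS network rule even though its SNI is not on any allow list, the second is allowed by the AllowMicrosoft365 application rule, and the third falls through to the implicit deny; the last line names AllowHTTPS as the rule that makes FQDN filtering irrelevant for 10.0.1.0/24. Tightening that rule to the specific destination prefixes the subnet actually needs, or removing it in favour of application rules, closes the gap.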
