Next-Generation Firewalls in Azure
This document provides an overview of Next-Generation Firewalls (NGFWs) and how they can be deployed and managed within the Microsoft Azure cloud platform.
What are Next-Generation Firewalls?
Next-Generation Firewalls (NGFWs) are advanced network security devices that combine traditional firewall capabilities with additional security features. These features typically include:
- Intrusion Prevention Systems (IPS): Detects and blocks malicious network traffic.
- Application Awareness: Identifies and controls applications, regardless of port or protocol.
- User Identity Awareness: Enforces security policies based on user identity.
- Advanced Threat Protection: Integrates with threat intelligence feeds and sandboxing technologies to protect against zero-day threats.
- SSL/TLS Decryption: Inspects encrypted traffic for malicious content.
NGFWs in Azure
Azure provides several options for deploying NGFWs to protect your virtual networks:
- Azure Firewall Premium: A cloud-native, stateful firewall as a service with advanced threat protection capabilities.
- Third-Party Network Virtual Appliances (NVAs): NGFWs from leading security vendors, deployed directly into your Azure virtual networks as virtual machines.
Azure Firewall Premium
Azure Firewall Premium offers robust security features for your virtual networks. Key capabilities include:
- TLS Inspection: Decrypts and inspects outbound and inbound TLS traffic.
- Intrusion Detection and Prevention System (IDPS): Provides network-level threat protection.
- Web Filtering: Allows you to control access to websites based on category.
- Advanced Malware Protection (AMP): Integrates with Microsoft Threat Intelligence for enhanced protection.
For detailed configuration and deployment guidance for Azure Firewall Premium, refer to the Azure Firewall Premium documentation.
Third-Party Network Virtual Appliances (NVAs)
Many leading security vendors offer their NGFW solutions as NVAs in the Azure Marketplace. These solutions provide a familiar interface and advanced features tailored to specific security needs.
Deploying third-party NVAs typically involves:
- Choosing an NVA from the Azure Marketplace.
- Deploying the NVA into your virtual network.
- Configuring routing to direct traffic through the NVA.
- Managing the NVA using the vendor's specific tools and interfaces.
Common vendors include Palo Alto Networks, Fortinet, Check Point, and others.
Deployment Topologies
Several common topologies exist for deploying NGFWs in Azure:
- Hub-and-Spoke: NGFWs are deployed in a central hub VNet, and traffic from spoke VNets is routed through the hub for inspection.
- Per-VNet Deployment: NGFWs are deployed directly within individual VNets to protect local resources.
- Edge Deployment: NGFWs are deployed at the network edge to protect traffic entering and leaving your Azure environment from on-premises or the internet.
Key Considerations
- Performance and Throughput: Ensure the chosen NGFW solution can handle your expected network traffic volume.
- High Availability (HA): Implement HA configurations to ensure continuous network security.
- Management and Orchestration: Consider how you will manage and orchestrate your NGFWs, especially in large deployments.
- Integration with Azure Services: Leverage Azure services like Azure Security Center and Azure Monitor for comprehensive security management.
Best Practices
- Always enable logging and monitoring for your NGFWs.
- Regularly update firewall rules and threat intelligence feeds.
- Segment your network to minimize the attack surface.
- Test your firewall configurations thoroughly.
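The first best practice above (enable logging and monitoring) only pays off if someone actually reads the logs. The following is an added example, not code from the original page or from any vendor's product: it parses constructed sample lines written in the style of Azure Firewall network-rule messages (the "<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny>." wording is assumed; real records are JSON and carry this text in a message field), counts denied flows per source and flags internal hosts whose denied traffic spread across several destinations. The sample lines, addresses and threshold are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Azure Firewall network-rule log messages
# (assumption: the "<proto> request from <src>:<port> to <dst>:<port>. Action: <Allow|Deny>."
# wording; real records are JSON and carry this text in a message field). The final
# line is deliberately malformed to show the parser skipping it.
SAMPLE_LOG = """\
TCP request from 10.1.0.4:51000 to 10.2.0.4:443. Action: Allow. Rule Collection: AllowWeb. Rule: allow-https
TCP request from 10.1.0.7:41000 to 198.51.100.10:22. Action: Deny. No rule matched. Proceeding with default action
TCP request from 10.1.0.7:41001 to 198.51.100.10:3389. Action: Deny. No rule matched. Proceeding with default action
UDP request from 10.1.0.4:53000 to 10.2.0.8:53. Action: Allow. Rule Collection: AllowDns. Rule: allow-dns
TCP request from 10.1.0.7:41002 to 198.51.100.11:22. Action: Deny. No rule matched. Proceeding with default action
garbage line that the parser should skip rather than crash on
"""

LOG_RE = re.compile(
    r"^(?P<proto>TCP|UDP) request from (?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)\."
)


def parse_lines(text):
    """Turn raw message lines into dicts; lines that do not match the expected shape are dropped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def denies_by_source(records):
    """How many denied flows each source address generated."""
    return Counter(r["src"] for r in records if r["action"] == "Deny")


def flag_noisy_sources(records, threshold):
    """Sources whose denied flows touched at least `threshold` distinct destination:port pairs.

    One internal host being denied against many different targets is the pattern
    worth a closer look; a single denied flow is usually just a misconfiguration.
    """
    targets = defaultdict(set)
    for r in records:
        if r["action"] == "Deny":
            targets[r["src"]].add((r["dst"], r["dport"]))
    return sorted(src for src, t in targets.items() if len(t) >= threshold)


if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LOG)
    print(f"parsed {len(recs)} records")
    print("denies per source:", dict(denies_by_source(recs)))
    print("sources to review:", flag_noisy_sources(recs, threshold=2))
```

In practice the same logic runs over log records exported to Azure Monitor (or a SIEM) rather than over a string literal, and the threshold is tuned to the environment; the point is that a deny in isolation is noise, while the same source being denied across several destinations is a signal that the firewall's logs make visible.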
Example Configuration Snippet (Conceptual)
Below is a conceptual example of how you might configure routing to send traffic through an NVA.
# Example Azure CLI commands (conceptual). <nva-private-ip> is a placeholder for the private IP
# of the NVA's internal interface; MyVnet and SpokeSubnet are placeholder names.
az network route-table create --name NvaRouteTable --resource-group MyResourceGroup
az network route-table route create --route-table-name NvaRouteTable --name ToNvaRoute \
  --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
  --next-hop-ip-address <nva-private-ip> --resource-group MyResourceGroup
# The route only takes effect once the table is associated with the spoke subnet
az network vnet subnet update --vnet-name MyVnet --name SpokeSubnet \
  --route-table NvaRouteTable --resource-group MyResourceGroup
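The routing step is where hub-and-spoke deployments most often go wrong: a more specific route that does not point at the NVA silently carves traffic out of inspection, and a default route on the NVA's own subnet that points back at the NVA creates a loop. The following is an added example, not code from the original page or from Azure's tooling: it audits route tables in the JSON shape that `az network route-table show -o json` returns (the field names addressPrefix, nextHopType and nextHopIpAddress are an assumption about that output), using constructed sample tables, an assumed firewall subnet of 10.0.1.0/24 and an assumed NVA address of 10.0.1.4. It covers both the spoke-side table and the NVA-subnet table, which goes beyond the single route shown above.

```python
import ipaddress
import json

# Constructed sample data. The JSON shape mirrors what `az network route-table show -o json`
# returns (assumption: field names "addressPrefix", "nextHopType" and "nextHopIpAddress").
HUB_FIREWALL_SUBNET = "10.0.1.0/24"  # assumed hub subnet hosting the NVA's trusted interface
NVA_PRIVATE_IP = "10.0.1.4"          # assumed private IP of that interface

SPOKE_ROUTE_TABLE = json.loads("""
{
  "name": "NvaRouteTable",
  "routes": [
    {"name": "ToNvaRoute", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"},
    {"name": "BypassToInternet", "addressPrefix": "203.0.113.0/24",
     "nextHopType": "Internet", "nextHopIpAddress": null}
  ]
}
""")

# A table mistakenly attached to the NVA's own subnet: its default route points at the NVA itself.
NVA_SUBNET_ROUTE_TABLE = json.loads("""
{
  "name": "NvaSubnetRouteTable",
  "routes": [
    {"name": "Default", "addressPrefix": "0.0.0.0/0",
     "nextHopType": "VirtualAppliance", "nextHopIpAddress": "10.0.1.4"}
  ]
}
""")


def audit_spoke_routes(route_table, nva_ip, nva_subnet):
    """Findings for a route table attached to a spoke subnet that should egress via the NVA."""
    findings = []
    nva_addr = ipaddress.ip_address(nva_ip)
    if nva_addr not in ipaddress.ip_network(nva_subnet):
        findings.append(f"NVA address {nva_ip} is not inside the firewall subnet {nva_subnet}")

    defaults = [r for r in route_table["routes"] if r["addressPrefix"] == "0.0.0.0/0"]
    if not defaults:
        findings.append("no 0.0.0.0/0 route: internet-bound traffic uses Azure's system route and bypasses the NVA")
    for r in defaults:
        if r["nextHopType"] != "VirtualAppliance":
            findings.append(f"{r['name']}: default route next hop is {r['nextHopType']}, not VirtualAppliance")
        elif ipaddress.ip_address(r["nextHopIpAddress"]) != nva_addr:
            findings.append(f"{r['name']}: default route points at {r['nextHopIpAddress']}, not the NVA {nva_ip}")

    # Azure picks the most specific prefix first, so any narrower route with a
    # non-appliance next hop silently carves that traffic out of inspection.
    for r in route_table["routes"]:
        if r["addressPrefix"] != "0.0.0.0/0" and r["nextHopType"] != "VirtualAppliance":
            findings.append(f"{r['name']}: {r['addressPrefix']} bypasses the NVA via {r['nextHopType']}")
    return findings


def audit_nva_subnet_routes(route_table, nva_ip):
    """A table on the NVA's own subnet must not send 0.0.0.0/0 back to the NVA (routing loop)."""
    return [
        f"{r['name']}: default route on the NVA subnet loops back to the NVA at {nva_ip}"
        for r in route_table["routes"]
        if r["addressPrefix"] == "0.0.0.0/0"
        and r["nextHopType"] == "VirtualAppliance"
        and r.get("nextHopIpAddress") == nva_ip
    ]


if __name__ == "__main__":
    for finding in audit_spoke_routes(SPOKE_ROUTE_TABLE, NVA_PRIVATE_IP, HUB_FIREWALL_SUBNET):
        print("spoke:", finding)
    for finding in audit_nva_subnet_routes(NVA_SUBNET_ROUTE_TABLE, NVA_PRIVATE_IP):
        print("nva subnet:", finding)
```

Run against the sample tables, the spoke audit reports the 203.0.113.0/24 route as a bypass (it may be intentional, but it should be a deliberate decision, not an accident), and the NVA-subnet audit reports the loop. In a real environment the JSON comes from the CLI for every route table in the hub and spokes, and the same checks run in a pipeline after each routing change; this is the "test your firewall configurations thoroughly" practice applied to the routing that decides whether the firewall sees traffic at all.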
For more information on securing your Azure network infrastructure, explore the full Azure Networking documentation.