Azure Firewall Manager is a network security service that allows you to centrally deploy, manage, and monitor your Azure Firewall and Azure Virtual WAN firewall policies across your organization.
Note: Azure Firewall Manager provides a hierarchical approach to security policy management, enabling you to define security rules at a higher scope (e.g., management group or subscription) and inherit them to lower scopes.
What is Azure Firewall Manager?
Azure Firewall Manager helps you to:
- Centrally manage firewall policies: Define and manage security rules, network rules, and application rules in a single pane of glass.
- Deploy firewalls at scale: Deploy Azure Firewall instances in various network topologies, including Hub-and-Spoke and Traditional (Transitive).
- Secure virtual networks: Enforce security policies consistently across your Azure and hybrid environments.
- Monitor security posture: Gain insights into firewall activity, threat intelligence, and compliance status.
Key Concepts
Firewall Policies
Firewall policies are the core of Azure Firewall Manager. They contain the security rules that are applied to your firewalls. You can create:
- Global Firewall Policies: Applied to multiple Azure Firewall instances across different regions and subscriptions.
- Dedicated Firewall Policies: Applied to a single Azure Firewall instance.
Security Rules
Security rules define what traffic is allowed or denied. They are categorized into:
- Network Rules: Filter traffic based on IP address, port, and protocol.
- Application Rules: Filter traffic based on FQDN, application, and protocol.
- NAT Rules: Translate public IP addresses and ports to private IP addresses and ports.
Tip: When designing your firewall policies, consider a 'deny by default' approach and explicitly allow only the necessary traffic.
Use Cases
- Centralized Security for Hub-and-Spoke Networks: Deploy a centralized Azure Firewall in a hub VNet to inspect traffic flowing between spokes and to/from the internet.
- Securing Workload VNets: Apply consistent security policies to VNet deployments, regardless of their location.
- Compliance Requirements: Ensure your network traffic adheres to industry regulations and compliance standards by enforcing granular security controls.
- Threat Prevention: Leverage Azure Firewall's threat intelligence feeds to block known malicious IPs and domains.
Getting Started with Azure Firewall Manager
To start using Azure Firewall Manager, you typically follow these steps:
- Create a Firewall Policy: Define your security rules, including network, application, and NAT rules.
- Create a Firewall Manager (if you don't have one already).
- Associate Firewall Policy with Virtual Hubs or Firewalls: Link your policy to the desired network resources.
- Configure Route Tables: Ensure traffic is directed to the Azure Firewall for inspection.
For detailed configuration steps, refer to the following resources:
- Quickstart: Deploy a global firewall policy using Azure Firewall Manager
- Scenario: Perimeter network with Azure Firewall Manager and Azure Virtual WAN
Here's an example of a filter rule collection containing a single network rule, in the schema a firewall policy rule collection group expects (the collection carries the action; each rule lists its IP protocols, sources, destinations, and ports):
{
  "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
  "name": "Allow_Web_Traffic",
  "priority": 200,
  "action": { "type": "Allow" },
  "rules": [
    {
      "ruleType": "NetworkRule",
      "name": "Allow_HTTP_HTTPS",
      "ipProtocols": ["TCP"],
      "sourceAddresses": ["*"],
      "destinationAddresses": ["*"],
      "destinationPorts": ["80", "443"],
      "description": "Allow all outbound HTTP and HTTPS traffic"
    }
  ]
}
Because both the source and the destination are wildcards, this rule permits any inspected host to reach any address on ports 80 and 443; in a deny-by-default design you would narrow the source to the spoke address ranges that actually need web egress.
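As an added check that is not part of the original page, the following Python lints a rule collection group (in the ARM schema used by Microsoft.Network/firewallPolicies/ruleCollectionGroups) for Allow network rules whose source and destination are both wildcards, the pattern the deny-by-default tip above argues against. The sample document is constructed for this example and deliberately reproduces the page's wildcard rule so that it is flagged; the function names are mine.

```python
import json

# Constructed sample rule collection group in the ARM schema of
# Microsoft.Network/firewallPolicies/ruleCollectionGroups. The first
# collection reproduces the page's example; the others are scoped or deny.
SAMPLE_RCG = json.loads("""{
  "name": "DefaultNetworkRuleCollectionGroup",
  "properties": {"priority": 200, "ruleCollections": [
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
     "name": "Allow_Web_Traffic", "priority": 200, "action": {"type": "Allow"},
     "rules": [{"ruleType": "NetworkRule", "name": "Allow_HTTP_HTTPS",
                "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
                "destinationAddresses": ["*"], "destinationPorts": ["80", "443"]}]},
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
     "name": "Allow_Spoke_DNS", "priority": 300, "action": {"type": "Allow"},
     "rules": [{"ruleType": "NetworkRule", "name": "Spoke_To_Hub_DNS",
                "ipProtocols": ["UDP"], "sourceAddresses": ["10.1.0.0/16"],
                "destinationAddresses": ["10.0.0.4"], "destinationPorts": ["53"]}]},
    {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
     "name": "Deny_All", "priority": 65000, "action": {"type": "Deny"},
     "rules": [{"ruleType": "NetworkRule", "name": "Deny_Everything",
                "ipProtocols": ["Any"], "sourceAddresses": ["*"],
                "destinationAddresses": ["*"], "destinationPorts": ["*"]}]}
  ]}
}""")


def is_wildcard(values):
    """True when a source/destination list is empty or contains the '*' wildcard."""
    return not values or any(str(v).strip() == "*" for v in values)


def find_broad_allows(rcg):
    """Return 'collection/rule' names of Allow network rules whose source and
    destination are both wildcards. Deny collections and NAT collections are
    skipped; a wildcard on only one side is considered scoped enough here."""
    hits = []
    for coll in rcg["properties"]["ruleCollections"]:
        if (coll.get("ruleCollectionType") != "FirewallPolicyFilterRuleCollection"
                or coll.get("action", {}).get("type") != "Allow"):
            continue
        for rule in coll.get("rules", []):
            if rule.get("ruleType") != "NetworkRule":
                continue
            src = rule.get("sourceAddresses", []) + rule.get("sourceIpGroups", [])
            dst = (rule.get("destinationAddresses", []) + rule.get("destinationIpGroups", [])
                   + rule.get("destinationFqdns", []))
            if is_wildcard(src) and is_wildcard(dst):
                hits.append(f"{coll['name']}/{rule['name']}")
    return hits


if __name__ == "__main__":
    for finding in find_broad_allows(SAMPLE_RCG):
        print("broad allow rule:", finding)
```

Run it against an exported rule collection group (for example the output of az network firewall policy rule-collection-group show) to review a policy before deploying it.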