Azure Virtual WAN Networking

Comprehensive documentation and guides for building and managing your cloud network.

Managing Azure Firewall Policies with Virtual WAN

This guide provides detailed instructions on how to effectively manage Azure Firewall policies within your Azure Virtual WAN environment. Azure Firewall policies are central to defining and enforcing security rules across your virtual network resources.

What are Azure Firewall Policies?

Azure Firewall policies are a collection of security rules that control traffic flow to and from your Azure resources. They are essential for implementing a robust security posture, allowing you to granularly define what traffic is permitted or denied.

Key Concepts for Policy Management

Creating and Managing Firewall Policies

You can manage Azure Firewall policies through the Azure portal, Azure CLI, PowerShell, or ARM templates.

Using the Azure Portal

  1. Navigate to the Virtual WAN resource in the Azure portal.
  2. In the left-hand menu, select Azure Firewall under the Security + networking section.
  3. Choose the specific Azure Firewall instance you want to manage.
  4. Select Policies from the left-hand menu.
  5. Click + Create policy to create a new policy, or select an existing one to edit.
  6. Within a policy, you can manage Rule collections, Threat intelligence, and IP groups.

Azure CLI Example: Creating a Network Rule Collection

# Assumes a rule collection group named MyRuleCollectionGroup already exists in the policy
# (create one with: az network firewall policy rule-collection-group create).
# '*' for both source and destination allows TCP/80 from anywhere to anywhere; narrow both to the ranges you need.
az network firewall policy rule-collection-group collection add-filter-collection \
    --policy-name MyFirewallPolicy \
    --resource-group MyResourceGroup \
    --rule-collection-group-name MyRuleCollectionGroup \
    --name AllowWebTraffic \
    --collection-priority 200 \
    --action Allow \
    --rule-name AllowHTTP \
    --rule-type NetworkRule \
    --ip-protocols TCP \
    --source-addresses '*' \
    --destination-addresses '*' \
    --destination-ports 80

Azure CLI Example: Creating an Application Rule Collection

# An application rule targets exactly one of --target-fqdns, --fqdn-tags, --target-urls or --web-categories;
# an Office 365 FQDN tag via --fqdn-tags is the alternative to the explicit FQDN used here.
az network firewall policy rule-collection-group collection add-filter-collection \
    --policy-name MyFirewallPolicy \
    --resource-group MyResourceGroup \
    --rule-collection-group-name MyRuleCollectionGroup \
    --name AllowAppTraffic \
    --collection-priority 100 \
    --action Allow \
    --rule-name AllowMicrosoft365 \
    --rule-type ApplicationRule \
    --protocols Http=80 \
    --source-addresses 10.0.1.0/24 \
    --target-fqdns '*.office365.com'

Best Practices for Policy Management

Tip: Regularly review and audit your firewall policies to ensure they align with your security requirements and remove any outdated or unnecessary rules.
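The review in the tip can be scripted. As an added example (not from this guide or the Azure documentation), the following Python reads the JSON returned by `az network firewall policy rule-collection-group list --policy-name ... --resource-group ...` and flags Allow rules whose source, destination, ports or target FQDN are wildcards; the sample input is constructed here and assumes the CLI's flattened output layout.

```python
"""Audit Azure Firewall policy rule collection groups for overly broad Allow rules."""
import json

# Constructed sample shaped like `az network firewall policy rule-collection-group list`
# output (assumption: the CLI's flattened layout); names match the CLI examples above.
SAMPLE_GROUPS = json.dumps([{
    "name": "MyRuleCollectionGroup", "priority": 100,
    "ruleCollections": [
        {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
         "name": "AllowWebTraffic", "priority": 200, "action": {"type": "Allow"},
         "rules": [{"ruleType": "NetworkRule", "name": "AllowHTTP",
                    "ipProtocols": ["TCP"], "sourceAddresses": ["*"],
                    "destinationAddresses": ["*"], "destinationPorts": ["80"]}]},
        {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
         "name": "AllowAppTraffic", "priority": 100, "action": {"type": "Allow"},
         "rules": [{"ruleType": "ApplicationRule", "name": "AllowMicrosoft365",
                    "protocols": [{"protocolType": "Http", "port": 80}],
                    "sourceAddresses": ["10.0.1.0/24"],
                    "targetFqdns": ["*.office365.com"]}]},
    ],
}])


def audit_rule_collection_groups(groups_json):
    """Return (group, collection, rule, reason) tuples for wildcard Allow rules."""
    findings = []
    for group in json.loads(groups_json):
        for coll in group.get("ruleCollections", []):
            if coll.get("action", {}).get("type") != "Allow":
                continue  # only Allow collections can widen exposure
            for rule in coll.get("rules", []):
                reasons = []
                if "*" in rule.get("sourceAddresses", []):
                    reasons.append("source is any")
                if rule["ruleType"] == "NetworkRule":
                    if "*" in rule.get("destinationAddresses", []):
                        reasons.append("destination is any")
                    if "*" in rule.get("destinationPorts", []):
                        reasons.append("all destination ports")
                elif rule["ruleType"] == "ApplicationRule" and "*" in rule.get("targetFqdns", []):
                    reasons.append("target FQDN is wildcard")
                if reasons:
                    findings.append((group["name"], coll["name"], rule["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for g, c, r, why in audit_rule_collection_groups(SAMPLE_GROUPS):
        print(f"{g}/{c}/{r}: {why}")
```

To run it against a real policy, pass the output of `az network firewall policy rule-collection-group list -o json` to `audit_rule_collection_groups` instead of the sample.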

Advanced Scenarios

Explore advanced topics such as integrating with Network Security Groups (NSGs), managing policies for multiple Virtual Hubs, and using Azure Policy for governance.

Further Reading