Azure Firewall Integration with Virtual WAN

This document details how to integrate Azure Firewall with Azure Virtual WAN to provide centralized network security and advanced threat protection for your virtual networks.

Key Benefits of Integration

• Centralized Security: Enforce consistent security policies across your entire virtual WAN environment from a single pane of glass.
• Threat Protection: Leverage built-in threat intelligence to detect and prevent malicious activities.
• Advanced Filtering: Apply granular network and application-level filtering.
• Network Address Translation (NAT): Configure DNAT and SNAT rules.
• Logging and Monitoring: Gain deep insights into traffic flows and security events.
• Scalability and High Availability: Azure Firewall is inherently scalable and highly available.

Deployment Scenarios

1. Firewall in a Hub Virtual Network

This is the most common scenario. Azure Firewall is deployed in the Virtual WAN hub's virtual network. All traffic from spokes, on-premises networks, and other connections transits through the hub and is inspected by the firewall.

Traffic Flow:

• Spoke VNet to Internet: Spoke VNet -> Virtual WAN Hub -> Azure Firewall -> Internet
• Spoke VNet to On-Premises: Spoke VNet -> Virtual WAN Hub -> Azure Firewall -> VPN/ExpressRoute Gateway -> On-Premises
• On-Premises to Spoke VNet: On-Premises -> VPN/ExpressRoute Gateway -> Virtual WAN Hub -> Azure Firewall -> Spoke VNet

To achieve this, you need to configure routing in your spoke virtual networks to direct traffic to the Virtual WAN hub. Azure Firewall is then configured within the hub to inspect this traffic.

2. Firewall in a Spoke Virtual Network (Less Common for Centralized Security)

While possible, deploying Azure Firewall in a spoke is generally not recommended for achieving centralized security for the entire WAN. It would typically be used to protect resources within that specific spoke.

Configuration Steps

Prerequisites:

• An existing Azure Virtual WAN resource.
• One or more connected virtual networks (spokes).
• Connectivity to on-premises networks (VPN or ExpressRoute) if required.

Steps:

1. Deploy Azure Firewall: Deploy an Azure Firewall instance within your Virtual WAN hub's virtual network. During deployment, associate it with the Virtual WAN hub.
2. Configure Hub Route Table: Ensure that the hub route table is configured to send traffic from spokes and other connections to the Azure Firewall's private IP address. This is typically achieved using a User Defined Route (UDR) or by leveraging Virtual WAN's automatic route propagation.
3. Configure Firewall Policies and Rules:
   • Network Rules: Control inbound and outbound traffic based on IP addresses, ports, and protocols.
   • Application Rules: Control HTTP/S traffic based on fully qualified domain names (FQDNs), FQDN tags, and application IDs.
   • NAT Rules: Configure destination network address translation (DNAT) for inbound connections and source network address translation (SNAT) for outbound connections.
4. Route Spoke Traffic: In each spoke virtual network, create a UDR that points the default route (0.0.0.0/0) to the Virtual WAN hub's IP address. The hub will then handle routing this traffic to the Azure Firewall for inspection. Alternatively, Virtual WAN's routing capabilities can often manage this automatically for standard transit routing.
5. Monitor and Audit: Utilize Azure Firewall's diagnostic logs and Azure Monitor to track security events, traffic flows, and performance.

Key Concepts

• Hub Firewall: Azure Firewall deployed within the Virtual WAN hub.
• Spoke VNet: A virtual network connected to the Virtual WAN hub.
• User Defined Routes (UDRs): Routes you define to control network traffic flow in Azure.
• Azure Firewall Policies: Centralized management for network and application rules.
• FQDN Tags: Pre-defined sets of FQDNs associated with Azure services (e.g., WindowsUpdate).

Further Reading

• What is Azure Firewall?
• About Azure Virtual WAN
• How to configure Azure Firewall in a Virtual WAN hub