Microsoft Docs

Azure Virtual WAN Firewall Integration

This document provides comprehensive guidance on integrating Azure Firewall with Azure Virtual WAN to enhance your network security posture. Learn how to centralize firewall management, enforce security policies, and protect your virtual network traffic.

Introduction to Azure Firewall in Virtual WAN

Azure Firewall is a cloud-native network security service that protects your virtual network resources. When deployed in a Virtual WAN hub, it acts as a centralized firewall for all traffic flowing through the hub, including traffic between VNets, VNet-to-Internet, and VNet-to-On-premises. This approach simplifies management and provides consistent security across your Azure network.

Key Benefits

• Centralized Security Policy: Define and enforce security rules from a single location.
• Traffic Filtering: Control inbound and outbound network traffic based on FQDNs, IP addresses, and application protocols.
• Threat Intelligence: Leverage Microsoft's threat intelligence feeds to block known malicious IPs and domains.
• Network Address Translation (NAT): Perform SNAT and DNAT for inbound and outbound connectivity.
• High Availability and Scalability: Built for resilience and can scale to meet your network demands.

Deploying Azure Firewall in a Virtual WAN Hub

Deploying Azure Firewall into your Virtual WAN hub is a critical step for centralizing security. This section outlines the deployment process and configuration considerations.

Deployment Steps:

1. Create a Virtual WAN Hub: If you don't already have one, provision a Virtual WAN hub.
2. Deploy Azure Firewall: Within the hub, select the Azure Firewall service and choose the desired tier (Standard or Premium).
3. Configure Hub Route Tables: Ensure that traffic destined for your VNets, the internet, or on-premises networks is routed through the Azure Firewall instance in the hub. This typically involves updating the default route table for VNet connections and any custom route tables used for traffic steering.
4. Associate VNets: Connect your spoke VNets to the Virtual WAN hub.

Configuration Best Practices:

• Use Azure Firewall Manager for centralized policy management across multiple Virtual WAN hubs.
• Define specific network rules to allow or deny traffic to specific FQDNs or IP addresses.
• Implement application rules for more granular control over application-level traffic.
• Configure NAT rules for managing outbound internet access and inbound access to specific services.

Configuring Firewall Rules

Effective security relies on robust firewall rule management. Azure Firewall offers network rules and application rules to precisely control traffic flow.

Network Rules:

Network rules operate at Layer 3 and Layer 4. They allow or deny traffic based on IP addresses, ports, and protocols.

• Source Type: IP Address, IP Group, Service Tag
• Protocol: TCP, UDP, ICMP, Any
• Destination Type: IP Address, IP Group, Service Tag, FQDN Tag
• Destination Port: Specific ports or port ranges

Example: Allowing outbound HTTPS traffic to a specific set of FQDN tags for software updates.

{
    "ruleCollection": "AllowWebAccess",
    "ruleCollectionType": "NetworkRule",
    "rules": [
        {
            "name": "AllowHTTPS_UpdateServers",
            "protocols": [ "TCP:443" ],
            "sourceAddresses": [ "*" ],
            "destinationFqdnTags": [ "WindowsUpdate", "MicrosoftUpdate" ]
        }
    ]
}
        

Application Rules:

Application rules operate at Layer 7 and allow you to filter traffic based on Fully Qualified Domain Names (FQDNs). This provides more context-aware security.

• Source Type: IP Address, IP Group
• Protocol: HTTP, HTTPS, Or both
• Target FQDNs: List of allowed FQDNs
• Web Categories: Block or allow access to predefined categories of websites.

Example: Allowing access to internal SharePoint sites while blocking general internet browsing.

{
    "ruleCollection": "AllowInternalApps",
    "ruleCollectionType": "ApplicationRule",
    "rules": [
        {
            "name": "AllowSharePoint",
            "protocols": [ "http:80", "https:443" ],
            "sourceAddresses": [ "10.1.0.0/16" ],
            "targetFqdns": [ "*.contoso.com", "*.sharepoint.internal" ]
        }
    ]
}
        

Advanced Security Features

Azure Firewall in Virtual WAN supports advanced features for comprehensive security management.

Threat Intelligence-Based Filtering

Enable threat intelligence-based filtering to automatically block traffic to and from known malicious IP addresses and domains, based on Microsoft's Threat Intelligence feed. This is a crucial defense layer.

Azure Firewall Private IP Address Functionality

Azure Firewall can be configured with a private IP address, allowing it to process traffic destined for private IP address ranges. This is essential for securing internal network communications.

Integration with Azure Security Center and Sentinel

Monitor your Azure Firewall logs and alerts within Azure Security Center for security posture management. Integrate logs with Azure Sentinel for advanced threat detection and response.