Azure Firewall
Azure Firewall is a cloud-native and intelligent network security service that protects your virtual network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
Key Features
- Built-in High Availability and Scalability: Azure Firewall is deployed as a managed service, offering high availability and automatic scaling to meet your needs.
- Network Traffic Filtering: Define granular rules to allow or deny network traffic based on source/destination IP addresses, ports, and protocols.
- Threat Intelligence-Based Filtering: Automatically block traffic to and from known malicious IP addresses and domains identified by Microsoft's Threat Intelligence.
- Centralized Logging and Analytics: Gain visibility into your network traffic and security events through comprehensive logging and integration with Azure Monitor and Sentinel.
- Application-Aware Filtering: Control outbound traffic based on application FQDNs (Fully Qualified Domain Names) without the need for static IPs.
- Web Category Filtering: Block or allow user access to broad categories of websites, such as social media, gambling, or adult content.
Deployment Scenarios
Azure Firewall can be deployed in various scenarios to protect your Azure and on-premises resources:
- Hub-and-Spoke Networks: Deploy Azure Firewall in a central hub virtual network (VNet) to filter traffic flowing between spokes, and between spokes and the internet or on-premises networks.
- Workload Protection: Deploy Azure Firewall directly in front of your applications to inspect and filter traffic to and from your application subnets.
- Internet Egress Control: Force all internet-bound traffic from your VNets through Azure Firewall for inspection and policy enforcement.
Azure Firewall SKUs
Azure Firewall offers different SKUs to suit your specific requirements:
| SKU | Features | Throughput | Advanced Features |
|---|---|---|---|
| Azure Firewall Standard | Stateful firewall, Network & Application rules, Threat Intelligence Filtering, Web Categories, SNAT support | Up to 30 Gbps | No |
| Azure Firewall Premium | All Standard features plus TLS inspection, Intrusion Detection and Prevention System (IDPS), Enhanced URL Filtering, URL Rewrite | Up to 100 Gbps | Yes |
Network and Application Rules
Azure Firewall uses two types of rules to manage traffic:
Network Rules
Network rules allow you to filter traffic based on Layer 3 (IP addresses) and Layer 4 (TCP/UDP ports) information. They are useful for filtering traffic to and from specific IP addresses, ranges, or services. The following Firewall Policy rule collection group (the body of a `ruleCollectionGroups` PUT) holds one filter rule collection with a single network rule that allows SSH from 10.0.1.0/24. Because `destinationAddresses` is `*`, the rule also permits SSH to internet destinations; in production, scope it to the address ranges that actually need to be reached.

```json
{
  "properties": {
    "priority": 200,
    "ruleCollections": [
      {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "name": "DefaultNetworkRuleCollection",
        "priority": 200,
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "ruleType": "NetworkRule",
            "name": "AllowSSH",
            "ipProtocols": [
              "TCP"
            ],
            "sourceAddresses": [
              "10.0.1.0/24"
            ],
            "destinationAddresses": [
              "*"
            ],
            "destinationPorts": [
              "22"
            ]
          }
        ]
      }
    ]
  }
}
```
Application Rules
Application rules allow you to filter outbound traffic based on FQDNs (Fully Qualified Domain Names) at Layer 7 (HTTP/HTTPS). This is useful for controlling access to specific web applications or services. For HTTP the FQDN is taken from the Host header, and for HTTPS from the TLS SNI. The following rule collection group allows clients in 10.0.2.0/24 to reach any host under `download.microsoft.com` on ports 80 and 443 (the wildcard `*.download.microsoft.com` matches subdomains only, not the bare `download.microsoft.com`).

```json
{
  "properties": {
    "priority": 100,
    "ruleCollections": [
      {
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "name": "DefaultAppRuleCollection",
        "priority": 100,
        "action": {
          "type": "Allow"
        },
        "rules": [
          {
            "ruleType": "ApplicationRule",
            "name": "AllowMicrosoftDownloadCenter",
            "protocols": [
              {
                "protocolType": "Http",
                "port": 80
              },
              {
                "protocolType": "Https",
                "port": 443
              }
            ],
            "sourceAddresses": [
              "10.0.2.0/24"
            ],
            "targetFqdns": [
              "*.download.microsoft.com"
            ]
          }
        ]
      }
    ]
  }
}
```
Note: Azure Firewall processes rule collection groups, and the rule collections inside them, in ascending order of their priority value, and the first matching rule decides the outcome; traffic that matches no rule is denied. Network rules are always processed before application rules, regardless of collection priority, so in the examples above the network rule collection group (priority 200) is still evaluated before the application rule collection group (priority 100), and a flow that matches a network rule is never evaluated against application rules.
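To make the evaluation order concrete, here is an added Python example (not Azure's own code or API) that walks the two rule collection groups from this page, network rules before application rules and then by ascending priority, with first match wins and an implicit deny. The policy fragment embedded below is constructed from the examples above in Firewall Policy form, and the `evaluate` function, its argument names and the sample addresses are assumptions made for this example.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample: the two rule collection groups from this page, in Firewall Policy form.
RCGS = [
    {"priority": 200, "ruleCollections": [{
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "priority": 200,
        "name": "DefaultNetworkRuleCollection", "action": {"type": "Allow"},
        "rules": [{"ruleType": "NetworkRule", "name": "AllowSSH", "ipProtocols": ["TCP"],
                   "sourceAddresses": ["10.0.1.0/24"], "destinationAddresses": ["*"],
                   "destinationPorts": ["22"]}]}]},
    {"priority": 100, "ruleCollections": [{
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection", "priority": 100,
        "name": "DefaultAppRuleCollection", "action": {"type": "Allow"},
        "rules": [{"ruleType": "ApplicationRule", "name": "AllowMicrosoftDownloadCenter",
                   "protocols": [{"protocolType": "Http", "port": 80},
                                 {"protocolType": "Https", "port": 443}],
                   "sourceAddresses": ["10.0.2.0/24"],
                   "targetFqdns": ["*.download.microsoft.com"]}]}]},
]

def _addr_match(addr, patterns):
    ip = ipaddress.ip_address(addr)
    return any(p == "*" or ip in ipaddress.ip_network(p, strict=False) for p in patterns)

def _port_match(port, patterns):  # entries are "*", one port, or a range like "8000-8080"
    for p in patterns:
        lo, _, hi = p.partition("-")
        if p == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _rule_matches(rule, src, dst_ip, dst_fqdn, port, proto):
    if rule["ruleType"] == "NetworkRule":
        return (proto in rule["ipProtocols"] and _addr_match(src, rule["sourceAddresses"]) and
                _addr_match(dst_ip, rule["destinationAddresses"]) and _port_match(port, rule["destinationPorts"]))
    # Application rules match the FQDN (HTTP Host header or TLS SNI) and the protocol port.
    return (rule["ruleType"] == "ApplicationRule" and dst_fqdn is not None
            and _addr_match(src, rule["sourceAddresses"]) and any(p["port"] == port for p in rule["protocols"])
            and any(fnmatch(dst_fqdn, f) for f in rule["targetFqdns"]))

def evaluate(rcgs, src, dst_ip, port, proto="TCP", dst_fqdn=None):
    """First match wins; returns (action, rule name), or ("Deny", None) for the implicit deny."""
    for rule_type in ("NetworkRule", "ApplicationRule"):  # network rules are always evaluated first
        for rcg in sorted(rcgs, key=lambda g: g["priority"]):  # then ascending priority value
            for rc in sorted(rcg["ruleCollections"], key=lambda c: c["priority"]):
                for rule in rc["rules"]:
                    if rule["ruleType"] == rule_type and _rule_matches(rule, src, dst_ip, dst_fqdn, port, proto):
                        return rc["action"]["type"], rule["name"]
    return "Deny", None
```

Adding a `Deny` network rule collection for port 443 at priority 300 shows the ordering caveat: it still wins over the priority-100 application allow, because network rules are evaluated first.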