MSDN Azure Networking Tutorials

What is Azure Firewall?

Azure Firewall is a cloud‑native, stateful firewall as a service with built‑in high availability and unrestricted cloud scalability. It protects your Azure Virtual Network resources from inbound and outbound traffic threats.

Prerequisites

Deploying Azure Firewall

Follow these steps to deploy a firewall instance using Azure CLI.

# Create a resource group
az group create --name MyFirewallRG --location eastus

# Create a Virtual Network (the firewall's subnet must be named AzureFirewallSubnet and be at least a /26)
az network vnet create \
  --resource-group MyFirewallRG \
  --name MyVNet \
  --address-prefix 10.0.0.0/16 \
  --subnet-name AzureFirewallSubnet \
  --subnet-prefix 10.0.1.0/24

# Deploy Azure Firewall
az network firewall create \
  --resource-group MyFirewallRG \
  --name MyFirewall \
  --location eastus

# Configure firewall IP configuration
az network firewall ip-config create \
  --resource-group MyFirewallRG \
  --firewall-name MyFirewall \
  --name fw-ipconfig \
  --vnet-name MyVNet \
  --public-ip-address $(az network public-ip create \
    --resource-group MyFirewallRG \
    --name MyFWPublicIP \
    --sku Standard \
    --query publicIp.id -o tsv)

Creating Network & Application Rules

Define rule collections to control traffic.

# Create a network rule collection to allow outbound HTTP/HTTPS
# Each rule needs a --name; the '*' wildcards are quoted so the shell does not glob-expand them.
# Note that this rule allows any source to any destination on 80/443, so it is deliberately broad.
az network firewall network-rule create \
  --resource-group MyFirewallRG \
  --firewall-name MyFirewall \
  --collection-name OutboundWeb \
  --name allow-web \
  --action Allow \
  --priority 100 \
  --protocols TCP \
  --source-addresses '*' \
  --destination-addresses '*' \
  --destination-ports 80 443

# Create an application rule collection to allow traffic to Microsoft sites
# Application rules also require a --name and a source (addresses or IP groups); the VNet range is used here.
az network firewall application-rule create \
  --resource-group MyFirewallRG \
  --firewall-name MyFirewall \
  --collection-name AllowMicrosoft \
  --name allow-msft \
  --action Allow \
  --priority 200 \
  --source-addresses 10.0.0.0/16 \
  --protocols Http=80 Https=443 \
  --target-fqdns www.microsoft.com login.microsoftonline.com

Monitoring & Logging

Enable diagnostic settings to stream logs to Log Analytics.

# Create Log Analytics workspace
az monitor log-analytics workspace create \
  --resource-group MyFirewallRG \
  --workspace-name FWLogWorkspace \
  --location eastus

# Link firewall diagnostics (target the firewall by its full resource ID so no resource type needs to be given)
FW_ID=$(az network firewall show \
  --resource-group MyFirewallRG \
  --name MyFirewall \
  --query id -o tsv)

az monitor diagnostic-settings create \
  --name FWDiag \
  --resource "$FW_ID" \
  --workspace $(az monitor log-analytics workspace show \
    --resource-group MyFirewallRG \
    --workspace-name FWLogWorkspace \
    --query id -o tsv) \
  --logs '[{"category":"AzureFirewallApplicationRule","enabled":true},{"category":"AzureFirewallNetworkRule","enabled":true}]' \
  --metrics '[{"category":"AllMetrics","enabled":true}]'
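
As an added example (not part of the original tutorial), a small Python parser for the legacy-format rule-log entries that the AzureFirewallNetworkRule and AzureFirewallApplicationRule categories stream to the workspace: it summarises allow/deny counts and flags sources with repeated denies. The record shape (message text under properties.msg) and the sample entries are constructed for illustration.

```python
import re
from collections import Counter
# Legacy text "msg" of the AzureFirewallNetworkRule / AzureFirewallApplicationRule
# categories, e.g. "TCP request from 10.0.2.4:49180 to 93.184.216.34:443. Action: Allow"
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+)\. Action: (?P<action>Allow|Deny)"
    r"(?:\. Rule Collection: (?P<collection>[^.]+)\. Rule: (?P<rule>[^.]+))?")
# Constructed sample records (not real traffic) in the raw diagnostic-log shape, text under properties.msg
DENY = ". Action: Deny. No rule matched. Proceeding with default action"
SAMPLE_RECORDS = [
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "TCP request from 10.0.2.4:49180 to 93.184.216.34:443. Action: Allow"}},
    {"category": "AzureFirewallApplicationRule", "properties": {"msg":
        "HTTPS request from 10.0.2.4:49181 to www.microsoft.com:443. Action: Allow. Rule Collection: AllowMicrosoft. Rule: allow-msft"}},
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "TCP request from 10.0.2.5:51000 to 203.0.113.7:22" + DENY}},
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "TCP request from 10.0.2.5:51001 to 203.0.113.7:3389" + DENY}},
    {"category": "AzureFirewallNetworkRule", "properties": {"msg":
        "UDP request from 10.0.2.5:51002 to 203.0.113.8:53" + DENY}},
]

def parse_msg(msg):
    """Parsed fields of one rule-log message, or None when the text does not match."""
    m = MSG_RE.match(msg)
    if m is None:
        return None
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

def summarize(records):
    """Count actions, denied (destination, port) pairs and denies per source address."""
    actions, denied_dsts, denies_by_src = Counter(), Counter(), Counter()
    for rec in records:
        parsed = parse_msg(rec.get("properties", {}).get("msg", ""))
        if parsed is None:
            continue  # unexpected format: skip rather than miscount
        actions[parsed["action"]] += 1
        if parsed["action"] == "Deny":
            denied_dsts[(parsed["dst"], parsed["dport"])] += 1
            denies_by_src[parsed["src"]] += 1
    return {"actions": dict(actions), "denied_destinations": denied_dsts, "denies_by_source": denies_by_src}

def noisy_sources(records, threshold=3):
    """Sources with at least `threshold` denies: worth checking for a misconfigured workload."""
    counts = summarize(records)["denies_by_source"]
    return sorted(src for src, n in counts.items() if n >= threshold)
```

In Log Analytics the same text is exposed as the msg_s column of AzureDiagnostics, so the regex applies unchanged to exported query results.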

Clean‑up

When finished, delete the resources to avoid charges.

az group delete --name MyFirewallRG --yes --no-wait

Quick FAQ
  • Can I use a single firewall for multiple VNets? Yes, by peering VNets to the firewall’s hub network.
  • Is there a free tier? Azure Firewall is billed per deployment; no free tier exists.
  • How does scaling work? Azure Firewall scales automatically based on traffic volume.