Azure Firewall is a fully managed, cloud-native network security service from Microsoft designed to protect Azure Virtual Network resources by filtering both inbound and outbound traffic with high availability and unlimited scalability.
Azure Firewall operates as a stateful firewall-as-a-service within the Azure cloud, meaning it tracks the state of network connections and makes intelligent security decisions based on that context. It inspects both east-west traffic (within the same network) and north-south traffic (between networks or to/from the internet), providing comprehensive network protection. Azure Firewall is integrated tightly with Azure’s infrastructure, allowing centralized, policy-driven security management across multiple subscriptions and virtual networks.
Key Features
- Stateful Inspection: Tracks connection states to allow or block traffic intelligently.
- Built-in High Availability: Automatically available with no need to deploy additional infrastructure.
- Cloud Scalability: Dynamically scales to handle fluctuating workloads and traffic volumes without manual intervention.
- Application and Network Filtering: Supports filtering based on fully qualified domain names (FQDNs), IP addresses, protocols, and ports.
- Threat Intelligence Integration: Constantly updated with Microsoft’s threat intelligence to block traffic from known malicious IPs and domains.
- Advanced Capabilities with Premium SKU: Includes features like TLS inspection (decrypting and inspecting encrypted traffic), Intrusion Detection and Prevention System (IDPS) for signature-based malware detection, URL filtering, and web category filtering.
- Logging and Monitoring: Seamlessly integrates with Azure Monitor for logging, diagnostics, and security analytics.
Comparison with Other Azure Security Tools
Azure Firewall complements Network Security Groups (NSGs) by providing a higher level of network and application-layer protection centrally across networks, while NSGs offer more distributed, subnet-level control. It also differs from Azure Web Application Firewall (WAF), which focuses specifically on protecting web applications from Layer 7 attacks.
Consider a scenario where an organization requires centralized network security for the application virtual network. As application usage increases, more granular application-level filtering and advanced threat protection will be needed. The application is also expected to receive continuous updates from Azure DevOps pipelines. To protect the virtual network's inbound and outbound traffic, the following requirements apply:
- Azure Firewall is required for additional security in the app-vnet.
- A firewall policy should be configured to help manage access to the application.
- A firewall policy application rule is required. This rule will allow the application access to Azure DevOps so the application code can be updated.
- A firewall policy network rule is required. This rule will allow DNS resolution.
To achieve this, we need to perform the following tasks:
- Create an Azure Firewall.
- Create and configure a firewall policy.
- Create an application rule collection.
- Create a network rule collection.
Create Azure Firewall subnet in our existing virtual network
1. In the search box at the top of the portal, enter Virtual networks. Select Virtual networks in the search results.
2. Select app-vnet.
3. Select Subnet.
4. Select + Subnet.
5. Enter the following information and select Save.
- Name: AzureFirewallSubnet
- Address range: 10.1.63.0/26
Note: Leave all other settings as default.
Create an Azure Firewall
1. In the search box at the top of the portal, enter Firewall. Select Firewall in the search results.
2. Select + Create.
3. Create a firewall by using the values in the following table. For any property that is not specified, use the default value.
- Resource group: RG1
- Name: app-vnet-firewall
- Firewall SKU: Standard
- Firewall management: Use a Firewall Policy to manage this firewall
- Firewall policy: select Add new
- Policy name: fw-policy
- Region: East US
- Policy Tier: Standard
- Choose a virtual network: Use existing
- Virtual network: app-vnet (RG1)
- Public IP address: Add new: fwpip
- Enable Firewall Management NIC: uncheck the box
4. Select Review + Create.
5. Select Create.
Update the Firewall Policy
1. In the portal, search for and select Firewall Policies.
2. Select fw-policy.
Add an application rule
1. In the Rules blade, select Application rules and then Add a rule collection.
2. Configure the rule collection by using the values in the following table, then select Add. For any property that is not specified, use the default value.
- Name: app-vnet-fw-rule-collection
- Rule collection type: Application
- Priority: 200
- Rule collection action: Allow
- Rule collection group: DefaultApplicationRuleCollectionGroup
- Rule name: AllowAzurePipelines
- Source type: IP address
- Source: 10.1.0.0/23
- Protocol: https
- Destination type: FQDN
- Destination: dev.azure.com, azure.microsoft.com
Note: The AllowAzurePipelines rule allows the web application to access Azure Pipelines. The rule allows the web application to access the Azure DevOps service and the Azure website.
Add a network rule
1. In the Settings blade, select Network rules and then Add a rule collection.
2. Configure the network rule and then select Add.
- Name: app-vnet-fw-nrc-dns
- Rule collection type: Network
- Priority: 200
- Rule collection action: Allow
- Rule collection group: DefaultNetworkRuleCollectionGroup
- Rule name: AllowDns
- Source: 10.1.0.0/23
- Protocol: UDP
- Destination ports: 53
- Destination addresses: 1.1.1.1, 1.0.0.1
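The application rule and network rule configured in the two sections above can also be expressed as policy-as-code. The following is an added example, not part of the original post: it builds the REST body used by the Microsoft.Network/firewallPolicies/ruleCollectionGroups resource for both collections with the lab's values, and runs a small lint pass that flags entries that would widen the allow list (wildcard sources or FQDNs, non-HTTPS application protocols, open network rules) before the policy is deployed. The group priorities 200/300 are the portal's defaults for the two default groups and are assumed here.

```python
"""Rule collection groups for fw-policy as REST bodies, plus a pre-deploy lint."""

APP_SUBNET = "10.1.0.0/23"          # source range used by both lab rules
WILDCARDS = {"*", "0.0.0.0/0", "::/0", "Any"}

def filter_collection(name, priority, rules):
    """One Allow collection of the kind created with 'Add a rule collection'."""
    return {"ruleCollectionType": "FirewallPolicyFilterRuleCollection",
            "name": name, "priority": priority,
            "action": {"type": "Allow"}, "rules": rules}

def app_rule_collection_group():
    """DefaultApplicationRuleCollectionGroup holding AllowAzurePipelines."""
    rule = {"ruleType": "ApplicationRule", "name": "AllowAzurePipelines",
            "protocols": [{"protocolType": "Https", "port": 443}],
            "sourceAddresses": [APP_SUBNET],
            "targetFqdns": ["dev.azure.com", "azure.microsoft.com"]}
    return {"name": "DefaultApplicationRuleCollectionGroup",
            "properties": {"priority": 300,   # assumed default group priority
                           "ruleCollections": [filter_collection(
                               "app-vnet-fw-rule-collection", 200, [rule])]}}

def network_rule_collection_group():
    """DefaultNetworkRuleCollectionGroup holding AllowDns (UDP/53 to resolvers)."""
    rule = {"ruleType": "NetworkRule", "name": "AllowDns",
            "ipProtocols": ["UDP"], "sourceAddresses": [APP_SUBNET],
            "destinationAddresses": ["1.1.1.1", "1.0.0.1"],
            "destinationPorts": ["53"]}
    return {"name": "DefaultNetworkRuleCollectionGroup",
            "properties": {"priority": 200,   # assumed default group priority
                           "ruleCollections": [filter_collection(
                               "app-vnet-fw-nrc-dns", 200, [rule])]}}

def lint(group):
    """Return findings for rules that allow more than the lab intends."""
    findings = []
    for coll in group["properties"]["ruleCollections"]:
        for r in coll["rules"]:
            tag = f"{coll['name']}/{r['name']}"
            if WILDCARDS & set(r.get("sourceAddresses", [])):
                findings.append(f"{tag}: wildcard source")
            if r["ruleType"] == "ApplicationRule":
                if any(f.startswith("*") for f in r.get("targetFqdns", [])):
                    findings.append(f"{tag}: wildcard FQDN")
                if any(p["protocolType"] != "Https" for p in r["protocols"]):
                    findings.append(f"{tag}: non-HTTPS protocol")
            elif (WILDCARDS & set(r.get("destinationAddresses", []))
                  or "*" in r.get("destinationPorts", [])
                  or "Any" in r.get("ipProtocols", [])):
                findings.append(f"{tag}: open network rule")
    return findings
```

The returned dictionaries are the `properties` payload an ARM template or the Azure CLI's rule-collection-group commands submit; running `lint` on them before deployment turns the lab's intent (HTTPS-only to two FQDNs, UDP/53 to two resolvers, one source subnet) into a check.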
Verify the firewall and firewall policy status
1. In the portal, search for and select Firewall.
2. View app-vnet-firewall and ensure the Provisioning state is Succeeded. This may take a few minutes.
3. In the portal, search for and select Firewall policies.
4. View fw-policy and ensure the Provisioning state is Succeeded. This may take a few minutes.