Before the public cloud, we depended on third-party software from firewall network device vendors to handle all firewall devices in our data centre. However, the transition to the public cloud posed operational hurdles when dealing with several cloud-based firewall devices. We needed software that could efficiently manage these devices or appliances centrally. Thankfully, cloud providers eventually introduced a centralised firewall manager service, such as Azure Firewall Manager, which provides centralised management and administration for our Azure Firewalls. This has made our transition to the public cloud much smoother and more efficient. In this blog post, let’s gain more insights about the Azure Firewall Manager service. Are you looking to manage security policy configuration and logging across multiple Azure Firewall instances? Azure Firewall Manager is an excellent solution for you!
Azure Firewall Manager – Features
Azure Firewall Manager is an imperative cloud-based security management service for centralising security policy and route management. It’s used for centralised configuration and management of multiple Azure Firewall instances across Azure regions and subscriptions.
With Azure Firewall Manager, you can automate traffic routing for security filtering in secured virtual hubs. This is achieved by creating global and local security policies for your Azure Firewall instances, allowing DevOps teams to apply relevant, local policies while enforcing all global policy requirements. Using this tool, you can streamline your security management in the public cloud and improve your organisation’s overall security.
With Azure Firewall Manager, you can manage your Azure DDoS Protection plans, Azure Web Application Firewall (WAF) policies, and your Azure Firewall Policies. It’s important to note that there is no fee for using Azure Firewall Manager, but remember that you will be charged for any policies or deployments created through this platform. It is fully compatible with Azure Architecture patterns, including Hub-Spoke and Virtual WAN Hub. It is an indispensable tool for any organisation serious about its Azure security.
Azure Firewall Manager – Policy and RBAC
- Global policies determine the rules and settings that govern all firewall instances.
- Each Azure Firewall instance has its own local /child policy, which can include unique rules for north-south or east-west access while still inheriting from the parent policy.
- Firewall policies are often shared among firewalls; DNAT rules are specific to each firewall and cannot be shared.
- The Azure Firewall policies come with built-in high availability, so there’s no need for any configuration on your part. These policies are replicated in a paired Azure region. The policy becomes active in the paired region if one region goes down. The selection of the paired region is automatic and based on the location where the policy was created.
Azure Firewall Manager – Policy processing logic
- When using network rule collections, those inherited from a parent policy will take priority over those defined locally.
- This applies to application rule collections, but network rule collections will always be processed before application rules, regardless of inheritance.
- It’s important to note that DNAT rules are exclusive to firewalls and can only be defined in local policy, not in global policy.
- NAT rules are applied in priority before network rules. If a match is found, the traffic is translated according to the DNAT rule and allowed by the firewall.
Implementing Azure Firewall Manager for centralized policy enforcement and improved management capabilities is highly recommended.
Santhosh has over 15 years of experience in the IT organization. Working as a Cloud Infrastructure Architect and has a wide range of expertise in Microsoft technologies, with a specialization in public & private cloud services for enterprise customers. My varied background includes work in cloud computing, virtualization, storage, networks, automation and DevOps.