Azure Firewall

Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best-of-breed threat protection for your cloud workloads running in Azure. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.

Azure Firewall is offered in Standard, Premium, and Basic SKUs.

Azure Firewall Features:

  1. Application Rules

We can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN), including wild cards. This feature doesn’t require TLS termination.

Azure Firewall supports inbound and outbound filtering. Inbound protection is typically used for non-HTTP/S protocols such as RDP, SSH, and FTP. For the best inbound HTTP/S protection, use a web application firewall.

FQDN tags allow well-known Azure service network traffic through your firewall easily. For example, say you want to enable Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.     

  • Azure Monitor

Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs. Logs can be sent to Log Analytics, Azure Storage, or Event Hubs. They can be interpreted in Log Analytics or by different tools such as Excel and Power BI.

  • Stateful network rules

A service tag represents a group of IP address prefixes to help minimize the complexity of security rule creation. You can’t create your service tag nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change.

  • NAT Support

Azure Firewall Destination Network Address Translation (DNAT) to translate and filter inbound Internet traffic to your subnets. Each rule in the NAT rule collection can then translate your firewall’s public IP address and port to a private IP address and port. DNAT rules implicitly add a corresponding network rule to allow the translated traffic. When configuring DNAT, the NAT rule collection action is set to Dnat.

  • Threat Intel

Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the financial services and healthcare industries. A signature-based IDPS looks for specific patterns to detect attacks rapidly. These patterns can include byte sequences in network traffic or known malicious instruction sequences used by malware. More than 58,000 signatures in more than 50 categories are updated in real-time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.

  • Scale and High Availability

High availability is built in, so no additional load balancers are required, and there’s nothing you need to configure. Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability. With Availability Zones, your availability rises to 99.99% uptime. See the Azure Firewall Service Level Agreement (SLA) for more information. The 99.99% uptime SLA is offered when two or more Availability Zones are selected.

You can also associate Azure Firewall to a specific zone just for proximity reasons, using the service standard 99.95% SLA.

Azure Firewall Standard SKU:

Azure Firewall Standard provides L3-L7 filtering, and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains updated in real-time to protect against new and emerging attacks.

You can deploy Azure Firewall on any virtual network. Still, customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model. You can then set the default route from the peered virtual networks to point to this central firewall virtual network. Global VNet peering is supported but not recommended because of potential regional performance and latency issues. For best performance, deploy one firewall per region. The below picture provides standard SKU features:

Azure Firewall Premium SKU:

Azure Firewall Premium is utilizing Firewall Policy, a global resource that can centrally manage your firewalls using Azure Firewall Manager. Starting this release, all new features will only be configurable via Firewall Policy. This includes TLS Inspection, IDPS, URL Filtering, and Web categories. Firewall Rules (Classic) continue to be supported and can be used for configuring existing features of Standard Firewall.  Firewall Policy can be managed independently or using Azure Firewall manager. A firewall policy associated with a single firewall has no charge.

Azure Firewall Premium includes all the capabilities of the standard SKU and is fully compatible with Azure Firewall Manager. Azure Firewall Premium provides next-generation firewall capabilities for highly sensitive and regulated environments.

With this Azure Firewall Premium release, you can now use the following new capabilities:

  1. TLS Inspection: Azure Firewall Premium decrypts outbound traffic, performs the required value-added security functions, and re-encrypts the traffic sent to the original destination. Inbound TLS termination is available on Application Gateway. A firewall can be deployed behind Application Gateway and inspect decrypted traffic. When Application Gateway is configured with end-to-end encryption, Firewall can decrypt traffic received from Application Gateway for further inspection and re-encrypt before forwarding it to the target web server.
  2. IDPS: Azure Firewall Premium provides signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic or known malicious instruction sequences used by malware.
  3. Web Categories: Allows administrators to filter outbound user access to the Internet based on categories (e.g., social networking, search engines, gambling), reducing the time spent managing individual FQDNs and URLs. This capability is also available for Azure Firewall Standard based on FQDNs only.
  4. URL Filtering: Allow administrators to filter outbound access to specific URLs, not just FQDNs. This capability works for plain text and encrypted traffic if TLS inspection is enabled.

The below picture provides premium SKU features:

Azure Firewall Basic SKU:

Azure Firewall Basic is intended for small and medium size (SMB) customers to secure their Azure cloud environments. It provides the essential protection SMB customers need at an affordable price point.

Azure Firewall supports rules and rules collections. A rule collection is a set of rules that share the same order and priority. Rule collections are executed in order of their priority. Network rule collections are a higher priority than application rule collections, and all rules are terminated. Azure Firewall Basic includes all standard firewall capabilities with limitations:

Supports threat intel alert mode only

Fixed scale unit to run on two virtual machine instances at the backend