Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
In this blog post, we will provide an in-depth examination of Azure Firewall, covering its features, benefits, and detailed practical implementation for securing traffic between Azure Virtual Networks and the internet.
Features of Azure Firewall
Azure Firewall is offered in three SKUs: Standard, Premium, and Basic. Each SKU has different levels of threat intelligence, IDPS, and scalability. Here are some of the key features of each SKU:
- Azure Firewall Standard: This SKU provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains that are updated in real time to protect against new and emerging attacks.
- Azure Firewall Premium: This SKU provides advanced capabilities include signature based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic or known malicious instruction sequences used by malware. There are more than 67,000 signatures in over 50 categories that are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.
- Azure Firewall Basic: This SKU is intended for small and medium size (SMB) customers to secure their Azure cloud environments. It provides the essential protection SMB customers need at an affordable price point. Azure Firewall Basic is like Firewall Standard, but has the following main limitations: Supports Threat Intel alert mode only Fixed scale unit to run the service on two virtual machine backend instances Recommended for environments with an estimated throughput of 250 Mbps
To compare the all Firewall SKU features, see Choose the right Azure Firewall SKU to meet your needs.
Benefits of Azure Firewall
Azure Firewall has many benefits over traditional network firewalls. Some of the benefits are:
- Cloud-native: Azure Firewall is a fully managed service that runs on Azure infrastructure. You don’t need to worry about hardware maintenance, software updates, or capacity planning. Azure Firewall automatically scales up or down based on your traffic load and supports up to 30 Gbps of throughput.
- Centralised management: You can use Azure Firewall Manager to centrally manage Azure Firewalls across multiple subscriptions. Firewall Manager uses firewall policy to apply a common set of network/application rules and configuration to the firewalls in your tenant. Firewall Manager supports firewalls in both VNet and Virtual WANs (Secure Virtual Hub) environments.
- DevOps friendly: You can use Azure CLI, PowerShell, REST API, or ARM templates to automate the deployment and configuration of Azure Firewall. You can also integrate Azure Firewall with Azure DevOps or GitHub to enable continuous integration and delivery (CI/CD) pipelines for your firewall rules.
- High availability: Azure Firewall has built-in high availability and fault tolerance. It runs on multiple availability zones within a region and has automatic failover mechanisms. You don’t need to configure any load balancers or health probes for Azure Firewall.
- Network security integration: Azure Firewall integrates with other Azure network security services such as Azure DDoS Protection, Azure Application Gateway, Azure Sentinel, and Azure Security Center. You can leverage these services to enhance your network visibility and threat detection capabilities.
Implementation of Azure Firewall
To implement Azure Firewall for securing traffic between your Azure Virtual Networks and the internet, you need to follow these steps:
- Create an Azure Virtual Network with at least two subnets: one for your workloads and one for your firewall.
- Create an Azure Firewall resource in the firewall subnet. Choose the appropriate SKU based on your requirements.
- Configure the firewall rules to allow or deny traffic based on source IP address, destination IP address, port number, protocol type, application FQDNs, or IDPS signatures.
- Configure the routing tables for your workload subnet and firewall subnet to route traffic through the firewall.
- Test your firewall rules by sending traffic from your workloads to the internet or vice versa.
For a detailed tutorial on how to deploy an Azure Firewall using the Azure portal, see Deploy an Azure Firewall.
Conclusion
Azure Firewall is a powerful network security service that can help you protect your cloud workloads from malicious attacks. It offers three SKUs with different levels of threat intelligence, IDPS, and scalability. It also has many benefits such as cloud-native architecture, centralised management, DevOps compatibility, high availability, and network security integration