...

  • Built-in high availability. High availability is built in, so no additional load balancers are required and there's nothing you need to configure.

  • Availability Zones. Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability.

  • Unrestricted cloud scalability. Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

  • Application FQDN filtering rules. You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDNs), including wildcards.

  • Network traffic filtering rules. You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

  • Threat intelligence. Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

  • Multiple public IP addresses. You can associate multiple public IP addresses (up to 100) with your firewall.

...

Design and implement Azure Firewall

  • Azure Firewall uses a static public IP address for your virtual network resources.

    • This allows outside firewalls to identify traffic originating from your virtual network.

  • Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections.

  • Rules are enforced and logged across multiple subscriptions and virtual networks.

  • FQDN tags - These tags make it easy for you to allow well-known Azure service network traffic through your firewall.

    • For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag.

  • Outbound SNAT support - All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation, SNAT).

    • You can identify and allow traffic originating from your virtual network to remote Internet destinations.

  • Inbound DNAT support - Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

  • Forced tunneling - You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.

  • In Azure Firewall, you can configure NAT rules, network rules, and application rules, either by using classic rules or by using Firewall Policy.

  • With Firewall Policy, rules are organized inside Rule Collections, which are contained in Rule Collection Groups. Rule Collections can be of the following types:

    • DNAT (Destination Network Address Translation)

    • Network

    • Application

  • Application rules are always processed after network rules, which are themselves always processed after DNAT rules.

  • Outbound connectivity using network rules and application rules

    • If you configure both network rules and application rules, then network rules are applied in priority order before application rules.

    • Additionally, all rules are terminating; if a match is found in a network rule, no other rules are processed thereafter.

  • Inbound connectivity using DNAT rules and network rules

    • Inbound Internet connectivity can be enabled by configuring DNAT.

    • DNAT rules are applied in priority order before network rules.

  • Application rules aren't applied for inbound connections. So, if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF).

  • When deploying Azure Firewall, you can configure it to span multiple Availability Zones for increased availability.

    • When you configure Azure Firewall in this way your availability increases to 99.99% uptime. The 99.99% uptime SLA is offered when two or more Availability Zones are selected.
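The rule-processing notes above (DNAT, then network, then application rules; priority order within a type; first match terminates; application rules never see inbound traffic) can be checked against a small simulator. The following is an added example, not Microsoft's code or the page's own material: it models the ordering in Python so you can see which rule a given flow hits and why the later rule types are never consulted. The firewall public IP, the rule set and the sample flows are all constructed (RFC 5737 test ranges), and the match semantics are a simplification of the real service.

```python
"""Toy model of Azure Firewall rule processing order (added example, not
Microsoft's code). It encodes the ordering described in the notes:
DNAT rules, then network rules, then application rules; within each type
rules are tried in ascending priority value, and the first match is
terminating. Application rules are only consulted for outbound HTTP/S
(where an FQDN is known); inbound traffic is governed by DNAT and network
rules alone. All IPs and names below are constructed (RFC 5737 ranges)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed public IP of the firewall (constructed, TEST-NET-3).
FIREWALL_PUBLIC_IP = "203.0.113.10"
PROCESSING_ORDER = ("DNAT", "Network", "Application")


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    protocol: str                  # "TCP" or "UDP"
    direction: str = "outbound"    # "outbound" from the VNet, "inbound" to the firewall public IP
    fqdn: Optional[str] = None     # Host header / SNI, only available for HTTP/S


@dataclass
class Rule:
    kind: str                      # "DNAT", "Network" or "Application"
    name: str
    priority: int                  # lower value is evaluated first
    action: str                    # "Allow" or "Deny"; DNAT rules always translate and allow
    src: str = "0.0.0.0/0"         # source CIDR
    dst: str = "0.0.0.0/0"         # destination CIDR (unused by Application rules)
    ports: Tuple[int, ...] = ()    # empty means any port
    protocols: Tuple[str, ...] = ()   # empty means any protocol
    fqdns: Tuple[str, ...] = ()    # Application rules only; '*' wildcards allowed
    translated: Optional[Tuple[str, int]] = None   # DNAT target (private IP, port)


def _in_net(ip: str, cidr: str) -> bool:
    return ip_address(ip) in ip_network(cidr, strict=False)


def _matches(rule: Rule, flow: Flow) -> bool:
    # Type-specific gates first: application rules never see inbound traffic,
    # DNAT rules only apply to traffic arriving at the firewall's public IP.
    if rule.kind == "Application" and (flow.direction != "outbound" or flow.fqdn is None):
        return False
    if rule.kind == "DNAT" and flow.direction != "inbound":
        return False
    if not _in_net(flow.src, rule.src):
        return False
    if rule.ports and flow.port not in rule.ports:
        return False
    if rule.protocols and flow.protocol not in rule.protocols:
        return False
    if rule.kind == "Application":
        return any(fnmatchcase(flow.fqdn.lower(), pat.lower()) for pat in rule.fqdns)
    return _in_net(flow.dst, rule.dst)


def evaluate(rules, flow: Flow):
    """Return (verdict, matching rule name, DNAT target). Unmatched traffic is denied."""
    for kind in PROCESSING_ORDER:
        for rule in sorted((r for r in rules if r.kind == kind), key=lambda r: r.priority):
            if _matches(rule, flow):
                if kind == "DNAT":
                    return "Allow", rule.name, rule.translated
                return rule.action, rule.name, None   # terminating: nothing after this is processed
    return "Deny", None, None


# Constructed rule set: one collection of each type.
RULES = [
    Rule("DNAT", "rdp-to-jumpbox", 100, "Allow", dst=f"{FIREWALL_PUBLIC_IP}/32",
         ports=(3389,), protocols=("TCP",), translated=("10.0.1.4", 3389)),
    Rule("Network", "deny-smb-outbound", 100, "Deny", src="10.0.0.0/16", ports=(445,), protocols=("TCP",)),
    Rule("Network", "allow-dns", 200, "Allow", src="10.0.0.0/16", ports=(53,), protocols=("TCP", "UDP")),
    Rule("Network", "allow-partner-https", 300, "Allow", src="10.0.0.0/16",
         dst="198.51.100.0/24", ports=(443,), protocols=("TCP",)),
    Rule("Application", "allow-contoso", 100, "Allow", src="10.0.0.0/16",
         ports=(80, 443), protocols=("TCP",), fqdns=("*.contoso.example",)),
]

# Constructed flows that exercise each ordering rule from the notes.
SAMPLE_FLOWS = {
    "smb_out": Flow("10.0.1.20", "192.0.2.44", 445, "TCP"),
    "https_to_partner": Flow("10.0.1.20", "198.51.100.7", 443, "TCP", fqdn="app.contoso.example"),
    "https_to_contoso": Flow("10.0.1.20", "192.0.2.44", 443, "TCP", fqdn="www.contoso.example"),
    "https_to_unknown": Flow("10.0.1.20", "192.0.2.44", 443, "TCP", fqdn="unlisted.example"),
    "rdp_in": Flow("198.51.100.50", FIREWALL_PUBLIC_IP, 3389, "TCP", direction="inbound"),
    "https_in": Flow("198.51.100.50", FIREWALL_PUBLIC_IP, 443, "TCP", direction="inbound",
                     fqdn="www.contoso.example"),
}

if __name__ == "__main__":
    for label, flow in SAMPLE_FLOWS.items():
        print(f"{label:18} -> {evaluate(RULES, flow)}")
```

Two of the flows are the ones worth studying. `https_to_partner` is allowed by the network rule `allow-partner-https` even though an application rule would also match it: the network rule matched first and is terminating, so the FQDN was never examined, which is why a broad network allow on 443 silently bypasses FQDN filtering. `https_in` is denied despite carrying an allowed FQDN, because application rules are not applied to inbound connections; inbound HTTP/S filtering belongs to DNAT plus network rules, or to a WAF, as the notes state.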