  • Design and implement Azure Firewall

  • Azure Firewall uses a static, public IP address for your virtual network resources.

    • This allows outside firewalls to identify traffic originating from your virtual network.

  • Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections.

  • Rules are enforced and logged across multiple subscriptions and virtual networks.

  • FQDN tags - These tags make it easy for you to allow well-known Azure service network traffic through your firewall.

    • For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag.

  • Outbound SNAT support - All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation, SNAT).

    • You can identify and allow traffic originating from your virtual network to remote Internet destinations.

  • Inbound DNAT support - Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

  • Forced tunneling - You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.

  • In Azure Firewall, you can configure NAT rules, network rules, and application rules, either by using classic rules or Firewall Policy.

  • With Firewall Policy, rules are organized inside Rule Collections which are contained in Rule Collection Groups. Rule Collections can be of the following types:

    • DNAT (Destination Network Address Translation)

    • Network

    • Application

  • Application rules are always processed after network rules, which are themselves always processed after DNAT rules.

  • Outbound connectivity using network rules and application rules

    • If you configure both network rules and application rules, then network rules are applied in priority order before application rules.

    • Additionally, all rules are terminating: if a match is found in a network rule, no other rules are processed.

  • Inbound connectivity using DNAT rules and network rules

    • Inbound Internet connectivity can be enabled by configuring DNAT.

    • DNAT rules are applied in priority before network rules.

  • Application rules aren't applied for inbound connections. So, if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF).
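To make the processing order above concrete, here is a small Python model of it. This is an added example written for these notes, not Microsoft's implementation or any Azure SDK call: the `Rule`, `RuleCollection`, `RuleCollectionGroup`, `Flow` and `Decision` types, the tie-break by rule collection group priority and then rule collection priority within each rule type, and the sample policy (documentation address ranges) are constructed assumptions. It shows that a network collection at priority 100 is still evaluated before an application collection at priority 50, that the first match terminates evaluation, and that application rules are skipped for inbound flows.

```python
"""Toy model of Azure Firewall rule processing order (added example, not Microsoft code).

Models what the notes state: DNAT collections, then network, then application, each in
priority order; the first match terminates; application rules are skipped for inbound
connections. The tie-break within a kind and the sample policy are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Rule:
    name: str
    sources: List[str]                    # CIDRs, or "*" for any
    destinations: List[str]               # CIDRs / "*" (DNAT, network) or FQDNs (application)
    ports: List[int]
    protocol: str = "TCP"
    translated_to: Optional[str] = None   # DNAT rules only: "private-ip:port"

@dataclass
class RuleCollection:
    name: str
    kind: str                             # "DNAT", "Network", or "Application"
    priority: int                         # lower number is evaluated earlier within its kind
    action: str                           # "Allow", "Deny", or "DNAT" (action lives on the collection)
    rules: List[Rule] = field(default_factory=list)

@dataclass
class RuleCollectionGroup:
    name: str
    priority: int
    collections: List[RuleCollection] = field(default_factory=list)

@dataclass
class Flow:
    src_ip: str
    dst: str                              # destination IP, or FQDN for an application lookup
    port: int
    protocol: str = "TCP"
    inbound: bool = False                 # arriving from the Internet at the firewall public IP

@dataclass
class Decision:
    action: str                           # "Allow", "Deny", or "DNAT"
    kind: Optional[str]                   # matching rule type; None for the implicit default deny
    rule: Optional[str]                   # matching rule name; None for the default
    translated_to: Optional[str] = None

KIND_ORDER = {"DNAT": 0, "Network": 1, "Application": 2}

def _matches(value: str, patterns: List[str]) -> bool:
    """Match an IP against CIDRs, or an FQDN against exact / '*.' wildcard names."""
    for pattern in patterns:
        if pattern == "*":
            return True
        try:
            if ip_address(value) in ip_network(pattern, strict=False):
                return True
        except ValueError:                # value or pattern is not an address: compare as FQDN
            v, p = value.lower(), pattern.lower()
            if v == p or (p.startswith("*.") and v.endswith(p[1:])):
                return True
    return False

def _rule_matches(rule: Rule, flow: Flow) -> bool:
    return (rule.protocol == flow.protocol and flow.port in rule.ports
            and _matches(flow.src_ip, rule.sources) and _matches(flow.dst, rule.destinations))

def evaluate(policy: List[RuleCollectionGroup], flow: Flow) -> Decision:
    """Decision for the first matching rule, or the implicit default deny."""
    # Rule kind is the primary sort key: a low-priority network collection is still evaluated
    # before a high-priority application collection. Priorities only order within a kind.
    ordered = sorted(((g, c) for g in policy for c in g.collections),
                     key=lambda gc: (KIND_ORDER[gc[1].kind], gc[0].priority, gc[1].priority))
    for _group, coll in ordered:
        if coll.kind == "Application" and flow.inbound:
            continue                      # application rules never apply to inbound connections
        for rule in coll.rules:
            if _rule_matches(rule, flow): # terminating: nothing after the first match is consulted
                return Decision(coll.action, coll.kind, rule.name, rule.translated_to)
    return Decision("Deny", None, None)

# Constructed sample policy using documentation address ranges (not a real tenant).
SAMPLE_POLICY = [
    RuleCollectionGroup("rcg-inbound", priority=100, collections=[
        RuleCollection("dnat-admin", "DNAT", priority=100, action="DNAT", rules=[
            Rule("rdp-to-jumpbox", ["203.0.113.0/24"], ["192.0.2.10/32"], [3389],
                 translated_to="10.0.1.4:3389"),
        ]),
    ]),
    RuleCollectionGroup("rcg-egress", priority=200, collections=[
        # priority 50 looks "more urgent" than the network collection below, yet it is
        # still evaluated after it because it is an application collection
        RuleCollection("app-allow-ms", "Application", priority=50, action="Allow", rules=[
            Rule("allow-ms-web", ["10.0.0.0/16"], ["*.microsoft.com"], [80, 443]),
        ]),
        RuleCollection("net-deny-smb", "Network", priority=100, action="Deny", rules=[
            Rule("deny-smb-out", ["10.0.0.0/16"], ["*"], [445]),
        ]),
    ]),
]
```

Calling `evaluate(SAMPLE_POLICY, Flow("10.0.2.5", "update.microsoft.com", 443))` walks the DNAT and network collections first and only then allows the flow on `allow-ms-web`; the same flow with `inbound=True` falls through to the default deny because application rules are skipped, which is why the notes point at WAF for inbound HTTP/S filtering.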

  • When deploying Azure Firewall, you can configure it to span multiple Availability Zones for increased availability.

    • When you configure Azure Firewall in this way, your availability increases to 99.99% uptime. The 99.99% uptime SLA is offered when two or more Availability Zones are selected.

...

Forced tunneling configuration

  • When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.

    • For example, you may have a default route advertised via BGP or using User Defined Route (UDR) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet.

    • To support this configuration, you must create Azure Firewall with Forced Tunnel configuration enabled.

  • You can configure Forced Tunneling during Firewall creation by enabling Forced Tunnel mode as shown below.

  • To support forced tunneling, Service Management traffic is separated from customer traffic.

  • An additional dedicated subnet named AzureFirewallManagementSubnet (minimum subnet size /26) is required with its own associated public IP address.

    • This public IP address is for management traffic. It is used exclusively by the Azure platform and can't be used for any other purpose.
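A practitioner normally verifies these prerequisites before deploying. The following Python check is an added example for these notes, not Microsoft tooling or an Azure API: it validates a planned deployment, written as a plain dict whose layout (`subnets`, `routes`, `forced_tunnel_enabled`, `public_ip`, `next_hop_ip`) is a constructed assumption, against the requirements listed above: an `AzureFirewallManagementSubnet` of at least /26 with its own public IP that is not shared with the data-plane public IP, Forced Tunnel mode enabled at creation, and a 0.0.0.0/0 UDR whose next hop is the on-premises edge or NVA. `AzureFirewallSubnet` is the firewall's data-plane subnet and `VirtualAppliance` is the real Azure route next-hop type; all addresses come from documentation ranges.

```python
"""Pre-deployment check for an Azure Firewall forced-tunnel design (added example, not Microsoft tooling).

Validates a planned deployment, expressed as a plain dict, against the requirements in the
notes: a dedicated AzureFirewallManagementSubnet of at least /26 with its own public IP (not
shared with the data-plane public IP), Forced Tunnel mode enabled at creation, and a default
route that hands Internet-bound traffic to an NVA next hop. The dict layout, field names and
addresses are constructed for illustration.
"""
from ipaddress import ip_network
from typing import Dict, List

MGMT_SUBNET = "AzureFirewallManagementSubnet"
DATA_SUBNET = "AzureFirewallSubnet"
MIN_PREFIX = 26          # a /26 is the smallest subnet accepted; a longer prefix means a smaller subnet


def check_forced_tunnel_plan(plan: Dict) -> List[str]:
    """Return findings that would block a forced-tunnel deployment; an empty list means all checks pass."""
    findings = []
    subnets = {s["name"]: s for s in plan.get("subnets", [])}
    mgmt, data = subnets.get(MGMT_SUBNET), subnets.get(DATA_SUBNET)

    if mgmt is None:
        findings.append(f"missing dedicated subnet {MGMT_SUBNET}")
    else:
        net = ip_network(mgmt["prefix"], strict=False)
        if net.prefixlen > MIN_PREFIX:
            findings.append(f"{MGMT_SUBNET} is /{net.prefixlen}; minimum size is /{MIN_PREFIX}")
        if not mgmt.get("public_ip"):
            findings.append(f"{MGMT_SUBNET} needs its own public IP for Service Management traffic")
    if data is None:
        findings.append(f"missing {DATA_SUBNET}")
    if mgmt and data:
        if mgmt.get("public_ip") and mgmt.get("public_ip") == data.get("public_ip"):
            findings.append("management public IP is shared with the data-plane public IP; it must be dedicated")
        if ip_network(mgmt["prefix"], strict=False).overlaps(ip_network(data["prefix"], strict=False)):
            findings.append(f"{MGMT_SUBNET} overlaps {DATA_SUBNET}")

    if not plan.get("forced_tunnel_enabled", False):
        findings.append("Forced Tunnel mode must be enabled when the firewall is created")

    # A BGP-advertised default route is the other option the notes mention; it is not visible
    # in a route table, so this check only inspects the UDRs supplied in the plan.
    defaults = [r for r in plan.get("routes", []) if r.get("prefix") == "0.0.0.0/0"]
    if not defaults:
        findings.append("no 0.0.0.0/0 UDR: Internet-bound traffic would leave directly via the Internet")
    for route in defaults:
        if route.get("next_hop_type") != "VirtualAppliance" or not route.get("next_hop_ip"):
            findings.append(f"default route {route.get('name', '?')} must use a VirtualAppliance next hop (the NVA)")
    return findings


# Constructed plans. 192.0.2.0/24 (TEST-NET-1) stands in for the firewall's public IPs.
GOOD_PLAN = {
    "subnets": [
        {"name": DATA_SUBNET, "prefix": "10.0.0.0/26", "public_ip": "192.0.2.10"},
        {"name": MGMT_SUBNET, "prefix": "10.0.0.64/26", "public_ip": "192.0.2.11"},
    ],
    "routes": [{"name": "to-onprem-edge", "prefix": "0.0.0.0/0",
                "next_hop_type": "VirtualAppliance", "next_hop_ip": "10.200.0.4"}],
    "forced_tunnel_enabled": True,
}

BAD_PLAN = {
    "subnets": [
        {"name": DATA_SUBNET, "prefix": "10.0.0.0/26", "public_ip": "192.0.2.10"},
        {"name": MGMT_SUBNET, "prefix": "10.0.0.64/27", "public_ip": "192.0.2.10"},  # too small, shared PIP
    ],
    "routes": [{"name": "default", "prefix": "0.0.0.0/0", "next_hop_type": "Internet"}],
    "forced_tunnel_enabled": False,
}
```

`check_forced_tunnel_plan(GOOD_PLAN)` returns no findings; `BAD_PLAN` produces four: the /27 management subnet, the shared public IP, Forced Tunnel mode not enabled, and a default route that still goes straight to the Internet.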

...

Firewall Considerations – Windows Virtual Desktop (WVD)