Azure Firewall


Intro

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.



Documentation



Tips and Tidbits


  • Azure Firewall uses a static public IP address for your virtual network resources, which allows outside firewalls to identify traffic originating from your virtual network.

  • With Azure Firewall, you can configure:

    • Application rules that define fully qualified domain names (FQDNs) that can be accessed from a subnet.

    • Network rules that define source address, protocol, destination port, and destination address.



Azure Firewall features

  • Built-in high availability. High availability is built in, so no additional load balancers are required and there's nothing you need to configure.

  • Availability Zones. Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability.

  • Unrestricted cloud scalability. Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

  • Application FQDN filtering rules. You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN), including wildcards.

  • Network traffic filtering rules. You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

  • Threat intelligence. Threat intelligence-based filtering can be enabled for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.

  • Multiple public IP addresses. You can associate multiple public IP addresses (up to 100) with your firewall.



Design and implement Azure Firewall

  • It uses a static, public IP address for your virtual network resources.

    • This allows outside firewalls to identify traffic originating from your virtual network.

  • Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections.

  • Rules are enforced and logged across multiple subscriptions and virtual networks.

  • FQDN tags - These tags make it easy for you to allow well-known Azure service network traffic through your firewall.

    • For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag.

  • Outbound SNAT support - All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation, SNAT).

    • You can identify and allow traffic originating from your virtual network to remote Internet destinations.

  • Inbound DNAT support - Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

  • Forced tunneling - You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.

  • In Azure Firewall, you can configure NAT rules, network rules, and application rules, either by using classic rules or Firewall Policy.

  • With Firewall Policy, rules are organized inside Rule Collections which are contained in Rule Collection Groups. Rule Collections can be of the following types:

    • DNAT (Destination Network Address Translation)

    • Network

    • Application

  • Application rules are always processed after network rules, which are themselves always processed after DNAT rules.

  • Outbound connectivity using network rules and application rules

    • If you configure both network rules and application rules, then network rules are applied in priority order before application rules.

    • Additionally, all rules are terminating: if a match is found in a network rule, no other rules are processed thereafter.

  • Inbound connectivity using DNAT rules and network rules

    • Inbound Internet connectivity can be enabled by configuring DNAT.

    • DNAT rules are applied in priority before network rules.

  • Application rules aren't applied for inbound connections. So, if you want to filter inbound HTTP/S traffic, you should use Web Application Firewall (WAF).

  • When deploying Azure Firewall, you can configure it to span multiple Availability Zones for increased availability.

    • When you configure Azure Firewall in this way, your availability increases to 99.99% uptime. The 99.99% uptime SLA is offered when two or more Availability Zones are selected.
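The rule processing order described above (DNAT, then network, then application; priority order within each type; first match terminates; application rules skipped for inbound connections), as an added example that is not from these notes or from Microsoft: a small Python model run over a constructed rule set. The names `Rule`, `Flow`, `evaluate` and `demo` are assumed here, and the model deliberately simplifies the real engine.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed, simplified model (assumption: the real engine has more detail, e.g. DNAT rewrites the destination first).
@dataclass
class Rule:
    kind: str                         # "dnat", "network" or "application"
    priority: int                     # lower number is evaluated first within a type
    action: str = "allow"             # "allow" or "deny"
    src: str = "*"                    # source IP, "*" = any
    dst: str = "*"                    # destination IP, or FQDN (wildcard ok) for application rules
    port: Optional[int] = None        # destination port, None = any
    translated: Optional[str] = None  # DNAT target "ip:port"
@dataclass
class Flow:
    direction: str                    # "inbound" (to the firewall public IP) or "outbound"
    src: str
    dst: str
    port: int
    fqdn: Optional[str] = None        # host name seen in outbound HTTP/S or SQL traffic
def _matches(rule: Rule, flow: Flow) -> bool:
    if rule.kind == "application":
        host, pat = flow.fqdn or "", rule.dst
        return bool(host) and (pat in ("*", host) or (pat.startswith("*.") and host.endswith(pat[1:])))
    return (rule.src in ("*", flow.src) and rule.dst in ("*", flow.dst)
            and rule.port in (None, flow.port))

def evaluate(rules, flow):
    # Returns (decision, rule): decision is "allow", "deny" or "dnat:<target>".
    for kind in ("dnat", "network", "application"):   # fixed type order, regardless of priority
        if kind == "application" and flow.direction == "inbound":
            continue   # application rules are never applied to inbound connections
        for rule in sorted((r for r in rules if r.kind == kind), key=lambda r: r.priority):
            if _matches(rule, flow):
                if rule.kind == "dnat":
                    return f"dnat:{rule.translated}", rule
                return rule.action, rule   # terminating: no later rule is consulted
    return "deny", None   # implicit deny when nothing matches
def demo():
    rules = [   # constructed rule set; RFC 5737 and private addresses
        Rule("dnat", 100, dst="203.0.113.10", port=3389, translated="10.0.2.4:3389"),
        Rule("network", 100, "allow", dst="10.0.2.4"),
        Rule("network", 200, "deny", dst="10.0.2.4", port=443),   # shadowed by priority 100
        Rule("network", 300, "deny", port=80),
        Rule("application", 100, "allow", dst="*.windowsupdate.com")]
    flows = [
        Flow("outbound", "10.0.1.4", "10.0.2.4", 443),                             # allow
        Flow("outbound", "10.0.1.4", "198.51.100.9", 80, "dl.windowsupdate.com"),   # deny
        Flow("outbound", "10.0.1.4", "198.51.100.9", 443, "dl.windowsupdate.com"),  # allow
        Flow("inbound", "192.0.2.7", "203.0.113.10", 3389)]                        # dnat
    return [evaluate(rules, f)[0] for f in flows]
```

The second flow is denied by the network rule on port 80 even though an application rule would have allowed the FQDN, which is the terminating behaviour the notes describe.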


Forced tunneling configuration

  • When you configure a new Azure Firewall, you can route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.

    • For example, you may have a default route advertised via BGP or using User Defined Route (UDR) to force traffic to an on-premises edge firewall or other network virtual appliance (NVA) to process network traffic before it's passed to the Internet.

    • To support this configuration, you must create Azure Firewall with Forced Tunnel configuration enabled.

  • You can configure Forced Tunneling during Firewall creation by enabling Forced Tunnel mode.

  • To support forced tunneling, Service Management traffic is separated from customer traffic.

  • An additional dedicated subnet named AzureFirewallManagementSubnet (minimum subnet size /26) is required with its own associated public IP address.

    • This public IP address is for management traffic. It is used exclusively by the Azure platform and can't be used for any other purpose.



Firewall Considerations – Windows Virtual Desktop (WVD)
