
Azure Firewall is a cloud-based network security service that helps protect your Azure virtual network from unauthorized access. It provides a robust security solution for your cloud resources.
Azure Firewall is built on a scalable architecture that can handle large volumes of traffic. With its high-performance capabilities, you can expect fast and reliable security services.
To ensure the best possible security, it's essential to understand the fundamentals of Azure Firewall. This includes knowing how to configure and manage your firewall, as well as how to troubleshoot common issues.
By following best practices and staying up-to-date with the latest features and updates, you can maximize the security and performance of your Azure Firewall.
Azure Firewall Basics
Azure Firewall is a managed security service that defends your Azure Virtual Network resources with high availability and unlimited cloud scalability. It blocks all traffic by default, so you need to configure rules to allow specific traffic.
You can deploy a firewall in each virtual network, but it's common to deploy it in a central virtual network and peer the other virtual networks to it in a hub-and-spoke model. This model allows centralized management of multiple spoke VNets across different subscriptions and saves cost.
Azure Firewall supports rules and rule collections, with rule collections executed in order of their priority. Here's a breakdown of the types of rules:
- Application rules: Configure fully qualified domain names (FQDNs) that can be accessed from a subnet.
- Network rule collections: Take precedence over application rules and match on source addresses, protocols, destination ports, and destination addresses.
- NAT rules: Configure DNAT for incoming internet connections, directing them to the appropriate internal resources.
Overview
Azure Firewall is a managed security service that defends your Azure Virtual Network resources. It comes with high availability and unlimited cloud scalability, eliminating the need for additional infrastructure to achieve high availability.
You can deploy a firewall in each virtual network, but users usually deploy it in a central virtual network and peer the other virtual networks to it in a hub-and-spoke model. Global VNet peering is supported, but it's not recommended because of potential performance and latency problems across regions.
The advantage of the central virtual network model is that multiple spoke VNets across different subscriptions can be managed centrally. It also saves cost, as you don't have to deploy a firewall in every VNet separately.
Azure Firewall blocks all traffic by default, so you'll need to configure rules to allow specific traffic. This can be done using application rules, network rules, or NAT rules.
Azure Firewall supports rules and rule collections, which are executed in order of their priority. DNAT rule collections have higher priority than network rule collections, and all rules are terminating: processing stops at the first rule that matches.
Pricing Information
Azure Firewall is a cloud-based network security service that shields your Azure Virtual Network resources.
It requires zero maintenance and is highly available with unlimited cloud scalability, making it a great option for businesses that need a reliable security solution.
Setting up a firewall is easy, and you'll be billed a fixed fee plus a variable fee.
Azure Firewall provides fully stateful firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically.
When deployed in a single Availability Zone, Microsoft guarantees that Azure Firewall will be available at least 99.95% of the time; when spread across two or more Availability Zones, it will be available at least 99.99% of the time.
What Is the Difference Between?
Azure Firewall is a managed firewall service that provides advanced security features, including threat intelligence and SNAT/DNAT capabilities. It's a fully stateful, centralized network firewall as-a-service.
Azure Firewall Basic, on the other hand, has some important limitations compared to Firewall Standard. It's similar to Firewall Standard but with fewer features.
The main difference between Azure Firewall and Network Security Groups (NSGs) is that Azure Firewall provides advanced security features, including L7 inspection and threat intelligence, while NSGs provide basic stateful firewalling.
Here's a comparison of the two:
Azure Firewall also differs from Application Gateway WAF in terms of its focus. WAF provides centralized inbound protection for web applications, while Azure Firewall provides inbound protection for non-HTTP/S protocols and outbound network-level protection for all ports and protocols.
In terms of network rules, Azure Firewall has two types: application rules and network rule collections. Application rules define fully qualified domain names (FQDNs) that can be accessed from a subnet, while network rule collections take precedence over application rules and focus on source addresses, protocols, destination ports, and destination addresses.
Azure Firewall Security
Azure Firewall Security is a top-notch feature that provides advanced protection for your virtual network traffic. It's a cloud-based, intelligent firewall that automatically detects workloads and protects them from threats.
Azure Firewall inspects traffic at Layers 3, 4, and 7 of the OSI model, providing granular control over network traffic. This means you can have fine-grained control over what traffic is allowed in and out of your network.
One of the key features of Azure Firewall is its threat intelligence capabilities. It leverages Microsoft's threat intelligence to identify and block malicious traffic in real-time, keeping your network safe from known threats.
Azure Firewall also provides application security through Layer 7 inspection, allowing you to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
Here are some of the key security features of Azure Firewall:
- Deep Packet Inspection (DPI) at Layers 3, 4, and 7
- Threat Intelligence with real-time threat blocking
- Application security through Layer 7 inspection
- Support for SNAT/DNAT
By using Azure Firewall, you can rest assured that your network traffic is protected from threats and malicious activity. It's a powerful tool that can help you maintain a secure and reliable network infrastructure.
Azure Firewall Configuration
Azure Firewall Configuration is a crucial step in setting up a secure and efficient network. You can enable service endpoints in the Azure Firewall subnet and disable them on connected spoke virtual networks to benefit from both features: service endpoint security and central logging for all traffic.
To configure Azure Firewall, you'll need to create rule collections, which belong to a rule collection group and contain one or multiple rules. Rule collections must have a defined action (allow or deny) and a priority value.
Here are the three types of rule collections you can use:
- DNAT rule collection
- Application rule collection
- Network rule collection
Each type of rule collection has its own use case: DNAT for network address translation, application for filtering traffic based on FQDNs, URLs, and HTTP/HTTPS protocols, and network for filtering traffic based on IP addresses, ports, and protocols.
Setting Up Service Endpoints
Setting up service endpoints is a key part of Azure Firewall configuration. Service endpoints are recommended for secure access to PaaS services. To benefit from both service endpoint security and central logging of all traffic, enable service endpoints in the Azure Firewall subnet and disable them on the connected spoke virtual networks. This centralizes logging and adds a layer of security.
You can't create your own service tag or choose which IP addresses it contains.
Microsoft manages the address prefixes covered by a service tag and updates the tag automatically as addresses change.
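The endpoint placement recommended above (endpoints on the firewall subnet, none on the spokes), as an added Azure PowerShell example that is not from the page or its sources. It assumes the Az.Network module, a hub VNet named vnet-hub in resource group rg-hub, and spokes peered from that hub in the same subscription.

```powershell
# Added example (not from the page). Assumed names: rg-hub / vnet-hub, spokes
# peered from the hub and living in the same subscription.
$hubRg     = "rg-hub"
$hub       = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $hubRg
$fwSub     = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name "AzureFirewallSubnet"
$endpoints = @("Microsoft.Storage", "Microsoft.Sql")

# 1. Enable the service endpoints on AzureFirewallSubnet only. PaaS-bound traffic
#    from the spokes still traverses the firewall, so it is logged centrally and
#    reaches the service from the endpoint-secured subnet.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $hub -Name "AzureFirewallSubnet" `
    -AddressPrefix $fwSub.AddressPrefix -ServiceEndpoint $endpoints |
    Set-AzVirtualNetwork | Out-Null

# 2. Audit the spokes: a service endpoint on a spoke subnet sends PaaS traffic
#    straight from the spoke, bypassing the firewall and its central logging.
foreach ($peer in $hub.VirtualNetworkPeerings) {
    $spokeId = $peer.RemoteVirtualNetwork.Id
    $parts   = $spokeId -split '/'          # [4] = resource group, [-1] = VNet name
    $spoke   = Get-AzVirtualNetwork -Name $parts[-1] -ResourceGroupName $parts[4]
    foreach ($sn in $spoke.Subnets) {
        if ($sn.ServiceEndpoints.Count -gt 0) {
            Write-Warning ("{0}/{1} still has service endpoints: {2}" -f `
                $spoke.Name, $sn.Name, ($sn.ServiceEndpoints.Service -join ', '))
        }
    }
}
```

The audit only reports; remove the endpoints from a flagged spoke subnet with Set-AzVirtualNetworkSubnetConfig without the -ServiceEndpoint parameter once you have confirmed the route to the PaaS service goes through the firewall.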
FQDN Filtering Rules & FQDN Tags
FQDN filtering rules and FQDN tags are two powerful features of Azure Firewall that allow you to control and filter traffic based on fully qualified domain names.
You can filter outbound traffic such as HTTP/S or Azure SQL traffic to a defined list of fully qualified domain names (FQDNs), including wildcards, without needing any TLS termination.
FQDN tags, on the other hand, permit well-known Azure service network traffic within your firewall, making it easy to allow network traffic from services like Windows Update.
To create an application rule and allow Windows Update network traffic, simply enter the Windows Update tag, which will allow network traffic from Windows Update to flow within your firewall.
Application rules allow or deny outbound and east-west traffic based on the application layer (L7), giving you granular control over your network traffic.
You can use an application rule to filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
Here are some key things to keep in mind when working with FQDN filtering rules and FQDN tags:
By using FQDN filtering rules and FQDN tags, you can create a more secure and controlled network environment within Azure Firewall.
Configuring Availability Zones After Deployment
Configuring availability zones after deployment can be a bit tricky, but it's doable. You'll need to ensure that your firewall is deployed in a VNet, as it isn't supported in a secured virtual hub.
One important thing to note is that all attached public IP addresses must be deployed with availability zones. To confirm, check the properties page of each public IP address to ensure the availability zones field exists and is configured with the same zones as your firewall.
You can only reconfigure availability zones when you restart the firewall. To do this, use Azure PowerShell to modify the firewall's Zones property right before starting the firewall with Set-AzFirewall.
It's worth noting that there is no extra cost for deploying in multiple availability zones, but you will still incur costs for outbound and inbound traffic data transfer associated with availability zones.
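The zone reconfiguration procedure described above (confirm the public IPs are zonal, stop the firewall, set Zones, start it again with Set-AzFirewall), as an added Azure PowerShell example that is not from the page or its sources. Firewall, VNet and resource group names are assumed, and the public IPs are assumed to sit in the firewall's resource group.

```powershell
# Added example (not from the page). Assumed names: hub-fw / vnet-hub in rg-hub.
$rg    = "rg-hub"
$zones = @("1", "2", "3")
$fw    = Get-AzFirewall -Name "hub-fw" -ResourceGroupName $rg
$vnet  = Get-AzVirtualNetwork -Name "vnet-hub" -ResourceGroupName $rg

# Zones can only be changed on a VNet-deployed firewall, not in a secured hub.
if ($fw.VirtualHub) { throw "Firewall is attached to a secured virtual hub; zones cannot be changed." }

# Collect the attached public IPs before deallocating: Deallocate() clears the
# IP configurations, and Allocate() needs the same VNet and PIP objects back.
$pips = foreach ($ipConf in $fw.IpConfigurations) {
    Get-AzPublicIpAddress -Name (($ipConf.PublicIpAddress.Id -split '/')[-1]) -ResourceGroupName $rg
}

# Pre-check: every public IP must already be zonal with the same zone set.
foreach ($pip in $pips) {
    if (Compare-Object -ReferenceObject $zones -DifferenceObject @($pip.Zones)) {
        throw "Public IP $($pip.Name) has zones [$($pip.Zones -join ',')], expected [$($zones -join ',')]"
    }
}

# Stop the firewall, change the Zones property, then start it again. The Zones
# change is only applied by the Set-AzFirewall that follows Allocate().
$fw.Deallocate()
Set-AzFirewall -AzureFirewall $fw | Out-Null

$fw.Zones = $zones
$fw.Allocate($vnet, $pips)
Set-AzFirewall -AzureFirewall $fw
```

Expect the stop/start to interrupt traffic through the firewall for several minutes, so schedule it in a maintenance window.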
Application Rules
Application rules in Azure Firewall allow or deny outbound and east-west traffic based on the application layer (L7). This means you can filter traffic based on fully qualified domain names (FQDNs), URLs, and HTTP/HTTPS protocols.
You can use an application rule when you want to filter traffic based on FQDNs, URLs, or HTTP/HTTPS protocols. For example, you can create a rule to allow traffic to a specific FQDN, such as contoso.com.
Wildcards can be used in target URLs and target FQDNs in application rules. Asterisks work when placed on the right-most or left-most side. For example, *.contoso.com matches any subdomain of contoso.com.
Here are some examples of how wildcards work in target URLs and target FQDNs:
Note that not all combinations of wildcards are supported. For example, www.contoso.*/test/* is not supported.
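The three rule collection types from the configuration section, together with the application rule, FQDN tag and wildcard behaviour described above, assembled into one firewall policy as an added Azure PowerShell example (Az.Network module); this is not code from the page or its sources. The resource group, policy and public IP names, the address ranges, the DNS server and the jump-host address are assumed values.

```powershell
# Added example (not from the page). Assumed: rg-hub, policy hub-fw-policy,
# public IP pip-hub-fw, spoke range 10.0.0.0/16, DNS 10.10.0.53, jump host 10.0.1.4.
$rg     = "rg-hub"
$policy = Get-AzFirewallPolicy -Name "hub-fw-policy" -ResourceGroupName $rg
$fwPip  = (Get-AzPublicIpAddress -Name "pip-hub-fw" -ResourceGroupName $rg).IpAddress

# 1. DNAT collection: processed before network and application collections.
#    Publish RDP on the firewall's public IP and translate it to the jump host.
$natRule = New-AzFirewallPolicyNatRule -Name "rdp-to-jump" -Protocol "TCP" `
    -SourceAddress "*" -DestinationAddress $fwPip -DestinationPort "3389" `
    -TranslatedAddress "10.0.1.4" -TranslatedPort "3389"
$natColl = New-AzFirewallPolicyNatRuleCollection -Name "inbound-dnat" -Priority 100 `
    -Rule $natRule -ActionType "Dnat"

# 2. Network collection: L3/L4 match on address, protocol and port. Network
#    collections are evaluated before application collections, so a deny here
#    beats any application allow regardless of the priority numbers.
$dnsRule = New-AzFirewallPolicyNetworkRule -Name "allow-dns" -Protocol "UDP" `
    -SourceAddress "10.0.0.0/16" -DestinationAddress "10.10.0.53" -DestinationPort "53"
$netColl = New-AzFirewallPolicyFilterRuleCollection -Name "allow-dns-out" -Priority 200 `
    -Rule $dnsRule -ActionType "Allow"

# 3. Application collection: L7 match on an FQDN with a left-most wildcard
#    (any subdomain of contoso.com) and on the WindowsUpdate FQDN tag.
$webRule = New-AzFirewallPolicyApplicationRule -Name "allow-contoso" `
    -SourceAddress "10.0.0.0/16" -TargetFqdn "*.contoso.com" -Protocol "https:443"
$wuRule  = New-AzFirewallPolicyApplicationRule -Name "allow-windows-update" `
    -SourceAddress "10.0.0.0/16" -FqdnTag "WindowsUpdate" -Protocol "http:80", "https:443"
$appColl = New-AzFirewallPolicyFilterRuleCollection -Name "allow-web-out" -Priority 300 `
    -Rule $webRule, $wuRule -ActionType "Allow"

# One rule collection group holds all three collections; groups are ordered by
# their own priority. Traffic matching none of the rules hits the implicit deny.
New-AzFirewallPolicyRuleCollectionGroup -Name "hub-rcg" -Priority 200 `
    -RuleCollection $natColl, $netColl, $appColl -FirewallPolicyObject $policy
```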
TCP Idle Timeout
Azure Firewall's TCP Idle Timeout is set to four minutes, which means connections are closed if there's no activity. This setting isn't user configurable, but you can contact Azure Support to increase the Idle Timeout for inbound and outbound connections up to 15 minutes.
If a period of inactivity is longer than the timeout value, there's no guarantee that the TCP or HTTP session is maintained. A common practice is to use a TCP keep-alive to keep the connection active for a longer period.
The TCP Idle Timeout applies to both inbound and outbound connections, but it can't be changed for east-west traffic. This means you'll need to consider this limitation when designing your network architecture.
Choosing a /26 Subnet Size
Azure Firewall doesn't need a subnet bigger than /26. This is a crucial consideration for your configuration.
A /26 address space is required to accommodate the scaling of Azure Firewall, which must provision more virtual machine instances as it grows. This ensures that the firewall has enough IP addresses available.
Azure Firewall's scaling requirements are a key factor in determining the necessary subnet size.
Frequently Asked Questions
What is the Azure firewall?
Azure Firewall is a cloud-based network security solution that decrypts, scans, and encrypts internet traffic to protect against cyber threats. It also allows administrators to control access to specific website categories, such as social media or gambling.
What is the difference between Azure WAF and Azure firewall?
Azure WAF protects inbound traffic to web workloads in Application Gateway, while Azure Firewall inspects inbound traffic for other applications and also covers outbound flows. In short, WAF is for web traffic, Firewall is for all traffic.
What is the difference between Azure nsg and firewall?
Azure Firewall provides threat protection for workloads, while Azure Network Security Group (NSG) filters network traffic between Azure resources. Together, they offer a robust "defense-in-depth" network security solution.
How many types of firewalls are there in Azure?
There are three types of firewalls in Azure: Standard, Basic, and Premium, each designed to cater to different customer needs and security requirements. Azure Firewall Premium is recommended for highly sensitive applications that require advanced threat protection capabilities.