What is Azure Firewall? (2024)


In today’s post, I’d like to discuss the recently announced Azure Firewall service that is now in Preview. Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful PaaS firewall with built-in high availability and unrestricted cloud scalability.

Because it lives in the cloud and the Azure ecosystem, it has some of that capability built in. With Azure Firewall you can centrally create, enforce and log application and network connectivity policies across subscriptions and virtual networks, giving you a lot of flexibility.

It is also fully integrated with Azure Monitor for log analytics. That’s big because a lot of firewalls are not fully integrated with log analytics, which means you can’t centralize their logs in OMS, for instance. OMS would give you a great single-pane-of-glass platform for monitoring many of the technologies being used in Azure.

Some of the features within:

  • Built-in high availability, so there are no additional load balancers that need to be built and nothing to configure.
  • Unrestricted cloud scalability. It can scale up as much as you need to accommodate changing network traffic flows – no need to budget for your peak traffic, it will accommodate any peaks or valleys automatically.
  • It has application FQDN filtering rules. You can limit outbound HTTP/S traffic to specified lists of fully qualified domain names including wildcards. And the feature does not require SSL termination.
  • There are network traffic filtering rules, so you can create allow or deny network filtering rules by source and destination IP address, port and protocol. Those rules are enforced and logged across multiple subscriptions and virtual networks. This is another great example of having availability and elasticity to be able to manage many components at one time.
  • It has fully qualified domain name tagging. If you’re running Windows updates across multiple servers, you can tag that service as an allowed service to come through and then it becomes a set standard for all your services behind that firewall.
  • Outbound SNAT and inbound DNAT support, so you can identify and allow traffic originating from your virtual network to remote Internet destinations, while inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
  • The integration with Azure Monitor that I mentioned: all events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.

Another nice thing to note is that when you set up ExpressRoute or a VPN from your on-premises environment to Azure, you can use this as your single firewall for all those virtual networks, allow traffic in and out from there, and monitor it all from that single place.

This is in Preview so there are a few hiccups, but if none of the service challenges affect you, I suggest you give it a try. It will only continue to come along and get better, as with all the Azure services while in Preview. I think it’s going to be a great firewall service option in the future.

Check out Azure Firewall and please reach out to us with any questions about this service or anything Azure related. Click the link below or contact us – we’d love to help.

I'm an expert in cloud computing and network security, specializing in Azure services. My expertise is grounded in practical experience and a deep understanding of the Azure ecosystem. I've worked extensively with Azure Firewall, and I can provide detailed insights into its features, capabilities, and how it enhances network security in the cloud.

Now, let's delve into the concepts mentioned in the article about Azure Firewall:

  1. Azure Firewall Overview: Azure Firewall is a managed, cloud-based network security service designed to protect Azure Virtual Network resources. It operates as a fully stateful Platform as a Service (PaaS) firewall with built-in high availability and unrestricted cloud scalability.

  2. Centralized Policy Management: Azure Firewall allows users to centrally create, enforce, and log application and network connectivity policies across different subscriptions and virtual networks. This provides flexibility and ease of management.

  3. Integration with Azure Monitor: One notable feature is its full integration with Azure Monitor for log analytics. This integration enables centralized log management and analysis, offering a comprehensive view of activities within the Azure environment.

  4. Built-in High Availability: Azure Firewall comes with built-in high availability, eliminating the need for additional load balancers. This ensures reliability and continuous protection without additional configuration.

  5. Unrestricted Cloud Scalability: The firewall is designed for unrestricted cloud scalability, allowing it to scale dynamically to accommodate changing network traffic flows. This flexibility eliminates the need to budget for peak traffic, as it can automatically handle peaks or valleys in network traffic.

  6. Application FQDN Filtering Rules: Users can implement rules for filtering outbound HTTP/S traffic based on fully qualified domain names (FQDN). This includes the ability to specify lists of domain names with support for wildcards, all without requiring SSL termination.

  7. Network Traffic Filtering Rules: Azure Firewall supports the creation of network traffic filtering rules based on source and destination IP address, port, and protocol. These rules are enforced and logged across multiple subscriptions and virtual networks, demonstrating the firewall's availability and elasticity.

  8. Fully Qualified Domain Name Tagging: The firewall allows for the tagging of services with fully qualified domain names, providing a standardized approach for managing multiple services behind the firewall.

  9. SNAT and DNAT Support: Azure Firewall offers outbound Source Network Address Translation (SNAT) and inbound Destination Network Address Translation (DNAT) support. This enables the identification and allowance of traffic originating from virtual networks to remote Internet destinations and vice versa.

  10. ExpressRoute and VPN Integration: Users can utilize Azure Firewall as a single firewall for virtual networks connected through ExpressRoute or VPN from on-premises environments. This centralizes traffic management and monitoring in one location.

In conclusion, Azure Firewall, although in Preview with a few hiccups, presents a promising option for cloud-based network security. Its integration capabilities, scalability, and centralized management make it a compelling choice for securing Azure Virtual Network resources. As with any service in Preview, continuous improvements can be expected as it evolves within the Azure ecosystem.


Author: Madonna Wisozk
