When it comes to network security, we use firewalls for perimeter defense. They help to define security boundaries for infrastructure. There is much debate about the validity of perimeter defense against modern security threats, since security is now much more about identities. However, the firewall is still the most commonly used tool to control inbound and outbound communications in a network.
In Azure so far, we have been using Azure Network Security Groups or the host firewall to filter network traffic. Now Azure Firewall allows us to filter traffic passing through Azure Virtual Networks. It works as a fully stateful firewall. It is still in preview, but it is not too early to test its capabilities. Its key features are:
• Built-in High Availability – The firewall manages ingress and egress traffic of the network, so high availability of the edge firewall is really important. Azure Firewall is a cloud-based service and comes with built-in high availability. Users do not have to pay for or configure anything additional for HA.
• Domain-Based Filtering – Traditional firewall rules are based on IP addresses; we have to define the networks to allow or deny. Azure Firewall can block or allow access based on FQDN, and wildcards are supported.
• Works as a fully stateful firewall – Azure Firewall allows us to create inbound and outbound rules using networks, FQDNs, protocols and ports. It tracks the state of active connections and allows or denies the relevant packets through the firewall.
• Outbound Source Network Address Translation (SNAT) – All outgoing traffic from virtual networks is translated to the Azure Firewall public IP address. This allows us to identify and control traffic leaving our network for other destinations.
• Azure Monitor Integration – All firewall events are logged to Azure Monitor. If required, we can send them to Log Analytics for further analysis.
• No need to worry about upgrades – A hardware firewall has its own capacity limitations, whether port utilization, RAM or packet-processing power. Since Azure Firewall is a cloud-based service, none of those limitations apply to it; it scales up whenever needed.
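The following script is an added example (not the post's own demo) that exercises the features listed above end to end: it deploys an Azure Firewall, adds an FQDN-based application rule (including a wildcard entry) and a network rule, forces the workload subnet's default route through the firewall so that outbound traffic is actually inspected and SNATed, and sends the rule logs to a Log Analytics workspace. It assumes the Az PowerShell module and an authenticated session (at the time of the preview the same cmdlets carried the AzureRm prefix; the exact diagnostic-setting cmdlet available depends on your Az.Monitor version). All resource names, address ranges and target FQDNs are placeholders chosen for this example; the firewall subnet name, however, must be `AzureFirewallSubnet`.

```powershell
# Added example (not from the original post): deploy an Azure Firewall with an
# FQDN-based application rule, a network rule, a default route that forces
# workload traffic through the firewall, and diagnostics to Log Analytics.
# Assumes the Az PowerShell module and an authenticated session (Connect-AzAccount).
# All names, address ranges and FQDNs below are placeholders chosen for this example.

$rg       = 'rg-fw-demo'
$location = 'westeurope'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The firewall subnet MUST be named AzureFirewallSubnet and needs at least a /26.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.1.0/26'
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Workload' -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-fw-demo' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet, $wlSubnet

# Outbound traffic is SNATed to this public IP; the firewall needs a Standard SKU static IP.
$pip = New-AzPublicIpAddress -Name 'pip-fw-demo' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$azFw = New-AzFirewall -Name 'fw-demo' -ResourceGroupName $rg -Location $location `
    -VirtualNetworkName $vnet.Name -PublicIpName $pip.Name

# Application rule collection: allow HTTP/HTTPS from the workload subnet to one named
# site and to a wildcard FQDN. Anything not matched by a rule is denied by default.
$appRule = New-AzFirewallApplicationRule -Name 'allow-docs-and-github' `
    -SourceAddress '10.0.2.0/24' -TargetFqdn 'docs.microsoft.com', '*.github.com' `
    -Protocol 'http:80', 'https:443'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'app-allow' -Priority 200 `
    -Rule $appRule -ActionType Allow

# Network rule collection: allow DNS (TCP/UDP 53) from the workload subnet to the
# Azure-provided resolver, which is needed before FQDN rules can resolve anything.
$netRule = New-AzFirewallNetworkRule -Name 'allow-dns' -SourceAddress '10.0.2.0/24' `
    -DestinationAddress '168.63.129.16' -DestinationPort '53' -Protocol 'TCP', 'UDP'
$netColl = New-AzFirewallNetworkRuleCollection -Name 'net-allow' -Priority 200 `
    -Rule $netRule -ActionType Allow

$azFw.ApplicationRuleCollections.Add($appColl)
$azFw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $azFw | Out-Null

# Point the workload subnet's default route at the firewall's private IP so every
# outbound packet is inspected (and SNATed) by the firewall rather than bypassing it.
$fwPrivateIp = $azFw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp
$rt = New-AzRouteTable -Name 'rt-workload' -ResourceGroupName $rg -Location $location -Route $route
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload' `
    -AddressPrefix '10.0.2.0/24' -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Send application-rule and network-rule logs to a Log Analytics workspace so that
# allowed and denied connections can be reviewed and alerted on.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'law-fw-demo' `
    -Location $location -Sku 'PerGB2018'
Set-AzDiagnosticSetting -ResourceId $azFw.Id -WorkspaceId $ws.ResourceId -Enabled $true `
    -Category 'AzureFirewallApplicationRule', 'AzureFirewallNetworkRule' | Out-Null

"Firewall public IP: $($pip.IpAddress)  private IP: $fwPrivateIp"
```

A quick check after deployment is to run a web request from a VM in the Workload subnet to one of the allowed FQDNs and to one that is not listed; the first should succeed and the second should be rejected by the firewall, and both attempts appear in the AzureFirewallApplicationRule log category with their Allow or Deny action. Without the route table step, the subnet would still send traffic straight to the internet and the rules would never be evaluated.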
The current licensing model for this service is based on the volume of traffic (ingress and egress) that travels through the virtual network.
As it is still in preview, it does not come with any SLA. Therefore, do not use it in your production environment. It also has some known issues; you can read about them at https://docs.microsoft.com/en-gb/azure/firewall/overview .
In this demo I am going to set up Azure Firewall and test it using a few rules.