Monday, 17 June 2024

Azure Firewall Standard features

 

Azure Firewall Standard is a managed, cloud-based network security service that protects your Azure Virtual Network resources.

Azure Firewall includes the following features:

  • Built-in high availability
  • Availability Zones
  • Unrestricted cloud scalability
  • Application FQDN filtering rules
  • Network traffic filtering rules
  • FQDN tags
  • Service tags
  • Threat intelligence
  • DNS proxy
  • Custom DNS
  • FQDN in network rules
  • Deployment without public IP address in Forced Tunnel Mode
  • Outbound SNAT support
  • Inbound DNAT support
  • Multiple public IP addresses
  • Azure Monitor logging
  • Forced tunneling
  • Web categories
  • Certifications

To compare Azure Firewall features for all Firewall SKUs, see Choose the right Azure Firewall SKU to meet your needs.

Built-in high availability

High availability is built in, so no extra load balancers are required and there's nothing you need to configure.

Availability Zones

Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability. With Availability Zones, your availability increases to 99.99% uptime. For more information, see the Azure Firewall Service Level Agreement (SLA). The 99.99% uptime SLA is offered when two or more Availability Zones are selected.

You can also associate Azure Firewall with a specific zone just for proximity reasons, under the service's standard 99.95% SLA.

There's no extra cost for a firewall deployed in more than one Availability Zone. However, there are added costs for inbound and outbound data transfers associated with Availability Zones. For more information, see Bandwidth pricing details.

As the firewall scales, it creates instances in the zones it's in. So, if the firewall is in Zone 1 only, new instances are created in Zone 1. If the firewall is in all three zones, then it creates instances across the three zones as it scales.

Azure Firewall Availability Zones are available in regions that support Availability Zones. For more information, see Regions that support Availability Zones in Azure.

Note

Availability Zones can only be configured during deployment. You can't configure an existing firewall to include Availability Zones.

For more information about Availability Zones, see Regions and Availability Zones in Azure.

Unrestricted cloud scalability

Azure Firewall can scale out as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

Application FQDN filtering rules

You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature doesn't require TLS termination.

Network traffic filtering rules

You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

Azure Firewall supports stateful filtering of Layer 3 and Layer 4 network protocols. Layer 3 IP protocols can be filtered by selecting Any protocol in the network rule and selecting the wildcard * for the port.
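
As an added illustration (not part of the original page or Microsoft's own sample), the Bicep fragment below declares a Standard firewall across three Availability Zones with one network rule collection holding a port-scoped TCP rule next to a Layer 3 rule that uses the Any protocol with the wildcard port. The resource names, address ranges, API version and the two resource-ID parameters are assumptions.

```bicep
// Added example: every name, address range and ID parameter here is a constructed placeholder.
param location string = resourceGroup().location
param firewallSubnetId string // resource ID of an existing AzureFirewallSubnet (assumed)
param publicIpId string       // resource ID of an existing Standard SKU public IP (assumed)

resource firewall 'Microsoft.Network/azureFirewalls@2023-09-01' = {
  name: 'fw-example'
  location: location
  // Zones are fixed at deployment time; two or more zones qualify for the 99.99% SLA.
  zones: [ '1', '2', '3' ]
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: { subnet: { id: firewallSubnetId }, publicIPAddress: { id: publicIpId } }
      }
    ]
    networkRuleCollections: [
      {
        name: 'allow-workload-egress'
        properties: {
          priority: 300
          action: { type: 'Allow' }
          rules: [
            {
              // Layer 4 rule: scoped by protocol and destination port.
              name: 'sql-to-database-subnet'
              protocols: [ 'TCP' ]
              sourceAddresses: [ '10.0.1.0/24' ]
              destinationAddresses: [ '10.0.2.0/24' ]
              destinationPorts: [ '1433' ]
            }
            {
              // Layer 3 rule: Any protocol with the wildcard port, limited to one destination host.
              name: 'any-ip-protocol-to-appliance'
              protocols: [ 'Any' ]
              sourceAddresses: [ '10.0.1.0/24' ]
              destinationAddresses: [ '10.0.3.4' ]
              destinationPorts: [ '*' ]
            }
          ]
        }
      }
    ]
  }
}
```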
