Sunday 16 June 2024

What is Azure Firewall?

Azure Firewall is a cloud-native, intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It inspects both east-west and north-south traffic. For definitions of east-west and north-south traffic, see East-west and north-south traffic.

Azure Firewall is offered in three SKUs: Standard, Premium, and Basic.

Azure Firewall Standard

Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains that are updated in real time to protect against new and emerging attacks.

Firewall Standard overview

To learn about Firewall Standard features, see Azure Firewall Standard features.

Azure Firewall Premium

Azure Firewall Premium provides advanced capabilities, including signature-based IDPS, which allows rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic or known malicious instruction sequences used by malware. There are more than 67,000 signatures in over 50 categories that are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.

Firewall Premium overview

To learn about Firewall Premium features, see Azure Firewall Premium features.

Azure Firewall Basic

Azure Firewall Basic is intended for small and medium size (SMB) customers to secure their Azure cloud environments. It provides the essential protection SMB customers need at an affordable price point.

Diagram showing Firewall Basic.

What are security partner providers?

Security partner providers in Azure Firewall Manager allow you to use your familiar, best-in-breed, third-party security as a service (SECaaS) offerings to protect Internet access for your users.

With a quick configuration, you can secure a hub with a supported security partner, and route and filter Internet traffic from your Virtual Networks (VNets) or branch locations within a region. You can do this with automated route management, without setting up and managing User Defined Routes (UDRs).

You can deploy secured hubs configured with the security partner of your choice in multiple Azure regions to get connectivity and security for your users anywhere across the globe in those regions. With the ability to use the security partner’s offering for Internet/SaaS application traffic, and Azure Firewall for private traffic in the secured hubs, you can now start building your security edge on Azure that is close to your globally distributed users and applications.

The supported security partners are Zscaler, Check Point, and iboss.

Security partner providers

See the following video by Jack Tracey for a Zscaler overview:

Key scenarios

You can use the security partners to filter Internet traffic in the following scenarios:

  • Virtual Network (VNet)-to-Internet

    Use advanced user-aware Internet protection for your cloud workloads running on Azure.

  • Branch-to-Internet

    Use your Azure connectivity and global distribution to easily add third-party NSaaS filtering for branch-to-Internet scenarios. You can build your global transit network and security edge using Azure Virtual WAN.

The following scenarios are supported:

  • Two security providers in the hub

    VNet/Branch-to-Internet via a security partner provider and the other traffic (spoke-to-spoke, spoke-to-branch, branch-to-spoke) via Azure Firewall.

  • Single provider in the hub

    • All traffic (spoke-to-spoke, spoke-to-branch, branch-to-spoke, VNet/Branch-to-Internet) secured by Azure Firewall
      or
    • VNet/Branch-to-Internet via security partner provider

Best practices for Internet traffic filtering in secured virtual hubs

Internet traffic typically includes web traffic. But it also includes traffic destined to SaaS applications like Microsoft 365 and Azure public PaaS services like Azure Storage, Azure SQL, and so on. The following are best practice recommendations for handling traffic to these services:

Handling Azure PaaS traffic

  • Use Azure Firewall for protection if your traffic consists mostly of Azure PaaS, and the resource access for your applications can be filtered using IP addresses, FQDNs, Service tags, or FQDN tags.

  • Use a third-party partner solution in your hubs if your traffic consists of SaaS application access, or you need user-aware filtering (for example, for your virtual desktop infrastructure (VDI) workloads) or you need advanced Internet filtering capabilities.

Configure WAF policies using Azure Firewall Manager

Azure Firewall Manager is a platform to manage and protect your network security resources at scale. You can associate your WAF policies to an Application Gateway or Azure Front Door within Azure Firewall Manager, all in a single place.

View and manage WAF policies

In Azure Firewall Manager, you can create and view all WAF policies in one central place across subscriptions and regions.

To navigate to WAF policies, select the Web Application Firewall Policies tab on the left, under Security.

Screenshot showing Web Application Firewall policies in Firewall Manager.

Associate or dissociate WAF policies

In Azure Firewall Manager, you can create and view all WAF policies in your subscriptions. These policies can be associated or dissociated with an application delivery platform. Select the service and then select Manage Security.

Screenshot showing Manage Security in Firewall Manager.

Upgrade Application Gateway WAF configuration to WAF policy

For Application Gateway with WAF configuration, you can upgrade the WAF configuration to a WAF policy associated with Application Gateway.

The WAF policy can be shared to multiple application gateways. Also, a WAF policy allows you to take advantage of advanced and new features like bot protection, newer rule sets, and reduced false positives. New features are only released on WAF policies.

To upgrade a WAF configuration to a WAF policy, select Upgrade from WAF configuration from the desired application gateway.

Screenshot showing upgrade from WAF configuration.

Secure your virtual hub using Azure Firewall Manager

Using Azure Firewall Manager, you can create secured virtual hubs to secure your cloud network traffic destined to private IP addresses, Azure PaaS, and the Internet. Traffic routing to the firewall is automated, so there's no need to create user-defined routes (UDRs).

Firewall Manager also supports a hub virtual network architecture. For a comparison of the secured virtual hub and hub virtual network architecture types, see What are the Azure Firewall Manager architecture options?

In this tutorial, you learn how to:

  • Create the spoke virtual network
  • Create a secured virtual hub
  • Connect the hub and spoke virtual networks
  • Route traffic to your hub
  • Deploy the servers
  • Create a firewall policy and secure your hub
  • Test the firewall

 Important

The procedure in this tutorial uses Azure Firewall Manager to create a new Azure Virtual WAN secured hub. You can use Firewall Manager to upgrade an existing hub, but you can't configure Azure Availability Zones for Azure Firewall. It is also possible to convert an existing hub to a secured hub using the Azure portal, as described in Configure Azure Firewall in a Virtual WAN hub. But like Azure Firewall Manager, you can't configure Availability Zones. To upgrade an existing hub and specify Availability Zones for Azure Firewall (recommended) you must follow the upgrade procedure in Tutorial: Secure your virtual hub using Azure PowerShell.

Diagram showing the secure cloud network.

Prerequisites

If you don't have an Azure subscription, create a free account before you begin.

Create a hub and spoke architecture

First, create spoke virtual networks where you can place your servers.

Create two spoke virtual networks and subnets

The two virtual networks each have a workload server in them and are protected by the firewall.

  1. From the Azure portal home page, select Create a resource.
  2. Search for Virtual network, select it, and select Create.
  3. For Subscription, select your subscription.
  4. For Resource group, select Create new, and type fw-manager-rg for the name and select OK.
  5. For Virtual network name, type Spoke-01.
  6. For Region, select East US.
  7. Select Next.
  8. On the Security page, select Next.
  9. Under Add IPv4 address space, accept the default 10.0.0.0/16.
  10. Under Subnets, select default.
  11. For Name, type Workload-01-SN.
  12. For Starting address, type 10.0.1.0/24.
  13. Select Save.
  14. Select Review + create.
  15. Select Create.

Repeat this procedure to create another similar virtual network in the fw-manager-rg resource group:

Name: Spoke-02
Address space: 10.1.0.0/16
Subnet name: Workload-02-SN
Starting address: 10.1.1.0/24

Create the secured virtual hub

Create your secured virtual hub using Firewall Manager.

  1. From the Azure portal home page, select All services.

  2. In the search box, type Firewall Manager and select Firewall Manager.

  3. On the Firewall Manager page under Deployments, select Virtual hubs.

  4. On the Firewall Manager | Virtual hubs page, select Create new secured virtual hub.

    Screenshot of creating a new secured virtual hub.

  5. Select your Subscription.

  6. For Resource group, select fw-manager-rg.

  7. For Region, select East US.

  8. For the Secured virtual hub name, type Hub-01.

  9. For Hub address space, type 10.2.0.0/16.

  10. Select New vWAN.

  11. For the new virtual WAN name, type Vwan-01.

  12. For Type, select Standard.

  13. Leave the Include VPN gateway to enable Trusted Security Partners check box cleared.

    Screenshot of creating a new virtual hub with properties.

  14. Select Next: Azure Firewall.

  15. Accept the default Azure Firewall Enabled setting.

  16. For Azure Firewall tier, select Standard.

  17. Select the desired combination of Availability Zones.

 Important

A Virtual WAN is a collection of hubs and the services made available inside those hubs. You can deploy as many Virtual WANs as you need. A Virtual WAN hub hosts multiple services, such as VPN, ExpressRoute, and so on. If the region supports Availability Zones, each of these services is automatically deployed across them, except Azure Firewall, whose zones you choose here. To align with Azure Virtual WAN resiliency, you should select all available Availability Zones.

Screenshot of configuring Azure Firewall parameters.

  18. Type 1 in the Specify number of Public IP addresses text box.

  19. Under Firewall Policy, ensure Default Deny Policy is selected. You refine your settings later in this article.

  20. Select Next: Security Partner Provider.

    Screenshot of configuring Trusted Partners parameters.

  21. Accept the default Trusted Security Partner Disabled setting, and select Next: Review + create.

  22. Select Create.

    Screenshot of creating the Firewall instance.


Connect the hub and spoke virtual networks

Now you can peer the hub and spoke virtual networks.

  1. Select the fw-manager-rg resource group, then select the Vwan-01 virtual WAN.

  2. Under Connectivity, select Virtual network connections.

    Screenshot of adding Virtual Network connections.

  3. Select Add connection.

  4. For Connection name, type hub-spoke-01.

  5. For Hubs, select Hub-01.

  6. For Resource group, select fw-manager-rg.

  7. For Virtual network, select Spoke-01.

  8. Select Create.

  9. Repeat to connect the Spoke-02 virtual network: connection name - hub-spoke-02.

Deploy the servers

  1. On the Azure portal, select Create a resource.

  2. Select Windows Server 2019 Datacenter in the Popular list.

  3. Enter these values for the virtual machine:

    Setting: Value
    Resource group: fw-manager-rg
    Virtual machine name: Srv-Workload-01
    Region: (US) East US
    Administrator user name: type a user name
    Password: type a password
  4. Under Inbound port rules, for Public inbound ports, select None.

  5. Accept the other defaults and select Next: Disks.

  6. Accept the disk defaults and select Next: Networking.

  7. Select Spoke-01 for the virtual network and select Workload-01-SN for the subnet.

  8. For Public IP, select None.

  9. Accept the other defaults and select Next: Management.

  10. Select Next:Monitoring.

  11. Select Disable to disable boot diagnostics. Accept the other defaults and select Review + create.

  12. Review the settings on the summary page, and then select Create.

Use the information in the following table to configure another virtual machine named Srv-Workload-02. The rest of the configuration is the same as the Srv-Workload-01 virtual machine.

Setting: Value
Virtual network: Spoke-02
Subnet: Workload-02-SN

After the servers are deployed, select a server resource, and in Networking note the private IP address for each server.

Create a firewall policy and secure your hub

A firewall policy defines collections of rules to direct traffic on one or more Secured virtual hubs. You create your firewall policy and then secure your hub.

  1. From Firewall Manager, select Azure Firewall policies.

    Screenshot of creating an Azure Policy with first step.

  2. Select Create Azure Firewall Policy.

    Screenshot of configuring Azure Policy settings in first step.

  3. For Resource group, select fw-manager-rg.

  4. Under Policy details, for the Name type Policy-01 and for Region select East US.

  5. For Policy tier, select Standard.

  6. Select Next: DNS Settings.

    Screenshot of configuring DNS settings.

  7. Select Next: TLS Inspection.

    Screenshot of configuring TLS settings.

  8. Select Next : Rules.

  9. On the Rules tab, select Add a rule collection.

    Screenshot of configuring Rule Collection.

  10. On the Add a rule collection page, type App-RC-01 for the Name.

  11. For Rule collection type, select Application.

  12. For Priority, type 100.

  13. Ensure Rule collection action is Allow.

  14. For the rule Name, type Allow-msft.

  15. For the Source type, select IP address.

  16. For Source, type *.

  17. For Protocol, type http,https.

  18. Ensure Destination type is FQDN.

  19. For Destination, type *.microsoft.com.

  20. Select Add.

  21. Add a DNAT rule so you can connect a remote desktop to the Srv-Workload-01 virtual machine. Note that the Source of * used in this lab publishes RDP on the firewall's public IP to every Internet address; outside a lab, restrict Source to the address ranges that actually need access.

    1. Select Add a rule collection.
    2. For Name, type dnat-rdp.
    3. For Rule collection type, select DNAT.
    4. For Priority, type 100.
    5. For the rule Name, type Allow-rdp.
    6. For the Source type, select IP address.
    7. For Source, type *.
    8. For Protocol, select TCP.
    9. For Destination Ports, type 3389.
    10. For Destination, type the firewall public IP address that you noted previously.
    11. For Translated type, select IP Address.
    12. For Translated address, type the private IP address for Srv-Workload-01 that you noted previously.
    13. For Translated port, type 3389.
    14. Select Add.
  22. Add a Network rule so you can connect a remote desktop from Srv-Workload-01 to Srv-Workload-02. (The lab uses a Source of *; a tighter rule would use the Workload-01-SN range, 10.0.1.0/24, as the source.)

    1. Select Add a rule collection.
    2. For Name, type vnet-rdp.
    3. For Rule collection type, select Network.
    4. For Priority, type 100.
    5. For Rule collection action, select Allow.
    6. For the rule Name type Allow-vnet.
    7. For the Source type, select IP address.
    8. For Source, type *.
    9. For Protocol, select TCP.
    10. For Destination Ports, type 3389.
    11. For Destination Type, select IP Address.
    12. For Destination, type the Srv-Workload-02 private IP address that you noted previously.
    13. Select Add.
  23. Select Next: IDPS.

  24. On the IDPS page, select Next: Threat Intelligence.

    Screenshot of configuring IDPS settings.

  25. On the Threat Intelligence page, accept the defaults and select Review + create.

    Screenshot of configuring Threat Intelligence settings.

  26. Review to confirm your selection and then select Create.
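The same policy, built with Az PowerShell instead of the portal, as an added example that is not part of the original tutorial. It assumes the Az.Network module is installed, Connect-AzAccount has been run, and the fw-manager-rg resource group exists; the IP addresses are placeholders you replace with the hub firewall's public IP and the two workload private IPs noted earlier. Two deliberate departures from the portal steps are labelled in the comments: the DNAT and network rules use narrowed sources rather than *, and each rule collection is placed in its own rule collection group, as the portal does by default.

```powershell
# Added example (not from the tutorial): recreate Policy-01 with Az PowerShell.
# Assumptions: Az.Network module, an authenticated session (Connect-AzAccount),
# and resource group fw-manager-rg. All addresses below are placeholders.
$rg         = 'fw-manager-rg'
$location   = 'eastus'
$fwPublicIp = '203.0.113.10'        # placeholder: hub firewall public IP (RFC 5737 test range)
$workload01 = '10.0.1.4'            # placeholder: Srv-Workload-01 private IP
$workload02 = '10.1.1.4'            # placeholder: Srv-Workload-02 private IP
$rdpSources = @('198.51.100.0/24')  # placeholder: admin egress range; the portal steps use '*'

# Policy shell: Standard tier, same name and region as the portal steps.
$policy = New-AzFirewallPolicy -Name 'Policy-01' -ResourceGroupName $rg `
    -Location $location -SkuTier Standard

# Application rule collection App-RC-01: HTTP/HTTPS from any source to *.microsoft.com.
$appRule = New-AzFirewallPolicyApplicationRule -Name 'Allow-msft' -SourceAddress '*' `
    -Protocol 'http:80', 'https:443' -TargetFqdn '*.microsoft.com'
$appRc = New-AzFirewallPolicyFilterRuleCollection -Name 'App-RC-01' -Priority 100 `
    -Rule $appRule -ActionType Allow

# DNAT rule collection dnat-rdp: publish RDP to Srv-Workload-01 via the firewall public IP.
# Source is $rdpSources, not '*': with '*' the rule exposes RDP to the whole Internet.
$natRule = New-AzFirewallPolicyNatRule -Name 'Allow-rdp' -SourceAddress $rdpSources `
    -Protocol TCP -DestinationAddress $fwPublicIp -DestinationPort 3389 `
    -TranslatedAddress $workload01 -TranslatedPort 3389
$natRc = New-AzFirewallPolicyNatRuleCollection -Name 'dnat-rdp' -Priority 100 `
    -Rule $natRule -ActionType Dnat

# Network rule collection vnet-rdp: RDP from the Workload-01-SN subnet to Srv-Workload-02.
# Source is the spoke subnet (10.0.1.0/24) rather than '*', matching the stated intent.
$netRule = New-AzFirewallPolicyNetworkRule -Name 'Allow-vnet' -SourceAddress '10.0.1.0/24' `
    -Protocol TCP -DestinationAddress $workload02 -DestinationPort 3389
$netRc = New-AzFirewallPolicyFilterRuleCollection -Name 'vnet-rdp' -Priority 100 `
    -Rule $netRule -ActionType Allow

# One rule collection group per collection type, using the portal's default group names.
# Azure Firewall evaluates DNAT rules before network rules, and network rules before
# application rules, so the group priorities below follow that processing order.
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultDnatRuleCollectionGroup' -Priority 100 `
    -RuleCollection $natRc -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultNetworkRuleCollectionGroup' -Priority 200 `
    -RuleCollection $netRc -FirewallPolicyObject $policy
New-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultApplicationRuleCollectionGroup' -Priority 300 `
    -RuleCollection $appRc -FirewallPolicyObject $policy

# Review the DNAT group before associating the policy with the hub: confirm the
# source list is the narrowed range and not '*'.
$dnatGroup = Get-AzFirewallPolicyRuleCollectionGroup -Name 'DefaultDnatRuleCollectionGroup' `
    -AzureFirewallPolicyName 'Policy-01' -ResourceGroupName $rg
$dnatGroup.Properties.RuleCollection | ForEach-Object { $_.Rules } |
    Format-List Name, SourceAddresses, DestinationAddresses, DestinationPorts, TranslatedAddress
```

Associating the policy with Hub-01 is done in Firewall Manager exactly as in the next section; the script only produces the policy. If you later need a second hub to enforce the same rules, associate this one policy with both hubs rather than cloning it, so the DNAT source restriction cannot drift between copies.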

Associate policy

Associate the firewall policy with the hub.

  1. From Firewall Manager, select Azure Firewall Policies.

  2. Select the check box for Policy-01.

  3. Select Manage associations, then select Associate hubs.

    Screenshot of configuring Policy association.

  4. Select Hub-01.

  5. Select Add.

    Screenshot of adding Policy and Hub settings.

Route traffic to your hub

Now you must ensure that network traffic gets routed through your firewall.

  1. From Firewall Manager, select Virtual hubs.

  2. Select Hub-01.

  3. Under Settings, select Security configuration.

  4. Under Internet traffic, select Azure Firewall.

  5. Under Private traffic, select Send via Azure Firewall.


  6. Under Inter-hub, select Enabled to enable the Virtual WAN routing intent feature. Routing intent is the mechanism through which you can configure Virtual WAN to route branch-to-branch (on-premises to on-premises) traffic via Azure Firewall deployed in the Virtual WAN Hub. For more information regarding prerequisites and considerations associated with the routing intent feature, see Routing Intent documentation.

  7. Select Save.

  8. Select OK on the Warning dialog.

    Screenshot of Secure Connections.

  9. Select OK on the Migrate to use inter-hub dialog.


  10. Verify that the two connections show Azure Firewall secures both Internet and private traffic.

    Screenshot of Secure Connections final status.
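The security configuration above, applied with Az PowerShell instead of the portal, as an added example that is not part of the original tutorial. It assumes an authenticated Az session, an Az.Network version that includes the Virtual WAN routing intent cmdlets, and that the secured hub's firewall is named AzureFirewall_Hub-01 (the name Firewall Manager gives the firewall it creates in a hub; adjust if yours differs). Selecting Azure Firewall for both Internet and private traffic in the portal corresponds to one routing intent with two routing policies, both pointing at the firewall.

```powershell
# Added example (not from the tutorial): create the hub routing intent that sends
# Internet-bound and private traffic through the hub firewall.
# Assumptions: authenticated Az session, Az.Network with *-AzVHubRoutingIntent cmdlets,
# and a hub firewall named AzureFirewall_Hub-01 (assumed name; check in Firewall Manager).
$rg  = 'fw-manager-rg'
$hub = 'Hub-01'
$fw  = Get-AzFirewall -ResourceGroupName $rg -Name "AzureFirewall_$hub"

# 'Internet' covers Internet-bound traffic; 'PrivateTraffic' covers the RFC 1918 ranges
# by default. Both policies use the firewall resource ID as next hop.
$toInternet = New-AzVHubRoutingPolicy -Name 'PublicTraffic'  -Destination @('Internet')       -NextHop $fw.Id
$toPrivate  = New-AzVHubRoutingPolicy -Name 'PrivateTraffic' -Destination @('PrivateTraffic') -NextHop $fw.Id

# Creating the routing intent is what replaces per-connection UDRs: the hub now
# programs routes to the firewall for every connected spoke and branch.
New-AzVHubRoutingIntent -ResourceGroupName $rg -HubName $hub -Name 'hubRoutingIntent' `
    -RoutingPolicy @($toInternet, $toPrivate)

# Verify: both policies should be present, each with the firewall ID as next hop.
# A hub with only the Internet policy leaves spoke-to-spoke traffic uninspected.
$intent = Get-AzVHubRoutingIntent -ResourceGroupName $rg -HubName $hub -Name 'hubRoutingIntent'
$intent.RoutingPolicy | Format-List
```

Whether you use the portal or this script, check the result the same way: every spoke connection on Hub-01 should report that Azure Firewall secures both Internet and private traffic, and an RDP attempt from Srv-Workload-01 to Srv-Workload-02 should appear in the firewall's network rule log rather than succeeding silently via direct VNet-to-VNet routing.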