Monday, 17 June 2024

Introduction to Azure Firewall

 

Introduction to Azure Firewall

Microsoft recently announced the availability of a long-awaited service required by the users of systems in the Azure environment , it is the’Azure Firewall. The Azure Firewall is a new managed service and fully integrated into the Microsoft public cloud, that allows you to secure the resources present on the Virtual Networks of Azure. This article will look at the main features of this new service, currently in preview, and it will indicate the procedure to be followed for its activation and configuration.

Figure 1 – Positioning of Azure Firewall in network architecture

The Azure Firewall is a type of firewall stateful, which makes it possible to centrally control, through policy enforcement, network communication streams, all cross subscriptions and cross virtual networks. This service, in the presence of type of network architectures hub-and-spoke, lends itself to be placed in the Hub network, in order to obtain a complete control of the traffic.

The Azure Firewall features, currently available in this phase of public preview, are the following:

  • High availability (HA) Built-in: high availability is integrated into the service and are not required specific configurations or add-ons to make it effective. This is definitely an element that distinguishes it compared to third-party solutions that, for the configuration of Network Virtual Appliance (NVA) in HA, typically require the configuration of additional load balancers.
  • Unrestricted cloud scalability: Azure Firewall allows you to scale easily to adapt to any change of network streams.
  • FQDN filtering: you have the option to restrict outbound HTTP/S traffic towards a specific list of fully qualified domain names (FQDN), with the ability to use wild card characters in the creation of rules.
  • Network traffic filtering rules: You can create rules to allow or of deny to filter the network traffic based on the following elements: source IP address, destination IP address, ports and protocols.
  • Outbound SNAT support: to the Azure Firewall is assigned a public static IP address, which will be used by outbound traffic (Source Network Address Translation), generated by the resources of the Azure virtual network, allowing easy identification from remote Internet destinations.
  • Azure Monitor logging: all events of Azure Firewall can be integrated into Azure Monitor. In the settings of the diagnostic logs you are allowed to enable archiving of logs in a storage account, stream to an Event Hub, or set the sending to a workspace of OMS Log Analytics.

Azure Firewall is currently in a managed public preview, which means that to implement it is necessary to explicitly perform the enable via the PowerShell command Register-AzureRmProviderFeature.

Figure 02 – PowerShell commands for enabling the public preview of Azure Firewall

Feature registration can take up to 30 minutes and you can monitor the status of registration with the following PowerShell commands:

Figure 03 – PowerShell commands to verify the status of enabling Azure Firewall

After registration, you must run the following PowerShell command:

Figure 04 – Registration command of Network Provider

To deploy the Azure Firewall on a specific Virtual Network requires the presence of a subnet called AzureFirewallSubnet, that must be configured with a sunbnet mask at least /25.

Figure 05 – Creation of the subnet AzureFirewallSubnet

To deploy Azure Firewall from the Azure portal, you must select Create a resource, Networking and later See all:

Figure 06 - Search Azure Firewall in Azure resources

Filtering for Firewall will also appear the new resource Azure Firewall:

Figure 07 – Microsoft Firewall resource selection

By starting the creation process you will see the following screen that prompts you to enter the necessary parameters for the deployment:

Figure 08 – Parameters required for the deployment of the Firewall

Figure 09 – Review of selected parameters and confirmation of creation

In order to bring outbound traffic of a given subnet to the firewall you must create a route table that contains a route with the following characteristics:

Figure 10 - Creation of the Rule of traffic forwarding to the Firewall Service

Although Azure Firewall is a managed service, you must specify Virtual appliance as next hop. The address of the next hop will be the private IP of Azure Firewall.

The route table must be associated with the virtual network that you want to control with Azure Firewall.

Figure 11 - Association of the route table to the subnet

At this point, for systems on the subnet that forwards the traffic to the Firewall, is not allowed outgoing traffic, as long as it is not explicitly enabled:

Figure 12 – Try to access blocked website from Azure Firewall

Azure Firewall provides the following types of rules to control outbound traffic.

Figure 13 – The available rule Types

  • Application rules: to configure access to specific fully qualified domain names (FQDNs) from a given subnet.

Figure 14 - Creating Application rule to allow access to a specific website

  • Network rules: enable the configuration of rules that contain the source address, the protocol, the address and port of destination.

Azure Firewall Standard features

 

Azure Firewall Standard features

Azure Firewall Standard is a managed, cloud-based network security service that protects your Azure Virtual Network resources.

Azure Firewall Standard features

Azure Firewall includes the following features:

  • Built-in high availability
  • Availability Zones
  • Unrestricted cloud scalability
  • Application FQDN filtering rules
  • Network traffic filtering rules
  • FQDN tags
  • Service tags
  • Threat intelligence
  • DNS proxy
  • Custom DNS
  • FQDN in network rules
  • Deployment without public IP address in Forced Tunnel Mode
  • Outbound SNAT support
  • Inbound DNAT support
  • Multiple public IP addresses
  • Azure Monitor logging
  • Forced tunneling
  • Web categories
  • Certifications

To compare Azure Firewall features for all Firewall SKUs, see Choose the right Azure Firewall SKU to meet your needs.

Built-in high availability

High availability is built in, so no extra load balancers are required and there's nothing you need to configure.

Availability Zones

Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability. With Availability Zones, your availability increases to 99.99% uptime. For more information, see the Azure Firewall Service Level Agreement (SLA). The 99.99% uptime SLA is offered when two or more Availability Zones are selected.

You can also associate Azure Firewall to a specific zone just for proximity reasons, using the service standard 99.95% SLA.

There's no extra cost for a firewall deployed in more than one Availability Zone. However, there are added costs for inbound and outbound data transfers associated with Availability Zones. For more information, see Bandwidth pricing details.

As the firewall scales, it creates instances in the zones it's in. So, if the firewall is in Zone 1 only, new instances are created in Zone 1. If the firewall is in all three zones, then it creates instances across the three zones as it scales.

Azure Firewall Availability Zones are available in regions that support Availability Zones. For more information, see Regions that support Availability Zones in Azure.

 Note

Availability Zones can only be configured during deployment. You can't configure an existing firewall to include Availability Zones.

For more information about Availability Zones, see Regions and Availability Zones in Azure.

Unrestricted cloud scalability

Azure Firewall can scale out as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.

Application FQDN filtering rules

You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN) including wild cards. This feature doesn't require TLS termination.

The following video shows how to create an application rule:

Network traffic filtering rules

You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

Azure Firewall supports stateful filtering of Layer 3 and Layer 4 network protocols. Layer 3 IP protocols can be filtered by selecting Any protocol in the Network rule and select the wild-card * for the port.

Difference Between NSG and Firewall

Difference Between NSG and Firewall

Azure Firewall

Managed Firewall Service: Azure Firewall is a cloud-based, intelligent firewall that secures your virtual network (VNet) traffic. It automatically detects workloads and protects them from threats.

  1. Deep Packet Inspection (DPI): Azure Firewall inspects traffic at Layers 3,4 & 7 of the OSI model, providing granular control over network traffic.
  2. Threat Intelligence: It leverages Microsoft’s threat intelligence to identify and block malicious traffic in real-time.
  3. Features:
    • Advanced features like SNAT (Source Network Address Translation) and DNAT (Destination Network Address Translation) for managing public IP addresses.
    • Service Tags and FQDN Tags for simplified security rule creation.

Checkout the detailed Blog on Azure Firewall

Azure Firewall Standard

Azure Firewall Standard provides L3-L7 filtering and threat intelligence directly from Microsoft Web Security.
Threat-based filtering can alert and deny traffic to and from known IP addresses and domains, and is updated in real time to prevent attacks.

Azure Firewall Premium

Azure Firewall Premium has advanced features such as signature-based IDPS, which provides rapid detection of attacks by searching for specific patterns. These patterns can include byte segments on network connections or known malicious instructions used by malware. More than 58,000 signatures across 50+ categories are updated in real time to prevent new and emerging vulnerabilities. Valid groups include malware, phishing, coin mining, and Trojan horse attacks.

Azure Firewall Basic

Azure Firewall Basic is similar to Firewall Standard with the following important limitations:

Threat only supports Intel Alert Mode
Fixed scaling units backend instance for running programs on two virtual machines
Recommended to estimate competition of about 250Mbps

How does Firewall Azure Work?

Azure firewall offers enough features to provide optimized control over the in and out network traffic. It eliminates the need for Load Balancer configuration because of its high availability. Microsoft Azure ensures 99.99% availability of its resources due to its availability zone feature. It does not charge anything extra for scalability. You pay only for what you use.

Azure Firewall working overview

Moreover, it also allows restriction on outbound traffic by specifying the FQDN service. You can create your own defined rules using Azure Firewall to filter networks based on source IP, destination IP, port, and protocol. These rules further show the status as Allow or Deny status. It also enables threat intelligence features that can identify malicious IP addresses and irrelevant traffic.

Read Microsoft Defender for Cloud [AZ-500]: Everything You Should Know

Azure Network Security Groups (NSG)

  • Basic Firewall for Traffic Filtering: NSG is a stateful firewall that filters traffic entering or leaving your VNet based on pre-defined rules.
  • Layer 3 & 4 Security: NSG operates at Layers 3 (network) and 4 (transport) of the OSI model, offering basic traffic filtering.
  • Granular Control: You can define rules to allow or deny traffic based on source/destination IP addresses, ports, and protocols.

Check out: Azure Networking

How does Azure Network Security Groups work?

Azure NSG Working

Azure Network Security Group (NSG) is a great solution offered by Microsoft to protect virtual networks. Using this, administrators can comfortably organize, filter, direct, and limit various network traffic flows. You can set different inbound and outbound rules to allow or deny a specific type of traffic to configure Azure Network Security Group. If you want to use Azure Network Security Groups, you need to create and configure individual rules.

You can define any rules required as per the situation, such as to define whether the traffic flowing through the network is safe and needs to be permitted or not.

Also Check: Top 10 Best Practices for Azure Security

Difference Between Azure Firewall and Network Security Group

FeatureAzure FirewallNetwork Security Groups (NSG)
Service TypeManaged Firewall ServiceStateful Firewall
Security LevelAdvanced (L3, L4, L7)Basic (L3, L4)
Threat IntelligenceYesNo
SNAT/DNATYesNo
Application SecurityYes (L7 inspection)No

Check out: AZ-500 Exam – Microsoft Azure Security Technologies Certification

Azure Firewall and NSG in Conjunction

Both Azure Firewall and NSG provide security, but combining them increases your defences. NSGs provide you granular control over your VNet, such as allowing RDP access to a certain subnet only from authorised internal machines. Azure Firewall serves as a centralised gateway, monitoring all incoming and outgoing traffic while providing enhanced threat prevention. Together, they provide multilayer security, including granular internal control and a strong exterior security barrier.