Azure Firewall

Azure Firewall Overview

Azure Firewall is a managed, cloud-based network security service that protects Azure Virtual Network resources. It is a fully stateful firewall as a service, with:

  • Built-in high availability

  • Unlimited cloud scalability

  • Centralized creation, enforcement, and logging of application and network connectivity policies

  • Static public IP for your virtual network resources, so external firewalls can identify traffic originating from your VNet

  • Fully integrated with Azure Monitor for logging and analytics


Key Features

  1. High Availability

    • No extra load balancers required

    • Built-in redundancy

  2. Availability Zones

    • Can span multiple Availability Zones for resilience

  3. Scalability

    • Can scale dynamically to accommodate traffic

  4. Application FQDN Filtering

    • Limit outbound HTTP/S or Azure SQL traffic to specific FQDNs, including wildcards

  5. Network Traffic Filtering

    • Create allow/deny rules by source/destination IP, port, and protocol

    • Fully stateful; rules are enforced and logged centrally across multiple subscriptions and virtual networks

  6. Threat Intelligence

    • Alerts on, or alerts and denies, traffic to and from IP addresses and domains in the Microsoft threat-intelligence feed (mode is configurable: Off, Alert only, or Alert and deny)

  7. Multiple Public IP Addresses

    • Multiple public IPs can be associated (the current limit is 250; older documentation says 100), e.g. separate addresses for DNAT of different services and for SNAT


Implementing Azure Firewall

Example setup:

  1. Create network infrastructure:

    • Virtual network with three subnets: AzureFirewallSubnet (the name is mandatory, minimum /26), a workload subnet, and a jump-box subnet

  2. Deploy the firewall:

    • Into AzureFirewallSubnet, with a Standard-SKU static public IP and a private IP

    • The private IP is the next hop used in the routing table; the public IP is what DNAT rules target and what outbound traffic is SNATed to

  3. Create a default route:

    • A user-defined route for 0.0.0.0/0 with next hop type Virtual appliance and next-hop address the firewall's private IP, associated with the workload subnet (not the firewall subnet)

  4. Configure rules: application rules for outbound HTTP/S by FQDN, network rules for other protocols, DNAT rules for inbound access

Production recommendation: Use a Hub and Spoke model, with the firewall in its own hub VNET and workload servers in peered spoke VNETs; each spoke subnet gets a route table whose default route points at the firewall's private IP.
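The four setup steps above as one Azure PowerShell (Az module) script. This is an added example, not code from the original page; the resource names, the East US region, the address ranges and the target FQDN are assumptions. It must be run in a session already signed in with Connect-AzAccount, against a test subscription, because it creates billable resources.

```powershell
# Added example (not from the original page): deploy Azure Firewall into a test VNet
# and route a workload subnet through it. Names, region and ranges are assumptions.
$rgName   = "Test-FW-RG"
$location = "East US"

New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# 1. Network: the firewall subnet MUST be named AzureFirewallSubnet (at least a /26).
$fwSubnet   = New-AzVirtualNetworkSubnetConfig -Name "AzureFirewallSubnet" -AddressPrefix "10.0.1.0/26"
$workSubnet = New-AzVirtualNetworkSubnetConfig -Name "Workload-SN" -AddressPrefix "10.0.2.0/24"
$jumpSubnet = New-AzVirtualNetworkSubnetConfig -Name "Jump-SN" -AddressPrefix "10.0.3.0/24"
$vnet = New-AzVirtualNetwork -Name "Test-FW-VN" -ResourceGroupName $rgName -Location $location `
    -AddressPrefix "10.0.0.0/16" -Subnet $fwSubnet, $workSubnet, $jumpSubnet

# 2. Firewall: needs a Standard-SKU static public IP; it also gets a private IP
#    from AzureFirewallSubnet, which is what the route table points at.
$fwPip = New-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $rgName -Location $location `
    -AllocationMethod Static -Sku Standard
$azfw = New-AzFirewall -Name "Test-FW01" -ResourceGroupName $rgName -Location $location `
    -VirtualNetwork $vnet -PublicIpAddress $fwPip
$fwPrivateIp = $azfw.IpConfigurations[0].PrivateIPAddress

# 3. Default route: send everything leaving Workload-SN to the firewall's private IP.
#    BGP propagation is disabled so a learned default route cannot bypass the firewall.
#    Jump-SN deliberately keeps the system routes so an admin can still reach the jump box.
$rt = New-AzRouteTable -Name "Firewall-rt-table" -ResourceGroupName $rgName -Location $location `
    -DisableBgpRoutePropagation
Add-AzRouteConfig -Name "DG-Route" -RouteTable $rt -AddressPrefix "0.0.0.0/0" `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwPrivateIp | Set-AzRouteTable | Out-Null
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name "Workload-SN" `
    -AddressPrefix "10.0.2.0/24" -RouteTable $rt | Set-AzVirtualNetwork | Out-Null

# 4. Application rule: the workload subnet may reach exactly one FQDN over HTTP/S.
#    Everything else outbound from 10.0.2.0/24 stays denied (default deny).
$appRule = New-AzFirewallApplicationRule -Name "Allow-Example" -SourceAddress "10.0.2.0/24" `
    -TargetFqdn "www.example.com" -Protocol "http:80", "https:443"
$appColl = New-AzFirewallApplicationRuleCollection -Name "App-Coll01" -Priority 200 `
    -ActionType Allow -Rule $appRule
$azfw.ApplicationRuleCollections.Add($appColl)
Set-AzFirewall -AzureFirewall $azfw | Out-Null
```

To check the result, browse from a VM in Workload-SN: www.example.com loads, any other site is denied, and both decisions appear in the AzureFirewallApplicationRule log category once diagnostic settings send the firewall logs to a Log Analytics workspace.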


Firewall Rule Types

By default, all traffic is blocked. Rules must be configured to allow traffic.

1. NAT Rules (DNAT)

Translate traffic arriving at one of the firewall's public IPs and ports to a private address and port inside the VNET. Useful for exposing services like SSH, RDP, or custom ports; restrict the source addresses to the networks that need access rather than leaving them as *.

Configuration settings:

  • Name

  • Protocol (TCP/UDP)

  • Source Address (* / specific IP / CIDR)

  • Destination Address (one of the firewall's public IPs)

  • Destination Ports

  • Translated Address (internal service)

  • Translated Port

A DNAT rule implicitly adds a corresponding network rule that allows the translated traffic, so no separate network rule is needed for the inbound flow.


2. Network Rules

Layer 3/4 allow or deny rules for non-HTTP/S traffic (or any traffic matched by IP rather than FQDN) between subnets, peered VNETs, on-premises, or the Internet.

Configuration settings:

  • Name

  • Protocol (TCP, UDP, ICMP, Any)

  • Source Address / CIDR

  • Destination Address(es) / CIDR

  • Destination Port


3. Application Rules

Control outbound HTTP, HTTPS, and Azure SQL access by FQDN. The FQDN is taken from the HTTP Host header or the TLS SNI; the firewall does not decrypt TLS unless TLS inspection (Premium SKU) is enabled.

Configuration settings:

  • Name

  • Source Addresses

  • Protocol:Port (http:80, https:443, mssql:1433)

  • Target FQDNs (supports wildcards)

FQDN tags exist for Microsoft services like Windows Update or Azure Backup; a tag stands for a Microsoft-maintained group of FQDNs and cannot be edited.


Rule Processing Order

  1. DNAT Rules (inbound; each one implicitly adds its own network rule)

  2. Network Rules

  3. Application Rules

Threat-intelligence filtering, if enabled, is evaluated before any of these. Rules are terminating: the first matching rule decides (allow or deny) and no further rules are checked. Network rule collections are processed before application rule collections regardless of their priority values, so a network-rule deny on TCP/443 cannot be overridden by an application-rule allow. Application rules are only reached when no network rule matched and the protocol is HTTP, HTTPS, or MSSQL; anything else that matches no rule is denied.
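The three rule types and the processing order above as one Azure PowerShell (Az module) script against an existing firewall. This is an added example, not code from the original page; it uses classic rule collections on the firewall resource (Firewall Policy offers the same three rule types), and the firewall name, resource group, admin range, resolver addresses, jump-host IP and FQDNs are assumptions.

```powershell
# Added example (not from the original page): one DNAT, one network and one application
# rule collection on an existing firewall. All names and addresses are assumptions.
$rgName = "Test-FW-RG"
$azfw   = Get-AzFirewall -Name "Test-FW01" -ResourceGroupName $rgName
$fwPip  = Get-AzPublicIpAddress -Name "fw-pip" -ResourceGroupName $rgName

# 1. DNAT (evaluated first): expose RDP on the firewall's public IP, translated to a
#    jump host at 10.0.3.4. The source is limited to an assumed admin range; "*" would
#    expose RDP to the whole Internet. The matching network rule is added implicitly.
$natRule = New-AzFirewallNatRule -Name "RDP-to-Jump" -Protocol TCP -SourceAddress "203.0.113.0/24" `
    -DestinationAddress $fwPip.IpAddress -DestinationPort 3389 `
    -TranslatedAddress "10.0.3.4" -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name "NAT-Coll01" -Priority 100 -Rule $natRule
$azfw.NatRuleCollections.Add($natColl)

# 2. Network rule (evaluated second): DNS over UDP/53 from the workload subnet to two
#    assumed resolvers only. TCP/443 from the same subnet does not match here, so it
#    falls through to the application rules instead of being denied.
$netRule = New-AzFirewallNetworkRule -Name "Allow-DNS" -Protocol UDP -SourceAddress "10.0.2.0/24" `
    -DestinationAddress "203.0.113.53", "203.0.113.54" -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "Net-Coll01" -Priority 200 `
    -ActionType Allow -Rule $netRule
$azfw.NetworkRuleCollections.Add($netColl)

# 3. Application rules (evaluated last, HTTP/HTTPS/MSSQL only): a wildcard FQDN over
#    HTTPS plus the WindowsUpdate FQDN tag. An FQDN-tag rule takes no protocol argument.
$appRule1 = New-AzFirewallApplicationRule -Name "Allow-MS-Wildcard" -SourceAddress "10.0.2.0/24" `
    -TargetFqdn "*.microsoft.com" -Protocol "https:443"
$appRule2 = New-AzFirewallApplicationRule -Name "Allow-WU" -SourceAddress "10.0.2.0/24" -FqdnTag WindowsUpdate
$appColl = New-AzFirewallApplicationRuleCollection -Name "App-Coll02" -Priority 300 `
    -ActionType Allow -Rule $appRule1, $appRule2
$azfw.ApplicationRuleCollections.Add($appColl)

# Commit all three collections in one firewall update.
Set-AzFirewall -AzureFirewall $azfw | Out-Null
```

With this in place an HTTPS request from 10.0.2.0/24 to login.microsoft.com is allowed by the application rule, the same request to any other host is denied by default, and an inbound RDP attempt from outside 203.0.113.0/24 never matches the DNAT rule and is dropped.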

