Azure Firewall: Elevating Security with Managed Network Protection

In this article, we delve into Azure Firewall, Microsoft’s managed, cloud-based firewall service. Firewalls play an essential role in network security by monitoring and filtering incoming and outgoing traffic based on predefined security rules. Azure Firewall offers advanced security features like filtering traffic by Fully Qualified Domain Names (FQDN), integration with Azure Monitor for logging and analytics, and high availability for robust performance. Let’s explore how Azure Firewall works, its core features, and how you can use it to safeguard your Azure-based infrastructure.

What is a Firewall?

A firewall is a security system that controls and monitors traffic to and from a network. It can filter traffic based on various parameters such as IP addresses, protocols, and, in more advanced setups, by the domain name or even the content of data packets. There are several types of firewalls:

1. Basic Firewalls: Filter based on IP addresses and protocols, much like network security groups (NSGs) in Azure.
2. Advanced Firewalls: Offer filtering based on FQDNs, allowing specific websites or services to be accessed, and can inspect data packets to prevent malicious activity.

Azure Firewall: A Managed Service for Network Security

Azure Firewall is a managed firewall-as-a-service solution that simplifies firewall setup by handling the infrastructure and management. It enables organizations to focus on configuring network rules without needing to manage the underlying virtual machine infrastructure, making it easier to scale security across different Azure services. The service integrates with Azure’s monitoring tools and supports high availability and scalability, making it suitable for enterprise-grade deployments.

Scenario: Using Azure Firewall to Control Network Traffic

In a previous setup, we used a Network Virtual Appliance (NVA) to route and filter traffic between subnets. While this approach works, it requires managing the NVA and configuring it for each network segment, which can be time-consuming and complex. Azure Firewall, as a managed service, simplifies this by centralizing network configurations in a single resource.

For this scenario, we’ll set up Azure Firewall to:

1. Control traffic flowing from a virtual machine to a specific website.
2. Block traffic from this virtual machine to unauthorized websites by default.
3. Allow access to only approved sites by configuring application rules in Azure Firewall.

Read More- Routing in Azure: Mastering Traffic Control with User-Defined Routes

Setting Up Azure Firewall in Azure Portal

Here’s a step-by-step guide to setting up Azure Firewall and configuring application rules for specific traffic.

Step 1: Create Azure Firewall

1. In the Azure Portal, create a new Azure Firewall resource.
2. Assign the firewall to an existing virtual network (VNet) that contains your server and any other resources you want to protect.
3. Create two subnets: one for your server and one for the firewall itself, allowing you to route traffic from the server subnet to the firewall subnet.

Step 2: Configure the Route Table

1. In your VNet, create a route table to direct traffic from the server subnet to the firewall subnet.
2. Configure the route table to redirect traffic from your server’s subnet to Azure Firewall by specifying the firewall subnet as the next hop.
3. Associate the route table with the server subnet to enforce firewall rules on all outgoing traffic.

Step 3: Add Firewall Rules to Control Traffic

1. Go to your Azure Firewall resource and navigate to Rules.
2. In the Application Rule Collection, create a new rule collection named “AllowInternetAccess.”
3. Set the priority (e.g., 200) and action to “Allow” to permit internet traffic.
4. Within this rule collection, add a rule named “AllowBlogAccess,” specifying:

• Source Type: Use IP Address to define the IP range for your VM subnet.
• Protocol: Allow HTTP (port 80) and HTTPS (port 443) for secure and standard web traffic.
• FQDN: Specify the FQDN (e.g., smarttrak.io) to allow traffic only to this domain.

After saving, this rule allows the specified VM subnet to access only the specified FQDN (e.g., smarttrak.io) and blocks access to other domains by default.

Step 4: Test and Validate the Firewall Configuration

1. Log into your VM and try accessing the allowed domain.
2. You should now be able to access smarttrak.io while other domains will be blocked, as per the configured rules.

Key Features of Azure Firewall

1. Centralized Rule Management: Azure Firewall allows administrators to create and manage firewall rules in one place, which can then be applied to multiple subnets and VMs.
2. High Availability and Scalability: Being a managed service, Azure Firewall scales automatically to meet the demands of the network, ensuring reliable protection.
3. Fully Qualified Domain Name (FQDN) Filtering: Allows traffic control based on domain names, providing granular control over web access.
4. Integrated Logging and Monitoring: Azure Firewall integrates with Azure Monitor, allowing you to log activity, monitor firewall performance, and analyze network security data in real-time.

Advantages of Azure Firewall over Traditional Solutions

1. Managed Service: No need to manage or patch virtual machines; Azure handles all infrastructure management.
2. Scalability: Azure Firewall scales with your network traffic, ensuring uninterrupted service without needing manual configuration.
3. Simplified Network Management: With centralized rule configuration, administrators can apply policies across the entire network without handling multiple appliances.
4. Seamless Integration with Azure Services: Azure Firewall is deeply integrated with other Azure security and monitoring tools, enhancing your cloud infrastructure’s security posture.

Common Use Cases for Azure Firewall

1. Regulating Outbound Web Traffic: Use application rules to limit internet access, allowing specific domain names for work purposes while blocking non-business-related sites.
2. Isolating Sensitive Resources: Filter inbound and outbound traffic for sensitive servers, databases, or applications, permitting only authorized traffic to interact with these resources.
3. Enforcing Compliance: Meet regulatory requirements by enforcing access policies, logging network activity, and blocking specific traffic types as required by security standards.
4. Enhanced Threat Detection: With Azure Monitor, you can detect unusual traffic patterns and potential security threats in real-time.

Important Considerations for Using Azure Firewall

• Cost: Azure Firewall is a premium service and may be costlier than a standalone firewall VM. Weigh the cost against the benefits of management and scalability.
• Latency: Traffic routed through Azure Firewall may experience slight latency, though this is typically negligible for most applications.
• Rule Prioritization: Rules in Azure Firewall follow priority order. Be cautious in setting rule priorities to ensure the right traffic is allowed or blocked as intended.
• Security Group Compatibility: While Azure Firewall provides layer-7 filtering, you can still use Network Security Groups (NSGs) for additional security at the subnet level.

FAQs about Azure Firewall

1. What is Azure Firewall?

• Azure Firewall is a managed, cloud-based network security service that enables traffic filtering and monitoring based on predefined rules.

1. How does Azure Firewall differ from Network Security Groups?

• While NSGs filter traffic at the IP and port level, Azure Firewall offers more advanced filtering capabilities, including FQDN filtering and deeper packet inspection.

1. Is Azure Firewall scalable?

• Yes, Azure Firewall is a fully scalable service that adjusts its capacity to handle increases in network traffic.

1. What is an Application Rule in Azure Firewall?

• An application rule defines how traffic to specific applications, websites, or services is handled by the firewall, allowing administrators to control access by domain name (FQDN).

1. Can I monitor traffic through Azure Firewall?

• Yes, Azure Firewall integrates with Azure Monitor, providing a centralized view of traffic logs and analytics for in-depth network monitoring.

1. Does Azure Firewall support high availability?

• Yes, Azure Firewall is built with high availability in mind, ensuring continuous operation and minimal downtime.

1. How can I add an exception for a specific website in Azure Firewall?

• To allow access to a specific website, create an application rule in the firewall configuration, specifying the FQDN of the website as the target.

Conclusion

Azure Firewall is an advanced, managed firewall solution designed to streamline and centralize network security in the cloud. By leveraging its scalable, high-availability features, application rule configurations, and seamless integration with Azure Monitor, Azure Firewall offers robust protection for your Azure environment. It enables organizations to enforce security policies, manage internet access, and monitor traffic effectively, making it an essential tool for Azure-based network security.

In the next episode, we’ll discuss how to protect Azure networks from Distributed Denial of Service (DDoS) attacks using Azure’s native tools and configurations. Stay tuned to enhance your Azure security knowledge further!