Azure Firewall
Azure Firewall is a cloud-based and Microsoft-managed network security service; it allows centralized (L3-L7) connectivity policies and control of network and application traffic across all VNets, across multiple regions and subscriptions. Being an Azure managed service, it has built-in high availability (HA).
It provides control of traffic through user-defined routing (UDR) and can create segmentation of networks when required for regulatory compliance and when adopting a DiD strategy, as well as implementing a Zero Trust framework. The following diagram provides a typical reference architecture for an Azure firewall to protect resources from attack and control traffic flow:
Figure 7.9 – Azure Firewall
The Azure Firewall service is applied at the VNet level and not the VM network interface or subnet level, as in the case of an NSG. It can filter and control all incoming traffic and connections to resources across all VNets that the Azure Firewall service is securing, as well as outgoing traffic to other VNets, services, internet, third-party service providers (SPs), and on-prem sites.
Azure Firewall provides inbound destination network address translation (DNAT) and outbound source NAT (SNAT); it can have multiple Public Internet Protocol (IP) addresses.
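The UDR and NAT behaviour described above, as an added Bicep example that is not from the book: a spoke subnet's default route is forced through the firewall, an application rule allow-lists outbound HTTPS, and a DNAT rule publishes one backend VM. All names, prefixes and the parameter values are assumptions for this example.

```bicep
// Names and addresses below are assumptions made for this example, not values from the book.
param location string = resourceGroup().location
param firewallSubnetId string      // subnet must be named exactly 'AzureFirewallSubnet'
param firewallPublicIpId string    // public IP resource attached to the firewall
param firewallPublicIp string      // that public IP's address, used as the DNAT destination
param spokeSubnetPrefix string = '10.1.1.0/24'   // assumed spoke subnet behind the firewall
param webVmPrivateIp string = '10.1.1.4'         // assumed backend VM reached via DNAT

resource firewall 'Microsoft.Network/azureFirewalls@2023-05-01' = {
  name: 'afw-hub'
  location: location
  properties: {
    sku: { name: 'AZFW_VNet', tier: 'Standard' }
    threatIntelMode: 'Deny'   // drop traffic matching Microsoft threat-intelligence feeds
    ipConfigurations: [
      { name: 'fw-ipconfig', properties: { subnet: { id: firewallSubnetId }, publicIPAddress: { id: firewallPublicIpId } } }
    ]
    // Outbound L7 allow-list: the spoke may reach only these FQDNs over HTTPS; everything else is denied.
    applicationRuleCollections: [
      { name: 'allow-outbound', properties: { priority: 200, action: { type: 'Allow' }, rules: [ { name: 'ms-update', sourceAddresses: [ spokeSubnetPrefix ], protocols: [ { protocolType: 'Https', port: 443 } ], targetFqdns: [ '*.update.microsoft.com' ] } ] } }
    ]
    // Inbound DNAT: TCP/443 on the firewall's public IP is translated to the web VM's private IP.
    natRuleCollections: [
      { name: 'dnat-inbound', properties: { priority: 100, action: { type: 'Dnat' }, rules: [ { name: 'https-to-web', protocols: [ 'TCP' ], sourceAddresses: [ '*' ], destinationAddresses: [ firewallPublicIp ], destinationPorts: [ '443' ], translatedAddress: webVmPrivateIp, translatedPort: '443' } ] } }
    ]
  }
}

// UDR: a 0.0.0.0/0 route on the spoke subnet sends all egress to the firewall's private IP,
// so the firewall (not only the NSG) is the enforcement point for traffic leaving the VNet.
resource routeTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-spoke'
  location: location
  properties: {
    disableBgpRoutePropagation: true   // stop on-prem BGP routes from bypassing the firewall
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewall.properties.ipConfigurations[0].properties.privateIPAddress
        }
      }
    ]
  }
}
```

The route table must then be associated with the spoke subnet (never with AzureFirewallSubnet itself) for the UDR to take effect; outbound flows that match the allow-list leave via the firewall's public IP through SNAT.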
Azure Firewall also has a premium stock-keeping unit (SKU) that includes next-generation capabilities such as Transport Layer Security (TLS) inspection, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Uniform Resource Locator (URL) filtering, and web categories; these are typical requirements of regulated and highly sensitive environments.
In contrast, an NSG can only be applied at the subnet or VM interface level, and an NSG can only be associated with a resource in the same region and subscription, so traffic control becomes decentralized and hard to manage and troubleshoot.
It is also important to consider that the Azure Firewall service is not the only method of controlling and securing network and application traffic in Azure; you should also consider network virtual appliances (NVAs) from third-party vendors that are available through the Azure Marketplace, such as Barracuda, Fortinet, Palo Alto, WatchGuard, Cisco, SonicWall, and so on.
NVAs are VMs that you create in Azure and that run a vendor's software image of their network appliance to perform a network function such as a firewall, IDS/IPS, virtual private network (VPN), software-defined wide-area network (SD-WAN), and so on.
Further information and best practices can be found at the following links:
- https://azure.microsoft.com/solutions/network-appliances
- https://azure.microsoft.com/blog/best-practices-to-consider-before-deploying-a-network-virtual-appliance
This section looked at the Azure Firewall service for securing and controlling network traffic. The following section looks at the Azure DDoS protection service.