Azure Firewall

We all know the benefits of the Cloud. But we also know that working in the public cloud comes with a level of risk. Securing your cloud is critical to your company’s ability to survive and thrive.

Azure Firewall is a cloud-based security service that protects your Azure Virtual Network from incoming and outgoing threats by helping you control and monitor external and internal access to that network.

Microsoft Azure Firewall provides:

• Threat intelligence–based filtering. Enable real-time alerts and deny traffic from and to known malicious IP addresses and domains.
• Quick deployment and scaling. Simplify deployment and management of your network security with a scalable and highly available cloud-native firewall.
• Full visibility and protection. Prevent malware from being transmitted through encrypted connections using Transport Layer Security (TLS) inspection.
• Unified management. Centrally manage security across all virtual networks with a common set of network and application rules.

Read on, for an understanding of:

• What Microsoft Azure Firewall is
• How it works
• The cost of using Azure Firewall
• How your organization can benefit from using Azure Firewall

What is Microsoft Azure Firewall?

Azure Firewall is a cloud-native, intelligent network firewall security service that delivers solid threat protection for your cloud operations running in Azure. It’s a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability.

With its “deny by default” configuration, all traffic not matching a specific rule is denied, allowing you to protect your virtual network by controlling the traffic that’s allowed in and out of your network.

How Azure Firewall Works

Azure Firewall decrypts outbound traffic, performs required security checks, and then encrypts the traffic to the destination. It works in conjunction with URL filtering and web categories by letting administrators allow or deny user access to website categories such as gambling or social media.

Azure Firewall provides east-west and north-south traffic inspection and offers two levels of protection:

• Standard
• Premium

Azure Firewall Standard

Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from and to known malicious IP addresses and domains and is updated in real time to protect against new and emerging attacks.

Azure Firewall Standard Features

Azure Firewall Standard includes the following features:

• Built-in high availability. With high availability built in, you don’t need extra load balancers. In addition, there’s nothing you need to configure.
• Availability Zones. For increased availability, you can configure Azure Firewall during deployment to span multiple Availability Zones.
• Unrestricted cloud scalability. Azure Firewall can scale out as much as you need to accommodate changing network traffic flows. Forget worrying about budgeting for your peak traffic.
• Application FQDN filtering rules. You can limit outbound HTTP/S traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDN) including wild cards. This feature doesn’t require TLS termination.
• Network traffic filtering rules. You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Being fully stateful, it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
• FQDN tags. Fully Qualified Domain Names (FQDN) tags make it easy to allow well-known Azure service network traffic through your firewall.
• FQDN in network rules. You can use FQDNs in network rules based on DNS resolution in Azure Firewall and Firewall Policy. The specified FQDNs in your rule collections are translated to IP addresses based on your firewall DNS settings, which allows you to filter outbound traffic using FQDNs with any TCP/UDP protocol (including NTP, SSH, RDP, and more).
• Service tags. Service tags represent a group of IP address prefixes that help minimize complexity for security rule creation. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as these addresses change.
• Threat intelligence. Enable threat intelligence-based filtering for your firewall to alert and deny traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
• DNS proxy. With DNS proxy enabled, Azure Firewall can process and forward DNS queries from virtual networks to your desired DNS server; this is crucial for reliable FQDN filtering in network rules. You can enable DNS proxy in Azure Firewall and Firewall Policy settings.
• Custom DNS. Custom DNS allows you to configure Azure Firewall to use your own DNS server, while ensuring the firewall outbound dependencies are still resolved with Azure DNS. You may configure a single DNS server or multiple servers in Azure Firewall and Firewall Policy DNS settings. Azure Firewall can also resolve names using Azure Private DNS.
• Deploy Azure Firewall without public IP address. Azure Firewall requires a public IP address. For added security, you can deploy Azure Firewall in Forced Tunnel mode. This configuration creates a management NIC used by Azure Firewall. The Tenant Datapath network can be configured without a public IP address, and Internet traffic can be forced tunneled to another firewall or completely blocked.
• Outbound SNAT support. All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation), and you can identify and allow traffic originating from your virtual network to remote Internet destinations.
• Inbound DNAT support. Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
• Multiple public IP addresses. You can associate up to 250 public IP addresses with your firewall.
• Azure Monitor logging. All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs.
• Forced tunneling. Configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet.
• Web categories. Allow or deny user access to web site categories such as gambling websites, social media websites, and others. The categories are organized based on severity under Liability, High-Bandwidth, Business Use, Productivity Loss, General Surfing, and Uncategorized. You can also create exceptions to your web category rules.
• Certifications. Azure Firewall is Payment Card Industry (PCI), Service Organization Controls (SOC), International Organization for Standardization (ISO), and ICSA Labs compliant.

Azure Firewall Premium

Azure Firewall Premium provides advanced capabilities that include a signature-based intrusion detection and prevention system (IDPS) to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic or known malicious instruction sequences used by malware.

Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, like the payment and healthcare industries.

More than 58,000 signatures in over 50 categories are updated in real time to protect against new and emerging exploits. The exploit categories include:

• Malware
• Phishing
• Coin mining
• Trojan attacks.

Organizations can use Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks laterally and horizontally. To meet the increased performance demands of IDPS and Transport Layer Security (TLS) inspection, Azure Firewall Premium uses a more powerful virtual machine SKU. Like the Standard SKU, the Premium SKU can seamlessly scale up to 30 Gbps and integrate with availability zones to support the service level agreement (SLA) of 99.99 percent. The Premium SKU complies with Payment Card Industry Data Security Standard (PCI DSS) environment needs.

Azure Firewall Premium Features

Azure Firewall Premium includes the all the features of Azure Firewall Standards, as well as:

TLS inspection. Decrypts outbound traffic, processes the data, and then encrypts the data and sends it to the destination. The TLS protocol primarily provides cryptography for privacy, integrity, and authenticity using certificates between two or more communicating applications. It runs in the application layer and is widely used to encrypt the HTTP protocol.

Encrypted traffic has a possible security risk and can hide illegal user activity and malicious traffic. Azure Firewall Premium includes TLS inspection to provide visibility into the data that flows in the encrypted TLS tunnel; as a result, it provides full protection coverage.

IDPS. A network intrusion detection and prevention system (IDPS) allows you to monitor network activities for malicious activity, log information about this activity, report it, and optionally attempt to block it. Using IDPS also allows you to monitor your network for malicious activity, log information about this activity, report it, and optionally attempt to block it.

Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 3-7), they’re fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic. Spoke-to-spoke (East-West) includes traffic that goes from/to an on-premises network. You can configure your IDPS private IP address ranges using the Private IP ranges preview feature.

The Azure Firewall signatures/rulesets include:

• An emphasis on fingerprinting actual malware, Command and Control, exploit kits, and in the wild malicious activity missed by traditional prevention methods.
• Over 58,000 rules in over 50 categories.
  • The categories include malware command and control, phishing, trojans, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more.
• Releasing 20 to 40+ new rules each day.
• Low false positive rating by using state-of-the-art malware sandbox and global sensor network feedback loop.

IDPS allows you to detect attacks in all ports and protocols for non-encrypted traffic. However, when HTTPS traffic needs to be inspected, Azure Firewall can use its TLS inspection capability to decrypt the traffic and better detect malicious activities.

The IDPS Bypass List allows you to not filter traffic to any of the IP addresses, ranges, and subnets specified in the bypass list.

URL filtering – URL filtering extends Azure Firewall’s FQDN filtering capability to consider an entire URL. URL Filtering can be applied both on HTTP and HTTPS traffic. When HTTPS traffic is inspected, Azure Firewall Premium can use its TLS inspection capability to decrypt the traffic and extract the target URL to validate whether access is permitted. TLS inspection requires opt-in at the application rule level. Once enabled, you can use URLs for filtering with HTTPS.

Web categories. Web categories is also included in Azure Firewall Standard, but in Azure Firewall Premium it is more fine-tuned in. The Premium SKU matches the category according to the entire URL for HTTP and HTTPS traffic, instead of the Web category’s capability in the Standard SKU matching the category based on an FQDN.

Web category logging and exceptions. You can view traffic that has been filtered by Web categories in the Application logs. The web categories field is only displayed if it has been explicitly configured in your firewall policy application rules. You can create exceptions to your web category rules by creating a separate allow or deny rule collection with a higher priority within the rule collection group.

Web category search. You can identify what category a given FQDN or URL is using the Web Category Check feature, which is useful when defining your application rules for destination traffic.

Category change. You can request a categorization change if you think an FQDN or URL should be under a different category or have a suggested category for an uncategorized FQDN or URL.

Azure Firewall Manager

You can use Azure Firewall Manager to centrally manage Azure Firewalls across multiple subscriptions. Firewall Manager leverages firewall policy to apply a common set of network/application rules and configuration to your firewalls.

Firewall Manager supports firewalls in both VNet and Virtual WANs (Secure Virtual Hub) environments. Secure Virtual Hubs use the Virtual WAN route automation solution to simplify routing traffic to the firewall with a few clicks.

Azure Firewall Pricing

There are no upfront costs or termination fees—you only pay for what you use. Billing is based on a fixed per-hour consumption rate and variable fees based on traffic. For additional information, visit the Microsoft Azure Firewall Pricing page, for a better sense of cost by applying filters to customize pricing options to your needs.

SLA for Azure Firewall

Azure Firewall offers fully stateful native firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically.

Microsoft guarantees that Azure Firewall will be available at least 99.95% of the time, when deployed within a single Availability Zone, and at least 99.99% of the time when deployed within two or more Availability Zones in the same Azure region.

Neovera is your Microsoft Azure Firewall Solution

Are you ready to secure your digital assets using cloud-native firewall capabilities with built-in high availability, auto-scalability, and zero maintenance? The Neovera Azure experts are ready to help you adopt, develop, and deploy your Azure Firewall.

As a Microsoft Gold partner, our experienced engineers will collaborate with you to understand your needs and your strategic business goals and develop the right implementation plan, whether you choose Azure Firewall Standard or Azure Firewall Premium.

You need a partner with the expertise and confidence to make everything happen smoothly. With our decades of networking expertise and multi-disciplined experience and our reputation for superior customer service, we can make your move to Azure Firewall a seamless, smooth transition. Plus, we’ll keep you up and running while we make it all happen behind the scenes.

More businesses are moving to Azure Firewall to ensure secure connectivity for their organizational cloud. For more information about using Azure Firewall to keep your organization protected and to see how working with the Neovera networking experts can make it all happen, contact us.

Frequently Asked Azure Firewall Questions