Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.
You can centrally create, enforce, and log network connectivity policies across subscriptions and virtual networks.
Firewall features
Built-in high availability: High availability is built in, so no additional load balancers are required and there is nothing to configure.
Availability Zones: Azure Firewall can be configured during deployment to span multiple Availability Zones for increased availability. A firewall deployed across Availability Zones has an uptime SLA of 99.99%, compared with 99.95% for a deployment that is not zone-spanning.
There is no additional cost for a firewall deployed in Availability Zones. However, there are additional costs for the inbound and outbound data transfer associated with Availability Zones.
Unrestricted cloud scalability: Azure Firewall scales out as needed to accommodate changing network traffic flows, so you don't need to size or budget for your peak traffic.
Application FQDN filtering rules: You can limit outbound HTTP and HTTPS traffic or Azure SQL traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature doesn't require TLS termination: for HTTPS the firewall reads the requested host name from the Server Name Indication (SNI) extension of the TLS ClientHello, and for HTTP from the Host header, so it filters on the name the client asks for without decrypting the payload.
Network traffic filtering rules: You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections; return traffic for an allowed outbound flow is accepted without a separate inbound rule. Rules are enforced and logged across multiple subscriptions and virtual networks. Network rules are evaluated before application rules, and traffic that matches no rule is denied.
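What "fully stateful" buys you is easiest to see in code. The following is an added example, a generic model of stateful first-match filtering and not Azure Firewall's own implementation: rules are matched in the order given (standing in for collection priority), an allowed connection-opening packet creates flow state, and anything belonging to a known flow is admitted without a rule lookup. The rule, the addresses (10.0.1.0/24 as a workload subnet, 198.51.100.20 from the TEST-NET-2 documentation range as an Internet server) and the packets are all constructed for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

Flow = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass(frozen=True)
class NetworkRule:
    name: str
    action: str                     # "Allow" or "Deny"
    protocol: str                   # "TCP", "UDP", "ICMP" or "Any"
    sources: Tuple[str, ...]        # CIDR prefixes
    destinations: Tuple[str, ...]   # CIDR prefixes
    dest_ports: Tuple[int, ...]     # empty tuple = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False               # TCP connection-opening packet


def in_any(ip: str, prefixes: Tuple[str, ...]) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def rule_matches(rule: NetworkRule, pkt: Packet) -> bool:
    return ((rule.protocol == "Any" or rule.protocol == pkt.proto)
            and in_any(pkt.src, rule.sources)
            and in_any(pkt.dst, rule.destinations)
            and (not rule.dest_ports or pkt.dport in rule.dest_ports))


class StatefulFilter:
    """First-match rule evaluation plus a connection table: packets that belong
    to a flow the rules already admitted are accepted without consulting the
    rules again, which is what lets return traffic through with no inbound rule."""

    def __init__(self, rules: List[NetworkRule]):
        self.rules = rules          # assumed already ordered by collection/rule priority
        self.flows: Set[Flow] = set()

    def process(self, pkt: Packet) -> str:
        fwd: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.flows or rev in self.flows:
            return "Allow (established)"
        for rule in self.rules:
            if rule_matches(rule, pkt):
                if rule.action == "Allow":
                    # only a connection-opening packet creates state; a stray
                    # mid-stream TCP segment is not treated as a legitimate connection
                    if pkt.proto != "TCP" or pkt.syn:
                        self.flows.add(fwd)
                        return f"Allow ({rule.name})"
                    return "Deny (TCP segment without connection state)"
                return f"Deny ({rule.name})"
        return "Deny (no matching rule)"   # default deny, as the firewall does


# Constructed demo rule: outbound HTTPS from the workload subnet to anywhere.
RULES = [
    NetworkRule("allow-web-egress", "Allow", "TCP",
                sources=("10.0.1.0/24",), destinations=("0.0.0.0/0",), dest_ports=(443,)),
]


def demo() -> List[str]:
    fw = StatefulFilter(RULES)
    server, client = "198.51.100.20", "10.0.1.5"
    return [
        fw.process(Packet("TCP", client, 51000, server, 443, syn=True)),   # outbound SYN
        fw.process(Packet("TCP", server, 443, client, 51000)),            # reply: no inbound rule needed
        fw.process(Packet("TCP", server, 443, "10.0.1.6", 51001)),        # unsolicited inbound
        fw.process(Packet("TCP", client, 51002, server, 443)),            # non-SYN with no state
        fw.process(Packet("TCP", client, 51003, server, 22, syn=True)),   # port not in rule
    ]
```

Run `demo()` and the second result is accepted purely because of the flow table, while the third, an inbound packet from the same server to a host that never opened a connection, falls through to the implicit deny. That is the distinction between "legitimate packets for different types of connections" the feature description refers to.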
FQDN tags: FQDN tags make it easy to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the WindowsUpdate tag. Now network traffic from Windows Update can flow through your firewall.
Service tags: A service tag represents a group of IP address prefixes that helps minimize complexity when creating security rules. You can't create your own service tag or specify which IP addresses are included in a tag. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change. Service tags are used in network rules, whereas FQDN tags are used in application rules.
Threat intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert on and deny traffic to or from known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed. The feature has three modes: Off, Alert only, and Alert and deny. A new firewall defaults to Alert only, so switch it to Alert and deny if you want the traffic blocked rather than just logged.
Outbound SNAT support: All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation), so you can identify and allow traffic originating from your virtual network at remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is in a private IP address range per IANA RFC 1918. If your organization uses a public IP address range for private networks, Azure Firewall SNATs the traffic to one of the firewall private IP addresses in AzureFirewallSubnet. You can configure Azure Firewall not to SNAT your public IP address range.
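The SNAT behaviour described above has three outcomes, and the edge case (an organisation that uses a public range internally) is the one that surprises people. The following added example models the decision; it is not Microsoft's code. It uses the documented special values for the private-range setting (the `IANAPrivateRanges` keyword, `0.0.0.0/0` for never SNAT, `255.255.255.255/32` for always SNAT), but the comma-separated string syntax, the `internet_bound` flag standing in for the firewall's route lookup, and the addresses (198.51.100.0/24 as the firewall's public IPs, 203.0.113.0/24 as a public range the organisation uses privately, both from the RFC 5737 documentation ranges) are this example's assumptions.

```python
import ipaddress
import random
from typing import Dict, List, Optional, Sequence, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Default private ranges: the IANA RFC 1918 blocks the firewall never SNATs towards.
IANA_PRIVATE_RANGES: List[Net] = [
    ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_private_ranges(setting: Optional[str]) -> List[Net]:
    """Parse a private-IP-range setting into networks. Items: the keyword
    IANAPrivateRanges, CIDR prefixes, 0.0.0.0/0 (never SNAT), 255.255.255.255/32
    (always SNAT). The comma-separated string form is this example's convention."""
    if setting is None:
        return list(IANA_PRIVATE_RANGES)
    ranges: List[Net] = []
    for item in (s.strip() for s in setting.split(",") if s.strip()):
        if item == "IANAPrivateRanges":
            ranges.extend(IANA_PRIVATE_RANGES)
        else:
            ranges.append(ipaddress.ip_network(item, strict=False))
    return ranges


def snat_decision(dst_ip: str, private_ranges: Sequence[Net], public_ips: Sequence[str],
                  firewall_private_ip: str, internet_bound: bool) -> Dict[str, Optional[str]]:
    """Decide how the firewall rewrites the source of an outbound packet.
    `internet_bound` stands in for the firewall's route lookup (an assumption here)."""
    dst = ipaddress.ip_address(dst_ip)
    if any(dst in net for net in private_ranges):
        return {"snat": "no", "source": None}            # client IP preserved
    if internet_bound:
        # one of the firewall's public IPs, chosen at random per connection
        return {"snat": "public", "source": random.choice(list(public_ips))}
    # not a configured private range, yet reached over private routing: the
    # firewall uses one of its own private IPs in AzureFirewallSubnet
    return {"snat": "private", "source": firewall_private_ip}


# Constructed environment (RFC 5737 documentation addresses).
PUBLIC_IPS = ["198.51.100.10", "198.51.100.11"]
FW_PRIVATE_IP = "10.0.0.4"


def demo(private_range_setting: Optional[str]) -> Dict[str, str]:
    """Outcome for three destinations under a given private-range setting."""
    ranges = parse_private_ranges(private_range_setting)
    cases = {
        "10.1.2.3 (RFC 1918 spoke)": ("10.1.2.3", False),
        "198.51.100.99 (Internet)": ("198.51.100.99", True),
        "203.0.113.7 (public range used privately)": ("203.0.113.7", False),
    }
    return {label: snat_decision(ip, ranges, PUBLIC_IPS, FW_PRIVATE_IP, inet)["snat"]
            for label, (ip, inet) in cases.items()}
```

With the default setting, `demo(None)` shows the 203.0.113.7 destination being SNATed to the firewall's private IP, which breaks any downstream allow list keyed on the original client address; `demo("IANAPrivateRanges,203.0.113.0/24")` is the fix the feature description alludes to, and the traffic then keeps its source address.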
Inbound DNAT support: Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks. A DNAT rule implicitly allows the translated flow, so only the public IP and port combinations you explicitly publish are reachable from the Internet.
Multiple public IP addresses: You can associate multiple public IP addresses (up to 250) with your firewall.
This enables the following scenarios:
DNAT: You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) on both IP addresses, each to a different backend server.
SNAT: Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address for each connection from those associated with your firewall, so any downstream filtering must allow all of the firewall's public IP addresses. Consider using a public IP address prefix to simplify that configuration.
Azure Monitor logging: All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor Logs.
Forced tunnelling: You can configure Azure Firewall to route all Internet-bound traffic to a designated next hop instead of going directly to the Internet, for example an on-premises edge firewall or other network virtual appliance that inspects traffic before it is passed to the Internet. Forced tunnelling has to be enabled when the firewall is deployed and requires a dedicated AzureFirewallManagementSubnet for the firewall's own management traffic.
For more details, contact us!