Azure provides many built-in security features; however, organizations tend to use third-party virtual appliances to have more control over traffic and over securing their environment. Recently Azure also introduced Azure Firewall, which provides a number of security features and helps you secure your network. Azure Firewall is deployed alongside, and works in combination with, NSGs and provides features like –
· Threat intelligence-based filtering, fully integrated with Azure Monitor for logging and analytics.
· A stateful firewall as a service that provides outbound control over traffic based on port, protocol and/or by manually whitelisting the fully qualified domain name, or FQDN.
· Built-in high availability with unrestricted cloud scalability.
· Source and destination Network Address Translation (SNAT and DNAT) support.
· Pricing based on each Azure Firewall instance deployed plus bandwidth consumed.
· Ability to centrally create, enforce and log application and network connectivity policies.
So, what is Azure Firewall?
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.
(Borrowed from MS Docs)
You can centrally create, enforce, and log application and
network connectivity policies across subscriptions and virtual networks.
Azure Firewall uses a static public IP address for your
virtual network resources allowing outside firewalls to identify traffic
originating from your virtual network. The service is fully integrated with
Azure Monitor for logging and analytics.
A few important concepts to understand, which are provided by Azure Firewall –
Outbound SNAT support (Source Network Address Translation) -
All outbound virtual network traffic is translated to the Azure Firewall public IP. That means if the virtual network is the source, the destination won't know the actual source, because the traffic has been translated to the firewall IP. If the destination is a private IP, then Azure Firewall wouldn't SNAT.
** If the destination private network uses a public IP range, then Azure Firewall will SNAT to one of the firewall's private IP addresses in the Azure Firewall subnet. **
Inbound DNAT support (Destination Network Address Translation) -
Inbound network traffic to your Azure Firewall public IP address is translated and filtered to the private IP addresses on your virtual networks.
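To make the SNAT and DNAT behaviour described above concrete, here is a small model of the two rules, added as an example for this post (it is not Azure code and does not call any Azure API). The firewall public IP, the AzureFirewallSubnet private IP, the "public range used privately" prefix and the DNAT table are all constructed values; RFC 1918 space is used as the definition of "private destination".

```python
import ipaddress
from typing import Optional, Tuple

# All addresses below are constructed for this example, not from a real deployment.
FIREWALL_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")   # firewall's static public IP
FIREWALL_PRIVATE_IP = ipaddress.ip_address("10.0.1.4")      # an IP inside AzureFirewallSubnet

# RFC 1918 space: traffic to these destinations is forwarded without SNAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical public range the organisation uses on its private network;
# per the note above, traffic to it is SNATed to a firewall *private* IP instead.
PUBLIC_USED_PRIVATELY = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed DNAT table: (firewall public IP, port) -> (workload private IP, port)
DNAT_RULES = {
    (FIREWALL_PUBLIC_IP, 443): (ipaddress.ip_address("10.0.2.5"), 443),
    (FIREWALL_PUBLIC_IP, 3389): (ipaddress.ip_address("10.0.2.6"), 3389),
}


def _in_any(ip, nets) -> bool:
    return any(ip in n for n in nets)


def outbound_source_seen_by(src_ip: str, dst_ip: str) -> str:
    """Source address the destination observes for an outbound flow from the VNet."""
    dst = ipaddress.ip_address(dst_ip)
    if _in_any(dst, RFC1918):
        return src_ip                      # private destination: no SNAT, real VNet IP is visible
    if _in_any(dst, PUBLIC_USED_PRIVATELY):
        return str(FIREWALL_PRIVATE_IP)    # public range used privately: SNAT to firewall private IP
    return str(FIREWALL_PUBLIC_IP)         # Internet destination: SNAT to firewall public IP


def translate_inbound(dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
    """Resolve an inbound packet addressed to the firewall public IP via the DNAT table.

    Returns the (private IP, port) it is forwarded to, or None when no rule
    matches and the firewall drops the packet.
    """
    rule = DNAT_RULES.get((ipaddress.ip_address(dst_ip), dst_port))
    if rule is None:
        return None
    return (str(rule[0]), rule[1])


if __name__ == "__main__":
    print(outbound_source_seen_by("10.0.5.7", "8.8.8.8"))   # 203.0.113.10
    print(outbound_source_seen_by("10.0.5.7", "10.1.0.9"))  # 10.0.5.7
    print(translate_inbound("203.0.113.10", 22))            # None
```

The first function is what you would use to predict which address a remote party must allow-list for traffic leaving the VNet; the second shows why only explicitly DNATed ports on the firewall public IP ever reach a workload.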
Azure Firewall has the following known issues:
In the next post I will be deploying and configuring Azure Firewall.
It is very helpful for everyone.. thanks for sharing this information Kalyx transcanding connections