Azure Firewall
The Azure Marketplace has many images for NVAs (network virtual appliances), which people usually use to control, filter or manage their network traffic. But these are 3rd-party products, and a firewall on a VM means IaaS, so you need to worry about all the things we normally worry about in IaaS infrastructure (patching, scaling, availability and so on). Now we have something called Azure Firewall, which recently became GA and offers a lot of benefits along with being a native firewall solution, of course.
So, Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources.

It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability.

With Az Firewall you can centrally create, enforce and log application and network connectivity policies across subscriptions and virtual networks.

Az Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network.

The service is fully integrated with Azure Monitor for logging and analytics.
Let's look at all the features that Az Firewall offers:
#1 Built-in HA, so no additional LB or instances are required and there is nothing you need to configure. Az Firewall can be configured in multiple Availability Zones for increased availability, and with Availability Zones you get a 99.99% uptime SLA when 2 or more zones are selected. You can also associate Azure Firewall to a specific zone just for proximity reasons, using the service's standard 99.95% SLA. There's no additional cost for a firewall deployed in an Availability Zone. However, there are additional costs for inbound and outbound data transfers associated with Availability Zones.
#2 Unrestricted Cloud Scalability: Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don't need to budget for your peak traffic.
#3 Application FQDN Filtering Rules: You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature doesn't require SSL termination. For example, allow outbound access to www.Google.com only.
#4 Network Traffic Filtering Rules: You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks. E.g. allow DNS from spoke VNet resources to the DNS server that sits in the hub VNet along with the other shared services, or allow web traffic on port 80.
#5 FQDN Tags: FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
#6 Service Tags: A service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in the destination field of network rules.
#7 Threat Intelligence: Threat intelligence-based filtering can be enabled for your firewall to alert on, or deny, traffic from/to known malicious IP addresses and domains. The IP addresses and domains are sourced from the Microsoft Threat Intelligence feed.
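To show how features #1, #3, #4, #5 and #7 above fit together in one deployment, here is an added Bicep example (not from the original post): a zone-redundant firewall with threat intelligence in deny mode, a network rule for spoke-to-hub DNS, an application rule for www.google.com and one for the WindowsUpdate FQDN tag. The hub VNet name, the AzureFirewallSubnet, the public IP name and the address values are assumptions for the example.

```bicep
// Added example, not from the post: one hub firewall with the rule types described above.
param location string = resourceGroup().location
param spokePrefix string = '10.1.0.0/16' // assumed spoke address space
param hubDnsServer string = '10.0.1.4'   // assumed shared DNS server in the hub
// Assumed to exist: VNet 'hub-vnet' with an AzureFirewallSubnet, and static Standard-SKU public IP 'hub-fw-pip'.
var subnetId = resourceId('Microsoft.Network/virtualNetworks/subnets', 'hub-vnet', 'AzureFirewallSubnet')
var pipId = resourceId('Microsoft.Network/publicIPAddresses', 'hub-fw-pip')

resource fw 'Microsoft.Network/azureFirewalls@2021-05-01' = {
  name: 'hub-fw'
  location: location
  zones: [ '1', '2', '3' ] // zone-redundant deployment (99.99% SLA); nothing else to configure for HA
  properties: {
    threatIntelMode: 'Deny' // deny, not just alert, on the Microsoft threat-intel feed
    ipConfigurations: [ {
      name: 'fw-ipconfig'
      properties: { subnet: { id: subnetId }, publicIPAddress: { id: pipId } }
    } ]
    // Network rule (L3/L4): spoke workloads may reach the hub DNS server on UDP/53 only.
    networkRuleCollections: [ {
      name: 'spoke-to-hub'
      properties: {
        priority: 100
        action: { type: 'Allow' }
        rules: [ {
          name: 'allow-dns'
          protocols: [ 'UDP' ]
          sourceAddresses: [ spokePrefix ]
          destinationAddresses: [ hubDnsServer ]
          destinationPorts: [ '53' ]
        } ]
      }
    } ]
    // Application rules (L7): one explicit FQDN plus the WindowsUpdate FQDN tag.
    // Anything not listed here is denied by the firewall's default action.
    applicationRuleCollections: [ {
      name: 'outbound-web'
      properties: {
        priority: 200
        action: { type: 'Allow' }
        rules: [
          { name: 'allow-google', protocols: [ { protocolType: 'Https', port: 443 } ], targetFqdns: [ 'www.google.com' ], sourceAddresses: [ spokePrefix ] }
          { name: 'allow-windows-update', protocols: [ { protocolType: 'Http', port: 80 }, { protocolType: 'Https', port: 443 } ], fqdnTags: [ 'WindowsUpdate' ], sourceAddresses: [ spokePrefix ] }
        ]
      }
    } ]
  }
}
```

Network rule collections are evaluated before application rule collections, and each collection is evaluated in priority order (lower number first), so keep the deny-by-default behaviour in mind when adding new collections.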
#8 Outbound SNAT Support: All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations. Azure Firewall doesn't SNAT when the destination IP is a private IP range; if your VNet uses a public IP address range instead, Az Firewall does SNAT that traffic.
#9 Inbound DNAT Support: Inbound Internet network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
Multiple public IP addresses

You can associate multiple public IP addresses (up to 100) with your firewall. This enables the following scenarios:

- DNAT: You can translate multiple standard port instances to your backend servers. For example, if you have two public IP addresses, you can translate TCP port 3389 (RDP) for both IP addresses.
- SNAT: Additional ports are available for outbound SNAT connections, reducing the potential for SNAT port exhaustion. At this time, Azure Firewall randomly selects the source public IP address to use for a connection. If you have any downstream filtering on your network, you need to allow all public IP addresses associated with your firewall.
Azure Monitor logging

All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Azure Monitor logs.
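As an added example (not part of the original post), here is a small Python parser over constructed Azure Firewall rule-log messages of the kind that land in Azure Monitor. The message wording ("PROTO request from SRC:PORT to DST:PORT. Action: X. Rule Collection: C. Rule: R") is assumed to follow the documented log format, and the sample rows are constructed; the function surfaces sources that keep getting denied, which is a typical first triage query.

```python
import re
from collections import Counter

# Constructed sample rows in the shape of (Category, msg_s) from AzureDiagnostics.
# The message wording is assumed to follow the documented Azure Firewall log format.
SAMPLE_LOGS = [
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.1.0.4:52456 to www.google.com:443. Action: Allow. "
     "Rule Collection: outbound-web. Rule: allow-google"),
    ("AzureFirewallApplicationRule",
     "HTTPS request from 10.1.0.9:52101 to files.example.net:443. Action: Deny. "
     "No rule matched. Proceeding with default action"),
    ("AzureFirewallNetworkRule",
     "UDP request from 10.1.0.4:49152 to 10.0.1.4:53. Action: Allow"),
    ("AzureFirewallNetworkRule",
     "TCP request from 10.1.0.9:49200 to 198.51.100.7:445. Action: Deny"),
    ("AzureFirewallNetworkRule",
     "TCP request from 10.1.0.9:49201 to 198.51.100.7:445. Action: Deny"),
]

# Both application and network rule messages share this leading flow description.
FLOW_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:]+):(?P<dport>\d+)\. Action: (?P<action>\w+)"
)
RULE_RE = re.compile(r"Rule Collection: (?P<coll>[^.]+)\. Rule: (?P<rule>\S+)")


def parse_entry(category, msg):
    """Return a dict with proto/src/sport/dst/dport/action/category/rule, or None if unparseable."""
    m = FLOW_RE.match(msg)
    if not m:
        return None
    entry = m.groupdict()
    entry["category"] = category
    rule = RULE_RE.search(msg)
    # Allowed flows name the matching collection/rule; default-action denies carry none.
    entry["rule"] = f"{rule['coll']}/{rule['rule']}" if rule else None
    return entry


def deny_summary(rows, threshold=2):
    """Count denied flows per source IP and return the sources at or above the threshold."""
    denies = Counter()
    for category, msg in rows:
        entry = parse_entry(category, msg)
        if entry and entry["action"] == "Deny":
            denies[entry["src"]] += 1
    return {src: n for src, n in denies.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in deny_summary(SAMPLE_LOGS).items():
        print(f"{src}: {n} denied flows, check the workload or the rule set")
```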