Exploring Azure Firewall

A firewall is one of the basic components of a security infrastructure, which prevents unauthorized access to a private network. In smaller companies firewalls may be operated by IT or DevOps teams, and in a larger enterprise they are the responsibility of a Security Operations Center.

What is Azure Firewall?

Azure Firewall is a stateful firewall service for protecting Azure Virtual Network resources, and is an important component of security for Microsoft Azure. It is hosted in the cloud, providing unlimited scalability and built-in high availability. For logging and analysis, Azure Firewall provides native integration with Azure Monitor.

Azure Web Application Firewall (WAF) lets you centrally create, enforce, and log application and network connectivity policies across Azure subscriptions and Virtual Networks. Because Virtual Network resources are provided with static public IP addresses, external firewalls can identify traffic coming from the virtual network.

This article gives a brief overview of Azure Firewall, then shows how to quickly launch a test deployment for those who want to explore its capabilities.

Azure Firewall Features

Built-in High Availability

Azure Firewall has high availability built in. To improve availability and get guaranteed 99.99% uptime SLA, configure it to run on multiple Azure availability zones (AZ). High availability for a firewall and other security tools is a key part of an IT disaster recovery strategy, and is easy to achieve in a cloud environment.

There is no additional charge for running firewalls across availability zones. However, inbound/outbound data transfers to or from an availability zone incur additional costs.

Threat Intelligence

Azure Firewall also comes with built-in threat intelligence, based on Microsoft security research. You can use threat-intelligence based filtering to reject communication with known malicious domains or IP addresses.

Multiple Public IP Addresses

You can connect multiple public IP addresses (up to 250) to one Azure Firewall. Azure Firewall supports both Destination Network Address Translation (DNAT) and Source Network Address Translation (SNAT).

Quick Tutorial: Deploying Azure Firewall

This tutorial is based on the Azure Documentation. Follow it to create a test resource group on Azure with a test server, and deploy a firewall, Virtual Network, and subnets.

Create a Resource Group

The pre-configured resource group below contains all resources needed to follow this tutorial.

  1. Log into Azure portal
  2. Select resource groups
  3. Choose Add
  4. Type the following info:
    • Resource group name: Test-FW-RG
    • Subscription: the Azure subscription you have set up
    • Resource group location: select a location on Azure, taking into account that all other resources used in the tutorial must remain in the same location
  5. Choose Create

Create a VNet with 3 Subnets

  1. In the menu of the Azure portal, choose Create a resource > Networking > Virtual network, and type the following info to create a VNet:
    • Subscription: your Azure subscription.
    • Resource group: the same group you created earlier, Test-FW-RG
    • Name: Test-FW-VN
    • Region: same location you selected for the resource group
  2. Click IP addresses, and type the following info:
    • IPv4 Address space: 10.0.0.0/16
    • Subnet: select default
    • Subnet name: AzureFirewallSubnet
    • Address range: 10.0.1.0/26
  3. Click Save.
  4. To create a subnet for your test server, click Add subnet, and fill in the following info:
    • Subnet name: Workload-SN
    • Subnet address range: 10.0.2.0/24
  5. Click Add, then Review + create, then Create.

Create a Virtual Machine with a Test Server

  1. In the menu of the Azure portal, choose Create a resource > Compute > Virtual machine.
  2. Select Windows Server 2019 Datacenter, and fill in this info for the VM:
    • Resource group: the same resource group you created earlier, Test-FW-RG
    • Virtual machine name: Srv-Work
    • Region: Same location you selected previously
    • Image: select Windows Server 2019 Datacenter
    • Admin user name/password: select credentials and keep a record of them
    • Inbound port rules/Public inbound ports: select None.
    • Accept all defaults for Disks
    • Under Networking, select the VNet and Subnet you created earlier: Test-FW-VN and Workload-SN
    • Under Public IP select None and accept other networking defaults.
    • Under Management, for Boot Diagnostics, select Off. Accept other defaults.
  3. Select Review + create, then Create.

Deploy the Firewall

  1. In the menu of the Azure portal, choose Create a resource > Firewall and click Create.
  2. In the Create a Firewall dialog, fill in this info:
    • Subscription: select your Azure subscription
    • Resource group: the same group you defined earlier, Test-FW-RG
    • Name: Test-FW01
    • Location: same location you selected earlier
    • Virtual network: Test-FW-VN
    • Public IP address: Add new with name fw-pip
  3. Click Review + create, then Create. Wait a few minutes for the firewall deployment to finish.
  4. Go to the resource group Test-FW-RG
  5. Choose Test-FW01 as your firewall.

You have just set up a VNet with a test server and three subnets, and deployed a firewall to safeguard traffic to your test server.
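The same deployment can be scripted instead of clicked through the portal. The following Az PowerShell script is an added example, not code from the original article or from Microsoft's documentation. It reproduces the tutorial's resource names (Test-FW-RG, Test-FW-VN, AzureFirewallSubnet, Workload-SN, Srv-Work, fw-pip, Test-FW01) and also applies the two features described earlier: the firewall and its public IP are spread across availability zones 1-3 for the 99.99% SLA, and threat-intelligence filtering is enabled in Alert mode. It assumes the Az.Resources, Az.Network and Az.Compute modules are installed, that you have already run Connect-AzAccount, and that the chosen region (here 'eastus', an assumption) supports availability zones; the VM size Standard_DS1_v2 and the NIC name Srv-Work-nic are also assumptions.

```powershell
# Added example (not from the article): scripted version of the tutorial deployment.
# Assumes Az.Resources / Az.Network / Az.Compute are installed and Connect-AzAccount has run.
$location = 'eastus'        # assumption: any region with availability zones will do
$rg       = 'Test-FW-RG'

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# The firewall subnet MUST be named AzureFirewallSubnet; /26 is the minimum prefix length.
$fwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'AzureFirewallSubnet' -AddressPrefix '10.0.1.0/26'
$wlSubnet = New-AzVirtualNetworkSubnetConfig -Name 'Workload-SN'         -AddressPrefix '10.0.2.0/24'
$vnet = New-AzVirtualNetwork -Name 'Test-FW-VN' -ResourceGroupName $rg -Location $location `
          -AddressPrefix '10.0.0.0/16' -Subnet $fwSubnet, $wlSubnet

# Test server: NIC in Workload-SN, no public IP, no inbound ports opened, boot diagnostics off.
$cred       = Get-Credential -Message 'Admin user name and password for Srv-Work (keep a record of them)'
$wlSubnetId = (Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload-SN').Id
$nic        = New-AzNetworkInterface -Name 'Srv-Work-nic' -ResourceGroupName $rg `
                -Location $location -SubnetId $wlSubnetId   # NIC name is an assumption

# VM size is an assumption; the image matches the tutorial's Windows Server 2019 Datacenter.
$vmConfig = New-AzVMConfig -VMName 'Srv-Work' -VMSize 'Standard_DS1_v2' |
    Set-AzVMOperatingSystem -Windows -ComputerName 'Srv-Work' -Credential $cred |
    Set-AzVMSourceImage -PublisherName 'MicrosoftWindowsServer' -Offer 'WindowsServer' `
                        -Skus '2019-Datacenter' -Version 'latest' |
    Add-AzVMNetworkInterface -Id $nic.Id |
    Set-AzVMBootDiagnostic -Disable
New-AzVM -ResourceGroupName $rg -Location $location -VM $vmConfig | Out-Null

# Firewall: static Standard-SKU public IP fw-pip, zone-redundant across zones 1-3,
# threat-intelligence filtering in Alert mode (matches against Microsoft's feed are logged,
# not blocked; switch to Deny once you have reviewed the alerts).
$pip = New-AzPublicIpAddress -Name 'fw-pip' -ResourceGroupName $rg -Location $location `
         -AllocationMethod Static -Sku Standard -Zone 1, 2, 3
$fw  = New-AzFirewall -Name 'Test-FW01' -ResourceGroupName $rg -Location $location `
         -VirtualNetwork $vnet -PublicIpAddress $pip -Zone 1, 2, 3 -ThreatIntelMode Alert

"Firewall $($fw.Name) deployed; private IP $($fw.IpConfigurations[0].PrivateIPAddress)"
```

The private IP printed at the end is the address a route table on Workload-SN would forward to if you go on to steer the test server's outbound traffic through the firewall, which this tutorial stops short of. To attach more than one public IP (up to the 250 mentioned above), pass an array of public IP objects to -PublicIpAddress.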

Monitoring the Azure Firewall

It’s important to monitor a firewall, in order to identify malicious activity and respond to it, and also to identify legitimate traffic that may be incorrectly blocked by your firewall rules. You can enable diagnostic logging either through the Azure portal, or via PowerShell commands.

Azure Firewall provides the following four log categories:

  • AzureFirewallApplicationRule
  • AzureFirewallNetworkRule
  • AzureFirewallThreatIntelLog
  • AzureFirewallDnsProxy

You can analyze these logs using the following methods:

  • Retrieve logs directly using Azure PowerShell, Azure CLI, or Azure portal
  • Send logs to Power BI
  • Send the logs to Azure Monitor
  • Connect logs to Azure Sentinel, which lets you create custom security alerts
  • Use other Azure monitoring options such as Azure Security Center, or third-party tools.
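Turning the logging on, and then asking the logs a useful question, looks like this with Az PowerShell. This is an added example, not code from the original article or from Microsoft. It assumes the firewall Test-FW01 from the tutorial exists in Test-FW-RG, that Az.Monitor 3.0 or later (which provides New-AzDiagnosticSetting and New-AzDiagnosticSettingLogSettingsObject) and Az.OperationalInsights are installed, and that the logs land in the legacy AzureDiagnostics table, where the firewall message text is in the msg_s column and contains the word "Deny" for blocked flows; the workspace name Test-FW-Logs and the region are assumptions.

```powershell
# Added example (not from the article): send all four Azure Firewall log categories to a
# Log Analytics workspace, then summarise denied traffic per category and hour.
# Assumes Az.Monitor >= 3.0 and Az.OperationalInsights, and that Test-FW01 already exists.
$rg       = 'Test-FW-RG'
$location = 'eastus'      # assumption: same region as the tutorial resources

$fw = Get-AzFirewall -Name 'Test-FW01' -ResourceGroupName $rg

# Workspace name and pricing tier are assumptions.
$ws = New-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name 'Test-FW-Logs' `
        -Location $location -Sku 'PerGB2018'

# One log-settings object per category listed in the article.
$categories = 'AzureFirewallApplicationRule', 'AzureFirewallNetworkRule',
              'AzureFirewallThreatIntelLog', 'AzureFirewallDnsProxy'
$logSettings = foreach ($c in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Category $c -Enabled $true
}

New-AzDiagnosticSetting -Name 'fw-to-loganalytics' -ResourceId $fw.Id `
    -WorkspaceId $ws.ResourceId -Log $logSettings | Out-Null

# Denied flows per category per hour: a first look at both blocked attacks and
# legitimate traffic your rules may be dropping by mistake. Allow a few minutes
# after enabling the setting before the first rows appear.
$kql = @'
AzureDiagnostics
| where Category in ("AzureFirewallNetworkRule", "AzureFirewallApplicationRule", "AzureFirewallThreatIntelLog")
| where msg_s has "Deny"
| summarize Denied = count() by Category, bin(TimeGenerated, 1h)
| order by TimeGenerated desc
'@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table TimeGenerated, Category, Denied
```

Note that the diagnostic setting uses the firewall's resource ID (the ARM path) while the query uses the workspace's CustomerId (its GUID); mixing the two up is the usual reason the query returns an error rather than an empty result. With threat-intelligence filtering in Alert mode, hits show up in AzureFirewallThreatIntelLog without having been blocked, so that category is worth reviewing before you switch the mode to Deny.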

What Azure Firewall Cannot Do

Azure Firewall makes it straightforward to control access to network resources, and to restrict inbound/outbound communication with hostile IP addresses. Nevertheless, for public-facing resources such as web applications, it cannot filter incoming traffic or block hostile requests.

For this purpose, Microsoft offers Azure Web Application Firewall, which is commonly deployed on Application Gateway. Note though that this service also does not offer complete protection against web threats. It includes geolocation-based filtering, and some basic capabilities such as protection from SQL injection. However, its core rule sets are not comprehensive, nor are they meant to be.

Even if Azure users manually construct and maintain an extensive and complicated set of security policies, there are still many important necessities (such as detection of sophisticated malicious bots which can masquerade as human users) which are beyond its capabilities.

Reblaze provides full web security for Azure, and runs natively in Microsoft’s cloud environment. Reblaze augments and automates Azure’s native security capabilities, and adds many more.

For more information, feel free to contact us. Or see our white paper on Securely Using Azure.
