
Azure Firewall

Updated: Dec 21, 2023

Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running in Azure. It's a fully stateful, firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.


Azure Firewall Benefits

  • Centralize connectivity policy

  • Deploy a stateful firewall in minutes

  • Get real-time protection based on threat intelligence

  • Prevent malware and viruses from spreading

  • Inspect traffic in real time for malicious activities

Azure Firewall SKUs

Azure Firewall is offered in two SKUs: Standard and Premium.

Azure Firewall Standard

Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains which are updated in real time to protect against new and emerging attacks.


Built-in high availability

High availability is built in, so no additional load balancers are required and there is nothing you need to configure.

Unrestricted cloud scalability

Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.

Application FQDN filtering rules

You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature does not require SSL termination.

Network traffic filtering rules

You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

FQDN tags

FQDN tags make it easy for you to allow well known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.

Outbound SNAT support

All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations.

Inbound DNAT support

Inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

Azure Monitor logging

All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.

Azure Firewall Premium

Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the payment and healthcare industries. Organizations can leverage Premium stock-keeping unit (SKU) features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks, both laterally (east-west) and vertically (north-south).

Azure Firewall Premium includes the following features:

TLS inspection

Decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.

IDPS

A network intrusion detection and prevention system (IDPS) allows you to monitor network activities for malicious activity, log information about this activity, report it, and optionally attempt to block it.

URL filtering 

Extends Azure Firewall’s FQDN filtering capability to consider an entire URL. For example, instead of

Web categories

Administrators can allow or deny user access to website categories such as gambling websites, social media websites, and others.

Concepts of Azure Firewall

Controlling outbound network access is an essential part of the overall network security plan. For example, you may want to limit access to a website, or you may wish to restrict outbound IP addresses or ports. With a firewall, you can configure application rules that define the fully qualified domain names that can be accessed from a subnet. You can also configure network rules that define source addresses, protocols, destination ports, and destination addresses.

In Azure Firewall, network rule collections take precedence over application rule collections.

There are three types of rule collections:

Application rules

Configure the fully qualified domain names (FQDNs) that can be reached from a subnet.

Network rules

Configure rules that include source addresses, protocols, destination ports, and destination addresses.

NAT rules

Allow incoming Internet connections by configuring DNAT rules.

Note: FQDN tags represent a group of fully qualified domain names associated with well-known Microsoft services.
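As an added example that is not part of the original post, the following Azure PowerShell (Az module) snippet creates one collection of each of the three rule types described above, including an FQDN tag for Windows Update, and attaches them to an existing firewall that uses classic rules. The resource group, firewall and public IP names, the 10.0.x.0 and 203.0.113.0 address ranges, and the priority values are placeholders to replace with your own.

```powershell
# Added example (not from the original post). Assumes the Az module is installed
# and you are signed in (Connect-AzAccount). Names, address ranges and priorities
# are placeholders.
$rg     = "rg-hub"
$fwName = "fw-hub"

$fw  = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$pip = Get-AzPublicIpAddress -Name "pip-fw-hub" -ResourceGroupName $rg

# Application rules: outbound HTTP/S limited to FQDNs (wildcards allowed) plus
# the WindowsUpdate FQDN tag. Evaluated only after the network rule collections.
$appAllowFqdn = New-AzFirewallApplicationRule -Name "allow-microsoft-web" `
    -SourceAddress "10.0.1.0/24" -Protocol "Http:80", "Https:443" `
    -TargetFqdn "*.microsoft.com", "www.bing.com"
$appWinUpdate = New-AzFirewallApplicationRule -Name "allow-windows-update" `
    -SourceAddress "10.0.1.0/24" -FqdnTag "WindowsUpdate"
$appColl = New-AzFirewallApplicationRuleCollection -Name "app-outbound-allow" `
    -Priority 200 -Rule $appAllowFqdn, $appWinUpdate -ActionType Allow

# Network rules: L3/L4 filtering by source, destination, port and protocol.
# Within the network rule type, the lower priority number (100) is evaluated
# first, so the SMB deny wins over the allow collection at 200.
$netDns = New-AzFirewallNetworkRule -Name "allow-dns" -Protocol UDP `
    -SourceAddress "10.0.1.0/24" -DestinationAddress "168.63.129.16" -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name "net-outbound-allow" `
    -Priority 200 -Rule $netDns -ActionType Allow
$netDenySmb = New-AzFirewallNetworkRule -Name "deny-smb-out" -Protocol TCP `
    -SourceAddress "10.0.1.0/24" -DestinationAddress "*" -DestinationPort 445
$netDenyColl = New-AzFirewallNetworkRuleCollection -Name "net-outbound-deny" `
    -Priority 100 -Rule $netDenySmb -ActionType Deny

# DNAT rule: inbound traffic to the firewall public IP is translated to a private
# address on the virtual network. The source is restricted to a known range
# (203.0.113.0/24 is a documentation range used here as a placeholder).
$natRdp = New-AzFirewallNatRule -Name "dnat-rdp-jumpbox" -Protocol TCP `
    -SourceAddress "203.0.113.0/24" -DestinationAddress $pip.IpAddress `
    -DestinationPort 3389 -TranslatedAddress "10.0.2.4" -TranslatedPort 3389
$natColl = New-AzFirewallNatRuleCollection -Name "nat-inbound" -Priority 100 -Rule $natRdp

# Attach all collections and push the change to the firewall.
$fw.AddApplicationRuleCollection($appColl)
$fw.AddNetworkRuleCollection($netColl)
$fw.AddNetworkRuleCollection($netDenyColl)
$fw.AddNatRuleCollection($natColl)
Set-AzFirewall -AzureFirewall $fw
```

Set-AzFirewall applies all four collections in a single update, so check them with Get-AzFirewall afterwards rather than after each Add call.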

Pricing and SLA of Azure Firewall

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It can be seamlessly expanded, requires zero maintenance, and is highly available with unlimited cloud scalability. Setting up a firewall is easy, and billing consists of a fixed fee plus a variable fee.

Azure Firewall provides fully stateful, essential firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically. Microsoft assures you that it will be available at least 99.95% of the time when deployed inside a single Availability Zone, and at least 99.99% of the time when spread across two or more Availability Zones in the same Azure region.
