Azure Firewall

Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best-of-breed threat protection for your cloud workloads running in Azure. It's a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.

You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Azure Firewall Benefits

• Centralize connectivity policy

• Deploy a stateful firewall in minutes

• Get real-time protection based on threat intelligence

• Prevent malware and viruses from spreading

Inspect traffic in real-time for malicious activities

Azure Firewall SKUs

Azure Firewall is offered in two SKUs: Standard and Premium.

Azure Firewall Standard

Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains, updated in real time to protect against new and emerging attacks.

Built-in high availability

High availability is built in, so no additional load balancers are required, and there is nothing you need to configure.

Unrestricted cloud scalability

Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.

Application FQDN filtering rules

You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDN), including wild cards. This feature does not require SSL termination.

Network traffic filtering rules

You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, distinguishing legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.

FQDN tags

FQDN tags allow you to easily allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now, network traffic from Windows Update can flow through your firewall.

Outbound SNAT support

All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation). You can identify and allow traffic originating from your virtual network to remote Internet destinations.

Inbound DNAT support

Inbound network traffic to your firewall's public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.

Azure Monitor logging

All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.

Azure Firewall Premium

Azure Firewall Premium offers advanced features such as signature-based IDPS, allowing for the quick detection of attacks by identifying specific patterns. Byte sequences in network traffic or known malicious instruction sequences used by malware can form these patterns. With over 67,000 signatures across more than 50 categories, the system is continuously updated in real-time to defend against new and emerging exploits. Exploit categories include malware, phishing, coin mining, and Trojan attacks.

TLS inspection 

The TLS (Transport Layer Security) protocol is mainly used for providing privacy, integrity, and authenticity through certificates between two or more communicating applications. It operates at the application layer and is commonly utilized to encrypt the HTTP protocol.

Encrypted traffic poses a potential security risk as it can conceal illegal user activity and malicious traffic. If Azure Firewall does not perform TLS inspection (as depicted in the subsequent diagram), it will not have visibility into the data flowing within the encrypted TLS tunnel, thereby not being able to offer comprehensive protection coverage.

The second diagram illustrates how Azure Firewall Premium terminates and examines TLS connections to identify, notify, and mitigate malicious activity in HTTPS. The firewall establishes two separate TLS connections: one with the Web Server (contoso.com) and another with the client. By using the customer-provided CA certificate, the firewall generates an on-the-fly certificate, which replaces the Web Server certificate and shares it with the client to establish the TLS connection between the firewall and the client.

The Azure Firewall supports the following use cases:

- Outbound TLS Inspection

   To safeguard against malicious traffic originating from an internal client hosted in Azure and destined for the Internet.

- East-West TLS Inspection (includes traffic to/from an on-premises network)

   To protect Azure workloads from potential malicious traffic originating from within Azure.

The Azure Web Application Firewall on Azure Application Gateway supports the following use case:

- Inbound TLS Inspection

•    To protect internal servers or applications hosted in Azure from malicious requests originating from the Internet or an external network. Application Gateway provides end-to-end encryption.

Intrusion Detection and Prevention System (IDPS) 

An Intrusion Detection and Prevention System (IDPS) for networks enables monitoring of network activity for malicious behaviour, logging of relevant information, reporting, and optionally blocking such activity.

Azure Firewall Premium offers signature-based IDPS for quick detection of attacks by identifying specific patterns in network traffic, like byte sequences, and known malicious instruction sequences used by malware. These signatures apply to both application and network-level traffic (Layers 3-7) and are continuously updated and managed. IDPS can be used for inbound, spoke-to-spoke (East-West), and outbound traffic, including traffic to and from on-premises networks. You can set up your IDPS private IP address ranges using the Private IP ranges feature.

The Azure Firewall signatures/rulesets focus on identifying actual malware, Command and Control, exploit kits, and malicious activity that traditional prevention methods might miss. There are over 67,000 rules in more than 50 categories, including malware command and control, phishing, trojans, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, exploit kit activity, and more. Additionally, 20 to 40+ new rules are released daily. The system maintains a low false positive rating by utilizing advanced malware detection techniques, such as the global sensor network feedback loop.

IDPS allows the detection of attacks across all ports and protocols for non-encrypted traffic. When HTTPS traffic needs to be inspected, Azure Firewall employs TLS inspection to decrypt the traffic and enhance the detection of malicious activities.

The IDPS Bypass List is a configuration that enables excluding specified IP addresses, ranges, and subnets from traffic filtering. It is not intended to improve performance throughput, as the firewall's performance remains subject to the associated use case.

IDPS Private IP ranges

Azure Firewall Premium IDPS uses private IP address ranges to determine whether traffic is inbound, outbound, or internal (East-West). Each signature is applied to specific traffic directions, as shown in the signature rules table. By default, only ranges specified by IANA RFC 1918 are recognized as private IP addresses. Therefore, traffic sent from one private IP address range to another is considered internal. You can easily modify your private IP addresses by editing, removing, or adding ranges as needed.

IDPS signature rules

IDPS signature rules enable you to:

Modify one or more signatures and switch their status to Disabled, Alert, or Alert and Deny. The total number of customized IDPS rules should not go beyond 10,000.

For instance, if a legitimate request is mistakenly blocked by Azure Firewall due to a faulty signature, you can disable the mode of the specific signature by using its ID from the network rules logs. This prevents the "faulty" signature from causing false positives.

You can use the same adjustment process for signatures generating excessive low-priority alerts, which might be hindering the visibility of high-priority alerts.

Gain a comprehensive overview of the over 67,000 signatures

Intelligent search

• This feature enables you to explore the entire signatures database using any attribute. For example, you can look up a specific CVE-ID to find out which signatures address this CVE by entering the ID into the search bar.

URL filtering

Azure Firewall's FQDN filtering capability is expanded by URL filtering to encompass an entire URL, such as www.contoso.com/a/c, rather than www.contoso.com.

URL Filtering applies to both HTTP and HTTPS traffic. Azure Firewall Premium can inspect HTTPS traffic, using its TLS inspection feature to decrypt the traffic and extract the target URL for validation. To enable TLS inspection, opt-in is required at the application rule level. Once enabled, HTTPS URLs can be utilized for filtering.

Web categories

Azure Firewall Premium allows administrators to permit or block user access to website categories such as gambling sites and social media platforms. While web categories are available in Azure Firewall Standard, they are more finely tuned in Azure Firewall Premium. In contrast to the Standard SKU, which matches categories based on fully qualified domain names (FQDNs), the Premium SKU matches categories based on the entire URL for both HTTP and HTTPS traffic.

Azure Firewall Premium's web categories can only be configured in firewall policies. It's important to ensure that your policy's SKU matches the SKU of your firewall instance. For instance, if you have a Firewall Premium instance, you must use a Firewall Premium policy.

For example, when Azure Firewall intercepts an HTTPS request for www.google.com/news, the expected categorization would be as follows:

With Firewall Standard, only the FQDN part is considered, so www.google.com is categorized as a Search Engine.

The entire URL is examined with Firewall Premium, so www.google.com/news is categorized as News.

The categories are classified based on severity under Liability, High-Bandwidth, Business Use, Productivity Loss, General Surfing, and Uncategorized.

Web category logging

Remember that you can observe traffic filtered by Web categories in the Application logs. The Web categories field is visible only if it has been specifically set up in the application rules of your firewall policy. For instance, if you lack a rule that explicitly prohibits Search Engines and a user tries to visit www.bing.com, you will only see a default deny message instead of a Web categories message. This occurs because the web category was not explicitly configured.

Category exceptions

You are able to make special cases for your web category regulations. Make a separate rule collection to either allow or deny with a higher priority within the group of rule collections. For instance, you could set up a rule collection that allows www.linkedin.com with a priority of 100 alongside a rule collection that denies access to Social networking with a priority of 200. This will create an exception for the predefined Social networking web category.

Web category search

The Web Category Check feature allows you to determine the category of a specific FQDN or URL. To utilize this feature, go to the Firewall Policy Settings and select the Web Categories tab. This can be valuable when establishing application rules for incoming traffic based on their destination.

Category change

In the Firewall Policy Settings, you can request a change in the category under the Web Categories tab if you believe that an FQDN or URL should be placed under a different category or if you have a suggested category for an uncategorized FQDN or URL.

After submitting a category change report, you will receive a token in the notifications to indicate that your request has been received for processing. You can verify the status of your request - whether it is in progress, denied, or approved - by entering the token in the search bar. Remember to save your token ID in order to do this.

Web categories that don't support TLS termination

For privacy and compliance purposes, it is not possible to decrypt certain encrypted web traffic using TLS termination. For instance, it is not advisable to use TLS termination for web traffic that contains employee health data transmitted over a corporate network due to privacy concerns.

As a result, TLS termination is not supported for the following Web Categories:

- Education

- Finance

- Government

- Health and medicine

As a solution, if you need a specific URL to support TLS termination, you can manually include one or more URLs with TLS termination in application rules. For example, you can include www.princeton.edu in the application rules to permit access to this website.

Concepts of Azure Firewall

Controlling outbound network access is essential to the overall network security plan. For example, you may want to limit access to a website, or you may wish to restrict outbound IP addresses or ports. With a firewall, you can configure application rules that define fully qualified Domain names that can be accessed from a subnet. Also, you can configure network rules so that you can define source addresses, protocol destinations, and destination addresses.

In Azure Firewall  Network rule collections are a higher preference than application rule collections.

There are three types of rule collections

Application rules

Configure Fully qualified domain names (FQDNs) that can be reached from a subnet.

Network rules

Configure rules that include source addresses, protocols, destination ports, and destination addresses.

NAT rules

To allow incoming Internet connections by Configuring DNAT rules.

Note: FDQN Tags Represent a group of fully qualified domain names associated with well-known Microsoft services.

Pricing and SLA of Azure Firewall

Azure Firewall is a controlled cloud-established network security service that shields your Azure Virtual Network resources.  It can be seamlessly expanded, requires zero maintenance, and is highly available with unlimited cloud scalability. Setting up a firewall is easy, with billing involved in fixed and variable fees.

Azure Firewall provides fully stateful necessary firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically. Microsoft assures you that it will be available at least 99.95% of that time when deployed inside a single Availability Zone and the Firewall will be available at least  99.99% of the time when spread within two or more Availability Zones in the corresponding Azure region.