ALIF Consulting
Azure Firewall
Updated: Oct 26, 2022
About Alif: Alif empowers Microsoft MSP-CSP partners to provide exceptional IT services to their clients, so that the partners reduce their costs and focus on their business. We provide white-labelled managed services for technologies like Microsoft Azure, Microsoft 365, Microsoft Dynamics 365, Microsoft Security, SharePoint, Power Platform, SQL, Azure DevOps and a lot more. Our headquarters is in Pune, India, and we work with over 50 partners across the globe who trust us with their client delivery.
Azure Firewall is a cloud-native, intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It is a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability, and it inspects both east-west and north-south traffic.
You can centrally create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. Azure Firewall uses a static public IP address for your virtual network resources, allowing outside firewalls to identify traffic originating from your virtual network. The service is fully integrated with Azure Monitor for logging and analytics.

Azure Firewall Benefits –
Centralize connectivity policy
Deploy a stateful firewall in minutes
Get real-time protection based on threat intelligence
Prevent malware and viruses from spreading
Inspect traffic in real time for malicious activities

Azure Firewall SKUs – Azure Firewall is offered in two SKUs: Standard and Premium.

Azure Firewall Standard – Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert on and deny traffic to or from known malicious IP addresses and domains, which are updated in real time to protect against new and emerging attacks.

Built-in high availability - High availability is built in, so no additional load balancers are required and there is nothing you need to configure.
Unrestricted cloud scalability - Azure Firewall can scale up as much as you need to accommodate changing network traffic flows, so you don’t need to budget for your peak traffic.
Application FQDN filtering rules - You can limit outbound HTTP/S traffic to a specified list of fully qualified domain names (FQDNs), including wildcards. This feature does not require SSL/TLS termination.
Network traffic filtering rules - You can centrally create allow or deny network filtering rules by source and destination IP address, port, and protocol. Azure Firewall is fully stateful, so it can distinguish legitimate packets for different types of connections. Rules are enforced and logged across multiple subscriptions and virtual networks.
FQDN tags - FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag; network traffic from Windows Update can then flow through your firewall.
Outbound SNAT support - All outbound virtual network traffic IP addresses are translated to the Azure Firewall public IP (Source Network Address Translation), so you can identify and allow traffic originating from your virtual network to remote Internet destinations.
Inbound DNAT support - Inbound network traffic to your firewall public IP address is translated (Destination Network Address Translation) and filtered to the private IP addresses on your virtual networks.
Azure Monitor logging - All events are integrated with Azure Monitor, allowing you to archive logs to a storage account, stream events to your Event Hub, or send them to Log Analytics.

Azure Firewall Premium – Azure Firewall Premium provides advanced threat protection that meets the needs of highly sensitive and regulated environments, such as the payment and healthcare industries. Organizations can use Premium SKU features like IDPS and TLS inspection to prevent malware and viruses from spreading across networks in both lateral and horizontal directions.
Azure Firewall Premium includes the following features:
TLS inspection - decrypts outbound traffic, inspects the data, then re-encrypts it and sends it on to the destination.
IDPS - A network intrusion detection and prevention system (IDPS) allows you to monitor network activities for malicious activity, log information about this activity, report it, and optionally attempt to block it.
URL filtering - extends Azure Firewall’s FQDN filtering capability to consider an entire URL. For example, www.contoso.com/a/c instead of www.contoso.com.
Web categories - administrators can allow or deny user access to website categories such as gambling websites, social media websites, and others.
Concepts of Azure Firewall –
Controlling outbound network access is an essential part of the overall network security plan. For example, you may want to limit access to a website, or you may wish to restrict outbound IP addresses or ports. With a firewall, you can configure application rules that define the fully qualified domain names that can be accessed from a subnet. You can also configure network rules that define source addresses, protocols, destination ports, and destination addresses.
In Azure Firewall, network rule collections are processed before application rule collections, so network rules take precedence over application rules.
There are three types of rule collections:
Application rules: Configure fully qualified domain names (FQDNs) that can be reached from a subnet.
Network rules: Configure rules that include source addresses, protocols, destination ports, and destination addresses.
NAT rules: Allow incoming Internet connections by configuring DNAT rules.
Note: FQDN tags represent a group of fully qualified domain names associated with well-known Microsoft services.
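The three rule types above, expressed as a Firewall Policy rule collection group in Bicep. This is an added example, not configuration from the article or from Alif; the policy name is a parameter, and the subnet range and all rule names are constructed.

```bicep
// Added example, not from the article: a rule collection group attached to an
// existing Firewall Policy. Names, ranges and addresses below are constructed.
param firewallPolicyName string      // assumption: the policy is already deployed
var workloadSubnet = '10.0.0.0/24'   // constructed source range

resource policy 'Microsoft.Network/firewallPolicies@2022-01-01' existing = {
  name: firewallPolicyName
}

// Priority orders collections of the same type; across types the firewall always
// evaluates DNAT, then network, then application rules, and denies the rest.
resource rcg 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2022-01-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      { // Network rule: L3/L4 match on source, destination, protocol and port
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'net-dns'
        priority: 100
        action: { type: 'Allow' }
        rules: [ {
          ruleType: 'NetworkRule'
          name: 'allow-azure-dns'
          ipProtocols: [ 'UDP' ]
          sourceAddresses: [ workloadSubnet ]
          destinationAddresses: [ '168.63.129.16' ] // Azure-provided DNS
          destinationPorts: [ '53' ]
        } ]
      }
      { // Application rule: outbound HTTPS only to the Windows Update FQDN tag
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'app-updates'
        priority: 200
        action: { type: 'Allow' }
        rules: [ {
          ruleType: 'ApplicationRule'
          name: 'allow-windows-update'
          sourceAddresses: [ workloadSubnet ]
          protocols: [ { protocolType: 'Https', port: 443 } ]
          fqdnTags: [ 'WindowsUpdate' ]
        } ]
      }
    ]
  }
}
```

A DNAT rule collection (ruleCollectionType 'FirewallPolicyNatRuleCollection' with action type 'DNAT') would sit in the same ruleCollections array and is evaluated before both collections shown here.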
Pricing and SLA of Azure Firewall –
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It scales seamlessly, requires no maintenance, and is highly available with unlimited cloud scalability. Setting up a firewall is easy, and billing consists of a fixed fee plus a variable fee.
Azure Firewall provides fully stateful firewall capabilities for Virtual Network resources, with built-in high availability and the ability to scale automatically. Microsoft guarantees that the firewall will be available at least 99.95% of the time when deployed inside a single Availability Zone, and at least 99.99% of the time when deployed across two or more Availability Zones in the same Azure region.