Microsoft’s Firewall as a Service offering, Azure Firewall, was released in 2018. A bit late in the day in my opinion as early adopters of Azure would have already procured Network Virtual Appliances such as Checkpoint or Palo Alto but if you haven’t adopted Azure yet or are re-evaluating your perimeter security then Azure Firewall might be the solution for you.
Azure Firewall is a Firewall as a Service which means you get built-in high availability, scalability and no requirement to maintain or upgrade appliances which is a real business benefit. What does it give you over a Network Security Group (NSG)? Well quite a lot, you get a dedicated public IP address so you appear as a consistent address on the Internet, you can also create inbound rules if you desire. The key benefits though are automation, FQDN based rules and Azure tags, which provides simplified management and scalability over an NSG’s 5 tuple approach.
Microsoft have baked in a raft of Azure tags so you don’t need to define rules/FQDNs for Azure AD, Azure Backup, Windows Updates, Azure Key Vault and other Azure services which makes deploying and securing Internet connectivity for Windows VMs very quick and easy. This also makes management overhead of your rulebase very low, even when compared to a Network Virtual Appliance (NVA).
If you haven’t already invested in an NVA or are re-evaluating your Azure perimeter security then Azure Firewall is a viable option, however there are some drawbacks.
- There is no SSL inspection which means the rules are based on the FQDN for HTTP sites or the Certificate CN for SSL based sites. This can make creating rules for SSL sites a bit tricky if SAN or wildcard certificates are used so be prepared to use Wireshark.
- Logging. You will need to use a Log Analytics workspace to view logs which is ok and the workspace stats are quite snazzy for reporting. Bear in mind unless you use a free workspace which has limitations this will incur additional costs either per host or per GB. For live troubleshooting using log analytics just isn’t an NVA log viewer like Checkpoint Smart tracker or similar. This blog written by Thuan Soldier has some good info and log query samples https://thuansoldier.net/7805/
- NGFW Capabilities. Limited layer 7 protection features commonly referred to as Next Generation Firewall protection such as IPS, Application Awareness, Anti-Virus etc. Currently the only NGFW feature is threat intelligence which dynamically blocks known malicious IPs/Domains (in preview). This means limited visibility of your traffic, considering 70% of websites are now SSL you want to ensure your environment is protected from advanced threats or malware where possible.
- Cost. Its not cheap, over a year, an Azure Firewall will cost over £7k. which is equal to or more than most NVA’s (depending on your discount). So you are paying a lot for the ‘as a Service’ benefits (HA, scalability and minimal management overhead). Coming soon you will be able to de-allocate/allocate the Azure Firewall to pause the cost so for dev/test environments you could automate this to lower the cost for environments which are not 24/7.
We have deployed Azure Firewall for clients and it is very easy to deploy. The only prerequisites are that you need a dedicated subnet to deploy the Azure Firewall called AzureFirewallSubnet; and the subnet must have a /26 mask. Its also easy to script to repeat the process for multiple release process environments.
From a network design perspective, deploy the Azure Firewall in your hub or transit VNET so you can leverage it for all your VNETs. You can deploy the Azure Firewall without impact existing traffic flows as you need to create User Defined Routes to force traffic through the Azure Firewall so it is easy to integrate into an existing environment subnet-by-subnet to limit the impact and also provide rollback if your rules aren’t quite right.
No doubt Microsoft will continue to develop Azure Firewall and introduce more NGFW features so I am sure some of the technical limitations above will be addressed. Azure Firewall is a solid alternative to secure your Azure environment, especially if you have a small IT support team, but consider your current and future requirements as an NVA may be a better fit. One cloud benefit is that you don’t have to sweat assets, as there is no hardware or capital purchase involved, so you could always migrate to an NVA if your requirements change, environment scales or requires Next Generation Firewall capabilities.
Microsoft’s documentation is excellent for Azure components, for documentation on Azure Firewall see here.