Time for the next part in the AZ-500 study preparation guide.
This time we're looking at:
- Create and configure Azure Firewall
- Create and configure Azure Firewall Manager
What is Azure Firewall?
Azure Firewall is a cloud-native and intelligent network firewall security service that provides best-of-breed threat protection for your cloud workloads running in Azure. It’s a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. It provides both east-west and north-south traffic inspection.
Azure Firewall is offered in two SKUs: Standard and Premium.
Azure Firewall Standard
Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security. Threat intelligence-based filtering can alert and deny traffic from/to known malicious IP addresses and domains which are updated in real time to protect against new and emerging attacks.
Azure Firewall Premium
Azure Firewall Premium provides advanced capabilities, including signature-based IDPS to allow rapid detection of attacks by looking for specific patterns. These patterns can include byte sequences in network traffic, or known malicious instruction sequences used by malware. There are more than 58,000 signatures in over 50 categories which are updated in real time to protect against new and emerging exploits. The exploit categories include malware, phishing, coin mining, and Trojan attacks.
Pricing
 | Standard | Premium |
---|---|---|
Deployment | €1.122 per deployment hour | €1.570 per deployment hour |
Data Processing | €0.015 per GB processed | €0.015 per GB processed |
What is Azure Firewall Manager?
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Firewall Manager can provide security management for two network architecture types:
- Secured virtual hub – An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.
- Hub virtual network – This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.
Pricing
Azure Firewall Manager
Service Type | Price |
---|---|
Azure Firewall Manager Policies | €89.70 per policy per region |
Azure Firewall Manager Integrations
Service Type | Price |
---|---|
Secured Virtual Hubs with 3rd Party Integrations | €0.359 per deployment hour |
Azure Firewall with Secured Virtual Hub
Service Type | Price |
---|---|
Secured Virtual Hubs Deployments | €1.122 per deployment hour |
Secured Virtual Hubs Data Processed | €0.015 per GB processed |
Azure Firewall with Hub Virtual Network
Service Type | Price |
---|---|
Azure Firewall Deployments | €1.122 per deployment hour |
Azure Firewall Data Processed | €0.015 per GB processed |
Policy pricing logic
No Azure Firewall Manager policy charges apply to policies that are associated with a single firewall.
How to set up Azure Firewall Standard?
Search for Azure Firewall.
When You choose Standard, You can choose between Policy or Classic rules.
At the end it should look like this.
Once deployed, You can edit the policies from the main page,
and You have the following settings to edit.
From Rule collection You add the following.
Rule collections are sets of rules of the same type: DNAT, network, or application rules. Rule collection groups can include rule collections of various types.
When You add a rule, You have to select a collection group for the rule. My example rule below allows a connection from ANY public address to IP address 10.0.0.1 on TCP port 80, with the priority set to 100.
Why 100, You ask? Because the priority range is 100 to 65000.
DNAT
You can translate an IP address and a port to a different address and port. Let’s say You have a Skype Frontend behind this one: the public port is 443 but the internal port is 4443, so the following rule would work.
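The rule-collection behaviour described above (priorities from 100 to 65000, the TCP/80 network rule to 10.0.0.1 and the 443 to 4443 DNAT) modelled in Python as an added example; this is not code from the original post or from Azure. It assumes a simplified processing order (DNAT collections before network collections, lower priority number first, first match wins), and every address in it is constructed.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Simplified model of Azure Firewall Policy rule processing (added example, not
# Azure's implementation). Assumed order: DNAT collections first, then network
# collections, each in ascending priority (100-65000); first matching rule wins.
KIND_ORDER = {"DNAT": 0, "Network": 1}

@dataclass
class Rule:
    name: str
    protocol: str                      # "TCP", "UDP" or "Any"
    source: str                        # "*" (any) or a CIDR
    destination: str                   # CIDR; for DNAT, the firewall's public IP
    dest_ports: set[int]
    translated: tuple[str, int] | None = None   # DNAT only: (address, port)

@dataclass
class RuleCollection:
    name: str
    kind: str                          # "DNAT" or "Network"
    priority: int
    action: str                        # one action for every rule in the collection
    rules: list[Rule] = field(default_factory=list)
    def __post_init__(self):
        if not 100 <= self.priority <= 65000:
            raise ValueError(f"{self.name}: priority must be between 100 and 65000")

def _matches(rule, proto, src, dst, port):
    if rule.protocol not in ("Any", proto):
        return False
    if rule.source != "*" and ip_address(src) not in ip_network(rule.source):
        return False
    return ip_address(dst) in ip_network(rule.destination) and port in rule.dest_ports

def evaluate(collections, proto, src, dst, port):
    """Return (action, matched rule name, DNAT translation or None)."""
    for coll in sorted(collections, key=lambda c: (KIND_ORDER[c.kind], c.priority)):
        for rule in coll.rules:
            if _matches(rule, proto, src, dst, port):
                return coll.action, rule.name, rule.translated
    return "Deny", None, None           # implicit deny when nothing matches

# Constructed policy mirroring the post's two rules (all addresses are examples).
POLICY = [
    RuleCollection("web-in", "Network", 100, "Allow",
                   [Rule("allow-http", "TCP", "*", "10.0.0.1/32", {80})]),
    RuleCollection("skype-dnat", "DNAT", 100, "Dnat",
                   [Rule("skype-fe", "TCP", "*", "203.0.113.10/32", {443}, ("10.0.0.5", 4443))]),
]
```

Calling `evaluate(POLICY, "TCP", "198.51.100.7", "10.0.0.1", 443)` falls through to the implicit deny, which is the behaviour to expect when a rule's port or protocol does not match.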
Destination types
There are 4 destination types to choose from.
IP Address
Just the IP address of the destination resource You will allow access to.
IP Group
An IP Group can have a single IP address, multiple IP addresses, or one or more IP address ranges.
IP Groups can be reused in Azure Firewall DNAT, network, and application rules for multiple firewalls across regions and subscriptions in Azure. Group names must be unique. You can configure an IP Group in the Azure portal, Azure CLI, or REST API.
FQDN tags
FQDN tags make it easy for you to allow well-known Azure service network traffic through your firewall. For example, say you want to allow Windows Update network traffic through your firewall. You create an application rule and include the Windows Update tag. Now network traffic from Windows Update can flow through your firewall.
Service tags
A service tag represents a group of IP address prefixes to help minimize complexity for security rule creation. You can’t create your own service tag, nor specify which IP addresses are included within a tag. Microsoft manages the address prefixes encompassed by the service tag, and automatically updates the service tag as addresses change.
DNS and DNS Proxy
A DNS server maintains and resolves domain names to IP addresses. By default, Azure Firewall uses Azure DNS for name resolution. The DNS server setting lets you configure your own DNS servers for Azure Firewall name resolution. You can configure a single server or multiple servers. If you configure multiple DNS servers, the server used is chosen randomly. You can configure a maximum of 15 DNS servers in Custom DNS.
You can configure Azure Firewall to act as a DNS proxy. A DNS proxy is an intermediary for DNS requests from client virtual machines to a DNS server.
By default, Azure Firewall uses Azure DNS and DNS Proxy is disabled.
How to setup Azure Firewall Premium features?
When creating Azure Firewall Premium, You can see the Standard policy but can also create Premium policies.
Azure Firewall Premium includes the following features:
- TLS inspection – decrypts outbound traffic, processes the data, then encrypts the data and sends it to the destination.
- IDPS – A network intrusion detection and prevention system (IDPS) allows you to monitor network activities for malicious activity, log information about this activity, report it, and optionally attempt to block it.
- URL filtering – extends Azure Firewall’s FQDN filtering capability to consider an entire URL. For example, www.contoso.com/a/c instead of www.contoso.com.
- Web categories – administrators can allow or deny user access to website categories such as gambling websites, social media websites, and others.
TLS inspection
Enable TLS inspection from Firewall policy. You need a Key Vault with an access policy for the firewall’s Managed Identity.
Access policy under Key Vault.
IDPS
You have the following Intrusion Detection and Prevention System modes available.
Azure Firewall Premium provides signature-based IDPS to allow rapid detection of attacks by looking for specific patterns, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. The IDPS signatures are applicable for both application and network level traffic (Layers 4-7), they are fully managed, and continuously updated. IDPS can be applied to inbound, spoke-to-spoke (East-West), and outbound traffic.
IDPS signature rules allow you to:
- Customize one or more signatures and change their mode to Disabled, Alert or Alert and Deny. For example, if you receive a false positive where a legitimate request is blocked by Azure Firewall due to a faulty signature, you can use the signature ID from the network rules logs, and set its IDPS mode to off. This causes the “faulty” signature to be ignored and resolves the false positive issue.
- You can apply the same fine-tuning procedure for signatures that are creating too many low-priority alerts, and therefore interfering with visibility for high-priority alerts.
- Get a holistic view of the entire 55,000 signatures
- Smart search – Allows you to search through the entire signatures database by any type of attribute. For example, you can search for a specific CVE-ID to discover which signatures cover this CVE by simply typing the ID in the search bar.
URL filtering
URL filtering can be enabled from Application rule collection.
URL Filtering can be applied both on HTTP and HTTPS traffic. When HTTPS traffic is inspected, Azure Firewall Premium can use its TLS inspection capability to decrypt the traffic and extract the target URL to validate whether access is permitted. TLS inspection requires opt-in at the application rule level. Once enabled, you can use URLs for filtering with HTTPS.
Web categories
You can do the same destination type filtering with Web categories.
Web categories lets administrators allow or deny user access to web site categories such as gambling websites, social media websites, and others. Web categories will also be included in Azure Firewall Standard, but it will be more fine-tuned in Azure Firewall Premium. As opposed to the Web categories capability in the Standard SKU that matches the category based on an FQDN, the Premium SKU matches the category according to the entire URL for both HTTP and HTTPS traffic.
For example, if Azure Firewall intercepts an HTTPS request for www.google.com/news, the following categorization is expected:
- Firewall Standard – only the FQDN part will be examined, so www.google.com will be categorized as Search Engine.
- Firewall Premium – the complete URL will be examined, so www.google.com/news will be categorized as News.
The categories are organized based on severity under Liability, High-Bandwidth, Business Use, Productivity Loss, General Surfing, and Uncategorized.
How to set up Azure Firewall Manager?
Search for Azure Firewall Manager and on the main page choose Virtual Networks.
Create
Availability zones
Some regions support the ability to put your Azure Firewall in an availability zone (or multiple, for zone redundancy). If you’re not able to select a zone, you may have chosen an Azure region that doesn’t yet support availability zones.
Azure regions with availability zones
Azure provides the most extensive global footprint of any cloud provider and is rapidly opening new regions and availability zones.
Americas | Europe | Africa | Asia Pacific |
---|---|---|---|
Brazil South | France Central | South Africa North | Australia East |
Canada Central | Germany West Central | | Central India |
Central US | North Europe | | Japan East |
East US | Norway East | | Korea Central |
East US 2 | UK South | | Southeast Asia |
South Central US | West Europe | | East Asia |
US Gov Virginia | Sweden Central | | |
West US 2 | | | |
West US 3 | | | |
Public IP
You can add a new public IP or use existing. You cannot select SKU or Dynamic assignment.
Forced tunneling
Enable forced tunneling to create an additional subnet for firewall management traffic. This subnet will have direct access to the internet.
Firewall Manager starts incurring costs from the get-go, as soon as it creates an Azure Firewall. You choose the tier You want to deploy and see the policies created earlier.
If You have Premium Firewall enabled, You see these policies when changing tier.
You can create a new rule that will flow to all Your firewalls.
The new policy inherits all settings from the parent policy, which it uses as a template.
Go to Azure Firewall Policies and You can see that there are 0 VNets associated. To associate one, open Manage associations.
And select Your VNet.
And in a couple of seconds You will see the associated VNet.
When You go back to Your firewall, You will see SuperPolicy associated.
ARM templates
If You want to try out the ARM deployment of the firewalls after this visual extravaganza, You can do it with the template below.
The End and things to remember
Azure Firewall Standard provides L3-L7 filtering and threat intelligence feeds directly from Microsoft Cyber Security.
Azure Firewall Premium provides advanced capabilities, including signature-based IDPS to allow rapid detection of attacks by looking for specific patterns.
Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.
Azure Firewall costs money both per deployment hour and per GB of data processed.
Firewall Manager is billed per policy per region, but no Azure Firewall Manager policy charges apply to policies that are associated with a single firewall.
Differences between DNS and DNS Proxy.
How TLS inspection works with Key vault and managed identities.
CIDR cheat sheet
I have always found it difficult to visualize the addresses, so if You are like me, here You go.
CIDR | SUBNET MASK | WILDCARD MASK | # OF IP ADDRESSES | # OF USABLE IP ADDRESSES |
---|---|---|---|---|
/32 | 255.255.255.255 | 0.0.0.0 | 1 | 1 |
/31 | 255.255.255.254 | 0.0.0.1 | 2 | 2* |
/30 | 255.255.255.252 | 0.0.0.3 | 4 | 2 |
/29 | 255.255.255.248 | 0.0.0.7 | 8 | 6 |
/28 | 255.255.255.240 | 0.0.0.15 | 16 | 14 |
/27 | 255.255.255.224 | 0.0.0.31 | 32 | 30 |
/26 | 255.255.255.192 | 0.0.0.63 | 64 | 62 |
/25 | 255.255.255.128 | 0.0.0.127 | 128 | 126 |
/24 | 255.255.255.0 | 0.0.0.255 | 256 | 254 |
/23 | 255.255.254.0 | 0.0.1.255 | 512 | 510 |
/22 | 255.255.252.0 | 0.0.3.255 | 1,024 | 1,022 |
/21 | 255.255.248.0 | 0.0.7.255 | 2,048 | 2,046 |
/20 | 255.255.240.0 | 0.0.15.255 | 4,096 | 4,094 |
/19 | 255.255.224.0 | 0.0.31.255 | 8,192 | 8,190 |
/18 | 255.255.192.0 | 0.0.63.255 | 16,384 | 16,382 |
/17 | 255.255.128.0 | 0.0.127.255 | 32,768 | 32,766 |
/16 | 255.255.0.0 | 0.0.255.255 | 65,536 | 65,534 |
/15 | 255.254.0.0 | 0.1.255.255 | 131,072 | 131,070 |
/14 | 255.252.0.0 | 0.3.255.255 | 262,144 | 262,142 |
/13 | 255.248.0.0 | 0.7.255.255 | 524,288 | 524,286 |
/12 | 255.240.0.0 | 0.15.255.255 | 1,048,576 | 1,048,574 |
/11 | 255.224.0.0 | 0.31.255.255 | 2,097,152 | 2,097,150 |
/10 | 255.192.0.0 | 0.63.255.255 | 4,194,304 | 4,194,302 |
/9 | 255.128.0.0 | 0.127.255.255 | 8,388,608 | 8,388,606 |
/8 | 255.0.0.0 | 0.255.255.255 | 16,777,216 | 16,777,214 |
/7 | 254.0.0.0 | 1.255.255.255 | 33,554,432 | 33,554,430 |
/6 | 252.0.0.0 | 3.255.255.255 | 67,108,864 | 67,108,862 |
/5 | 248.0.0.0 | 7.255.255.255 | 134,217,728 | 134,217,726 |
/4 | 240.0.0.0 | 15.255.255.255 | 268,435,456 | 268,435,454 |
/3 | 224.0.0.0 | 31.255.255.255 | 536,870,912 | 536,870,910 |
/2 | 192.0.0.0 | 63.255.255.255 | 1,073,741,824 | 1,073,741,822 |
/1 | 128.0.0.0 | 127.255.255.255 | 2,147,483,648 | 2,147,483,646 |
/0 | 0.0.0.0 | 255.255.255.255 | 4,294,967,296 | 4,294,967,294 |
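The cheat sheet above computed instead of memorized, as an added example that is not part of the original post: `cidr_row` derives subnet mask, wildcard mask and address counts from the prefix length (with the /31 and /32 special cases the table marks), and `firewall_subnet_ok` applies that to the /26 minimum Azure documents for the AzureFirewallSubnet, a requirement taken from Azure's documentation rather than from the post.

```python
from ipaddress import IPv4Address, ip_network

# Added example (not from the original post): compute a row of the cheat sheet
# from the prefix length instead of looking it up. Usable-address counting
# follows the table: /32 is one host, /31 keeps both addresses (point-to-point,
# RFC 3021), everything else loses the network and broadcast addresses.
def cidr_row(prefix: int) -> dict:
    if not 0 <= prefix <= 32:
        raise ValueError("IPv4 prefix length must be 0-32")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # leading 1-bits = network part
    total = 1 << (32 - prefix)
    usable = 1 if prefix == 32 else 2 if prefix == 31 else total - 2
    return {
        "cidr": f"/{prefix}",
        "subnet_mask": str(IPv4Address(mask)),
        "wildcard_mask": str(IPv4Address(mask ^ 0xFFFFFFFF)),  # inverted mask
        "addresses": total,
        "usable": usable,
    }

def cheat_sheet() -> list:
    """All 33 rows, /32 down to /0, in the order the post lists them."""
    return [cidr_row(p) for p in range(32, -1, -1)]

# Azure Firewall needs a subnet named AzureFirewallSubnet of at least /26 (and an
# AzureFirewallManagementSubnet, also /26 minimum, for forced tunneling). The
# minimum size is a documented Azure requirement, not something from the post.
FIREWALL_SUBNET_MIN_PREFIX = 26

def firewall_subnet_ok(cidr: str) -> bool:
    """True when the CIDR is a proper network address and large enough for the firewall."""
    net = ip_network(cidr, strict=True)       # rejects host bits set in the address
    return net.version == 4 and net.prefixlen <= FIREWALL_SUBNET_MIN_PREFIX

if __name__ == "__main__":
    for r in cheat_sheet():
        print(f"{r['cidr']:>4} | {r['subnet_mask']:<15} | {r['wildcard_mask']:<15} | "
              f"{r['addresses']:>13,} | {r['usable']:>13,}")
```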