Azure firewall basic in public preview

Posted by Harri Jaakkonen Posted on 05/10/2022 0 Comments on Azure firewall basic in public preview
Posted in Azure, Azure Firewall, ESLZ, Security

Microsoft has released a new SKU for Azure Firewalls called Basic, it’s still in Preview, so keep that in mind.

It is cheaper than Standard but has enough capabilities for most customers.

See the full announcement here.

Azure Firewall Basic now in preview
Azure Firewall Basic is a new SKU of Azure Firewall designed to meet the needs of SMBs by providing enterprise-grade protection of their cloud environment at an affordable price point. It is a cloud-native, highly available, stateful firewall-as-a-service offering that enables customers to cen…

And more information on my AZ-500 study guide on what Azure Firewall is about and how to set it up.

Section 5 – Implement platform protection – Implement advanced network security – Azure Firewall
Time for the next part in the AZ-500 study preparation guide. This time were looking at: Create and configure Azure Firewall Create and configure Azure Firewall Manager What is Azure Firewall? Azure Firewall is a cloud-native and intelligent network firewall security service that provides the best of breed threat protection for your cloud workloads running […]

Features

I made a table from the picture inside the announcement for easier reading. So credits go to Microsoft.

From here you can see the differences with them all with one glimpse.

Feature CategoryFeatureFirewall BasicStandardFirewall Premium
L3-L7 FilteringApplication level FQON filtering (SNI based) for HTTPS and SQLXXX
Network level FQDN filtering — all ports and protocolsXX
Stateful firewall (S tuple rules)XXX
Network Address Translation (SNAT/DNAT)XXX
Reliability & PerformanceAvailability zonesXXX
Built-in HAXXX
Cloud scalability (auto-scale as traffic grows)up to 250MbpsUp to 30 GbpsUp to 1M Gbps
Fat Flow supportN/A1 Gbps10 Gbps
Ease Of ManagementCentral management via Firewall ManagerXXX
Policy Analytics (Rule Management over time)XXX
Enterprise IntegrationFull logging including SIEM integrationXXX
Service Tags and FQDN Tags for easy policy managementXXX
Easy DevOps integration using REST/pS/CLl/Templbtes/ TerraformXXX
Web content filtering (web categories)XX
DNS Proxy and custom DNSXX
Advanced Threat ProtectionThreat intelligence-based filtering (known malicious IP address/ domains)AlertXX
Inbound TLS termination (TLS reverse proxy)using App GW
Outbound TLS termination (TLS forward proxy)X
Fully managed IDPSX
URL filtering (full path – incl. SSI termination)X

Availability zones

Availability zones are still supported in Basic.

You can place your Azure Firewall in an availability zone in some areas (or multiple, for zone redundancy). You might have selected an Azure region that doesn’t yet support availability zones if you are unable to select a zone.

Azure regions with availability zones

Azure provides the most extensive global footprint of any cloud provider and is rapidly opening new regions and availability zones.

AmericasEuropeMiddle EastAfricaAsia Pacific
Brazil SouthFrance CentralQatar CentralSouth Africa NorthAustralia East
Canada CentralGermany West CentralUAE NorthCentral India
Central USNorth EuropeJapan East
East USNorway EastKorea Central
East US 2UK SouthSoutheast Asia
South Central USWest EuropeEast Asia
US Gov VirginiaSweden CentralChina North 3
West US 2Switzerland North
West US 3

Performance

The performance will be gapped to 250mb/s, which is enough from remote locations and SMB sector clients.

Threat protection

Protection gets the biggest hit but you get alerts and can act based on them but all other features isn’t there with Basic.

Pricing

But the pricing is a lot lower for deployment but higher for data processing.

Basic (Preview)StandardPremium
Deployment€0.411 per deployment hour€1.298 per deployment hour€1.818 per deployment hour
Data Processing€0.068 per GB processed€0.017 per GB processed€0.017 per GB processed

Deployment

And remember the Hub and Spoke for all the firewall deployments inside Azure, it just makes sense.

CIDR cheat sheet

And if you are like me, you need this also. I never ever remember them, , so if You are like me, here You go.

CIDRSUBNET MASKWILDCARD MASK# OF IP ADDRESSES# OF USABLE IP ADDRESSES
/32255.255.255.2550.0.0.011
/31255.255.255.2540.0.0.122*
/30255.255.255.2520.0.0.342
/29255.255.255.2480.0.0.786
/28255.255.255.2400.0.0.151614
/27255.255.255.2240.0.0.313230
/26255.255.255.1920.0.0.636462
/25255.255.255.1280.0.0.127128126
/24255.255.255.00.0.0.255256254
/23255.255.254.00.0.1.255512510
/22255.255.252.00.0.3.2551,0241,022
/21255.255.248.00.0.7.2552,0482,046
/20255.255.240.00.0.15.2554,0964,094
/19255.255.224.00.0.31.2558,1928,190
/18255.255.192.00.0.63.25516,38416,382
/17255.255.128.00.0.127.25532,76832,766
/16255.255.0.00.0.255.25565,53665,534
/15255.254.0.00.1.255.255131,072131,070
/14255.252.0.00.3.255.255262,144262,142
/13255.248.0.00.7.255.255524,288524,286
/12255.240.0.00.15.255.2551,048,5761,048,574
/11255.224.0.00.31.255.2552,097,1522,097,150
/10255.192.0.00.63.255.2554,194,3044,194,302
/9255.128.0.00.127.255.2558,388,6088,388,606
/8255.0.0.00.255.255.25516,777,21616,777,214
/7254.0.0.01.255.255.25533,554,43233,554,430
/6252.0.0.03.255.255.25567,108,86467,108,862
/5248.0.0.07.255.255.255134,217,728134,217,726
/4240.0.0.015.255.255.255268,435,456268,435,454
/3224.0.0.031.255.255.255536,870,912536,870,910
/2192.0.0.063.255.255.2551,073,741,8241,073,741,822
/1128.0.0.0127.255.255.2552,147,483,6482,147,483,646
/00.0.0.0255.255.255.2554,294,967,2964,294,967,294
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published. Required fields are marked *