Skip to main content

Introducing Azure Firewall


Azure firewall is the latest addition to Azure security features portfolio. It was announced in preview last week along with Azure virtual WAN. Along with other features such as NSG and WAF , Azure Firewall enables additional protection for your applications hosted in Azure. We know that NSG offers network level protection(L3) and helps in implementing restrictions on incoming and outgoing traffic at network layer. WAF enables inbound security for web applications at Layer 7.Azure Network firewall provides outbound network layer(L3-L4) and application level (L7) protection for Http and Https traffic.

There are two types of rules that can be created in Azure Firewall. Application rule and Network rule. As name indicates Network rule can be used to allow/deny traffic at network layer by defining the source IP & protocol + Destination IP& protocol. Application rules can be created to allow or restrict outbound traffic to specific FQDNs.

If you want to play around with Azure Firewall, Refer this document for a step by step approach.  It outlines the process of accessing a VM in a network protected using Azure firewall.


 

Image courtesy:Microsoft

Few pointers here that will help you understand the configuration:

  • Workload VM(Srv-Work) is created in the subnet Workload-SN
  • The workload VM is accessed using a JumpBox server(Srv-Jump) as the workload VM does not have a public IP associated with it
  • Workload-SN had a default rule applied that redirects all outbound traffic to the Firewall. If you review the effective rules of Workload VM NIC card, the default route will be listed that routes the outbound traffic to Azure Firewall.


 


  • In the firewall, Network and application rules are created allowing only required traffic from the Workload VM. In the example, DNS resolution is allowed using network rules and access to GitHub is allowed using application rule.
  • DNS resolution is restricted to specific DNS servers and the DNS server IPs are hard coded in the workload VM NIC as custom DNS

 

PS: The document has instructions for creating a network rule in Firewall to allow DNS using protocol TCP. However, I couldn’t get it working without adding UDP. I have provided feedback in the document to check on this.

Other than that, the instructions work like a charm and I could get the set up working without any other glitches. Since internet access is restricted to specific FQDN, access to any other website will be denied. If you try accessing a website whose FQDN is not defined in the rule, you will get the following message

 

S e http://w•wwgoogle.com/ p The world's leading softwared— e google.com 
request blocked by Azure NO rule matched. proceeding With default action

 

Viola.. that’s your Azure firewall in Action!! You can also create and connect Azure Firewall to existing VNets from VNet -> Settings. However, do keep in mind that this service is currently in preview.

Comments

  1. Gps tracker For more information
    but information is very best

    ReplyDelete
  2. Thanks for sharing this useful info. In22labs (unwind learning labs) is one of the leading E-governance solutions providers in India. We have worked on 100+ portals for Egovernance using the latest technologies. Know more Government apps development providers

    ReplyDelete
  3. Cloud computing

    CLOUD LEARN MORE What is CLOUD Computing? Cloud computing Cloud computing is a general term for anything that involves delivering hosted services over the internet.

    These services are divided into three main categories: infrastructure as a service (IaaS), platform as a service (PaaS) and software as a service (SaaS).A cloud…

    Visit to- sunoltech.com for more details

    ReplyDelete
  4. Thanks for sharing this was very helpful. Please check our product akku
    Identity & Access Management Solution

    ReplyDelete
  5. Thank You for Sharing this wonderful and much required information in this post. oracle cloud application tool in UK

    ReplyDelete
  6. This information really helped me a lot. It was very informative.
    Cloud Managed Services

    ReplyDelete
  7. This information really helped me a lot. It was very informative.
    Cloud Migration Services

    ReplyDelete
  8. Excellent blog...Thanks for sharing valuable information.. At TechBrein, we boast a team of proficient digital consultants who have successfully helped businesses take the next level in this digital age. With a clear cut understanding of the industry, market conditions and audience, we provide expert advice and a result-oriented strategy for businesses to help them thrive and transform digitally. Please visit our website below…
    https://www.techbrein.com

    ReplyDelete
  9. I really appreciate your post, and you explain each and every point very well. Thanks for sharing this information.
    Master data management companies
    Cloud computing Solution

    ReplyDelete

Post a Comment

Popular posts from this blog

Windows server 2012: where is my start button??

If you have been using Windows Server OS for a while, the one thing that will strike you most when you login to a Windows server 2012 is that there is no start button!!.. What??..How am I going to manage it?? Microsoft feels that you really dont need a start button, since you can do almost everything from your server  manager or even remotely from your desktop. After all the initial configurations are done, you could also do away with the GUI and go back to server core option.(In server 2012, there is an option to add and remove GUI). So does that mean, you need to learn to live without a start button. Actually no, the start button is very much there .Lets start looking for it. Option 1: There is "charms" bar on the side of your deskop, where you will find a "start" option. You can use the "Windows +C" shortcut to pop out the charms bar Option 2: There is a hidden "start area"in  the bottom left corner of your desktop

The Cloud Migration Gotchas..

All leading cloud providers have a well defined Cloud Adoption Framework that will help you shape up your cloud migration strategy. Customers would eventually end up with one of the 5 'R's of rationalization - Rehost(Lift&shift) , Refactor, Rearchitect, Rebuild or Replace.  Once you have identified the approach , next steps would be planning and execution. However the best  plans laid out by  a professional services team can be driven off the track by  customer specific environment challenges. If you are helping customers with cloud migration, here are few things that you might want to think through again and prepare for before you go all in . 1.Start with stakeholder buy in The first step called out in Azure Cloud Adoption Framework is Strategy  or rather the motivation of the organization to move to cloud. Though this would usually be done in the presales phase and might have the buy in of the C-Suite, it is very important that this acceptance trickles down to stakeholde

Cloud Security - Risk factors

Cloud security is a major consideration for enterprise wide cloud adoption, especially public cloud. This is part 1 of a serious of blog posts , where I am planning to pen down the different dimensions of Cloud security, starting with the risk factors of cloud adoption. The various attributes of security risks  involved in the process can be summed up as follows: ENISA* recommends the following  risk areas to be taken into account, while embarking on a cloud adoption journey