I'm a proponent of zero trust for enhancing network-level security and access control for your Azure resources. The idea is to demarcate your high-security deployments from the internet using a perimeter network, also known as a DMZ. This lets you focus your network access control, logging, monitoring, and alert/event management workflow integration on your edge devices, not necessarily as a stand-alone solution, but as part of an overarching solution for access control and oversight at the network layer. Think of NSGs/ASGs (in the Microsoft cloud) as fitting somewhere into this picture, and let's not overlook identity and the role it plays as a pillar of security, but that's a topic for another day.
Now with that said, most enterprises use software-defined networking with third-party offerings for security capabilities similar to what they are familiar with on-premises. These are great in whatever model you want to deploy them: at the perimeter between the internet and your workloads in a flat virtual network with logically defined subnets, in a shared services hub network through which you route traffic to your trusted workloads, in a hub-spoke design, or in any of various other designs. The question I'm often asked is how Azure Firewall features in all of this, and whether it has comparable capabilities to other network virtual appliances. This is the subject I will address in this article without getting too deep into the weeds.
Azure Firewall is a cloud-native, managed security service offering that protects your resources in your Azure virtual networks. It is a fully stateful firewall service and, as a PaaS offering, has built-in resiliency and cloud scalability. It is a great option for the many features and capabilities that it provides, such as:
- Application and network traffic filtering rules
- FQDN and Service tags
- Inbound destination, and outbound source NAT
- Full event management and SIEM integration with logging (native Azure monitor integration)
- DevOps integration using ARM, or 3rd party tools like Terraform.
From a deployment standpoint you effectively treat Azure Firewall as a virtual appliance even though it’s a managed service, and you can override default system routes, or route traffic as desired using User-defined routes (UDRs). As with all virtual appliances, logging security events is a core requirement, and Azure Firewall delivers in spades, with options to archive diagnostic logs to a storage account for further consumption, stream to an event hub for consumption in a third-party SIEM for instance, or send directly to a Log Analytics workspace.
In the diagnostic settings, you can configure select logs relating to application rules, network rules, or metrics. Once diagnostic settings are enabled, diagnostic logging requires you to write your firewall logs to a storage account in the same region as your Azure Firewall resource, and once done you can glean insights with Kusto queries and even integrate with Azure Sentinel, the cloud-native SIEM from Microsoft.
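To make the logging discussion concrete, here is an added example (not code from this article or from Microsoft) that parses application and network rule log records archived to a storage account and counts denied flows per source. The JSON layout and message wording are assumptions modelled on the classic Azure Firewall diagnostic log format, and every sample record is constructed.

```python
import json
import re
from collections import Counter

APP, NET = "AzureFirewallApplicationRule", "AzureFirewallNetworkRule"

# Assumed message layout: "<proto> request from <ip>:<port> to <dest>:<port>. Action: <verb>"
MSG_RE = re.compile(
    r"^(?P<proto>\S+) request from (?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"to (?P<dst>[^\s:]+):(?P<dst_port>\d+)\. Action: (?P<action>\w+)"
)

def _rec(category, msg):
    """Build one constructed log record as a JSON line."""
    return json.dumps({"category": category, "time": "2019-07-09T10:00:00Z",
                       "properties": {"msg": msg}})

# Constructed sample input, not real firewall output.
SAMPLE_RECORDS = [
    _rec(APP, "HTTPS request from 10.1.0.5:55640 to www.example.com:443. "
              "Action: Allow. Rule Collection: web-allow. Rule: example"),
    _rec(APP, "HTTPS request from 10.1.0.5:55641 to bad.example.net:443. Action: Deny. "
              "No rule matched. Proceeding with default action"),
    _rec(APP, "HTTPS request from 10.1.0.5:55650 to bad.example.net:443. Action: Deny. "
              "No rule matched. Proceeding with default action"),
    _rec(NET, "TCP request from 10.1.0.7:50120 to 203.0.113.10:3389. Action: Deny"),
    _rec("SomeOtherCategory", "record that is not a rule log"),
    "{truncated line",
]

def parse_record(line):
    """Return the flow fields of a rule-log record, or None if it is not one."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("category") not in (APP, NET):
        return None
    match = MSG_RE.match((rec.get("properties") or {}).get("msg", ""))
    return dict(match.groupdict(), category=rec["category"]) if match else None

def denied_by_source(lines):
    """Count denied flows per (source IP, destination, destination port)."""
    counts = Counter()
    for flow in filter(None, map(parse_record, lines)):
        if flow["action"] == "Deny":
            counts[(flow["src_ip"], flow["dst"], int(flow["dst_port"]))] += 1
    return counts

if __name__ == "__main__":
    for (src, dst, port), n in denied_by_source(SAMPLE_RECORDS).most_common():
        print(f"{n} denied: {src} -> {dst}:{port}")
```

Repeated denies from one workload to the same destination are a useful starting point for an alert rule or for tightening the rule collection that should have matched.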
That said, note that Azure Firewall is not a replacement for third-party offerings with advanced next-generation firewall capabilities, and won't give you NGFW features like sandboxing, etc. It is a nice alternative firewall for the price, if it meets your business requirements. Also consider other cloud-native solutions like the web application firewall in Application Gateway during your design. I will cover these services in another article.
Latest posts by Chiyo Odika
- Zero Trust and the Azure Firewall service - July 9, 2019