Map requirements to Azure Firewall features

5.4 Azure Firewall and Firewall Manager

📘 Microsoft Azure Networking Solutions (AZ-700)


When you’re studying for the AZ-700 exam, one important skill is being able to look at a set of requirements and identify which Azure Firewall features meet them. This is a common scenario in real exams.

Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Networks (VNets). Azure Firewall Manager is used to centrally manage multiple firewalls across your network.

Here’s what you need to know:


Step 1: Understand Azure Firewall Basics

Azure Firewall has several key features:

  1. Network rules – control traffic based on:
    • Source IP / Destination IP
    • Protocol (TCP, UDP, ICMP)
    • Port numbers
    Example: Allow traffic from a specific VNet subnet to a database server on port 1433 (SQL).
  2. Application rules – control traffic to FQDNs (Fully Qualified Domain Names):
    • These rules filter HTTP/HTTPS traffic based on the domain.
    • You can allow or deny access to specific websites or services.
    Example: Allow traffic from your VMs to *.microsoft.com but block *.socialmedia.com.
  3. Threat intelligence – integrates with Microsoft Threat Intelligence:
    • Alerts or blocks traffic from malicious IP addresses and domains.
  4. Logging and monitoring – integrates with:
    • Azure Monitor
    • Log Analytics
    • Event Hub for SIEM integration
  5. FQDN tags – simplify rules for common Azure services:
    • Example: Storage, SQL, KeyVault tags allow traffic to all those services without specifying every URL.
  6. Fully stateful firewall – keeps track of active connections, meaning you don’t need to open return traffic manually.
  7. High availability and scalability – automatically scales to handle large traffic loads.
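To see how these features look once they are actually configured, here is an added Bicep template (written for this page, not code from the course or from Microsoft's documentation) that puts features 1, 2, 3, 5 and 6 into one Firewall Policy. The resource names and 10.x addresses are constructed placeholders; *.socialmedia.com is the placeholder domain from the application-rule example above. One caveat worth knowing before the exam and the first real deployment: the fqdnTags property accepts only the tag names Microsoft publishes (WindowsUpdate, used here, is one of them), whereas names such as Storage, Sql and KeyVault are service tags and go in the destinationAddresses of a network rule.

```bicep
// Added example, not from the course page: one Firewall Policy exercising the Step 1 features.
// Resource names and the 10.x.x.x addresses are constructed placeholders; *.socialmedia.com is
// the placeholder domain from the page's own application-rule example.
param location string = resourceGroup().location
param appSubnetPrefix string = '10.1.1.0/24'   // constructed: spoke subnet that hosts the VMs
param sqlServerIp string = '10.2.0.4'          // constructed: private IP of the database server

// Feature 3, threat intelligence: 'Deny' blocks traffic to and from IPs and domains on the
// Microsoft feed; 'Alert' only logs such traffic; 'Off' ignores the feed.
resource policy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-demo'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'
  }
}

// Rules sit in rule collections inside a rule collection group. Lower priority numbers are
// evaluated first, and network rules are always matched before application rules.
resource rules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: policy
  name: 'DefaultRuleCollectionGroup'
  properties: {
    priority: 200
    ruleCollections: [
      // Feature 1, network rule: source/destination IP, protocol and port. The firewall is
      // stateful (feature 6), so no rule is needed for the SQL server's replies.
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-sql-from-app-subnet'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'app-to-sql-1433'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ appSubnetPrefix ]
            destinationAddresses: [ sqlServerIp ]
            destinationPorts: [ '1433' ]
          }
        ]
      }
      // Feature 2, application rules: HTTP/HTTPS filtered by FQDN. The deny collection carries
      // the lower number so it is checked before the allow collection that follows.
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-social-media'
        priority: 200
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'block-socialmedia'
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            sourceAddresses: [ appSubnetPrefix ]
            targetFqdns: [ '*.socialmedia.com' ]
          }
        ]
      }
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-microsoft-and-updates'
        priority: 300
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'allow-microsoft-com'
            protocols: [
              { protocolType: 'Https', port: 443 }
            ]
            sourceAddresses: [ appSubnetPrefix ]
            targetFqdns: [ '*.microsoft.com' ]
          }
          // Feature 5, FQDN tag: one Microsoft-maintained name stands for every endpoint of
          // the service, so the rule lists no individual update URLs.
          {
            ruleType: 'ApplicationRule'
            name: 'allow-windows-update'
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            sourceAddresses: [ appSubnetPrefix ]
            fqdnTags: [ 'WindowsUpdate' ]
          }
        ]
      }
    ]
  }
}
```

Deploy it into a resource group with az deployment group create and attach the policy to a firewall through the firewall's firewallPolicy.id property. The priorities are the part to check when a scenario question gives you several rules: the deny collection must carry a lower number than any allow collection that could match the same FQDN, and a network rule that matches first ends evaluation, so application rules never see that flow.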

Step 2: Understand Azure Firewall Manager

Azure Firewall Manager helps you manage multiple firewalls across subscriptions and VNets. Key features:

  1. Hub-and-spoke management – deploy firewalls in a hub and route traffic from spoke VNets.
  2. Policy management – define centralized rules (network and application rules) for all firewalls.
  3. Threat intelligence integration – enable security alerts across all firewalls.
  4. Route management – integrates with Azure Virtual WAN for traffic routing.

Step 3: Mapping Requirements to Features

In the exam, Microsoft might give you requirements like these:

Requirement | Azure Firewall feature to use | Explanation
Block traffic to social media websites | Application rules | Application rules can block FQDNs like facebook.com
Allow SQL traffic from a subnet to a database | Network rules | Network rules control TCP/UDP ports and IPs
Automatically block traffic from known malicious sources | Threat intelligence-based filtering | Azure Firewall uses Microsoft Threat Intelligence
Log all network and application traffic for auditing | Diagnostic logs / Azure Monitor integration | Enables tracking, monitoring, and alerting
Simplify rules for Azure services like Storage | FQDN tags | Instead of listing every storage URL, use the Storage tag
Centrally manage firewall rules across multiple VNets | Azure Firewall Manager policies | Central policy management simplifies rule deployment

Exam tip: always match the type of traffic-control requirement to the feature type:

  • Network control → Network rules
  • Domain/URL control → Application rules
  • Malicious traffic alert → Threat intelligence
  • Centralized management → Firewall Manager

Step 4: Practical Exam Pointers

  1. You may see diagrams or scenarios with multiple VNets. Ask yourself:
    • Do I need centralized control? → Firewall Manager
    • Do I need domain-level blocking? → Application rules
    • Do I need port/protocol control? → Network rules
  2. Remember stateful vs stateless:
    • Azure Firewall is stateful, so inbound/outbound return traffic is automatically allowed for existing connections.
  3. Policy assignment hierarchy:
    • You can have global policies (applied to multiple firewalls) or local policies (specific firewall).
  4. Integration:
    • Works with Azure Monitor, Log Analytics, and Virtual WAN.
    • These integrations often show up in scenario-based exam questions.
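The policy hierarchy from pointer 3 and the logging integration from pointer 4 are easiest to understand as resources. The Bicep below is an added example for this page (not code from the course or from Microsoft): a global parent policy, a local child policy that references it through basePolicy (what Firewall Manager calls the parent policy), and a diagnostic setting that streams the hub firewall's logs to Log Analytics. The firewall and workspace are assumed to already exist in the same resource group; their names, the spoke address range and the *.socialmedia.com domain are constructed placeholders. The caveat a practitioner wants here: network rules are always matched before application rules, so a broad local network rule that allows TCP 443 to any destination would pass traffic before the global FQDN deny is ever consulted; keep local network rules narrow.

```bicep
// Added example, not from the course page: the global/local policy hierarchy that Firewall
// Manager manages, plus the diagnostic setting that meets the logging requirement. Names,
// the spoke address range and the *.socialmedia.com domain are constructed placeholders.
param location string = resourceGroup().location
param firewallName string = 'afw-hub'        // assumed: firewall already deployed in the hub VNet
param workspaceName string = 'law-security'  // assumed: existing Log Analytics workspace

// Global (parent) policy: settings that every firewall deriving from it inherits.
resource globalPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-global'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    threatIntelMode: 'Deny'
  }
}
// A parent's rule collection groups are evaluated before the child's own groups, whatever
// priority numbers the child uses. Network rules still run before application rules, so
// this FQDN deny is only reached by flows no network rule has already allowed.
resource globalRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: globalPolicy
  name: 'global-baseline'
  properties: {
    priority: 100
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'deny-social-media-everywhere'
        priority: 100
        action: { type: 'Deny' }
        rules: [
          {
            ruleType: 'ApplicationRule'
            name: 'block-socialmedia'
            protocols: [
              { protocolType: 'Http', port: 80 }
              { protocolType: 'Https', port: 443 }
            ]
            sourceAddresses: [ '*' ]
            targetFqdns: [ '*.socialmedia.com' ]
          }
        ]
      }
    ]
  }
}

// Local (child) policy for one hub firewall. It must use the same SKU tier as its parent and
// inherits the parent's threat intelligence mode; the firewall's firewallPolicy.id points here.
resource localPolicy 'Microsoft.Network/firewallPolicies@2023-05-01' = {
  name: 'fwpol-hub1-local'
  location: location
  properties: {
    sku: { tier: 'Standard' }
    basePolicy: { id: globalPolicy.id }
  }
}
resource localRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-05-01' = {
  parent: localPolicy
  name: 'hub1-local'
  properties: {
    priority: 100   // same number as the global group, still evaluated after it
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-storage-from-spokes'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'spokes-to-storage-https'
            ipProtocols: [ 'TCP' ]
            sourceAddresses: [ '10.1.0.0/16' ]   // constructed: spoke VNet address space
            destinationAddresses: [ 'Storage' ]  // service tag: every Azure Storage IP range
            destinationPorts: [ '443' ]
          }
        ]
      }
    ]
  }
}

// Logging requirement: send every log category from the hub firewall to Log Analytics,
// where Azure Monitor alerts can be defined and a SIEM export configured.
resource fw 'Microsoft.Network/azureFirewalls@2023-05-01' existing = {
  name: firewallName
}
resource law 'Microsoft.OperationalInsights/workspaces@2022-10-01' existing = {
  name: workspaceName
}
resource diag 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = {
  name: 'fw-to-log-analytics'
  scope: fw
  properties: {
    workspaceId: law.id
    logs: [
      { categoryGroup: 'allLogs', enabled: true }
    ]
  }
}
```

In exam terms, fwpol-global is the "global policy" and fwpol-hub1-local the "local policy": rules that must apply everywhere live in the parent, rules specific to one firewall in the child, and every firewall attached to a child of the same parent gets the global baseline without it being copied. The diagnostic setting is the piece that turns the "log all traffic for auditing" requirement into something queryable and alertable.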

Step 5: Summary Table for Exam Memory

Requirement type | Azure Firewall feature
IP, port, protocol control | Network rules
URL/domain access control | Application rules
Central management | Azure Firewall Manager
Detect/block malicious traffic | Threat intelligence
Simplify rules for Azure services | FQDN tags
Monitor, log, or alert | Diagnostic logs + Azure Monitor

This table is great to memorize for the exam, because almost every scenario will fit into one of these categories.


Key Takeaways for Students

  • Always identify the type of requirement first.
  • Map the requirement to the correct Azure Firewall feature.
  • Know that Firewall Manager is for centralized control and policy management.
  • Remember stateful firewall behavior: return traffic does not need a separate rule.
  • FQDN tags and application rules make rule management easier.