Create and implement an Azure Firewall

5.4 Azure Firewall and Firewall Manager

📘Microsoft Azure Networking Solutions (AZ-700)


What is Azure Firewall?

Azure Firewall is a cloud-native, fully managed network security service that protects your Azure Virtual Networks (VNets). It acts as a barrier controlling both inbound and outbound traffic, ensuring only allowed traffic flows through.

Key points for exams:

  • Fully stateful – keeps track of connections and understands whether traffic is part of an existing session.
  • Highly available – built for cloud-scale redundancy.
  • Centralized management – you can manage rules for multiple VNets centrally via Azure Firewall Manager.

Azure Firewall Deployment Types

When you implement Azure Firewall, you need to choose how it will connect to your network:

  1. Hub-and-Spoke (Recommended)
    • Place the firewall in a hub VNet.
    • Connect multiple spoke VNets to the hub via VNet peering.
    • Exam tip: This design is common for centralizing security across many VNets.
  2. Single VNet
    • Firewall is deployed directly in one VNet.
    • Good for smaller environments.
  3. Virtual WAN Integration
    • For large-scale, global Azure environments using Azure Virtual WAN.

Azure Firewall SKUs

There are two main SKUs:

  1. Standard – basic layer 3 and layer 4 network filtering.
  2. Premium – adds:
    • TLS/SSL inspection
    • URL filtering
    • IDPS (Intrusion Detection & Prevention System)

Exam Tip: Always match the requirements to the SKU.

  • If you need URL filtering, you need Premium.
  • For simple allow/deny traffic rules, Standard is enough.

Step 1: Planning the Deployment

Before creating the firewall, plan:

  1. Network architecture – hub-and-spoke, single VNet, or virtual WAN.
  2. IP addresses – Azure Firewall needs a public IP for outbound/inbound traffic.
  3. Subnets – create a dedicated subnet named AzureFirewallSubnet; the name must match exactly.
  4. Routing – configure User Defined Routes (UDRs) to send traffic from VNets through the firewall.
  5. Firewall rules – plan:
    • Network rules (layer 3/4, e.g., TCP 443 to a server)
    • Application rules (layer 7, e.g., HTTP/HTTPS to specific domains)
    • NAT rules (translate incoming traffic to internal resources)

Step 2: Creating an Azure Firewall

Using Azure Portal:

  1. Go to Azure Portal → Create a resource → Firewall.
  2. Select Resource Group and Region.
  3. Choose Firewall name and SKU (Standard/Premium).
  4. Configure Virtual Network and ensure the AzureFirewallSubnet exists.
  5. Assign a Public IP for external access (optional: only for inbound rules).
  6. Review and Create.

Using Azure CLI:

# The "az network firewall" commands ship in the azure-firewall CLI extension
az extension add --name azure-firewall

# Create the firewall (no IP configuration yet)
az network firewall create \
  --name MyFirewall \
  --resource-group MyResourceGroup \
  --location eastus

# Create a public IP (Azure Firewall requires Standard SKU with static allocation)
az network public-ip create \
  --name MyFirewallPublicIP \
  --resource-group MyResourceGroup \
  --sku Standard \
  --allocation-method Static

# Attach the IP to the firewall; MyVNet must already contain AzureFirewallSubnet
az network firewall ip-config create \
  --firewall-name MyFirewall \
  --name MyFirewallConfig \
  --public-ip-address MyFirewallPublicIP \
  --vnet-name MyVNet

Exam Tip: Know both portal and CLI steps for firewall creation.


Step 3: Implement Firewall Rules

1. Network Rules

  • Used for IP-based traffic (TCP/UDP).
  • Example: Allow outbound traffic from subnet WebServers to 10.1.1.0/24 on port 443.

2. Application Rules

  • Used for domain/URL traffic (HTTP/S).
  • Example: Allow webserver1 to access *.microsoft.com.

3. NAT Rules

  • Used to map public IP ports to internal resources.
  • Example: Allow public TCP 443 to internal VM on 10.0.0.4:443.
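
The three rule examples above as Azure CLI commands, added here as an example that is not from the original page and uses the classic per-firewall rule collections. It assumes MyFirewall and MyResourceGroup from Step 2; the WebServers range 10.0.1.0/24 and the webserver1 address 10.0.1.4 are constructed values, and the firewall's public IP is passed in for the DNAT rule. Setting AZ_CMD="echo az" prints each command instead of running it.

```sh
# Added example (not from the page): Step 3 rule types as classic Azure CLI rule collections.
# Assumed: MyFirewall/MyResourceGroup from Step 2; the WebServers range 10.0.1.0/24 and
# webserver1 = 10.0.1.4 are constructed values. AZ_CMD="echo az" gives a dry run.
set -eu
AZ_CMD=${AZ_CMD:-az}
RG=MyResourceGroup
FW=MyFirewall
WEB_SUBNET=10.0.1.0/24   # constructed: address range of the WebServers subnet

# Network rule (layer 3/4): WebServers -> 10.1.1.0/24 on TCP 443.
# --priority/--action are needed only when the collection is created for the first time.
allow_https_to_backend() {
  $AZ_CMD network firewall network-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name Net-Allow --priority 100 --action Allow \
    --name WebServers-to-Backend-443 \
    --protocols TCP --source-addresses "$WEB_SUBNET" \
    --destination-addresses 10.1.1.0/24 --destination-ports 443
}

# Application rule (layer 7): webserver1 -> *.microsoft.com over HTTPS only.
allow_microsoft_fqdn() {
  $AZ_CMD network firewall application-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name App-Allow --priority 200 --action Allow \
    --name webserver1-to-microsoft \
    --protocols Https=443 --source-addresses 10.0.1.4 \
    --target-fqdns "*.microsoft.com"
}

# DNAT rule: TCP 443 on the firewall's public IP ($1) -> 10.0.0.4:443.
# Look the IP up with: az network public-ip show -g "$RG" -n MyFirewallPublicIP --query ipAddress -o tsv
dnat_https_to_vm() {
  $AZ_CMD network firewall nat-rule create \
    --resource-group "$RG" --firewall-name "$FW" \
    --collection-name NAT-Inbound --priority 300 --action Dnat \
    --name Public-443-to-VM \
    --protocols TCP --source-addresses '*' \
    --destination-addresses "$1" --destination-ports 443 \
    --translated-address 10.0.0.4 --translated-port 443
}
```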

Step 4: Routing Traffic Through Firewall

  1. Create a route table and associate with subnets.
  2. Add UDR to route traffic:
    • 0.0.0.0/0 → Azure Firewall private IP (for all outbound traffic).
  3. Enable forced tunneling for centralized inspection.
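
Steps 1 and 2 above as Azure CLI commands, added here as an example that is not from the original page. It assumes MyResourceGroup, MyVNet and MyFirewall from Step 2; the route table name rt-via-firewall and the WebServers subnet are constructed, and the firewall's private IP is passed in as the next hop. Setting AZ_CMD="echo az" prints each command instead of running it.

```sh
# Added example (not from the page): route a workload subnet through the firewall with a UDR.
# Assumed: MyResourceGroup/MyVNet/MyFirewall from Step 2; rt-via-firewall and the WebServers
# subnet are constructed names. AZ_CMD="echo az" gives a dry run.
set -eu
AZ_CMD=${AZ_CMD:-az}
RG=MyResourceGroup
VNET=MyVNet
RT=rt-via-firewall   # constructed route table name

# The UDR next hop is the firewall's private IP; look it up with this (not used in dry-run mode).
firewall_private_ip() {
  az network firewall show --resource-group "$RG" --name MyFirewall \
    --query "ipConfigurations[0].privateIPAddress" -o tsv
}

# 1. Create the route table. Disabling BGP route propagation keeps gateway-learned
#    routes off the subnet, so they cannot bypass the firewall.
create_route_table() {
  $AZ_CMD network route-table create --resource-group "$RG" --name "$RT" \
    --location eastus --disable-bgp-route-propagation true
}

# 2. Default route 0.0.0.0/0 -> firewall private IP ($1); next hop type must be VirtualAppliance.
add_default_route_via_firewall() {
  $AZ_CMD network route-table route create --resource-group "$RG" \
    --route-table-name "$RT" --name default-via-firewall \
    --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
    --next-hop-ip-address "$1"
}

# Associate the route table with a workload subnet ($1), e.g. WebServers.
associate_subnet() {
  $AZ_CMD network vnet subnet update --resource-group "$RG" --vnet-name "$VNET" \
    --name "$1" --route-table "$RT"
}
```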

Step 5: Monitoring and Logging

Azure Firewall provides logging for auditing and troubleshooting:

  • Diagnostic logs → Sent to Log Analytics, Storage Account, or Event Hub.
  • Metrics → Monitor throughput, SNAT connections, rule hits.
  • Threat Intelligence → Optional: block known malicious IPs automatically.
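
Sending the firewall's diagnostic logs and metrics to Log Analytics, then checking that network-rule hits arrive, as an added example that is not from the original page. It assumes MyFirewall and MyResourceGroup from Step 2; the workspace name law-firewall is constructed, and the firewall and workspace IDs are passed in. Setting AZ_CMD="echo az" prints each command instead of running it.

```sh
# Added example (not from the page): Step 5 logging via Azure CLI.
# Assumed: MyFirewall/MyResourceGroup from Step 2; law-firewall is a constructed
# Log Analytics workspace name. AZ_CMD="echo az" gives a dry run.
set -eu
AZ_CMD=${AZ_CMD:-az}
RG=MyResourceGroup
FW=MyFirewall
WORKSPACE=law-firewall   # constructed workspace name

# Diagnostic log categories: rule hits per rule type plus the DNS proxy log.
FW_LOG_CATEGORIES='[{"category":"AzureFirewallApplicationRule","enabled":true},
 {"category":"AzureFirewallNetworkRule","enabled":true},
 {"category":"AzureFirewallDnsProxy","enabled":true}]'

# $1 = firewall resource ID, $2 = workspace resource ID. Look them up with:
#   az network firewall show -g "$RG" -n "$FW" --query id -o tsv
#   az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query id -o tsv
enable_firewall_diagnostics() {
  $AZ_CMD monitor diagnostic-settings create --name fw-to-law \
    --resource "$1" --workspace "$2" \
    --logs "$FW_LOG_CATEGORIES" \
    --metrics '[{"category":"AllMetrics","enabled":true}]'
}

# Verify logs are flowing: $1 = workspace customer ID (GUID), from
#   az monitor log-analytics workspace show -g "$RG" -n "$WORKSPACE" --query customerId -o tsv
recent_network_rule_hits() {
  $AZ_CMD monitor log-analytics query --workspace "$1" \
    --analytics-query "AzureDiagnostics | where Category == 'AzureFirewallNetworkRule' | where TimeGenerated > ago(1h) | project TimeGenerated, msg_s | take 20"
}
```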

Exam Tip: Know how to enable logging via portal or CLI and send logs to Log Analytics.


Step 6: Centralized Management with Azure Firewall Manager

  • Use Firewall Manager for central policy management.
  • Define hub-and-spoke policies once, then apply to multiple firewalls.
  • Supports:
    • Threat intelligence
    • Network/application rules
    • Forced tunneling

Exam Tip: Firewall Manager simplifies managing many firewalls at scale.


Step 7: Key Exam Notes

  1. AzureFirewallSubnet must exist, and it can hold only one firewall.
  2. Firewall SKUs impact features: Standard vs Premium.
  3. Always plan routing and UDRs before implementing the firewall.
  4. Rules are stateful: no need to create return rules.
  5. Use diagnostic logging for auditing.

Summary Table: Azure Firewall Implementation Steps

  Step   Action
  1      Plan network, IP, subnet, SKU, and rules
  2      Create firewall (Portal/CLI)
  3      Configure rules (Network, Application, NAT)
  4      Route traffic through firewall using UDRs
  5      Enable logging and monitoring
  6      Use Firewall Manager for centralized policy

This gives students all they need to know for AZ-700: creation, rules, routing, monitoring, SKUs, and firewall manager.