Design an Azure Firewall deployment

5.4 Azure Firewall and Firewall Manager

📘Microsoft Azure Networking Solutions (AZ-700)

Azure Firewall is a cloud-based, fully managed network security service that protects your Azure Virtual Network (VNet) resources. When designing a deployment, you need to plan where, how, and what features of Azure Firewall you’ll use.

1. Decide the Deployment Architecture

There are two main types of deployment architectures:

a. Hub-and-Spoke Network Architecture

  • Hub VNet: Central network where Azure Firewall resides. This VNet acts as the main point for traffic inspection.
  • Spoke VNets: Other VNets connected to the hub for isolation, hosting applications, or workloads.
  • Traffic flow: All traffic between spokes or to/from the internet goes through the hub and passes through Azure Firewall.
  • Use case: Best for large organizations with multiple VNets and centralized security management.

b. Virtual Network Peering

  • VNets are connected using VNet peering.
  • You can deploy Azure Firewall in one VNet and route traffic from other VNets through it.
  • Important: Peered VNets cannot have overlapping IP address spaces.

Key exam point: Microsoft may ask which architecture centralizes security and monitoring – the hub-and-spoke model is the recommended approach.

2. Choose the Azure Firewall SKU

Azure Firewall has two SKUs:

FeatureAzure Firewall StandardAzure Firewall Premium
Basic network & application rules
Threat intelligence
TLS inspection & IDPS
URL filtering & FQDN tags
High throughput & scalability

Exam tip: Use Premium if you need advanced security features like TLS decryption, intrusion detection/prevention (IDPS), and FQDN filtering for encrypted traffic.

3. Plan Firewall Placement

  • Azure Firewall must be deployed in its own subnet called AzureFirewallSubnet.
  • This subnet cannot contain any other resources.
  • Firewall IP addresses:
    • Public IP: Needed if you want internet-facing access (e.g., for NAT or DNAT rules).
    • Private IP: Used for internal communication between VNets or workloads.

Example:
You have a web application in a spoke VNet. The firewall in the hub VNet can inspect outbound traffic to the internet and inbound traffic from clients.

4. Configure Routing

Azure Firewall works with Azure Route Tables (UDRs):

  1. Outbound traffic:
    • Direct traffic from VNets to the internet through Azure Firewall.
    • Example: Spoke VNet route table has a default route (0.0.0.0/0) pointing to Azure Firewall’s private IP.
  2. Inbound traffic (DNAT):
    • Use firewall to allow internet users to access internal services (e.g., web servers).
    • Configure DNAT rules to translate public IP to internal private IP.
  3. Forced tunneling:
    • Optional. Send traffic to on-premises network or security appliances.

Exam tip: Questions may ask how to ensure all traffic is inspected — answer: use UDRs to route traffic through Azure Firewall.

5. Define Firewall Rules

There are three types of rules:

  1. Network rules
    • Control traffic based on IP addresses, ports, and protocols.
    • Example: Allow outbound HTTPS (port 443) to a specific IP range.
  2. Application rules
    • Control traffic based on FQDN (domain names) or URLs.
    • Example: Block access to social media websites from corporate network.
  3. NAT rules (DNAT)
    • Translate external IP/port to internal private IP/port.
    • Example: Internet users access your internal web server using firewall’s public IP.

Exam tip: Know the purpose of each rule type — network, application, and NAT.

6. Plan for High Availability and Scalability

  • Built-in HA: Azure Firewall automatically provides zone-redundant deployment within a region.
  • Scaling:
    • Firewall can auto-scale based on traffic load.
    • No manual configuration is needed for standard auto-scaling.
  • Global deployment: If workloads span multiple regions, deploy a firewall per region or use Azure Firewall Manager for centralized management.

7. Integrate with Firewall Manager (Optional but Exam-Relevant)

Azure Firewall Manager allows centralized management of multiple Azure Firewalls:

  • Configure policies once and apply to multiple firewalls.
  • Monitor security alerts and compliance centrally.
  • Supports Secure Virtual Hubs in the hub-and-spoke architecture.

Exam tip: Questions may ask how to manage multiple firewalls efficiently — answer: use Firewall Manager with security policies.

8. Monitor and Log Traffic

  • Enable diagnostic logs: Collect data for auditing and troubleshooting.
    • Use Azure Monitor or Log Analytics to analyze traffic patterns.
  • Threat intelligence alerts: Identify and block traffic from known malicious IPs.

Important: Azure Firewall’s logging is critical for exam scenarios about security monitoring.

Summary – Steps for Designing a Deployment

  1. Choose the architecture: Hub-and-spoke or peered VNets.
  2. Select the SKU: Standard or Premium based on required features.
  3. Place the firewall in AzureFirewallSubnet.
  4. Configure routing: Use UDRs to route traffic through the firewall.
  5. Define firewall rules: Network, application, and NAT rules.
  6. Ensure high availability and scaling.
  7. Use Firewall Manager for centralized management.
  8. Enable monitoring and logging for security and audit compliance.
Buy Me a Coffee

Powered by
Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
None
Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
None
Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
None
Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
None
Powered by