5.4 Azure Firewall and Firewall Manager
📘Microsoft Azure Networking Solutions (AZ-700)
Overview
Azure Firewall comes in two SKUs (Stock Keeping Units):
- Azure Firewall Standard
- Azure Firewall Premium
These SKUs differ in features, throughput, and cost. Choosing the right SKU depends on your security requirements, network scale, and specific features needed in your Azure environment.
1. Azure Firewall Standard
Purpose: Basic, fully managed network and application-level firewall for Azure VNets.
Key Features:
- Stateful firewall: Tracks active connections and allows return traffic automatically.
- Network and application rules: Can filter traffic based on IP addresses, ports, protocols, and fully qualified domain names (FQDNs).
- Threat intelligence: Option to alert or block traffic from known malicious IPs/domains.
- High availability: Built-in, zone-redundant HA without additional configuration.
- Scaling: Auto-scaling based on traffic load.
Use Cases in IT environments:
- Protects VNets from unauthorized access.
- Filters traffic to SaaS apps and internet destinations.
- Monitors malicious IPs and domains for small to medium workloads.
Limitations:
- No TLS/SSL inspection (cannot inspect encrypted traffic).
- No support for IDPS (Intrusion Detection and Prevention System).
- Does not support advanced certificate-based authentication.
Exam Tip: Remember Standard is ideal for basic network protection and workloads that don’t require deep packet inspection.
2. Azure Firewall Premium
Purpose: Advanced, enterprise-grade firewall with additional security features, especially for sensitive or regulated workloads.
Key Features:
- Includes all Standard features.
- TLS/SSL inspection: Can decrypt and inspect encrypted traffic to detect hidden threats.
- IDPS: Detects and blocks intrusion attempts in network traffic.
- URL filtering: Granular control over web traffic.
- Enhanced certificate management: For application rules requiring certificates.
- Advanced threat protection: Better logging and analysis for compliance.
Use Cases in IT environments:
- Protects critical workloads handling sensitive data.
- Ensures compliance with security standards like ISO, HIPAA, or PCI-DSS.
- Detects sophisticated attacks hidden inside encrypted traffic.
- Controls access to web applications at a very granular level.
Limitations:
- More expensive than Standard.
- Slightly higher management complexity due to advanced features.
Exam Tip: Premium is needed when your organization has strict security requirements, needs inspection of encrypted traffic, or must meet compliance standards.
3. Choosing the Right SKU
When deciding which SKU to use, consider:
| Factor | Standard | Premium |
|---|---|---|
| Network protection | Basic | Advanced |
| Encrypted traffic inspection | ❌ Not supported | ✅ Supported |
| IDPS | ❌ No | ✅ Yes |
| URL/Domain filtering | Basic | Advanced |
| Cost | Lower | Higher |
| Compliance needs | Low to medium | High |
| Recommended for | Small-medium workloads, general VNet protection | Enterprise workloads, regulated industries |
IT Scenario Examples:
- A company hosting a development environment with no sensitive data → Standard SKU is enough.
- A company handling financial or healthcare data that must comply with regulations → Premium SKU is required.
- If traffic includes HTTPS traffic to multiple external APIs → Premium SKU is better for TLS inspection.
4. Exam Points to Remember
- Standard vs Premium is primarily about security features and encrypted traffic inspection.
- Premium includes all Standard features — you don’t lose anything by upgrading.
- Choose SKU based on workload needs, compliance, and traffic types.
- Cost matters: Standard is cheaper; Premium adds extra cost for advanced security.
- TLS inspection & IDPS are Premium only — often a direct exam question.
✅ Summary for Exam:
- Standard SKU: Basic protection, network & application rules, threat intelligence. Good for general use.
- Premium SKU: Advanced protection, TLS inspection, IDPS, URL filtering, compliance-ready. Good for sensitive workloads.
- Decision: Match the SKU to your network security needs, compliance, and whether encrypted traffic inspection is required.
