Cloud Security with Azure Firewall

Cloud Security with Azure Firewall - Doing it Right!

In today’s digital landscape, where businesses increasingly rely on cloud services to drive innovation and efficiency, ensuring robust cybersecurity measures is paramount. As organisations embrace the transformative potential of the cloud, they must also address the evolving challenges of securing their digital assets and sensitive data from malicious threats. At the forefront of cloud security strategies stands the firewall—a cornerstone of network defence that acts as a barrier between trusted internal networks and untrusted external networks, such as the internet.

One of the challenges with cloud network security is that many organisations carry forward assumptions from on-premise designs. In the cloud, network boundaries are more fluid, traffic patterns are less predictable, and identity frequently becomes a stronger control than IP-based trust. Azure Firewall is most effective when it is treated not as a perimeter replacement, but as a policy enforcement and inspection point within a broader, identity-aware architecture.

Even in the Zero Trust world we find ourselves in today where the perimeter cannot be trusted, or on occasions may not be present at all, in the context of the Azure cloud environment, Azure Firewall remains a powerful solution designed to fortify network security and safeguard cloud workloads against a myriad of cyber threats.

At a high level, we cover the following ground in this article:

IntroductionThis Section - the purpose of a firewall, alternatives to Azure Firewall, and why maybe you don't an Azure Firewall.
Firewalls, Firewalls and more FirewallsA detailed introduction to Azure Firewall and its three different variants.
Firewall Deployment Best PracticesNetwork topology considerations, best practices for rulesbase configuration and some Azure specific advice.
Additional ResourcesA collection of focused articles on specific aspects of Azure Firewall - they dive deep here!

Purpose of a Firewall

Fundamentally, the purpose of a firewall is to regulate and monitor the flow of network traffic, enforcing predetermined security policies to mitigate risks and protect against unauthorized access, malware, and other malicious activities. By analysing incoming and outgoing traffic based on predefined rules, firewalls serve as a gatekeeper, allowing legitimate data to pass through while blocking or filtering potentially harmful content.

Deploying a firewall, such as Azure Firewall, within the Azure cloud environment offers a multitude of benefits for businesses seeking to bolster their security posture:

Defence-in-Depth StrategyAzure Firewall complements existing security measures within the Azure ecosystem, forming an integral part of a defence-in-depth strategy. By adding an additional layer of protection at the network perimeter, organisations can adopt a multi-faceted approach to security, reducing the likelihood of successful cyber attacks.
Granular Access ControlWith Azure Firewall, businesses gain granular control over network traffic, allowing them to define and enforce precise security policies based on application, protocol, port, and other parameters. This level of granularity enables organisations to tailor their security posture to meet specific compliance requirements and business needs.
Scalability and FlexibilityAs a cloud-native solution, Azure Firewall offers unparalleled scalability and flexibility, seamlessly adapting to evolving network demands and workload requirements. Whether expanding operations or undergoing digital transformation initiatives, businesses can rely on Azure Firewall to scale effortlessly, ensuring consistent security across dynamic cloud environments.
Integrated Threat IntelligenceAzure Firewall integrates threat intelligence feeds from Microsoft Cyber Security, providing organisations with real-time insights into emerging threats and malicious activities. By leveraging threat intelligence-based filtering, businesses can proactively identify and block traffic from known malicious IP addresses and domains, enhancing their resilience against cyber threats.

By leveraging Azure Firewall within the Azure cloud environment, businesses can fortify their network defences, mitigate cybersecurity risks, and uphold the integrity and confidentiality of their digital assets. With its robust features, scalability, and integration capabilities, Azure Firewall empowers organisations to embrace the transformative potential of the cloud while maintaining rigorous security standards.

Comparing Azure Firewall, Web Application Firewall, and Network Security Groups

When it comes to securing digital assets within your Azure environment, you are presented with a variety of tools and services to fortify their defences against cyber threats. Among these are Azure Firewall, Web Application Firewall (WAF), and Network Security Groups (NSGs), each offering distinct capabilities tailored to address specific security requirements. Let’s delve into a comparative analysis of these three Azure security solutions:

Azure Firewall

Azure Firewall serves as a cloud-native, fully stateful firewall as a service, designed to protect Azure virtual network resources by regulating inbound and outbound traffic based on user-defined rules. Azure Firewall has a comprehensive list of features and capabilities:

Layer 3-Layer 7 FilteringAzure Firewall provides comprehensive filtering capabilities, allowing organisations to create network rules based on IP addresses, ports, protocols, and fully qualified domain names (FQDNs).
Centralised ManagementWith Azure Firewall Manager, businesses can centrally manage firewall policies across multiple Azure subscriptions, ensuring consistent security posture.
Integration with Azure ServicesAzure Firewall seamlessly integrates with other Azure services, enabling organisations to enforce security policies across diverse cloud environments.

Web Application Firewall (WAF)

Web Application Firewall (WAF) is a security solution specifically designed to protect web applications from common web-based attacks, such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF). WAFs have a more focused set of features and capabilities:

Application Layer ProtectionWAF operates at the application layer of the OSI model, inspecting HTTP and HTTPS traffic to detect and mitigate web-based attacks targeting web applications.
Signature-based and Behavioural AnalysisWAF employs signature-based detection and behavioural analysis techniques to identify and block malicious traffic, enhancing web application security.
Customisable RulesetsOrganisations can define custom rulesets tailored to their specific web application security requirements, allowing for fine-grained control over traffic filtering and protection.

Network Security Groups (NSGs)

Network Security Groups (NSGs) are a basic networking security feature in Azure, providing inbound and outbound security rules to control network traffic to and from Azure resources within a virtual network. Whilst more limited compared to the previous two technologies, the features remain very capable:

Layer 3 FilteringNSGs operate at the network layer of the OSI model, allowing organisations to create security rules based on source and destination IP addresses, ports, and protocols.
Granular Network SegmentationNSGs enable organisations to segment their virtual networks into distinct security zones, implementing different security policies based on resource requirements and risk profiles.
Integration with Azure Virtual NetworkNSGs seamlessly integrate with Azure Virtual Network, allowing organisations to enforce network security policies at the subnet and network interface level.

How do These Technologies Compare?

Layer of OperationAzure Firewall operates at both the network and application layers, providing holistic security coverage for Azure virtual networks. WAF, on the other hand, operates exclusively at the application layer, while NSGs operate at the network layer.
Customisation and ControlWhile Azure Firewall and WAF offer customisable rule sets and advanced security features, NSGs provide basic network security rules with limited customisation options. Organisations requiring more granular control over network traffic may opt for Azure Firewall or WAF, whereas NSGs are suitable for simpler network security requirements.
Integration with Azure ServicesAzure Firewall and WAF seamlessly integrate with other Azure services, facilitating centralised management and enforcement of security policies across Azure environments. NSGs also integrate with the Azure Virtual Network but offer more limited integration capabilities compared to Azure Firewall and WAF.
Scope of ProtectionAzure Firewall offers comprehensive network security capabilities, including both inbound and outbound traffic filtering, making it suitable for securing entire virtual networks. In contrast, WAF focuses specifically on protecting web applications from web-based attacks, while NSGs primarily provide basic network traffic filtering at the subnet and network interface level.

In summary, Azure Firewall, Web Application Firewall, and Network Security Groups each serve distinct security purposes within the Azure environment, offering varying levels of protection and customisation options. By understanding the unique features and capabilities of each solution, organisations can design and implement robust security architectures tailored to their specific security requirements and compliance standards.

When Deploying a Firewall Within Azure Might Not Be Appropriate

Firewalls are commonly regarded as a foundational security control, providing essential protection for network infrastructure by regulating inbound and outbound traffic based on predetermined rules. However, there are scenarios in which deploying a firewall within the Azure environment might not be the most suitable approach. Let’s explore some of these:

Serverless Computing ArchitecturesIn serverless computing architectures, such as Azure Functions or Azure Logic Apps, where applications are built using event-driven, stateless compute services, traditional firewall-based network security controls may not be applicable. Since serverless applications often rely on managed services and ephemeral compute instances, implementing firewall rules at the network level may not align with the architecture's inherent design principles.
Microservices ArchitectureIn microservices architectures, applications are decomposed into loosely coupled, independently deployable services, each with its own specific functionality. Deploying a traditional firewall may introduce unnecessary complexity and overhead, as microservices often communicate over internal APIs within a virtual network or through service meshes. Instead of relying on network-level controls, security in microservices architectures is typically implemented at the application layer, using techniques such as authentication, authorization, and encryption.
Fully Managed Platform-as-a-Service (PaaS) OfferingsAzure offers a wide range of fully managed PaaS offerings, such as Azure SQL Database, Azure App Service, and Azure Cosmos DB, which abstract away the underlying infrastructure and operating system from the user. Since these services are managed by Azure and have built-in security features, including network isolation and encryption at rest and in transit, deploying a separate firewall may introduce unnecessary complexity without providing significant additional security benefits.
Containerized Workloads in KubernetesIn containerized environments managed by Azure Kubernetes Service (AKS), security is often enforced at the container level using tools such as Kubernetes Network Policies or container security solutions like Azure Container Instances. While network segmentation and traffic filtering are still important considerations in containerized environments, traditional firewalls may not be the most effective means of enforcing security policies due to the dynamic and ephemeral nature of container workloads.
Low-Interactivity WorkloadsIn certain scenarios where workloads have minimal interaction with external networks or are deployed in isolated environments, the overhead of deploying and managing a firewall may outweigh the security benefits. For example, batch processing jobs or data analytics workloads that process large datasets within a closed environment may not require outbound internet access or external network connectivity, making traditional firewall controls redundant.
No On-Premise InterconnectivityWithout integration into an on-premise environment or hybrid cloud architecture, the scope of network security requirements is limited to protecting the Azure-based web servers from external threats originating from the internet. In the absence of inbound connections from on-premise networks or the need for secure communication channels between Azure and on-premise resources, the deployment of a traditional firewall may introduce unnecessary complexity and overhead.
Cost and Complexity ConsiderationsDeploying and managing a firewall within Azure incurs additional costs and administrative overhead, including licensing fees, infrastructure provisioning, and ongoing maintenance. In scenarios where the cost of implementing and managing a firewall outweighs the potential security benefits, organisations may opt for alternative security controls or rely on the native security features offered by Azure services.

While firewalls play a crucial role in network security, there are instances in which deploying a firewall within your Azure environment may not be appropriate or necessary. Alternative architecture patterns and the technologies discussed earlier such as WAFs and/or NSGs may allow you to secure your workloads and data, particularly if supported with other capabilities such as access control and encryption. It’s essential for you to carefully assess your specific architectural requirements, security considerations, and compliance obligations to determine whether deploying a firewall aligns with your overall security strategy and objectives.

Firewalls, Firewalls and more Firewalls

Azure Firewall serves as a pivotal component in safeguarding your Azure cloud workloads, providing top-tier threat protection seamlessly integrated into the Azure infrastructure. Azure Firewall is available in three variants, and it is imperative to ensure you select the correct one to appropriately balance organisations risk appetite with security features and cost. We’ll delve into its three distinct variants (SKUs) in the following sections, but first Microsoft at a high level recommend the following:

Basic Recommended for SMBs with low throughput requirements (<250 Mbps)
StandardRecommended if you need auto-scaling to handle peak traffic periods of up to 30 Gbps along with support for enterprise features.
PremiumRecommended to secure highly sensitive applications (such as payment processing or health care) and provides advanced threat protection capabilities.

Azure Firewall Feature Comparison

While Azure Firewall offers a broad set of capabilities, its real value lies in centralisation and consistency, not deep protocol-specific inspection. It excels at enforcing uniform policy across environments, controlling east-west and north-south traffic, and providing a common inspection layer for multiple workloads. Understanding these strengths — and their limits — is critical when deciding where Azure Firewall fits in an overall security architecture.

Azure Firewall Standard

Azure Firewall Standard offers a comprehensive suite of features to bolster network security. Azure Firewall Standard provides a fully stateful firewall as a service, ensuring robust threat protection for your cloud workloads running in Azure. It offers both east-west (Azure to Azure, OR Azure to on-premise) and north-south (Azure to Internet) traffic inspection, catering to various security requirements. Check out: Microsoft’s official Azure Firewall Standard Features.

Key features of Azure Firewall Standard include:

Built-in High AvailabilityEnjoy reliability without complexity as Azure Firewall integrates high availability seamlessly. This feature eliminates the need for additional load balancers or intricate configurations, ensuring continuous protection for your network resources.
Availability ZonesOpt for enhanced availability by configuring Azure Firewall across multiple Availability Zones, ensuring uptime of 99.99%. Leveraging Availability Zones enhances fault tolerance and ensures that your firewall remains operational even in the event of a failure in one Availability Zone.
Unrestricted Cloud ScalabilityAdapt dynamically to changing traffic demands without constraints, scaling as needed. Azure Firewall seamlessly accommodates fluctuating network traffic flows, eliminating the need for manual intervention and ensuring consistent performance.
Application FQDN Filtering RulesExercise precise control over outbound traffic by setting restrictions based on fully qualified domain names (FQDN). With this feature, you can define specific FQDNs that are allowed or denied, providing granular control over network access and enhancing security.
Network Traffic Filtering RulesCentralize network filtering rules with stateful filtering capabilities across Layer 3 and Layer 4 protocols. Azure Firewall allows you to create rules based on source and destination IP addresses, ports, and protocols, enabling you to enforce security policies effectively.
Threat IntelligenceStay ahead of emerging threats with real-time threat intelligence feeds, identifying and thwarting traffic from known malicious sources. Azure Firewall integrates with Microsoft Cyber Security to provide threat intelligence-based filtering, enhancing your network security posture.
DNS ProxyEnsure reliable FQDN filtering with DNS proxy functionality, crucial for maintaining consistent network security. Azure Firewall acts as a DNS proxy, processing and forwarding DNS queries from your virtual networks to your desired DNS server, ensuring accurate FQDN resolution.
Custom DNSTailor Azure Firewall to your network's DNS requirements by configuring custom DNS settings. This feature allows you to specify your own DNS server, ensuring that DNS queries are resolved according to your organisation's requirements while maintaining compatibility with Azure DNS.
FQDN in Network RulesLeverage fully qualified domain names (FQDNs) within network rules for flexible outbound traffic filtering. Azure Firewall dynamically resolves FQDNs to IP addresses, allowing you to filter outbound traffic based on domain names, enhancing your security controls.
Deploy Azure Firewall without Public IP Address in Forced Tunnel ModeOpt for enhanced security with Forced Tunnel mode, operating without exposing a public IP address directly to the internet. In Forced Tunnel mode, Azure Firewall can be deployed without a public IP address, ensuring that internet-bound traffic is routed through designated next hops for inspection and filtering.
Outbound SNAT SupportStreamline outbound traffic management with Source Network Address Translation (SNAT), enhancing security and control. Azure Firewall translates outbound virtual network traffic IP addresses, ensuring that traffic originates from a trusted source and providing additional layers of security.
Inbound DNAT SupportEfficiently manage inbound internet traffic with Destination Network Address Translation (DNAT), filtering and translating inbound traffic. Azure Firewall can translate inbound traffic destined for its public IP address to the private IP addresses of your virtual networks, allowing you to control access to your resources effectively.
Multiple Public IP AddressesDiversify firewall capabilities with multiple public IP addresses, enabling advanced scenarios such as DNAT and SNAT. With multiple public IP addresses, you can segregate traffic, enhance security controls, and support various application requirements.
Azure Monitor LoggingGain comprehensive visibility into firewall events with Azure Monitor integration, empowering proactive security measures. Azure Firewall logs events and metrics to Azure Monitor, allowing you to analyse and monitor firewall activity, detect anomalies, and respond to security incidents effectively.
Forced TunnellingDirect all internet-bound traffic through designated next hops with Forced Tunnelling, ensuring stringent network security. By configuring Forced Tunnelling, you can route all outbound internet traffic through specified network appliances or services, allowing for centralised inspection and control.
Web CategoriesFine-tune web access policies with Web Categories, defining access permissions based on categories such as gambling or social media websites. Azure Firewall allows you to enforce web access policies based on predefined categories, providing granular control over internet usage and enhancing security.
CertificationsRest assured with Azure Firewall's compliance certifications, meeting industry standards including PCI, SOC, and ISO. Azure Firewall undergoes rigorous compliance assessments to ensure that it meets the security and privacy requirements of various regulatory frameworks, providing assurance to organisations handling sensitive data.

Azure Firewall Premium

Azure Firewall Premium extends its capabilities to meet the demands of highly sensitive environments. Microsoft’s official Azure Firewall Premium Features. Key features above and beyond Standard include:

TLS InspectionEnhance security posture with TLS inspection, decrypting outbound traffic for thorough inspection before re-encrypting and forwarding data. Azure Firewall can inspect TLS-encrypted traffic, allowing you to detect and prevent threats hidden within encrypted communications, enhancing your network security posture.
IDPSRapidly detect and mitigate attacks with Intrusion Detection and Prevention System (IDPS), employing over 67,000 signatures continuously updated to safeguard against evolving threats. Azure Firewall Premium integrates with Microsoft Cyber Security to provide signature-based IDPS, enabling you to detect and prevent a wide range of threats, including malware, phishing, and exploits.
URL FilteringRefine security policies with URL filtering, scrutinizing entire URLs for precise control over web access and enhanced threat detection capabilities. Azure Firewall Premium can inspect URLs within web traffic, allowing you to enforce granular web access policies based on specific URLs or categories, enhancing your organisation's security posture.

Azure Firewall Basic

Azure Firewall Basic caters to small and medium-sized businesses, offering essential protection at an affordable price point. Microsoft’s official Azure Firewall Basic Fe atures, highlights include:

Supports Threat Intel Alert Mode OnlyAzure Firewall Basic provides essential threat intelligence alerting capabilities, allowing you to receive alerts for known malicious IP addresses and domains.
Fixed Scale UnitOperates on fixed scale units, making it ideal for environments with moderate throughput requirements

Azure Firewall Manager

You can centralise your firewall management across multiple subscriptions with Azure Firewall Manager, empowering you to apply consistent network policies and configurations effortlessly, ensuring a robust security posture across the board. Azure Firewall Manager simplifies firewall management by providing a centralised platform to define and enforce network security policies, allowing you to streamline security operations and maintain compliance with regulatory requirements. Check out Microsoft’s official Azure Firewall Manager page.

Firewall Deployment Best Practices

In practice, the effectiveness of Azure Firewall is less about where it is deployed and more about what assumptions it enforces. Used well, it becomes a control that validates traffic flows against intent — which services should talk, which protocols are expected, and which paths are explicitly disallowed. Used poorly, it becomes a permissive transit layer that merely centralises risk instead of reducing it.

Deploying a firewall within your network infrastructure is a critical step in fortifying your defences against cyber threats and safeguarding your digital assets. However, the effectiveness of a firewall implementation extends beyond the mere deployment of the device itself. It encompasses various aspects, including designing a secure network topology, defining a robust firewall rulebase, and adhering to Azure-specific guidance in cloud environments. In this section, we delve into essential best practices to ensure that your firewall deployment not only meets your security requirements but also aligns with industry standards and regulatory compliance.

The topics we will cover are:

Securing Your Network TopologyEstablishing a secure network topology lays the foundation for an effective firewall deployment. By designing your network infrastructure with security in mind, you can mitigate potential vulnerabilities and create barriers that deter unauthorised access. We explore strategies for segmenting your network, implementing access controls, and securing critical assets to enhance overall network security.
Best Practices for Firewall RulebaseCrafting a well-defined firewall rulebase is paramount to the success of your firewall deployment. A meticulously curated set of rules ensures that only legitimate traffic is permitted while unauthorised or malicious activity is thwarted. We discuss best practices for organising firewall rules, implementing rule granularity, and regularly reviewing and refining the rulebase to adapt to evolving threats and operational requirements.
Azure-Specific GuidanceFor organisations leveraging Azure cloud services, adhering to Azure-specific guidance is essential to maximise the effectiveness of firewall deployments in cloud environments. We delve into Azure's native firewall capabilities, integration with Azure networking services, and recommendations for securing virtual networks and resources within Azure. By following Azure-specific best practices, organisations can harness the power of cloud-native security controls while leveraging the scalability and flexibility of Azure infrastructure.

In the following sections, we provide actionable insights and practical recommendations to guide you through the process of deploying and managing firewalls effectively. Whether you’re securing an on-premise network or transitioning to the cloud with Azure, adopting these best practices will bolster your security posture and strengthen your defence against cyber threats.

Securing Your Network Topology

Defining an Azure network topology is fundamental to establishing a robust landing zone architecture that facilitates effective communication between applications while ensuring security and scalability. This section delves into various technologies and topology approaches for Azure deployments, focusing on Virtual WAN-based and traditional topologies.

Virtual WAN-Based Topologies

Azure Virtual WAN offers a managed solution for large-scale interconnectivity requirements, reducing network complexity and modernizing organisational networks. Consider Virtual WAN topology when:

Your organisation operates across multiple Azure regions and necessitates global connectivity between virtual networks in these regions and on-premises locations.
Integration of a large-scale branch network into Azure via SD-WAN deployment or more than 30 branch sites for native IPSec termination is required.
Transitive routing between VPN and Azure ExpressRoute is needed, such as connectivity between remote branches via site-to-site VPN or remote users via point-to-site VPN to an ExpressRoute-connected data centre.

Traditional Hub-and-Spoke Topologies

In contrast, a traditional hub-and-spoke network topology offers customised, enhanced-security networks in Azure, where routing and security are managed manually. Go for this topology when:

Deploying resources across one or multiple Azure regions with anticipated traffic between virtual networks across different regions, but a full mesh network isn't necessary.
A low number of remote or branch locations per region is expected, requiring fewer than 30 IPSec site-to-site tunnels.
Full control and granularity to configure Azure network routing policy are essential.

Azure Virtual Network Manager

Azure landing zones recommend either Virtual WAN-based or traditional hub-and-spoke architectures. As business requirements evolve, Azure Virtual Network Manager facilitates topology changes without disrupting existing deployments. It supports three types of topologies across subscriptions:

Hub-and-spoke topology
Mesh topology (in preview)
Hub-and-spoke topology with direct spoke-to-spoke connectivity

Virtual Network Manager enables dynamic grouping of virtual networks, applying configurations to groups rather than individual networks. This approach streamlines management, connectivity, configuration, topology, and security rules, accommodating application migration, modernisation, and innovation at scale.

Design Considerations:

Automate virtual network peering with Virtual Network Manager to simplify management, especially for complex topologies like mesh networks.
Define network groups based on security requirements to efficiently manage connectivity and security rules at scale.
Segment networks by functions or business units to apply consistent security policies.
Utilise security admin rules in Virtual Network Manager to enforce organisation-level rules and maintain control over NSGs.

Design Recommendations:

Define Virtual Network Manager scope at the root management group level to hierarchically apply security rules.
Create a Virtual Network Manager instance in the Connectivity subscription to enable security admin features and apply rules across all virtual networks.
Segment networks by grouping virtual networks statically or dynamically based on policy.
Enable direct spoke-to-spoke connectivity for frequent communication between selected spokes.
Assign priority values to security admin rules to control their order of execution.
Utilise security admin rules to explicitly allow or deny network flows, overriding NSG configurations controlled by application teams.

By adhering to these recommendations, organisations can establish secure and scalable network topologies in Azure, facilitating seamless communication between applications while maintaining robust security controls. Please visit Define an Azure Network Topology for further information.

Best Practices for Firewall Rulebase

Effectively managing firewall rules is crucial for maintaining the security and integrity of your network infrastructure. By adhering to best practices, you can optimise rule sets to mitigate risks, enhance visibility, and streamline traffic management. The following are some key best practices.

Prioritise Explicit RulesWhen structuring your firewall rulebase, prioritise explicit rules that explicitly define allowed or denied traffic. Placing these rules at the top of the rulebase ensures that traffic is matched against them first, minimising the risk of inadvertently allowing unauthorised access. Follow the principle of least privilege and only grant access to necessary services and resources. Address desired resource access rules, blocking of undesired sources, removal of noise (such as network protocol chatter), allowing of management traffic and any rules you require explicit logging.
Set Explicit Drop RulesInclude an explicit drop rule at the bottom of each security zone context to block all unclassified traffic. This catch-all rule ensures that unwanted or unauthorised traffic does not bypass the security policy, providing an additional layer of defence against potential threats. Placing these rules after each security zone context prevents a subsequent rules inadvertently allowing access. To be clear, these are in addition to the traditional drop-all rule at the end of a rulebase.
Maintain Audit LogsRegularly review audit logs to monitor firewall activity, detect anomalies, and identify potential security incidents. Keeping metrics of all firewall activity enables you to track rule utilisation, analyse traffic patterns, and identify areas for optimisation. General network monitoring is better served with other more appropriate tools. Utilise log analysis tools, including artificial intelligence and machine learning capabilities, to extract actionable insights from log data and enhance security posture.
Block Default TrafficAdopt a default-deny approach, where all traffic is blocked by default, and only specific traffic to recognised services is permitted. Configure the last rule in the rulebase to deny all traffic, providing granular control over traffic management and reducing the risk of breaches due to misconfigurations.
Restrict Zone AccessImplement network segmentation to enforce access control and monitor traffic flow between different network zones. Whether employing macro segmentation for perimeter networks (e.g., exterior, internal, DMZ) or micro segmentation for dynamic cloud environments, define firewall policies that restrict access based on source, destination, and application service. Utilise whitelisting or blacklisting strategies to manage inbound and outbound traffic effectively.
Specify Source and Destination IP Addresses:Define network access restrictions with precision by specifying source and destination IP addresses, along with associated ports and protocols. Adhere to the principle of least privilege, restricting traffic to authorised entities and services. Consider remote access VPN as a compensating control for situations where defining source IP addresses for network management is impractical.
Document the RulebaseIt is imperative that you document all rulebase configurations, ideally both within the rulebase to ease auditing and externally, removed from the device to account for any technical failures. No one should be wondering why a rule is there, configured in such a manner or who owns it.

Note: Logging from Azure Firewall is most valuable when it supports decision-making, not just troubleshooting. High-quality firewall telemetry helps teams understand which controls are being exercised, where traffic is routinely denied, and which rules are rarely — or never — triggered. Over time, this insight can inform rule tightening, segmentation improvements, and architectural simplification.

By implementing these best practices, you can optimize your firewall rulebase to effectively mitigate threats, enforce security policies, and maintain regulatory compliance. Regularly review and update rule sets to adapt to evolving threats and operational requirements, ensuring continuous protection of your network infrastructure.

It is recommended that at least once a year, or after any substantial configuration change that the rulebase is reviewed. Network penetration testing can anecdotally comment on firewall rules, however a comprehensive firewall security review is the recommended route as it has full visibility of the entire configuration. A comprehensive review of Azure Firewall rules and NSG configurations is included within our Azure Security Assessment.

Azure Specific Guidance

When deploying Azure Firewall, adhering to architectural best practices is essential to ensure reliability, security, cost optimisation, operational excellence, and performance efficiency. Based on the five pillars of architecture excellence, outlined below are key recommendations tailored for Azure Firewall deployments:

Reliability:

Deploy in Hub Virtual NetworksConsider deploying Azure Firewall in hub virtual networks or as part of Azure Virtual WAN hubs to benefit from enhanced network services availability.
Leverage Availability ZonesEnhance resiliency by leveraging Azure Firewall's support for Availability Zones, ensuring high availability and fault tolerance.
Establish Azure Firewall Policy StructureCreate a well-defined Azure Firewall Policy structure to enforce consistent security controls across your Azure environment.
Monitor Health StateRegularly monitor the health state of Azure Firewall to promptly identify and address any operational issues.

Security:

Implement Least Privilege AccessDefine firewall rules based on least privilege access criteria, limiting access to only necessary resources and services.
Utilise Threat IntelligenceLeverage Azure Firewall's threat intelligence capabilities to protect against emerging threats and malicious activities.
Enable Azure Firewall DNS ProxyEnhance security by enabling Azure Firewall DNS proxy to inspect and filter DNS queries.
Consider Forced TunnellingAssess the need for forced tunnelling to direct all internet-bound traffic through Azure Firewall for enhanced security controls.
Protect Public IP AddressesSafeguard Azure Firewall's public IP addresses from distributed denial-of-service (DDoS) attacks by implementing appropriate DDoS protection measures.
Explore Third-Party Security SolutionsEvaluate the use of third-party security-as-a-service (SECaaS) providers to augment Azure Firewall's security capabilities.

Cost Optimisation:

Right-Sizing Azure Firewall SKUsSelect the appropriate Azure Firewall SKU based on workload requirements and traffic volume to optimize costs.
Optimise Resource AllocationIdentify instances where Azure Firewall resources can be dynamically allocated to match workload demands, reducing unnecessary expenses.
Review Logging RequirementsReview logging requirements to optimise costs associated with storing and analysing firewall logs over time.
Optimise Public IP AddressesEvaluate the number of public IP addresses required for Azure Firewall instances and policies, optimising cost-effectiveness.

Operational Excellence:

Maintain Configuration BackupsMaintain inventory and backup of Azure Firewall configurations and policies to facilitate rapid recovery in case of configuration drift or failures.
Utilise Diagnostic LogsLeverage diagnostic logs for monitoring, troubleshooting, and performance optimisation of Azure Firewall deployments.
Leverage Monitoring WorkbooksUtilise Azure Firewall Monitoring workbooks to gain insights into firewall performance and operational metrics.
Integrate with Security SolutionsIntegrate Azure Firewall with Microsoft Defender for Cloud and Microsoft Sentinel for enhanced threat detection and response capabilities.

Performance Efficiency:

Azure Advisor Recommendations:

While there are no specific Azure Firewall recommendations within Azure Advisor, consider implementing the following:

Regularly Review and Optimise RulesContinuously review and optimise firewall rules to maintain performance efficiency and align with evolving security requirements.
Optimise Policy RequirementsEvaluate policy requirements to consolidate IP ranges and URLs lists, reducing complexity and improving performance.
Assess SNAT Port RequirementsAssess SNAT (Source Network Address Translation) port requirements to ensure optimal performance and scalability.
Conduct Load TestsPlan and conduct load tests to evaluate Azure Firewall's auto-scaling performance under different workload conditions.
Minimise Diagnostic OverheadAvoid enabling diagnostic tools and logging unless required to minimise performance overhead.

Set up Azure Service Health alertsStay informed about Azure service incidents affecting your deployments.
Access to Azure ExpertsEnsure access to Azure cloud experts for timely assistance and guidance.
Enable Traffic AnalyticsGain insights into traffic patterns across Azure resources to identify potential optimization opportunities.
Follow Least Privilege PrincipleAdhere to the principle of least privilege to restrict access to only necessary resources and services.
Leverage Microsoft Defender for CloudEnhance network security by protecting your resources with Microsoft Defender for Cloud.

By following these Azure-specific guidance recommendations, organisations can effectively deploy and manage Azure Firewall deployments, ensuring robust security, high availability, and optimal performance across their Azure environments.

Additional Resources

The topic of firewalls in general and Azure Firewall in particular is vast, this article has attempted to cover the core aspects of the subject. The following blog posts, all sourced from the Azure Network Security Blog, may prove beneficial for those with a niche/focused requirement.

Managing Network Rules by using Azure Tags with Illumio for Microsoft Azure Firewall

“In collaboration with Illumio, the leader in Zero Trust Segmentation, Microsoft has built Illumio for Microsoft Azure Firewall – an integrated solution that extends the advantages of Zero Trust Segmentation into the Azure environment. A two blog series.”

Managing Azure Firewall Network Rules with Illumination

Demystifying Explicit proxy: Enhancing Security with Azure Firewall

“In today’s cybersecurity threat landscape, organisations face numerous challenges in securing their networks and data. A critical aspect of every organisation’s security strategy is ensuring secure and efficient outbound connectivity for users. This is where the Explicit proxy capability, available in network firewalls, emerges as a powerful tool to address these security concerns.”

Azure Firewall: New Embedded Workbooks

“The Embedded Workbook presents users with consolidated information through charts and logs. It is structured into distinct sections, covering Application rules, Network rules, DNS proxy, Intrusion Detection and Prevention System (IDPS), Threat intelligence, and Investigation. Designed to function across multiple tenants and subscriptions, it offers filtering capabilities for various firewalls.”

Azure Firewall's Auto Learn SNAT Routes: A Guide to Dynamic Routing and SNAT Configuration

“Some Azure Firewall customers may face challenges when they need to configure non-RFC-1918 address spaces to not SNAT through the Azure Firewall. This can cause issues with routing, connectivity, and performance.”

Backup Azure Firewall and Azure Firewall Policy with Logic Apps

“By default, Azure Firewall Policy is not backed up automatically. Since the Firewall Policy will contain your specific Firewall rules and settings, you will want to ensure that it is continuously backed up, so you do not lose your defined configuration. Therefore, we have created a Logic App that will run every three days to back up your Azure Firewall and Azure Firewall Policy.”

Configuring Azure Firewall in Forced Tunneling mode

“There are some organisations that require outbound network traffic to be inspected by multiple network security appliances, such as firewalls, before it is sent out to an internet destination. “

Automatically Configure Azure Firewall Rules to Allow Traffic to Office 365 Endpoints

“One common use case we see is customers needing to easily allow traffic communication through Azure Firewall to Office 365 endpoints that their users rely on for their day-to-day productivity. To make the process easier to allow traffic to Office 365, we have created a deployment template to automate this process for you.”

Parting Thoughts

Azure Firewall is best viewed as a breadth control: it provides consistent enforcement across protocols, environments, and workloads. On its own, that breadth does not guarantee strong security outcomes — but when combined with complementary, depth-focused controls, it forms a reliable foundation for enforcing intent in cloud networks.

In practice, Azure Firewall is often combined with layer-7 controls such as Application Gateway or Front Door, allowing organisations to balance broad network enforcement with deep application-level inspection — a pattern commonly seen in Zero Trust architectures.

In conclusion, implementing a robust firewall solution and securing network topology are paramount in Azure cloud environments to safeguard data, applications, and infrastructure from evolving cyber threats. By leveraging Azure Firewall alongside Web Application Firewall and Network Security Groups, organisations can fortify their defences and enforce granular access controls, ensuring compliance with regulatory requirements and industry best practices.

While firewalls are considered a default security control, deploying them blindly without considering the specific requirements and network topology is unlikely to be appropriate. Organisations should carefully assess their needs, considering factors such as network integration, traffic routing, and user behaviour, to determine the most suitable approach.

Furthermore, securing network topology plays a crucial role in defining how applications communicate within the Azure environment. Whether adopting Virtual WAN-based or traditional hub-and-spoke architectures, organisations must prioritise reliability, security, cost optimisation, operational excellence, and performance efficiency to achieve a robust and scalable network infrastructure.

In essence, by adopting best practices for firewall deployment and network topology security, organisations can strengthen their defence posture, mitigate security risks, and enable seamless communication and collaboration within the Azure cloud environment. As the threat landscape continues to evolve, investing in comprehensive security measures is imperative to safeguarding critical assets and maintaining business continuity in today’s digital landscape.

David Morgan

Founder & Consultant

Trusted Microsoft Cloud Security Advisor with 27 years experience | Empowering Businesses to Embrace Cloud Innovation with Confidence

azure firewall Security

Previous PostSOAR Above the Clouds: Transforming Security with Microsoft Sentinel and AINext PostIdentity Is the New Perimeter: How Attackers Exploit Microsoft 365