What is Azure Firewall?
Azure Firewall is a cloud-based network security tool designed to protect Azure Virtual Network resources. It is a stateful, fully managed firewall that allows an Azure tenant to see and control which devices, users, and services are requesting access to their Azure resources. Since the firewall natively deploys within Azure, customers can quickly and easily enforce a set of central security policies – protecting all of their Azure resources.
The Role of Azure Firewall in Cloud Security
Azure virtual machines (VMs) are on-demand compute resources offered by Microsoft that allow users to run virtualized operating systems and applications in the cloud, without the need to purchase or maintain physical hardware. Azure VMs can be linked to one another, or to other networked devices, by placing them on an Azure virtual network. Virtual machines connected to an Azure virtual network can connect to devices on the same virtual network, different virtual networks, the internet, or an organization’s own on-premises networks.
In order to secure the connections made to and from Azure networks, Microsoft released Azure Firewall. Now a critical component to Microsoft’s Infrastructure as a Service (IaaS) offerings, it’s able to control the connections made between Azure-hosted resources, in accordance with its underlying security policies.
How Does Azure Firewall Work?
Since it’s such a useful tool, it’s important to clearly define how Azure Firewall works.
Traffic routing
Routing is a core component of how Azure Firewall operates, and it’s how a security team determines the path of data packets through the network. When deployed, Azure Firewall uses routing to ensure that traffic to and from protected resources is properly managed and inspected. By default, it creates an automatic route table that channels all outbound traffic via the firewall, enabling comprehensive inspection before the data reaches its destination. On top of this, Azure allows for user-defined routes, giving organizations the ability to customize traffic flow based on specific needs – therefore restricting unexpected data paths.
Traffic filtering
Traffic filtering is a foundational component of the firewall: it’s how it can analyze and control data flows into and out of Azure networks. As such, it’s one of the most important Azure firewall features. The legitimacy of each connection is based on various criteria such as IP addresses, HTTP headers, keywords, and URI strings. This filtering capability helps prevent any traffic that matches a policy from reaching the underlying applications and services. Central to this process are Azure Firewall Policies – collections of high-level rules that define how the firewall handles inbound and outbound traffic.
Logging
While the firewall assesses real-world network traffic against the relevant policies, every action is kept track of as a log. These are small files that can be used in other ways. Regularly analyzing firewall logs can be a vital way of identifying anomalies in network traffic, and spotting potential security incidents. Azure’s logging therefore provides deep insight into the well-being of the tool, as long as an organization is able to incorporate these logs into their wider security tooling.
Plan Comparison: Basic vs. Standard vs. Premium
Because Azure offers IaaS to millions of organizations, it also offers its Firewall in three tiers: basic, standard, and premium. They are the same functional tool, with different levels of throughput and accessibility options.
Azure Firewall Basic
Azure Firewall Basic is for Azure’s small to medium-sized businesses with relatively moderate network demands. It provides essential integration with Azure services like Azure Monitor and Microsoft Defender for Cloud, with all the core rules and integration features needed. Basic requires a fair amount of manual refinement, since rules need to be tweaked over time, and also has a strict throughput cap of 250 Mbps. As a result, basic Azure firewall performance can suffer.
Azure Firewall Standard
Azure Firewall Standard caters to slightly more established enterprises, with a greater degree of customizability and compute power. It’s here that Azure firewall scalability shines: the standard tier supports automatic throughput scaling – up to 30 Gbps – while also offering DNS proxy and custom DNS settings. It also offers greater threat detection possibilities, since it takes Microsoft’s threat intelligence and analyzes a client’s network traffic to assess any overlap. This allows it to both alert on and automatically deny traffic from known malicious sources, enhancing security posture. The standard tier also supports greater integration with popular DevOps tools, allowing security to be implemented into more of the CI/CD pipeline.
Azure Firewall Premium
Azure Firewall Premium is the most advanced tier, built for organizations with stringent security and compliance requirements. It includes all features from the Standard tier and adds capabilities like Azure Firewall TLS inspection, making it the only tier that can decrypt and inspect outbound or East-West traffic. Premium also supports Azure Firewall IDPS (Intrusion Detection and Prevention System), providing deep packet inspection that can detect and block known attack patterns. Additionally, it offers URL and web categories to be grouped into their own sets of policies, giving greater organization-level control.
Augment Azure Firewall with Check Point CloudGuard
As an organization develops its cloud environments, it’s common to begin deploying resources across multiple cloud providers. As such, Azure firewall limitations can begin to introduce operational difficulties: hybrid setups may need multiple firewall toolings, which each come with their own extensive configuration and maintenance demands.
Check Point CloudGuard can enhance or replace an Azure Firewall by providing advanced, multi-layered security and unified management across all cloud environments. Explore Azure’s CloudGuard collaboration on the Check Point and Azure Marketplace page. Offering in-depth firewall and IPS protection, CloudGuard champions automated intrusion detection and monitoring. Rather than endless manual configurations, CloudGuard offers dynamic policies that reflect Check Point’s leading threat intelligence and network-level behavioral analysis.
Explore CloudGuard’s single-pane-of-glass dashboard with a demo, and start bringing your entire cloud security in line with industry best practice.
