Microsoft have announced that their Azure Firewall service, a fully stateful, cloud-native firewall service for Azure, has gone into public preview. With standard cloud service features such as high availability and the ability to scale automatically on demand, it’s a great addition to the now large and diverse Azure security lineup.
Azure Firewall will allow you to create and enforce connectivity policies using a mixture of application-level and network-level filtering rules, with those policies enforced centrally across multiple subscriptions and virtual networks. That’s great news for those who have multiple subscriptions and a more complex network environment.
What can it do?
During this public preview phase there are four main capabilities for the firewall:
- Outbound SNAT support: Source Network Address Translation (SNAT) provides address translation between your VNet’s private addresses and the firewall’s public IP address, while integrating with your existing security perimeter and allowing policies to be shared.
- Logging with Azure Monitor: Events from the firewall will be logged to Azure Monitor. By using Azure Monitor for the logging of all block/allow events, and enabling the archiving of logs to an Azure storage account, you can keep your current monitoring and alerting processes by streaming events to your Event Hub, or by sending them into Log Analytics (part of OMS) for additional insight.
- Outbound FQDN filtering: Filtering restricts outbound Internet traffic, and so helps prevent data leakage, by limiting outbound traffic to a specific approved list of fully qualified domain names.
- Network traffic filtering rules: Increase control across multiple subscriptions by centrally creating, enforcing and managing stateful filtering rules by source and destination address, port and protocol.
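As an added example that is not from the original post, the following PowerShell shows what the outbound FQDN allow-list, the network filtering rules and the Azure Monitor logging described above look like when defined against an existing Azure Firewall with the AzureRM.Network preview cmdlets. The resource group, firewall, workspace names, workload subnet and the specific FQDNs and resolver addresses are illustrative assumptions; the cmdlet names and the diagnostic log categories are my understanding of the preview module and should be checked against the linked Microsoft Docs page.

```powershell
# Added example (not from the original post): define an outbound allow-list and
# network rules on an already-deployed Azure Firewall, then send its logs to
# Log Analytics. All names and addresses below are illustrative assumptions.

$rg        = 'rg-hub'          # assumed resource group holding the firewall
$fwName    = 'fw-hub'          # assumed firewall deployed into AzureFirewallSubnet
$workload  = '10.0.1.0/24'     # assumed workload subnet whose 0.0.0.0/0 route points at the firewall
$wsRg      = 'rg-monitoring'   # assumed resource group of the Log Analytics workspace
$wsName    = 'law-hub'         # assumed Log Analytics workspace name

$fw = Get-AzureRmFirewall -ResourceGroupName $rg -Name $fwName

# Application rule: only the listed FQDNs may be reached over HTTP/HTTPS from the
# workload subnet. Traffic that matches no rule is dropped by the firewall, which
# is what makes this an allow-list rather than a block-list.
$appRule = New-AzureRmFirewallApplicationRule `
    -Name 'allow-windows-update' `
    -SourceAddress $workload `
    -TargetFqdn '*.windowsupdate.com', 'download.microsoft.com' `
    -Protocol http, https

$appCollection = New-AzureRmFirewallApplicationRuleCollection `
    -Name 'outbound-fqdn-allowlist' `
    -Priority 200 `
    -Rule $appRule `
    -ActionType Allow

# Network rule: stateful filtering by source, destination, port and protocol.
# Here: DNS (UDP/53) from the workload subnet to two assumed resolver addresses only.
$netRule = New-AzureRmFirewallNetworkRule `
    -Name 'allow-dns' `
    -Protocol UDP `
    -SourceAddress $workload `
    -DestinationAddress '192.0.2.53', '192.0.2.54' `
    -DestinationPort 53

$netCollection = New-AzureRmFirewallNetworkRuleCollection `
    -Name 'outbound-network-rules' `
    -Priority 100 `
    -Rule $netRule `
    -ActionType Allow

# Assigning replaces any rule collections already on the firewall object; append to
# the existing lists instead if the firewall is already in use.
$fw.ApplicationRuleCollections = $appCollection
$fw.NetworkRuleCollections     = $netCollection
Set-AzureRmFirewall -AzureFirewall $fw

# Logging: send application- and network-rule allow/deny events to Log Analytics so
# denied outbound attempts can be alerted on. Category names are an assumption.
$ws = Get-AzureRmOperationalInsightsWorkspace -ResourceGroupName $wsRg -Name $wsName
Set-AzureRmDiagnosticSetting `
    -ResourceId $fw.Id `
    -WorkspaceId $ws.ResourceId `
    -Enabled $true `
    -Categories AzureFirewallApplicationRule, AzureFirewallNetworkRule
```

The two collections are evaluated independently: network rules are matched first and application rules only apply to HTTP/HTTPS traffic that no network rule has already decided, so the DNS rule and the FQDN allow-list do not overlap. Keep priorities spaced apart (100, 200) so later collections can be slotted between them without renumbering.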
Can I start to use it?
Azure Firewall is currently a managed public preview, meaning you will be required to enable the feature using the Register-AzureRmProviderFeature PowerShell command. For detailed information on how to enable Azure Firewall, visit the Microsoft Docs pages – https://docs.microsoft.com/en-us/azure/firewall/public-preview. It’s important to note that, as this is a public preview feature, no SLA will be provided, and it should go without saying that it shouldn’t be used for production workloads.
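As an added example rather than text from the original post or the Microsoft docs, here is the enable step end to end: register the gating feature on the Microsoft.Network provider, wait for the registration to complete, then re-register the provider so the feature takes effect. The feature name is an assumption that must be checked against the linked docs page, and the subscription ID is a placeholder.

```powershell
# Added example (not from the original post): enable the Azure Firewall preview
# feature for a subscription and wait until it is actually usable.

$providerNs  = 'Microsoft.Network'
$featureName = 'AllowAzureFirewall'        # assumed feature name; verify on the linked docs page
$subscription = '<subscription-id>'        # placeholder

Connect-AzureRmAccount | Out-Null
Select-AzureRmSubscription -SubscriptionId $subscription | Out-Null

# Feature registration is per subscription and asynchronous.
Register-AzureRmProviderFeature -FeatureName $featureName -ProviderNamespace $providerNs | Out-Null

# Poll until the state is 'Registered'; creating a firewall before then fails.
do {
    Start-Sleep -Seconds 30
    $state = (Get-AzureRmProviderFeature -FeatureName $featureName `
                  -ProviderNamespace $providerNs).RegistrationState
    Write-Host "$featureName registration state: $state"
} while ($state -ne 'Registered')

# Re-register the resource provider so the newly enabled feature is picked up,
# as is usual after enabling a provider feature.
Register-AzureRmResourceProvider -ProviderNamespace $providerNs | Out-Null
Write-Host 'Azure Firewall preview enabled for subscription' $subscription
```

Run this once per subscription that will host a firewall; the registration state is visible afterwards with Get-AzureRmProviderFeature, which is also the quickest way to confirm whether a colleague has already done it.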
Part of a wider security posture
Azure Firewall should be seen as a new component to an existing and diverse security approach. Azure Firewall nicely complements existing Azure security tools and services such as NSGs, Application Gateways (WAFs), Service Endpoints, and Azure DDoS protection.
But what about NVAs? Well, Microsoft’s stance on this is “Customers can have a mix of 3rd party NVAs and Azure Firewalls. We are working with our partners on multiple better together scenarios.”
How much will it cost?
Azure Firewall is still in public preview, but it looks like it will be charged on a per GB basis for inbound and outbound data, in addition to a ‘Security Boundary’ fee that will be charged per logical firewall unit (billed in hours). https://azure.microsoft.com/en-us/pricing/details/azure-firewall/