Azure Firewall is a cloud-native, managed network security service that protects your Azure Virtual Network resources. It provides stateful firewall capabilities with built-in high availability and unrestricted cloud scalability. Azure Firewall operates as a fully stateful firewall as a service, offering centralized network and application-level protection across different subscriptions and virtual networks.
Key features of Azure Firewall include application FQDN filtering rules, network traffic filtering rules, FQDN tags for allowing traffic to well-known Azure services, outbound SNAT and inbound DNAT support, threat intelligence-based filtering to alert and deny traffic from known malicious IP addresses and domains, and integration with Azure Monitor for logging and analytics.
Azure Firewall comes in three SKUs: Basic, Standard, and Premium. The Premium tier adds advanced threat protection capabilities including TLS inspection, IDPS (Intrusion Detection and Prevention System), URL filtering, and web categories.
Azure Firewall Manager is a centralized security management service that provides security policy and route management for cloud-based security perimeters. It enables you to manage multiple Azure Firewall instances across different regions and subscriptions from a single management plane.
With Firewall Manager, you can create and apply firewall policies consistently across your organization. It supports both Azure Firewall in Virtual Networks (hub virtual networks) and Azure Firewall in Virtual WAN (secured virtual hubs). This allows for hierarchical policy management where global administrators can define organization-wide policies while local teams can implement regional variations.
Firewall Manager also integrates with third-party Security-as-a-Service (SECaaS) partners, enabling you to use familiar security solutions to protect internet access for your users. The service provides a unified view of your security posture, simplifying the deployment and configuration of network security across your Azure infrastructure while maintaining consistent policy enforcement.
Azure Firewall and Azure Firewall Manager: Complete Guide for AZ-500
Why Azure Firewall and Firewall Manager Are Important
Azure Firewall is a critical component of network security in Azure, providing centralized protection for your cloud resources. For the AZ-500 exam, understanding these services is essential because they represent Microsoft's recommended approach to securing network traffic at scale. Organizations rely on Azure Firewall to enforce security policies, protect against threats, and maintain compliance across their Azure deployments.
What is Azure Firewall?
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It is a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability.
Key Features:
• Application FQDN Filtering - Filter outbound HTTP/HTTPS traffic based on fully qualified domain names
• Network Traffic Filtering Rules - Create allow or deny rules based on source/destination IP, port, and protocol
• FQDN Tags - Pre-defined tags for common Microsoft services like Windows Update
• Threat Intelligence - Alert on and deny traffic to and from known malicious IPs and domains
• SNAT/DNAT Support - Source and Destination Network Address Translation
• Multiple Public IPs - Associate up to 250 public IP addresses with one firewall
Azure Firewall SKUs:
• Basic - Simplified offering for small-scale environments
• Standard - L3-L7 filtering and threat intelligence feeds
• Premium - Adds TLS inspection, IDPS, URL filtering, and web categories
What is Azure Firewall Manager?
Azure Firewall Manager is a central security management service that provides security policy and route management for cloud-based security perimeters. It enables centralized management of multiple Azure Firewall instances across subscriptions and regions.
Key Capabilities:
• Centralized Policy Management - Create and apply firewall policies across multiple firewalls
• Secured Virtual Hubs - Convert Azure Virtual WAN hubs into secured hubs
• Hub Virtual Networks - Standard hub-and-spoke architecture management
• Third-Party Security Integration - Integrate with SECaaS partners
• Hierarchical Policies - Inherit policies from parent to child for consistent governance
How Azure Firewall Works
Architecture Components:
1. Firewall Subnet - Requires a dedicated subnet named exactly 'AzureFirewallSubnet' with a minimum /26 prefix; the firewall is the only thing that may live in it
2. Public IP Address - Standard SKU public IP for inbound and outbound connectivity
3. Rule Collections - Groups of rules of one type (DNAT, Network, or Application), each collection carrying an action and a priority
Rule collections (and, with Firewall Policy, the rule collection groups that contain them) are processed by priority number from 100 to 65000, lowest number first. Evaluation stops at the first matching rule; traffic that matches no rule is denied by default.
How Firewall Manager Works
Firewall Manager uses Firewall Policies as the primary configuration object. These policies contain:
• Rule Collection Groups
• Threat Intelligence settings
• DNS settings
• TLS Inspection configuration (Premium)
Policies can be associated with firewalls in:
• Secured Virtual Hubs - Azure Virtual WAN integration
• Hub Virtual Networks - Traditional hub-and-spoke topology
Exam Tips: Answering Questions on Azure Firewall and Firewall Manager
Tip 1: Know the Subnet Requirements Remember that Azure Firewall requires a subnet named exactly 'AzureFirewallSubnet' with a minimum size of /26. Questions often test this specific requirement.
Tip 2: Understand Rule Processing Order If threat intelligence is enabled, it is evaluated before any rule collection. After that, DNAT rules are processed first, then Network rules, then Application rules. This is a frequently tested concept. A Network rule that matches (allow or deny) terminates evaluation, so Application rules are never consulted for that flow. Application rules only apply to HTTP and HTTPS traffic (and MSSQL); any other protocol that no Network rule allows falls through to the implicit deny.
Tip 3: Distinguish Between SKUs Premium SKU features like TLS inspection, IDPS, URL filtering, and Web categories are common exam topics. If a question mentions inspecting encrypted traffic or intrusion detection, think Premium.
Tip 4: Policy Hierarchy Child policies inherit from parent policies. Local rules in child policies are always processed after inherited rules. Understand that this enables enterprise-wide base policies with regional customization.
Tip 5: Threat Intelligence Modes Know the three modes: Off, Alert only, and Alert and deny. Questions may ask which mode to use for monitoring versus blocking scenarios.
Tip 6: SNAT vs DNAT SNAT is used for outbound traffic: the firewall rewrites the source address to one of its public IPs, hiding internal IPs. By default Azure Firewall does not SNAT when the destination is a private (RFC 1918) address range, so east-west traffic keeps its original source. DNAT is used for inbound traffic (maps a firewall public IP and port to a private IP and port). Exam questions often present scenarios requiring you to choose the correct approach.
Tip 7: Firewall Manager vs Individual Management When questions describe managing multiple firewalls across subscriptions or regions, Firewall Manager is typically the correct answer. For single firewall scenarios, portal management may suffice.
Tip 8: Integration Points Remember that Azure Firewall integrates with Azure Monitor for logging, Microsoft Sentinel (formerly Azure Sentinel) for SIEM, and can work alongside NSGs (NSGs provide micro-segmentation at the subnet and NIC level, Firewall provides centralized control at the hub).
Tip 9: Forced Tunneling If a question mentions routing all internet-bound traffic through an on-premises firewall, remember that Azure Firewall supports forced tunneling but requires a separate management subnet named 'AzureFirewallManagementSubnet', also at least /26, with its own public IP. The management subnet carries the firewall's own control traffic and must keep a direct path to the internet; only the AzureFirewallSubnet gets the 0.0.0.0/0 route toward on-premises.
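A pre-deployment check for the subnet requirements in Tip 1 and Tip 9, as an added example that is not code from the original page or from Microsoft. It validates a constructed, simplified description of a VNet (subnet names, prefixes, a count of other resources, and whether a management public IP exists) rather than real ARM output, so the dictionary shape and the helper names are this example's own assumptions.

```python
"""Pre-deployment check for Azure Firewall subnet requirements (added example, not Microsoft's code).
Validates a constructed, simplified VNet description against the documented constraints:
a dedicated AzureFirewallSubnet of at least /26, and for forced tunneling a separate
AzureFirewallManagementSubnet of at least /26 with its own public IP."""
import ipaddress

FIREWALL_SUBNET = "AzureFirewallSubnet"
MGMT_SUBNET = "AzureFirewallManagementSubnet"
MAX_PREFIX_LEN = 26  # /26 is the smallest allowed; a larger prefix length means a smaller subnet

# Constructed input, not real ARM output: {subnet name: {"prefix": CIDR, "other_resources": count}}
VNET_SUBNETS = {
    "AzureFirewallSubnet": {"prefix": "10.0.0.0/26", "other_resources": 0},
    "AzureFirewallManagementSubnet": {"prefix": "10.0.0.64/27", "other_resources": 0},  # too small
    "workloads": {"prefix": "10.0.1.0/24", "other_resources": 12},
}


def check_firewall_subnets(subnets, forced_tunneling=False, management_public_ip=None):
    """Return a list of findings (empty list means the layout satisfies the requirements)."""
    findings = []

    # The names are exact: a case-mismatched subnet is reported rather than silently accepted
    for required in (FIREWALL_SUBNET, MGMT_SUBNET):
        for name in subnets:
            if name.lower() == required.lower() and name != required:
                findings.append(f"{name}: subnet name must be exactly '{required}'")

    def check_one(name):
        sub = subnets.get(name)
        if sub is None:
            findings.append(f"{name}: missing")
            return None
        net = ipaddress.ip_network(sub["prefix"], strict=True)
        if net.prefixlen > MAX_PREFIX_LEN:
            findings.append(f"{name}: {net} is smaller than /26 (prefix length {net.prefixlen})")
        if sub.get("other_resources", 0):
            findings.append(f"{name}: must be dedicated to the firewall; found "
                            f"{sub['other_resources']} other resources")
        return net

    fw = check_one(FIREWALL_SUBNET)
    if forced_tunneling:
        mgmt = check_one(MGMT_SUBNET)
        if not management_public_ip:
            findings.append(f"{MGMT_SUBNET}: forced tunneling needs a dedicated management public IP")
        if fw and mgmt and fw.overlaps(mgmt):
            findings.append(f"{FIREWALL_SUBNET} and {MGMT_SUBNET} overlap")
    return findings


if __name__ == "__main__":
    for finding in check_firewall_subnets(VNET_SUBNETS, forced_tunneling=True,
                                          management_public_ip="pip-fw-mgmt") or ["OK"]:
        print(finding)
```

Run against the constructed VNet, the only finding is the /27 management subnet; without forced tunneling the management subnet is not checked at all, which mirrors the fact that it only becomes a requirement once the 0.0.0.0/0 route to on-premises is in play.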
Tip 10: DNS Settings Azure Firewall can act as a DNS proxy, answering queries on its private IP and forwarding them to the configured DNS servers. When questions mention FQDN filtering in network rules, remember that DNS proxy must be enabled for this to work: the firewall resolves the rule's FQDN itself and matches the resulting IP addresses, and clients should use the firewall as their DNS server so that they resolve the same answers.
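A small simulator of the rule-processing logic described under How Azure Firewall Works and in Tips 2, 5 and 10, as an added example that is not code from the original page or from Microsoft. It models the documented order (threat intelligence first, then DNAT, Network and Application collections by priority, first match terminates, implicit deny) and the DNS proxy requirement for FQDNs in network rules. The dataclass fields, the DNS table, the threat feed entries and the sample policy are all constructed simplifications, not the Firewall Policy ARM schema or the real Microsoft feed.

```python
"""Azure Firewall rule-processing simulator (added example, not Microsoft's code).
Models the documented order: threat intelligence, then DNAT, Network, Application
collections by priority; first match wins; implicit deny. Fields are this
example's own simplification, not the Firewall Policy ARM schema."""
import fnmatch
import ipaddress
from dataclasses import dataclass, field

DNS_TABLE = {"time.windows.com": "13.86.101.172"}  # constructed stand-in for the DNS proxy
THREAT_FEED = {"198.51.100.7"}                      # constructed stand-in for the Microsoft feed
APP_PORTS = {"Http": 80, "Https": 443}


@dataclass
class Rule:
    name: str
    protocols: tuple        # Network/DNAT: ("TCP", "UDP"); Application: ("Http", "Https")
    sources: tuple          # source CIDRs
    ports: tuple = ()       # destination ports (Application rules imply them by protocol)
    dest_cidrs: tuple = ()  # Network/DNAT destinations
    dest_fqdns: tuple = ()  # Network rules: resolved via DNS proxy; Application: target FQDNs
    translated: str = ""    # DNAT only: "private-ip:port"


@dataclass
class Collection:
    name: str
    kind: str       # "DNAT" | "Network" | "Application"
    priority: int   # 100-65000, lowest number processed first
    action: str     # "Allow" | "Deny" ("Dnat" for DNAT collections)
    rules: list = field(default_factory=list)


@dataclass
class Policy:
    threat_intel_mode: str = "Deny"  # "Off" | "Alert" | "Deny" (portal: Alert and deny)
    dns_proxy: bool = False
    collections: list = field(default_factory=list)

    def validate(self):
        """FQDNs in network rules are only valid when DNS proxy is enabled."""
        for c in self.collections:
            if c.kind == "Network" and not self.dns_proxy and any(r.dest_fqdns for r in c.rules):
                raise ValueError(f"{c.name}: network rule uses an FQDN but DNS proxy is disabled")


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    proto: str      # "TCP" | "UDP"
    fqdn: str = ""  # HTTP Host / TLS SNI seen by the firewall, if any


def _in_any(ip, cidrs):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)


def _matches(kind, rule, flow):
    if not _in_any(flow.src, rule.sources):
        return False
    if kind == "Application":  # L7 rules see only HTTP/HTTPS; the port is implied by the protocol
        if flow.proto != "TCP" or flow.port not in {APP_PORTS[p] for p in rule.protocols}:
            return False
        return any(fnmatch.fnmatch(flow.fqdn, pat) for pat in rule.dest_fqdns)
    if flow.proto not in rule.protocols or flow.port not in rule.ports:
        return False
    resolved = [DNS_TABLE[f] for f in rule.dest_fqdns if f in DNS_TABLE]  # DNS proxy lookup
    return _in_any(flow.dst, rule.dest_cidrs) or flow.dst in resolved


def evaluate(policy, flow):
    """Return (verdict, trace); verdict is "Allow", "Deny" or "Dnat:<ip:port>"."""
    policy.validate()
    trace = []
    if policy.threat_intel_mode != "Off" and (flow.dst in THREAT_FEED or flow.fqdn in THREAT_FEED):
        trace.append("threat-intel hit")  # evaluated before any rule collection
        if policy.threat_intel_mode == "Deny":
            return "Deny", trace
    for kind in ("DNAT", "Network", "Application"):  # fixed order across rule types
        for coll in sorted((c for c in policy.collections if c.kind == kind), key=lambda c: c.priority):
            for rule in coll.rules:
                if _matches(kind, rule, flow):
                    trace.append(f"{kind}:{coll.name}/{rule.name}")
                    return (f"Dnat:{rule.translated}" if kind == "DNAT" else coll.action), trace
    trace.append("no match: implicit deny")
    return "Deny", trace


def sample_policy():
    """Constructed policy: an inbound DNAT, a Network deny that shadows an Application allow, an FQDN network rule."""
    return Policy(threat_intel_mode="Deny", dns_proxy=True, collections=[
        Collection("WebDnat", "DNAT", 100, "Dnat", [Rule("https-in", ("TCP",), ("0.0.0.0/0",), (443,),
                   dest_cidrs=("20.0.0.5/32",), translated="10.2.0.4:443")]),
        Collection("BlockLabWeb", "Network", 100, "Deny", [Rule("no-https", ("TCP",), ("10.1.0.0/16",), (443,),
                   dest_cidrs=("0.0.0.0/0",))]),
        Collection("CoreServices", "Network", 200, "Allow", [Rule("ntp", ("UDP",), ("10.0.0.0/8",), (123,),
                   dest_fqdns=("time.windows.com",))]),
        Collection("AllowMicrosoft", "Application", 200, "Allow", [Rule("ms-web", ("Https",), ("10.0.0.0/8",),
                   dest_fqdns=("*.microsoft.com",))]),
    ])


def demo_verdicts():
    """Run constructed flows through the sample policy; returns {label: verdict}."""
    policy = sample_policy()
    flows = {
        "hub-to-microsoft-https": Flow("10.2.0.4", "40.0.0.1", 443, "TCP", "www.microsoft.com"),
        "lab-to-microsoft-https": Flow("10.1.0.4", "40.0.0.1", 443, "TCP", "www.microsoft.com"),
        "hub-to-feed-listed-ip": Flow("10.2.0.4", "198.51.100.7", 443, "TCP", "www.microsoft.com"),
        "inbound-dnat": Flow("203.0.113.9", "20.0.0.5", 443, "TCP"),
        "hub-ntp-by-fqdn": Flow("10.2.0.4", "13.86.101.172", 123, "UDP"),
        "hub-ssh-unmatched": Flow("10.2.0.4", "10.9.9.9", 22, "TCP"),
    }
    return {label: evaluate(policy, f)[0] for label, f in flows.items()}


if __name__ == "__main__":
    for label, verdict in demo_verdicts().items():
        print(f"{label:24} -> {verdict}")
```

The second flow is the exam trap from Tip 2: the lab subnet's HTTPS request to www.microsoft.com is denied by the priority-100 Network collection, and the Application rule that would allow it is never reached. Switching the sample policy's threat_intel_mode from "Deny" to "Alert" lets the feed-listed destination through with a "threat-intel hit" entry left in the trace, which is the monitoring-versus-blocking distinction in Tip 5; building the same policy with dns_proxy=False fails validation because of the FQDN in the ntp network rule, which is Tip 10.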