Azure Firewall
Azure Firewall is a cloud-native, managed network security service provided by Microsoft Azure that protects your Azure Virtual Network resources. It is a fully stateful firewall-as-a-service offering built-in high availability and unrestricted cloud scalability, making it a critical component of Microsoft's security solutions. Azure Firewall operates as a centralized network security policy enforcement point, allowing organizations to create, enforce, and log application and network connectivity policies across subscriptions and virtual networks. It uses a static public IP address for your virtual network resources, enabling outside firewalls to identify traffic originating from your virtual network.
Key features of Azure Firewall include:
1. **Built-in High Availability**: Azure Firewall is designed with high availability built in, requiring no additional load balancers or configuration.
2. **Threat Intelligence**: It integrates with Microsoft Threat Intelligence to alert and deny traffic from known malicious IP addresses and domains in real time.
3. **Network and Application Filtering Rules**: Administrators can configure NAT rules, network rules, and application rules to control inbound and outbound traffic based on source/destination IP addresses, ports, and protocols.
4. **FQDN Filtering**: It supports filtering outbound traffic based on fully qualified domain names (FQDNs), including wildcard support.
5. **Azure Firewall Premium**: An advanced tier offering features like TLS inspection, intrusion detection and prevention system (IDPS), URL filtering, and web categories.
6. **Integration with Azure Monitor**: Full integration enables logging and analytics for monitoring and troubleshooting.
7. **Forced Tunneling**: Supports routing all internet-bound traffic to a designated next hop for additional inspection.
Azure Firewall is centrally managed and can span multiple availability zones for increased resilience. It plays a vital role in securing hybrid and cloud environments by providing a robust perimeter defense layer, helping organizations meet compliance requirements and protect sensitive data from unauthorized access and cyber threats.
Azure Firewall: Complete Guide for SC-900 Exam
Why Azure Firewall Is Important
In today's cloud-centric world, organizations must protect their Azure virtual networks from unauthorized access, malicious traffic, and data exfiltration. Azure Firewall serves as a critical line of defense, providing centralized network security that helps organizations enforce policies, log traffic, and maintain compliance. Understanding Azure Firewall is essential for the SC-900 exam because it is a core component of Microsoft's security solutions and directly ties into the broader concept of defense in depth.
What Is Azure Firewall?
Azure Firewall is a cloud-native, managed network security service that protects your Azure Virtual Network (VNet) resources. It is a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability. Key characteristics include:
- Fully managed: Microsoft handles the underlying infrastructure, patching, and maintenance. You do not need to manage VMs or load balancers for the firewall.
- Stateful: It tracks the state of active connections and makes decisions based on the context of traffic (not just individual packets).
- Cloud-native: It is built specifically for Azure and integrates seamlessly with Azure Monitor, Azure Sentinel, and other Azure services.
- Centralized: It provides a single point for creating, enforcing, and logging application and network connectivity policies across subscriptions and virtual networks.
Azure Firewall is typically deployed in a hub virtual network in a hub-and-spoke architecture, allowing you to centrally govern traffic flowing between spoke VNets, on-premises networks, and the internet.
Azure Firewall SKUs
Azure Firewall comes in multiple tiers:
- Azure Firewall Standard: Provides L3-L7 filtering, threat intelligence feeds from Microsoft Cyber Security, and integration with Azure Firewall Manager.
- Azure Firewall Premium: Includes all Standard features plus advanced capabilities such as TLS inspection, IDPS (Intrusion Detection and Prevention System), URL filtering, and web categories.
- Azure Firewall Basic: A cost-effective option for smaller environments with lower throughput needs, offering essential firewall capabilities.
How Azure Firewall Works
Azure Firewall works by filtering traffic that passes through it based on a set of rules you define. Here is how the key components function:
1. Rule Types:
- NAT Rules (DNAT): Translate and filter inbound internet traffic to your Azure resources. For example, you can redirect traffic arriving on the firewall's public IP to a specific internal server.
- Network Rules: Filter traffic based on source address, destination address, port, and protocol (TCP/UDP/ICMP/Any). These operate at L3-L4.
- Application Rules: Filter outbound traffic based on fully qualified domain names (FQDNs). For example, you can allow outbound access only to *.microsoft.com. These operate at L7.
2. Rule Processing Order:
Azure Firewall processes rules in this priority order: NAT rules → Network rules → Application rules. If a network rule match is found, application rules are not evaluated. If no rule matches, the traffic is denied (deny-by-default behavior).
3. Threat Intelligence:
Azure Firewall can be configured with threat intelligence-based filtering, which alerts on, or alerts on and denies, traffic to or from known malicious IP addresses and domains. The feed is sourced from Microsoft Threat Intelligence and is updated in real time.
4. FQDN Tags and Service Tags:
- FQDN tags represent groups of FQDNs associated with well-known Azure services (e.g., Windows Update). This simplifies rule creation.
- Service tags represent groups of IP address prefixes for specific Azure services, reducing the complexity of network rule management.
5. DNS Proxy:
Azure Firewall can act as a DNS proxy, meaning all DNS requests from client VMs go through the firewall. This enables FQDN-based filtering in network rules.
6. Forced Tunneling:
You can configure Azure Firewall to route all internet-bound traffic to an on-premises firewall or network virtual appliance (NVA) for additional inspection before it reaches the internet.
7. Integration with Azure Firewall Manager:
Azure Firewall Manager provides centralized security policy and route management across multiple Azure Firewall instances. It supports both VNet deployments and Secured Virtual Hubs (integration with Azure Virtual WAN).
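As an added illustration (not Azure's code and not from this page), the following Python toy models the rule-type and processing-order behaviour described in items 1 and 2 above: network rules are evaluated before application rules, an application rule matches FQDNs with wildcards such as *.microsoft.com, and anything unmatched is denied. Rule names, prefixes and the hub resolver address are constructed sample values; DNAT rules and threat-intelligence filtering are not modelled.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

@dataclass
class NetworkRule:      # L3/L4 rule: prefixes, port, protocol (TCP/UDP/ICMP/Any)
    name: str
    action: str         # "Allow" or "Deny"
    src: str            # CIDR prefix
    dst: str            # CIDR prefix; "0.0.0.0/0" means any destination
    port: int
    protocol: str

@dataclass
class ApplicationRule:  # L7 rule: outbound FQDNs, wildcards such as *.microsoft.com
    name: str
    action: str
    src: str
    fqdns: list

@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    port: int
    protocol: str
    fqdn: str = ""      # hostname the firewall saw (DNS proxy, TLS SNI or HTTP Host)

def network_match(rule, flow):
    return (ip_address(flow.src_ip) in ip_network(rule.src)
            and ip_address(flow.dst_ip) in ip_network(rule.dst)
            and rule.port == flow.port
            and rule.protocol in ("Any", flow.protocol))

def application_match(rule, flow):
    return bool(flow.fqdn) and ip_address(flow.src_ip) in ip_network(rule.src) \
        and any(fnmatch(flow.fqdn, pat) for pat in rule.fqdns)

def evaluate(flow, network_rules, app_rules):
    """Network rules first; any hit (Allow or Deny) ends evaluation. No hit means deny."""
    for rule in network_rules:
        if network_match(rule, flow):
            return rule.action, rule.name
    for rule in app_rules:
        if application_match(rule, flow):
            return rule.action, rule.name
    return "Deny", "default-deny"

# Constructed sample policy: the spoke subnet may query the hub DNS resolver and reach *.microsoft.com.
NETWORK_RULES = [NetworkRule("allow-dns", "Allow", "10.0.1.0/24", "10.0.0.4/32", 53, "UDP")]
APP_RULES = [ApplicationRule("allow-microsoft", "Allow", "10.0.1.0/24", ["*.microsoft.com"])]
```

Prepending a network Deny rule for TCP/443 shadows the application Allow for *.microsoft.com, which is the shadowing effect the processing order implies.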
Key Features Summary
- Built-in high availability (no need for additional load balancers)
- Unrestricted cloud scalability (scales automatically with traffic)
- Centralized FQDN and network rule enforcement
- Threat intelligence-based filtering
- TLS inspection and IDPS (Premium SKU)
- Full integration with Azure Monitor for logging and analytics
- Support for multiple public IP addresses (up to 250)
- SNAT and DNAT support
- Availability Zones support for increased resilience
Azure Firewall vs. Network Security Groups (NSGs)
This is an important distinction for the SC-900 exam:
- NSGs operate at L3/L4 and are applied at the subnet or NIC level. They provide basic allow/deny rules based on IP, port, and protocol.
- Azure Firewall operates at L3-L7, is centralized, provides FQDN filtering, threat intelligence, NAT, and advanced capabilities like TLS inspection. It is deployed as a dedicated resource in a VNet.
- They are complementary — best practice is to use both together as part of a defense-in-depth strategy.
Azure Firewall vs. Azure DDoS Protection
- Azure DDoS Protection protects against volumetric distributed denial-of-service attacks at L3/L4.
- Azure Firewall protects against unauthorized access and application-layer threats, and filters traffic based on rules and threat intelligence.
- They serve different purposes and are used together for comprehensive protection.
Azure Firewall vs. Web Application Firewall (WAF)
- WAF (available via Azure Application Gateway or Azure Front Door) protects web applications specifically from common web exploits like SQL injection and cross-site scripting (XSS). It operates at L7 for HTTP/HTTPS traffic.
- Azure Firewall provides broader network-level protection across all protocols and ports, not limited to web traffic.
- They are also complementary and are often used together.
How to Answer Questions on Azure Firewall in the SC-900 Exam
Exam Tips: Answering Questions on Azure Firewall
Tip 1: Know the core definition. Azure Firewall is a cloud-native, fully managed, stateful firewall-as-a-service. If a question asks what provides centralized network protection for Azure VNets, the answer is Azure Firewall.
Tip 2: Understand the difference between Azure Firewall, NSGs, WAF, and DDoS Protection. Exam questions frequently test whether you can distinguish between these services. Remember: NSGs = basic L3/L4 subnet/NIC filtering; Azure Firewall = centralized L3-L7 with threat intelligence and FQDN filtering; WAF = web application L7 protection (HTTP/HTTPS); DDoS Protection = volumetric attack mitigation.
Tip 3: Remember threat intelligence-based filtering. This is a signature feature of Azure Firewall. If a question mentions blocking traffic from known malicious IPs or domains, think Azure Firewall with threat intelligence enabled.
Tip 4: Know that Azure Firewall is deployed in a hub VNet. If a scenario describes a hub-and-spoke architecture and asks where to centralize network security, the answer is Azure Firewall in the hub VNet.
Tip 5: Recognize the Premium SKU features. If a question mentions TLS inspection, IDPS, or advanced URL filtering, the answer points to Azure Firewall Premium.
Tip 6: Azure Firewall denies traffic by default. This is a key principle — all traffic is denied unless a rule explicitly allows it. This is the zero trust approach to network security.
Tip 7: Azure Firewall Manager is the centralized management tool. If a question asks about managing firewall policies across multiple firewalls or subscriptions, the answer is Azure Firewall Manager.
Tip 8: Do not confuse Azure Firewall with third-party NVAs. Azure Firewall is a first-party Microsoft service. While third-party network virtual appliances exist in the Azure Marketplace, Azure Firewall is the managed, native solution.
Tip 9: Complementary services. Expect questions that test whether you understand that Azure Firewall, NSGs, WAF, and DDoS Protection are used together as part of a defense-in-depth strategy, not as replacements for one another.
Tip 10: Integration with Azure Monitor and Azure Sentinel. Azure Firewall logs can be sent to Azure Monitor (Log Analytics), Azure Storage, or Event Hubs. These logs can also be ingested into Microsoft Sentinel for advanced threat detection and response. If a question asks about monitoring or analyzing firewall traffic, remember this integration.
Quick-Reference Summary for the Exam
- Azure Firewall = managed, stateful, cloud-native firewall-as-a-service
- Provides L3-L7 filtering with application rules, network rules, and NAT rules
- Threat intelligence-based filtering from Microsoft's feed
- Deployed centrally in a hub VNet
- Scales automatically with built-in high availability
- Premium SKU adds TLS inspection, IDPS, URL filtering, and web categories
- Managed centrally via Azure Firewall Manager
- Complements NSGs, WAF, and DDoS Protection
- Follows a deny-by-default model aligned with Zero Trust principles
- Logs integrate with Azure Monitor and Microsoft Sentinel