Azure Firewall is a managed, cloud-based network security service that protects the resources of your Azure Virtual Network. It is a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability.
You can design, enforce, and log application and network connectivity policies across subscriptions and virtual networks from a single location.
Azure Firewall Deployment Model
Customers usually deploy Azure Firewall in a central (hub) virtual network and peer the other virtual networks to it in a hub-and-spoke arrangement.
Global VNet peering is possible but not advised, because of potential performance and latency problems across regions. Deploy one firewall per region for optimal performance.
The benefit of this model is that you can centrally control many spoke VNets across multiple subscriptions. It also saves cost, because you do not have to deploy a separate firewall in each VNet. Weigh those savings against the cost of the associated peering, based on your traffic patterns.
Concepts of Azure Firewall
Azure Firewall supports rules and rule collections. A rule collection is a group of rules that share the same priority and ordering. The firewall processes rule collections in priority order. All rules are terminating, and network rule collections take priority over application rule collections.
What Logging and Analytics Services Does The Azure Firewall Support?
Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs. You can send logs to Log Analytics, Azure Storage, or Event Hubs and analyze them in Log Analytics or with other tools.
Difference Between Azure Firewall and NVAs
Azure Firewall is a cloud-based network security service that protects your virtual network resources. It is a fully stateful firewall-as-a-service with built-in high availability and unrestricted cloud scalability.
It is pre-integrated with third-party security-as-a-service (SECaaS) providers to provide advanced security for your virtual network and branch Internet connections.
What is the difference between Application Gateway WAF and Azure Firewall?
The Web Application Firewall (WAF) is an Application Gateway feature that protects your web applications from common exploits and vulnerabilities through centralized inbound protection.
Azure Firewall provides inbound protection for non-HTTP/S protocols (such as RDP, SSH, and FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
What is the difference between Azure Firewall and Network Security Groups (NSGs)?
Azure Firewall complements the functionality of network security groups. Together they provide better "defense-in-depth" network security.
Network security groups provide distributed network-layer traffic filtering in each subscription to limit traffic to resources within virtual networks. Azure Firewall is a fully stateful, centralized network firewall-as-a-service that protects networks and applications across subscriptions and virtual networks.
Is it possible to use Network Security Groups (NSGs) on the AzureFirewallSubnet?
Azure Firewall is a managed service that provides multiple layers of protection, including platform protection with NIC-level NSGs (not viewable). Subnet-level NSGs are not required on AzureFirewallSubnet, and they are disabled there to prevent service disruption.
How do I configure Azure Firewall to protect my service endpoints?
We recommend service endpoints for secure access to PaaS services. You can enable service endpoints on the Azure Firewall subnet and disable them on the connected spoke virtual networks. This way you get the best of both worlds: service endpoint security and centralized logging for all traffic.
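As an added example (not code from the page or a Microsoft template), the Bicep below lays out that pattern: the hub's AzureFirewallSubnet carries the service endpoint, the spoke subnet has none, and a user-defined route sends all spoke egress to the firewall's private IP so PaaS-bound traffic is inspected and logged centrally. It assumes the firewall itself, the hub-spoke peering and the firewall rules allowing the traffic are deployed separately, and that firewallPrivateIp is supplied as a parameter.

```bicep
// Added example (not the page's or Microsoft's): endpoints on the hub firewall subnet only.
param location string = resourceGroup().location
param firewallPrivateIp string // assumption: private IP of the already deployed Azure Firewall
resource hubVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'hub-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] }
    subnets: [
      {
        name: 'AzureFirewallSubnet' // required subnet name for Azure Firewall
        properties: {
          addressPrefix: '10.0.1.0/26'
          // Endpoints only here: the firewall subnet is the only one with a direct PaaS path.
          serviceEndpoints: [ { service: 'Microsoft.Storage' } ]
        }
      }
    ]
  }
}
resource spokeRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'spoke-rt'
  location: location
  properties: {
    routes: [
      {
        name: 'default-via-firewall' // all spoke egress, PaaS-bound included, goes to the firewall
        properties: { addressPrefix: '0.0.0.0/0', nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}
resource spokeVnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'spoke-vnet'
  location: location
  properties: {
    addressSpace: { addressPrefixes: [ '10.1.0.0/16' ] }
    subnets: [
      {
        name: 'workload'
        properties: {
          addressPrefix: '10.1.1.0/24'
          serviceEndpoints: [] // deliberately empty: no bypass around the hub firewall
          routeTable: { id: spokeRoutes.id }
        }
      }
    ]
  }
}
```

The /26 prefix is the minimum size Azure Firewall requires for AzureFirewallSubnet; without the route table on the spoke, PaaS-bound traffic would leave the spoke directly and never reach the firewall's logs.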